Setting Up Teleport Community Edition: A Comprehensive Guide
This guide provides a step-by-step walkthrough for setting up Teleport Community Edition tailored to your specific requirements. We’ll cover installation, configuration, role definitions, user management, security setups, and best practices to ensure a secure and well-organized Teleport deployment.
Table of Contents
- Introduction
- Prerequisites
- Installation
- Configuring Teleport
- Role Definitions
- Node Labeling
- User Management
- Enforcing MFA
- Session Recording
- Monitoring and Auditing
- Security Best Practices
- Additional Suggestions
- Conclusion
Introduction
Teleport is an open-source tool that provides secure access to servers, applications, and Kubernetes clusters. It consolidates access controls, authentication, authorization, and auditing into a single platform. This guide will help you set up Teleport Community Edition on your infrastructure at teleport.webiste.com, configure roles and permissions, enforce security measures, and manage users effectively.
Prerequisites
- Servers: A Teleport server (auth and proxy) hosted at teleport.webiste.com and multiple nodes (servers) in different environments (staging, production, testing).
- Operating System: Linux-based systems (Ubuntu, CentOS, etc.).
- Users: System users (root, webiste, ubuntu, viewer) managed via Puppet.
- Domain: A valid domain (teleport.webiste.com) with DNS records pointing to your Teleport server.
- Ports: Access to the necessary ports (3023, 3024, 3025, 3080).
- SSL Certificate: Ability to obtain Let’s Encrypt certificates.
Installation
1. Install Teleport on the Auth and Proxy Server
# Import GPG keys and add Teleport's repository
curl https://deb.releases.teleport.dev/teleport-pubkey.asc | sudo apt-key add -
echo "deb https://deb.releases.teleport.dev/ stable main" | sudo tee /etc/apt/sources.list.d/teleport.list
# Update package list and install Teleport
sudo apt-get update
sudo apt-get install teleport
2. Install Teleport on Nodes
Repeat the installation steps on each node (server) that you want to manage with Teleport.
Configuring Teleport
Teleport Configuration File (/etc/teleport.yaml)
Below is an example of a Teleport configuration file tailored to your requirements:
# /etc/teleport.yaml
teleport:
  nodename: teleport.webiste.com
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
  auth_token: "your-secure-auth-token"
  connection_limits:
    max_connections: 15000
    max_users: 250
  storage:
    type: dir
    path: /var/lib/teleport/backend
auth_service:
  enabled: yes
  cluster_name: "webiste-cluster"
  listen_addr: 0.0.0.0:3025
  authentication:
    type: local
    second_factor: on
    webauthn:
      rp_id: teleport.webiste.com
proxy_service:
  enabled: yes
  listen_addr: 0.0.0.0:3023
  web_listen_addr: 0.0.0.0:3080
  tunnel_listen_addr: 0.0.0.0:3024
  public_addr:
    - teleport.webiste.com:3080
    - teleport.webiste.com:3023
  https_key_file: /etc/letsencrypt/live/teleport.webiste.com/privkey.pem
  https_cert_file: /etc/letsencrypt/live/teleport.webiste.com/fullchain.pem
  acme:
    enabled: yes
    email: admin@webiste.com
ssh_service:
  enabled: yes
  labels:
    environment: production
  commands:
    - name: hostname
      command: [hostname]
      period: 1h
Setting Up Let’s Encrypt
Teleport can automatically obtain and renew Let’s Encrypt certificates.
- Ensure port 80 is open on your proxy server for initial certificate issuance.
- Configure the acme section in proxy_service as shown above.
Restricting Service Ports to Trusted IP Ranges
Update your firewall settings to restrict access:
# Example using UFW (Uncomplicated Firewall)
sudo ufw allow from <trusted_ip_range> to any port 3025
sudo ufw allow from <trusted_ip_range> to any port 3023
sudo ufw allow from <trusted_ip_range> to any port 3024
sudo ufw allow from any to any port 3080 # If web UI is publicly accessible
Role Definitions
Admin Role
# admin-role.yaml
kind: role
version: v4
metadata:
  name: admin
spec:
  options:
    max_session_ttl: 12h
    forward_agent: true
  allow:
    logins: ['root', 'webiste', 'ubuntu']
    node_labels:
      '*': '*'
    rules:
      - resources: ['*']
        verbs: ['*']
Developer Role
# developer-role.yaml
kind: role
version: v4
metadata:
  name: developer
spec:
  options:
    max_session_ttl: 8h
  allow:
    logins: ['developer']
    node_labels:
      environment: 'staging'
    rules:
      - resources: ['node']
        verbs: ['read', 'list', 'create']
Readonly Role
# readonly-role.yaml
kind: role
version: v4
metadata:
  name: readonly
spec:
  options:
    max_session_ttl: 4h
  allow:
    logins: ['viewer']
    node_labels:
      '*': '*'
    rules:
      - resources: ['session']
        verbs: ['read', 'list']
  deny:
    rules:
      - resources: ['ssh']
        verbs: ['update', 'delete', 'create']
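A quick least-privilege review of the three roles above, as an added example that is not part of the original guide. The ROLES list re-types the guide's admin, developer and readonly roles as constructed Python dicts so the check runs offline; against a live cluster you would load the output of `tctl get roles --format=json` instead. The thresholds (8h session TTL, root as a privileged login) are assumptions for this example.

```python
"""Least-privilege review of Teleport role specs (added example, not from the guide)."""
import json
from typing import Dict, List

# Constructed copies of the guide's roles (normally: json.load of `tctl get roles --format=json`).
ROLES = [
    {"kind": "role", "version": "v4", "metadata": {"name": "admin"},
     "spec": {"options": {"max_session_ttl": "12h", "forward_agent": True},
              "allow": {"logins": ["root", "webiste", "ubuntu"],
                        "node_labels": {"*": "*"},
                        "rules": [{"resources": ["*"], "verbs": ["*"]}]}}},
    {"kind": "role", "version": "v4", "metadata": {"name": "developer"},
     "spec": {"options": {"max_session_ttl": "8h"},
              "allow": {"logins": ["developer"],
                        "node_labels": {"environment": "staging"},
                        "rules": [{"resources": ["node"], "verbs": ["read", "list", "create"]}]}}},
    {"kind": "role", "version": "v4", "metadata": {"name": "readonly"},
     "spec": {"options": {"max_session_ttl": "4h"},
              "allow": {"logins": ["viewer"],
                        "node_labels": {"*": "*"},
                        "rules": [{"resources": ["session"], "verbs": ["read", "list"]}]},
              "deny": {"rules": [{"resources": ["ssh"], "verbs": ["update", "delete", "create"]}]}}},
]

# Review thresholds: assumptions for this example, tune them to your own policy.
MAX_TTL_HOURS = 8.0
PRIVILEGED_LOGINS = {"root"}


def parse_ttl_hours(ttl: str) -> float:
    """Convert a Teleport duration such as '12h', '90m' or '3600s' to hours."""
    units = {"h": 1.0, "m": 1 / 60, "s": 1 / 3600}
    unit = ttl[-1]
    if unit not in units:
        raise ValueError(f"unsupported duration: {ttl!r}")
    return float(ttl[:-1]) * units[unit]


def audit_role(role: Dict) -> List[str]:
    """Return human-readable findings for one role; an empty list means no concerns."""
    findings: List[str] = []
    spec = role.get("spec", {})
    allow = spec.get("allow", {})
    options = spec.get("options", {})

    # A '*': '*' label selector lets the role reach every node in the cluster.
    if allow.get("node_labels", {}).get("*") == "*":
        findings.append("wildcard node_labels: role reaches every node")
    # Direct OS-level privileged logins bypass per-user accountability on the node.
    for login in allow.get("logins", []):
        if login in PRIVILEGED_LOGINS:
            findings.append(f"privileged OS login allowed: {login}")
    # Every verb on every resource is full cluster administration.
    for rule in allow.get("rules", []):
        if "*" in rule.get("resources", []) and "*" in rule.get("verbs", []):
            findings.append("wildcard rule: every verb on every resource")
    if options.get("forward_agent"):
        findings.append("forward_agent enabled: exposes the user's SSH agent to nodes")
    ttl = options.get("max_session_ttl")
    if ttl and parse_ttl_hours(ttl) > MAX_TTL_HOURS:
        findings.append(f"max_session_ttl {ttl} exceeds {MAX_TTL_HOURS:g}h")
    return findings


def audit_roles(roles: List[Dict]) -> Dict[str, List[str]]:
    """Map each role name to its findings."""
    return {r["metadata"]["name"]: audit_role(r) for r in roles}


if __name__ == "__main__":
    print(json.dumps(audit_roles(ROLES), indent=2))
```

Run as written, the admin role collects five findings, the developer role none, and the readonly role one (its node_labels wildcard), which is a useful prompt to ask whether viewers really need to reach production nodes.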
Node Labeling
Node labels are key-value pairs assigned to nodes to categorize them. They are crucial for role-based access control.
Example Node Configuration
On each node, update the ssh_service section in /etc/teleport.yaml:
ssh_service:
  enabled: yes
  labels:
    environment: staging # Change to production or testing as appropriate
    region: us-west
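To see how node labels and a role's node_labels selector combine into actual reach, here is an added example (not from the guide) that evaluates a simplified form of Teleport's label matching: a role reaches a node when every key in its node_labels map is present on the node with an allowed value, `'*': '*'` matches any node, and a list of values means "any of these". Regex values are deliberately not modelled. The role selectors mirror the guide's roles; the `qa` role and the three node label sets are constructed for illustration.

```python
"""Which roles reach which node, by node_labels (added example, not from the guide)."""
from typing import Dict, List, Union

LabelValue = Union[str, List[str]]

# Role node_labels selectors: admin/developer/readonly from the guide, qa assumed.
ROLE_NODE_LABELS: Dict[str, Dict[str, LabelValue]] = {
    "admin": {"*": "*"},
    "developer": {"environment": "staging"},
    "readonly": {"*": "*"},
    "qa": {"environment": ["staging", "testing"], "region": "us-west"},
}

# Constructed node label sets, as each node's ssh_service.labels would report them.
NODES: Dict[str, Dict[str, str]] = {
    "staging-01": {"environment": "staging", "region": "us-west"},
    "prod-01": {"environment": "production", "region": "us-west"},
    "test-01": {"environment": "testing", "region": "eu-central"},
}


def _value_matches(allowed: LabelValue, actual: str) -> bool:
    """Exact match, wildcard, or membership in a list of allowed values."""
    if allowed == "*":
        return True
    if isinstance(allowed, list):
        return actual in allowed or "*" in allowed
    return allowed == actual


def role_can_reach(role_labels: Dict[str, LabelValue], node_labels: Dict[str, str]) -> bool:
    """True if every label constraint of the role is satisfied by the node's labels."""
    if not role_labels:
        return False  # an empty allow selector grants no node access
    for key, allowed in role_labels.items():
        if key == "*" and allowed == "*":
            continue  # wildcard key and value: any node qualifies
        # Any other key must exist on the node with a permitted value.
        if key not in node_labels or not _value_matches(allowed, node_labels[key]):
            return False
    return True


def access_matrix(roles: Dict[str, Dict[str, LabelValue]] = ROLE_NODE_LABELS,
                  nodes: Dict[str, Dict[str, str]] = NODES) -> Dict[str, List[str]]:
    """Map each node to the sorted list of roles that can reach it."""
    return {
        node: sorted(name for name, sel in roles.items() if role_can_reach(sel, labels))
        for node, labels in nodes.items()
    }


if __name__ == "__main__":
    for node, reaching in access_matrix().items():
        print(f"{node:12s} -> {', '.join(reaching) or '(no roles)'}")
```

Reading the matrix per node rather than per role is the review most teams skip: it makes it obvious that both wildcard roles (admin and readonly) reach production, while the developer role is confined to staging exactly as intended.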
User Management
Creating Users
# Create a user with multiple roles
tctl users add alice --roles=developer,readonly
Modifying Users
# Update roles for an existing user
tctl users update alice --set-roles=admin
Deleting Users
# Delete a user
tctl users rm alice
Resetting MFA
# Reset a user's password and MFA devices; prints a one-time reset link for the user
tctl users reset alice
Enforcing MFA
MFA is enforced via the second_factor setting in the authentication section:
authentication:
  type: local
  second_factor: on # Options: off, otp, u2f, on (for any second factor)
Session Recording
Enable session recording with the session_recording setting in the auth_service section (the ssh_service section has no recording key of its own):
auth_service:
  session_recording: node # Records sessions at the node level
Session recordings are stored in /var/lib/teleport/log by default and are accessible via the Web UI under the “Sessions” tab.
Monitoring and Auditing
Monitoring Active Sessions
Use the Web UI or CLI to view active sessions:
tctl sessions ls
Viewing Audit Logs
Audit logs are stored in /var/lib/teleport/log. You can view them using standard log viewing tools:
less /var/lib/teleport/log/teleport.log
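Paging through the log with less works for a spot check, but periodic review is easier with a small triage script. The following is an added example, not from the guide: Teleport writes audit events as one JSON object per line, and the script parses such lines, skips corrupt ones, and summarises failed-login bursts, sessions opened with a privileged OS login, and session counts per user. The sample lines are constructed and use the common fields `event`, `time`, `user`, `login`, `server_hostname` and `success`; confirm the field names against your own events before running it on real data.

```python
"""Triage of Teleport audit events (added example, not from the guide)."""
import json
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample events; one deliberately corrupt line exercises the skip path.
SAMPLE_EVENTS = """\
{"event":"user.login","time":"2024-05-01T08:00:01Z","user":"alice","success":true}
{"event":"session.start","time":"2024-05-01T08:00:20Z","user":"alice","login":"developer","server_hostname":"staging-01"}
{"event":"session.end","time":"2024-05-01T08:30:00Z","user":"alice","login":"developer","server_hostname":"staging-01"}
{"event":"user.login","time":"2024-05-01T09:00:00Z","user":"bob","success":false}
{"event":"user.login","time":"2024-05-01T09:00:05Z","user":"bob","success":false}
{"event":"user.login","time":"2024-05-01T09:00:09Z","user":"bob","success":false}
{"event":"user.login","time":"2024-05-01T09:00:14Z","user":"bob","success":true}
{"event":"session.start","time":"2024-05-01T09:01:00Z","user":"bob","login":"root","server_hostname":"prod-db-01"}
this line is not json and should be skipped
{"event":"session.start","time":"2024-05-01T10:00:00Z","user":"carol","login":"viewer","server_hostname":"prod-web-01"}
"""


def parse_events(text: str) -> List[Dict]:
    """Parse JSON-lines audit output, skipping blank or unparseable lines."""
    events: List[Dict] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            # A partially written or corrupted line should not abort the review.
            print(f"skipping unparseable line {lineno}")
            continue
        if isinstance(ev, dict) and "event" in ev:
            events.append(ev)
    return events


def triage(events: List[Dict], failed_login_threshold: int = 3,
           privileged_logins=("root",)) -> Dict:
    """Summarise the events into the three things a periodic review looks at first."""
    failed = Counter()
    privileged_sessions: List[Dict] = []
    sessions_per_user: Dict[str, int] = defaultdict(int)
    for ev in events:
        kind = ev.get("event")
        user = ev.get("user", "?")
        if kind == "user.login" and ev.get("success") is False:
            failed[user] += 1
        elif kind == "session.start":
            sessions_per_user[user] += 1
            if ev.get("login") in privileged_logins:
                privileged_sessions.append({"user": user, "login": ev.get("login"),
                                            "host": ev.get("server_hostname"),
                                            "time": ev.get("time")})
    return {
        "failed_login_bursts": {u: n for u, n in failed.items() if n >= failed_login_threshold},
        "privileged_sessions": privileged_sessions,
        "sessions_per_user": dict(sessions_per_user),
    }


if __name__ == "__main__":
    print(json.dumps(triage(parse_events(SAMPLE_EVENTS)), indent=2))
```

On the sample data the script reports bob's three failed logins followed by a root session on prod-db-01, which is exactly the sequence a reviewer would want surfaced rather than buried among routine developer sessions. Point it at /var/lib/teleport/log instead of the embedded sample to run it over real output.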
Periodic Role and User Auditing
List all users and their roles:
tctl users ls
List all roles:
tctl get roles
Review role definitions:
tctl get role/<role-name> --format=yaml
Security Best Practices
- Regular Updates: Keep Teleport updated to the latest version.
- Least Privilege: Assign the minimal required permissions to each role.
- MFA Enforcement: Ensure MFA is always enabled (second_factor: on).
- Audit Trails: Regularly review audit logs and session recordings.
- Secure Authentication Tokens: Keep auth_token values secure and rotate them periodically.
- Network Security: Use firewalls and security groups to restrict access to Teleport’s ports.
- Backup Configuration: Regularly back up configuration files and important data directories.
Additional Suggestions
- High Availability: Consider setting up Teleport in high availability mode with multiple auth servers.
- External Authentication: Integrate with external identity providers (e.g., GitHub, SAML) for centralized authentication.
- Custom CA Pins: Use custom certificate authorities for added security.
- Periodic Training: Conduct regular training for users on security practices and how to use Teleport.
- Automation: Use configuration management tools (like Puppet) to manage Teleport configurations across nodes.
Conclusion
By following this guide, you will have a secure and organized Teleport deployment that meets your requirements. Regularly review and update your configurations and practices to adapt to new security challenges and organizational needs.