Secure Access to Linux Systems and Kubernetes With Teleport

In this dispensation of interconnected systems, it is utterly crucial that every asset, every document and every information is kept as far as possible to prying eyes and ears. What makes this worse is that there is a burgeoning number of these unsavory eyes and ears and keeping them off your systems is getting harder and trickier every waking day. So what to do? Innovation from good minds in our world have come up with solutions that can at least ward them off as well as making their efforts harder as well. Teleport is one of these solutions and we shall descend into an elaborate disquisition about it in this brief guide.

Gravitational Teleport is a gateway for managing access to clusters of Linux servers via SSH or the Kubernetes API. It is intended to be used instead of traditional OpenSSH for organizations that need to: Source: Teleport Documentation

• Secure their infrastructure and comply with security best-practices and regulatory requirements.
• Have complete visibility into activity happening across their infrastructure.
• Reduce the operational overhead of privileged access management across both traditional and cloud-native infrastructure.

Comprehensive Features of Teleport

Teleport offers impressive new features that traditional administrators and developers are going to enjoy. They inlude:

• Single SSH/Kubernetes access gateway for an entire organization.
• SSH certificate based authentication instead of static keys.
• Avoid key distribution and trust on first use issues by using auto-expiring keys signed by a cluster certificate authority (CA).
• Enforce 2nd factor authentication.
• Connect to clusters located behind firewalls without direct Internet access via SSH bastions.
• Collaboratively troubleshoot issues through session sharing.
• Discover online servers and Docker containers within a cluster with dynamic node labels.
• A single tool (“pane of glass”) to manage RBAC for both SSH and Kubernetes.
• Audit log with session recording/replay.
• Kubernetes audit log, including the recording of interactive commands executed via kubectl.
• Ability to run in “agentless” mode, i.e. most Teleport features are available on clusters with pre-existing SSH daemons, usually sshd.

Adapted from Teleport official website, Teleport comes as three binaries: the teleport daemon, the tsh client, and the tctl administration tool. They are dependency-free, written in a compiled language, and run on any UNIX-compatible operating system, such as Linux, FreeBSD, or macOS. Teleport is open source under the Apache 2 license and the source code is available on Github.

Teleport is easy to deploy. It is a traditional Linux daemon similar to sshd and usually runs as a systemd service.

Teleport core service teleport and admin tool tctl have been designed to run on Linux and Mac operating systems. The Teleport user client tsh and UI are available for Linux, Mac and Windows operating systems.

Install Teleport on Linux

The following examples install the 64-bit version of Teleport binaries, but 32-bit (i386) and ARM binaries are also available. Check the Latest Release page for the most up-to-date information.

Install from the tarball

curl -O https://get.gravitational.com/teleport-v5.0.0-linux-amd64-bin.tar.gz
tar -xzf teleport-v5.0.0-linux-amd64-bin.tar.gz
cd teleport
sudo ./install
Teleport binaries have been copied to /usr/local/bin

Configure teleport SystemD service

We can take advantage of systemd to manage teleport’s lifecycle processes such as starting and stopping the service. Create teleport systemd service thus:

$ sudo vim /etc/systemd/system/teleport.service

[Unit]
Description=Teleport SSH Service
After=network.target

[Service]
Type=simple
Restart=on-failure
EnvironmentFile=-/etc/default/teleport
ExecStart=/usr/local/bin/teleport start --pid-file=/run/teleport.pid
ExecReload=/bin/kill -HUP $MAINPID
PIDFile=/run/teleport.pid
LimitNOFILE=8192

[Install]
WantedBy=multi-user.target

Then reload the daemon, start and enable the service

sudo systemctl daemon-reload
sudo systemctl start teleport
sudo systemctl enable teleport

You can check its status to confirm that everything was started without any fuss

$ sudo systemctl status teleport

● teleport.service - Teleport SSH Service
   Loaded: loaded (/etc/systemd/system/teleport.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-12-14 07:31:33 UTC; 1h 2min ago
 Main PID: 2053 (teleport)
    Tasks: 9 (limit: 11004)
   Memory: 35.0M
   CGroup: /system.slice/teleport.service
           └─2053 /usr/local/bin/teleport start --pid-file=/run/teleport.pid

Dec 14 07:31:35 centos8.localdomain teleport[2053]: [NODE]         Service 5.0.0:v5.0.0-0-gac4971801 is starting on 0.0.0.0:3022.
Dec 14 07:31:35 centos8.localdomain teleport[2053]: [PROXY]        Reverse tunnel service 5.0.0:v5.0.0-0-gac4971801 is starting on 0.0.0.0:3024.   
Dec 14 07:31:35 centos8.localdomain teleport[2053]: [PROXY]        Web proxy service 5.0.0:v5.0.0-0-gac4971801 is starting on 0.0.0.0:3080.        
Dec 14 07:31:35 centos8.localdomain teleport[2053]: [PROXY]        SSH proxy service 5.0.0:v5.0.0-0-gac4971801 is starting on 0.0.0.0:3023.

Install on CentOS from RPM Repository

If you are on CentOS, you can use the following in case you do not like the tarball installation method

sudo yum-config-manager --add-repo https://rpm.releases.teleport.dev/teleport.repo
sudo yum install teleport -y

Install on Debian Ubuntu from .deb Package

If you are on Debian based system, you can use the following in case you do not like the tarball installation method

$ curl https://get.gravitational.com/teleport_5.0.0_amd64.deb.sha256
$ curl -O https://get.gravitational.com/teleport_5.0.0_amd64.deb
$ sha256sum teleport_5.0.0_amd64.deb
# Verify that the checksums match
$ sudo dpkg -i teleport_5.0.0_amd64.deb
$ which teleport
/usr/local/bin/teleport

Install Teleport on macOS

Thanks to Homebrew, telport can be installed easily on macOS as follows:

$ brew install teleport

How To Configure Teleport

When setting up Teleport, its developers team recommends running it with Teleport’s YAML configuration file as shown below:

$ sudo nano /etc/teleport.yaml

teleport:
    data_dir: /var/lib/teleport
auth_service:
    enabled: true
    cluster_name: "teleport-quickstart"
    listen_addr: 0.0.0.0:3025
    tokens:
    - proxy,node,app:f7adb7ccdf04037bcd2b52ec6010fd6f0caec94ba190b765
    public_addr: 172.20.192.38:3025
ssh_service:
    enabled: true
    labels:
        env: staging
app_service:
    enabled: true
    debug_app: true
proxy_service:
    enabled: true
    listen_addr: 0.0.0.0:3023
    web_listen_addr: 0.0.0.0:3080
    tunnel_listen_addr: 0.0.0.0:3024
    public_addr: 172.20.192.38:3080

From the configuration above, you will notice the directory teleport data will be kept (/var/lib/teleport). In order for everything to work properly, we have to give that directory requisite permissions so that teleport and tctl can be able to read and write. To accomplish that, run the following command

sudo chmod 755 -R /var/lib/teleport/

After updating the configuration file, we will need to open the requisite ports defined in the file as follows

##On CentOS

sudo firewall-cmd --permanent --add-port={3023,3080,3024,3025}/tcp
sudo firewall-cmd --reload

##On Ubuntu

sudo ufw allow 3023,3080,3024,3025/tcp

Configure secure https with Self-singed Certificates

Teleport uses secure https. If you have certificates, you can add them at the end of teleport’s configuration file. For this example, we shall setup a self-signed certificate for our use. Proceed to create it like this:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/teleport2.key -out /etc/pki/tls/certs/teleport2.crt

This will proceed to ask you some questions as shown below. Enter the right ones for your environment. If you do not have DNS, you can add your domain names under /etc/hosts in your servers

-----
Country Name (2 letter code) [XX]:KE
State or Province Name (full name) []:Nairobi
Locality Name (eg, city) [Default City]:Nairobi
Organization Name (eg, company) [Default Company Ltd]:computingforgeeks
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:teleport.computingforgeeks.com
Email Address []:[email protected]

After this, update your configuration file with the certificates as shown below

teleport:
    data_dir: /var/lib/teleport
auth_service:
    enabled: true
    cluster_name: "teleport-quickstart"
    listen_addr: 0.0.0.0:3025
    tokens:
    - proxy,node,app:f7adb7ccdf04037bcd2b52ec6010fd6f0caec94ba190b765
    public_addr: 172.20.192.38:3025
ssh_service:
    enabled: true
    labels:
        env: staging
app_service:
    enabled: true
    debug_app: true
proxy_service:
    enabled: true
    listen_addr: 0.0.0.0:3023
    web_listen_addr: 0.0.0.0:3080
    tunnel_listen_addr: 0.0.0.0:3024
##Updated/added part of this configuration
    public_addr: 172.20.192.38:3080
    https_keypairs:
      - key_file: /etc/pki/tls/private/teleport2.key
        cert_file: /etc/pki/tls/certs/teleport2.crt

Then restart teleport

sudo systemctl restart teleport

At this stage, you can be able to access Teleport Web UI at: “https://IP-or-Domain-Name:3080“. Simply open up your favorite browser and point it to your server at the specified port (3080). You should see:

But as you will notice, we do not have any users to be able to log into the application. We shall therefore tackle that next.

Create a Teleport user

Just like any other authentication service, teleport requires users and their credentials in order for them to log in and use the servers that are under its protection. Something to note, Teleport will always enforce the use of 2-factor authentication by default. It supports one-time passwords (OTP) and hardware tokens (U2F). This quick start will use OTP – you’ll need an OTP-compatible app which can scan a QR code.

If you do not have the permission to create new users on the Linux host, run tctl users add teleport $(whoami) to explicitly allow Teleport to authenticate as the user that you are currently logged in as.

tctl users add geeks-admin root

User geeks-admin has been created but requires a password. Share this URL with the user to complete user setup, link is valid for 1h0m0s:
https://teleport.computingforgeeks.com:3080/web/invite/2ef0091feea7fea0a210f53a1d8751d3
NOTE: Make sure centos8.localdomain:3080 points at a Teleport proxy which users can access.

The users that you specify (such as root in our example) must exist! What this means is that, geeks-admin will be able to log into the servers in Teleport cluster servers as root.

After the command runs, you will see the message it presents on the shell. Copy the url it has provided and continue to setup the new user: “https://teleport.computingforgeeks.com:3080/web/invite/2ef0091feea7fea0a210f53a1d8751d3“

Once you visit the url on your browser, you will meet a new login page with a QR Code as shown above. In order for you to set up a new user, we recommend using Google Authenticator App from Play Store. Download it and install from play store as shared on the screenshots below.

Once it is downloaded and installed, open it then choose, “Scan a QR code”.

This will open up your camera. Position your camera to read the QR Code and you will see a code presented on your phone. This is the “Two Factor Token” on the Teleport Login page. Enter a new password for the user then the code on your phone under “Two Factor Token” then click “Create Account“.

If all goes well, the new user will be ushered into the dashboard as illustrated below:

Amazing stuff right!

Adding a node to teleport cluster

When you set up Teleport earlier, we configured a strong static token for nodes and apps in the teleport.yaml file. Adding nodes to be part of the cluster is now fairly easy. We are going to use this token in this step. First, install Teleport on the target node, then start it using a command as shown below.

$ sudo teleport start --roles=node 
 --token=f7adb7ccdf04037bcd2b52ec6010fd6f0caec94ba190b765 
 --auth-server=teleport.computingforgeeks.com:3025

[NODE]         Service 5.0.0:v5.0.0-0-gac4971801 is starting on 0.0.0.0:3022.

Review and update auth-server, app-name and app-uri before running this command.

In case you get the error below, delete /var/lib/teleport folder on the node you are trying to add to the cluster and re-run the command above again.

Node failed to establish connection to cluster: Get "https://172.20.192.38:3025/v1/webapi/find": x509: certificate signed by unknown authority. time/sleep.go:148

When you log back into the Teleport Web-UI, you should be able to see the second node on the list of servers as shown below

Logging into the servers via Teleport Web-UI

You can access the terminal of your servers very easily while on your web interface. You simply have to click on the “Connect” button, then choose the right user that will connect to the server. This will allow you to SSH into the server and access the terminal as the user you will choose. Since we only added root user in this example, we shall click on it

And the browser will open a new tab and usher us in.

If you have managed to reach this far, then you are amazing. Teleport is one promising project that inco-operates all of the security features you always envy to have in your environment. Not only does it service servers but also manages Kubernetes clusters and much more. Check it out at Teleport Page and enjoy.

Otherwise, it is festive eve and even though we are still shrouded by this dark cloud of Covid, we wish you safety and health as you celebrate with your loved ones. You can continue reading more stuff shared below

Install and Use Guacamole Remote Desktop on CentOS 8