Secure access to Linux system and Kubernetes through Teleport


In today's interconnected systems, every asset, every document and every piece of information has to be kept away from prying eyes as far as possible. To make matters worse, the number of these unwanted eyes and ears grows rapidly, and keeping them out of your systems gets harder and trickier every day. So what can you do? Well-meaning people have proposed innovative solutions that can at least resist them and make them work harder. Teleport is one of these solutions, and we will discuss it in detail in this brief guide.

Gravitational Teleport is a gateway for managing access to clusters of Linux servers via SSH or the Kubernetes API. According to the Teleport documentation, it is intended for organizations that need the following, beyond what traditional OpenSSH offers:

  • Protect their infrastructure and comply with security best practices and regulatory requirements.
  • Get a comprehensive view of the activities that occur throughout the infrastructure.
  • Reduce the operational overhead of privileged access management in traditional and cloud-native infrastructure.

Key features of Teleport

Teleport provides impressive features that administrators and developers will love. They include:

  • A single SSH/Kubernetes access gateway for the entire organization.
  • Authentication based on SSH certificates, not static keys.
  • Avoidance of key distribution and trust-on-first-use issues by using automatically expiring keys signed by a cluster certificate authority (CA).
  • Mandatory second factor verification.
  • Connectivity to clusters behind firewalls without direct Internet access, through an SSH bastion.
  • Solve problems collaboratively through session sharing.
  • Discover online servers and Docker containers in the cluster with dynamic node labels.
  • A "single pane of glass" tool for managing RBAC for both SSH and Kubernetes.
  • Audit log with session recording/replay.
  • Kubernetes audit log, including recording interactive commands executed through kubectl.
  • An "agentless" mode, in which most Teleport features are available on clusters with a pre-existing SSH daemon (usually sshd).

As described on the official Teleport website, Teleport consists of three binaries: the teleport daemon, the tsh client and the tctl administration tool. They are dependency-free, written in a compiled language, and run on any UNIX-compatible operating system (such as Linux, FreeBSD or macOS). Teleport is open source under the Apache 2 license, and its source code is available on GitHub.

Teleport is easy to deploy. It is a traditional Linux daemon similar to sshd and usually runs as a systemd service.

Installing Teleport

The Teleport core service (teleport) and the administration tool (tctl) are designed to run on Linux and macOS. The Teleport user client (tsh) and the web UI are available for Linux, macOS and Windows.

Install Teleport on Linux

The following example installs the 64-bit version of the Teleport binaries; 32-bit (i386) and ARM binaries are also available. Check the "Latest Release" page for the most recent version.

Install from the tarball

curl -O https://get.gravitational.com/teleport-v5.0.0-linux-amd64-bin.tar.gz
tar -xzf teleport-v5.0.0-linux-amd64-bin.tar.gz
cd teleport
sudo ./install
Teleport binaries have been copied to /usr/local/bin

Configure Teleport SystemD service

We can use systemd to manage Teleport's lifecycle, such as starting and stopping the service. So create a Teleport systemd service:

$ sudo vim /etc/systemd/system/teleport.service

[Unit]
Description=Teleport SSH Service
After=network.target

[Service]
Type=simple
Restart=on-failure
EnvironmentFile=-/etc/default/teleport
ExecStart=/usr/local/bin/teleport start --pid-file=/run/teleport.pid
ExecReload=/bin/kill -HUP $MAINPID
PIDFile=/run/teleport.pid
LimitNOFILE=8192

[Install]
WantedBy=multi-user.target

Then reload systemd, and start and enable the service:

sudo systemctl daemon-reload
sudo systemctl start teleport
sudo systemctl enable teleport

You can check its status to confirm that everything started without problems:

$ sudo systemctl status teleport

● teleport.service - Teleport SSH Service
   Loaded: loaded (/etc/systemd/system/teleport.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-12-14 07:31:33 UTC; 1h 2min ago
 Main PID: 2053 (teleport)
    Tasks: 9 (limit: 11004)
   Memory: 35.0M
   CGroup: /system.slice/teleport.service
           └─2053 /usr/local/bin/teleport start --pid-file=/run/teleport.pid

Dec 14 07:31:35 centos8.localdomain teleport[2053]: [NODE]         Service 5.0.0:v5.0.0-0-gac4971801 is starting on 0.0.0.0:3022.
Dec 14 07:31:35 centos8.localdomain teleport[2053]: [PROXY]        Reverse tunnel service 5.0.0:v5.0.0-0-gac4971801 is starting on 0.0.0.0:3024.   
Dec 14 07:31:35 centos8.localdomain teleport[2053]: [PROXY]        Web proxy service 5.0.0:v5.0.0-0-gac4971801 is starting on 0.0.0.0:3080.        
Dec 14 07:31:35 centos8.localdomain teleport[2053]: [PROXY]        SSH proxy service 5.0.0:v5.0.0-0-gac4971801 is starting on 0.0.0.0:3023.

Install on CentOS from the RPM repository

If you are using CentOS and don't like the tarball installation method, you can use the following commands instead:

sudo yum-config-manager --add-repo https://rpm.releases.teleport.dev/teleport.repo
sudo yum install teleport -y

Install on Debian/Ubuntu via the .deb package

If you are using a Debian-based system and don't like the tarball installation method, you can use the following commands instead:

$ curl https://get.gravitational.com/teleport_5.0.0_amd64.deb.sha256
$ curl -O https://get.gravitational.com/teleport_5.0.0_amd64.deb
$ sha256sum teleport_5.0.0_amd64.deb
# Verify that the checksums match
$ sudo dpkg -i teleport_5.0.0_amd64.deb
$ which teleport
/usr/local/bin/teleport
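The "Verify that the checksums match" step above is done by eye. As an added example (not code from the original article or from the Teleport project), the POSIX shell helper below automates it: it reads the hash published in the .sha256 file, hashes the downloaded package, and only returns success when the two agree, so dpkg -i can be chained behind it. It assumes the .sha256 file uses the "HASH  FILENAME" layout that sha256sum produces (or a bare hash); the URLs in the usage comment are the article's own.

```shell
#!/bin/sh
# Added example, not part of the original article: verify a downloaded
# Teleport package against its published .sha256 file before installing it.
# Assumption: the .sha256 file contains "HASH  FILENAME" (sha256sum layout)
# or just the bare hash; only the first field of the first line is used.

# verify_sha256 FILE SHA256_FILE
# Exit status 0 when FILE's SHA-256 equals the published hash, 1 otherwise.
verify_sha256() {
    file="$1"
    sumfile="$2"
    [ -f "$file" ] && [ -f "$sumfile" ] || return 1
    # Published hash, normalised to lower case so a mixed-case file still compares.
    expected=$(head -n 1 "$sumfile" | awk '{print $1}' | tr 'A-F' 'a-f')
    # Hash of what was actually downloaded.
    actual=$(sha256sum "$file" | awk '{print $1}')
    # Refuse an empty or malformed published hash instead of "matching" nothing.
    [ "${#expected}" -eq 64 ] && [ "$expected" = "$actual" ]
}

# Typical use with the release files from the article (network access needed):
#   curl -fsSL -o teleport_5.0.0_amd64.deb.sha256 \
#        https://get.gravitational.com/teleport_5.0.0_amd64.deb.sha256
#   curl -fsSL -O https://get.gravitational.com/teleport_5.0.0_amd64.deb
#   verify_sha256 teleport_5.0.0_amd64.deb teleport_5.0.0_amd64.deb.sha256 \
#       && sudo dpkg -i teleport_5.0.0_amd64.deb
```

The length check matters: a download error that leaves the .sha256 file empty must fail the verification, not pass it because both sides are empty.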

Install Teleport on macOS

With Homebrew, you can easily install Teleport on macOS as follows:

$ brew install teleport

Configuring Teleport

When setting up Teleport, its developers recommend running it with Teleport's YAML configuration file, as shown below:

$ sudo nano /etc/teleport.yaml

teleport:
    data_dir: /var/lib/teleport
auth_service:
    enabled: true
    cluster_name: "teleport-quickstart"
    listen_addr: 0.0.0.0:3025
    tokens:
    - proxy,node,app:f7adb7ccdf04037bcd2b52ec6010fd6f0caec94ba190b765
    public_addr: 172.20.192.38:3025
ssh_service:
    enabled: true
    labels:
        env: staging
app_service:
    enabled: true
    debug_app: true
proxy_service:
    enabled: true
    listen_addr: 0.0.0.0:3023
    web_listen_addr: 0.0.0.0:3080
    tunnel_listen_addr: 0.0.0.0:3024
    public_addr: 172.20.192.38:3080

In the configuration above, you will notice the directory where Teleport keeps its data (/var/lib/teleport). For everything to work properly, we must grant the necessary permissions on this directory so that teleport and tctl can read and write to it. To do this, run the following command:

sudo chmod 755 -R /var/lib/teleport/

After updating the configuration file, we need to open the ports defined in the file, as shown below:

##On CentOS

sudo firewall-cmd --permanent --add-port={3023,3080,3024,3025}/tcp
sudo firewall-cmd --reload

##On Ubuntu

sudo ufw allow 3023,3080,3024,3025/tcp
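The port list above is typed by hand from the configuration. As an added example (not code from the original article or from the Teleport project), the POSIX shell helpers below derive the allow-list from teleport.yaml itself, so a later change to a listen address does not leave the firewall out of step with the service, and print the firewall-cmd or ufw commands for review rather than running them. They assume the listen addresses are written one per line as "<key>listen_addr: HOST:PORT", as in the article's configuration; this is a simple grep, not a full YAML parser. Keep in mind that the web (3080), SSH proxy (3023) and reverse-tunnel (3024) ports are the ones users and nodes must reach, while the auth port (3025) only needs to be reachable by the nodes and proxies that join the cluster.

```shell
#!/bin/sh
# Added example, not part of the original article: derive the TCP ports that
# teleport.yaml listens on, so the firewall allow-list is generated from the
# configuration instead of being typed by hand.
# Assumption: listen addresses appear as "<key>listen_addr: HOST:PORT" on
# their own line, as in the article's configuration (grep, not a YAML parser).

# teleport_listen_ports CONFIG_FILE
# Prints the unique ports of every *listen_addr key, ascending, space separated.
teleport_listen_ports() {
    grep -E '^[[:space:]]*[a-z_]*listen_addr:[[:space:]]*[^[:space:]#]+' "$1" \
        | sed -E 's/^[^:]*:[[:space:]]*.*:([0-9]+)[[:space:]]*$/\1/' \
        | sort -un \
        | xargs
}

# firewall_rule_lines CONFIG_FILE DISTRO   (DISTRO is "centos" or "ubuntu")
# Prints the command(s) that would open those ports, without running them,
# so they can be reviewed before being applied with sudo.
firewall_rule_lines() {
    ports=$(teleport_listen_ports "$1")
    [ -n "$ports" ] || return 1
    case "$2" in
        centos)
            # firewalld accepts a brace list: --add-port={p1,p2,...}/tcp
            printf 'sudo firewall-cmd --permanent --add-port={%s}/tcp\nsudo firewall-cmd --reload\n' \
                "$(echo "$ports" | tr ' ' ',')"
            ;;
        ubuntu)
            printf 'sudo ufw allow %s/tcp\n' "$(echo "$ports" | tr ' ' ',')"
            ;;
        *)
            return 1
            ;;
    esac
}

# Usage: firewall_rule_lines /etc/teleport.yaml centos    (then run the printed lines)
```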

Configure HTTPS with a self-signed certificate

Teleport should be served over HTTPS. If you already have a certificate, you can add it at the end of the Teleport configuration file. For this example, we will create a self-signed certificate to use. Create it like this:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/teleport2.key -out /etc/pki/tls/certs/teleport2.crt

This will ask you a series of questions, as shown below. Enter the values that suit your environment. If you have no DNS, you can add the domain name to /etc/hosts on the server.

-----
Country Name (2 letter code) [XX]:KE
State or Province Name (full name) []:Nairobi
Locality Name (eg, city) [Default City]:Nairobi
Organization Name (eg, company) [Default Company Ltd]:computingforgeeks
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:teleport.computingforgeeks.com
Email Address []:[email protected]

After that, update your configuration file with the certificate as shown below:

teleport:
    data_dir: /var/lib/teleport
auth_service:
    enabled: true
    cluster_name: "teleport-quickstart"
    listen_addr: 0.0.0.0:3025
    tokens:
    - proxy,node,app:f7adb7ccdf04037bcd2b52ec6010fd6f0caec94ba190b765
    public_addr: 172.20.192.38:3025
ssh_service:
    enabled: true
    labels:
        env: staging
app_service:
    enabled: true
    debug_app: true
proxy_service:
    enabled: true
    listen_addr: 0.0.0.0:3023
    web_listen_addr: 0.0.0.0:3080
    tunnel_listen_addr: 0.0.0.0:3024
##Updated/added part of this configuration
    public_addr: 172.20.192.38:3080
    https_keypairs:
      - key_file: /etc/pki/tls/private/teleport2.key
        cert_file: /etc/pki/tls/certs/teleport2.crt

Then restart Teleport:

sudo systemctl restart teleport

At this stage, you can access the Teleport web UI at "https://<IP-or-domain-name>:3080". Just open your favourite browser and point it at the server on that port (3080). You should see the Teleport login page.

But you will notice that none of our users can log in to the application yet. We will solve that next.

Create a Teleport user

Like other authentication services, Teleport requires users and their credentials to log in and use the servers it protects. Note that by default Teleport always enforces two-factor authentication. It supports one-time passwords (OTP) and hardware tokens (U2F). This quick start uses OTP, so you need an OTP-compatible app that can scan QR codes.

If you do not have permission to create new users on the Linux host, run tctl users add teleport $(whoami) to explicitly allow Teleport to authenticate as the user you are currently logged in as.

tctl users add geeks-admin root

User geeks-admin has been created but requires a password. Share this URL with the user to complete user setup, link is valid for 1h0m0s:
https://teleport.computingforgeeks.com:3080/web/invite/2ef0091feea7fea0a210f53a1d8751d3
NOTE: Make sure centos8.localdomain:3080 points at a Teleport proxy which users can access.

The OS user you specify (root in this example) must exist on the host! This means geeks-admin will be able to log in to the servers in the Teleport cluster as the root user.

After the command runs, you will see the message above in the shell. Copy the provided URL and continue to set up the new user: "https://teleport.computingforgeeks.com:3080/web/invite/2ef0091feea7fea0a210f53a1d8751d3"

(Screenshot: Teleport login page with two-factor setup)

After visiting the URL in your browser, you will see a new login page with a QR code, as shown above. To set up the new user, we recommend using the Google Authenticator app from the Play Store. Download and install it as shown in the screenshot below.

(Screenshot: Google Authenticator in the Play Store)

After downloading and installing it, open it and select "Scan QR Code".

(Screenshot: Google Authenticator, "Scan QR Code")

This will open your camera. Point it at the QR code and a code will appear on your phone. This is the "Two-factor token" on the Teleport login page. Enter the user's new password and the "Two-factor token" from your phone, then click "Create account".

(Screenshot: Teleport login page with password and two-factor token filled in)

If all goes well, the new user will enter the dashboard as shown below:

(Screenshot: Teleport dashboard after the new user logs in)

Awesome!

Add nodes to the Teleport cluster

When setting up Teleport earlier, we configured a strong static token for nodes and applications in the teleport.yaml file, so adding nodes to the cluster is now very easy. We will use that token in this step. First install Teleport on the target node, then start it with the command shown below.

$ sudo teleport start --roles=node \
    --token=f7adb7ccdf04037bcd2b52ec6010fd6f0caec94ba190b765 \
    --auth-server=teleport.computingforgeeks.com:3025

[NODE]         Service 5.0.0:v5.0.0-0-gac4971801 is starting on 0.0.0.0:3022.

Before running this command, check and update the --auth-server value (and the app-name and app-uri values if you are also registering an application).

If the following error occurs, delete the /var/lib/teleport folder on the node you want to add to the cluster, then rerun the command above.

Node failed to establish connection to cluster: Get "https://172.20.192.38:3025/v1/webapi/find": x509: certificate signed by unknown authority. time/sleep.go:148
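The teleport start command above runs the node in the foreground, so it stops when the shell closes. As an added example (not code from the original article or from the Teleport project), the POSIX shell helpers below write a node-only /etc/teleport.yaml carrying the same token and auth server, so the systemd unit from earlier starts the node and it re-joins the cluster after a reboot, and offer a small check for the situation behind the x509 error above. They assume the Teleport 5 configuration keys auth_token and auth_servers under the teleport: section, and that the token and auth server are the ones configured on the auth server (the article's values are used in the usage comment).

```shell
#!/bin/sh
# Added example, not part of the original article: write a node-only
# /etc/teleport.yaml so the systemd unit shown earlier starts the node and
# re-joins the cluster on reboot, instead of running "teleport start" in the
# foreground. Assumptions: the Teleport 5 keys auth_token and auth_servers
# under "teleport:", and a token/auth server matching the auth server's config.

# write_node_config TOKEN AUTH_SERVER_HOST:PORT OUTPUT_FILE [DATA_DIR] [LABEL]
# Writes the config and returns 0; returns 1 on missing or malformed input.
write_node_config() {
    token="$1"
    auth_server="$2"
    out="$3"
    data_dir="${4:-/var/lib/teleport}"
    label="${5:-env: staging}"
    [ -n "$token" ] && [ -n "$out" ] || return 1
    # Require host:port, matching the --auth-server form used on the command line.
    case "$auth_server" in
        *:[0-9]*) ;;
        *) return 1 ;;
    esac
    # Only the SSH service is enabled: a node must not start its own auth or proxy.
    cat > "$out" <<EOF
teleport:
    data_dir: $data_dir
    auth_token: $token
    auth_servers:
        - $auth_server
auth_service:
    enabled: false
proxy_service:
    enabled: false
ssh_service:
    enabled: true
    labels:
        $label
EOF
}

# node_has_state DATA_DIR
# True when the node already holds cluster state in DATA_DIR. The usual cause
# of the "x509: certificate signed by unknown authority" join error is state
# left over from a different (or re-initialised) auth server, which is why the
# article's fix is to remove the directory before joining again.
node_has_state() {
    [ -d "$1" ] && [ -n "$(ls -A "$1" 2>/dev/null)" ]
}

# Usage on the node, with the article's token and auth server:
#   write_node_config f7adb7ccdf04037bcd2b52ec6010fd6f0caec94ba190b765 \
#       teleport.computingforgeeks.com:3025 /etc/teleport.yaml
#   node_has_state /var/lib/teleport && echo "existing state in /var/lib/teleport"
#   sudo systemctl restart teleport
```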

When you log in to the Teleport web UI again, you should see the second node in the server list, as shown below:

(Screenshot: second node in the Teleport server list)

Log in to a server via the Teleport web UI

On the web interface, you can easily access a server's terminal. Just click the "Connect" button and select the user you want to connect to the server as. This will SSH you into the server and give you a terminal as the chosen user. Since we only added the root user in this example, we will click that.

(Screenshot: "Connect" dialog for the node, with the root user selected)

The browser opens a new tab and logs us in.

(Screenshot: terminal session on the second node)

Concluding remarks

If you made it this far, well done. Teleport is a very promising project that brings all the security features you have always wanted into your environment. It not only serves Linux servers but also manages Kubernetes clusters and more. See the Teleport documentation page for details. Enjoy!

Also, the festive season is upon us; even though we are still shrouded in the dark clouds of Covid, we hope you stay safe and healthy while celebrating with your loved ones. You can continue reading more below:

Install and use Guacamole remote desktop on CentOS 8
