Linux Open Source Security

How to install Teleport OSS in Rocky Linux 9

Teleport is an open-source tool for providing zero trust access to servers and cloud applications using SSH, Kubernetes and HTTPS. It can eliminate the need for VPNs by providing a single gateway to access computing infrastructure via SSH, Kubernetes clusters, and cloud applications via a built-in proxy.

Teleport provides an open source alternative. Open source Teleport was designed to provide access to the infrastructure you need without slowing you down. With a single tool, engineers get unified access to Linux and Windows servers, Kubernetes clusters, databases and DevOps applications like AWS Management Console, CI/CD, version control, and monitoring dashboards across all environments.

In this guide, we will learn how to run the open source version of Teleport on Rocky Linux 9 Server.

We will run the following Teleport services:

  • Teleport Auth Service: The certificate authority for your cluster. It issues certificates and conducts authentication challenges. The Auth Service is typically inaccessible outside your private network.
  • Teleport Proxy Service: The cluster frontend, which handles user requests, forwards user credentials to the Auth Service, and communicates with Teleport instances that enable access to specific resources in your infrastructure.
  • Teleport Application Service: Enables secure access to web applications in private networks. In this tutorial, we will use Teleport to access a simple web service.
  • Teleport SSH Service: An SSH server implementation that takes advantage of Teleport’s short-lived certificates, sophisticated RBAC, session recording, and other features.

Related Content:

Prerequisites

To follow along, ensure that you have the following:

  • A Rocky Linux 9 or RHEL 9 based server with only port 443 open to ingress traffic
  • Sudo access or ability to install software on the server
  • A two-factor authenticator app such as AuthyGoogle Authenticator, or Microsoft Authenticator
  • python3 installed on your Linux machine. We will use this to run a simple HTTP file server, so you can use another HTTP server if you have one installed.
  • You must also have one of the following:
  • A registered domain name.
  • An authoritative DNS nameserver managed by your organization, plus an existing certificate authority. If using this approach, ensure that your browser is configured to use your organization’s nameserver.

If you want to try docker locally without DNS, checkout How to run Open source teleport docker.

Step 1. Configure DNS

Teleport uses TLS to provide secure access to its Proxy Service and Auth Service, and this requires a domain name that clients can use to verify Teleport’s certificate.

Set up two A DNS records: tele.citizix.com for all traffic and *.tele.citizix.com for web apps using Application Access. We are assuming that your domain name is citizix.com. Use your own subdomain instead of tele.

Teleport assigns a subdomain to each application you have configured for Application Access (e.g., grafana.tele.citizix.com), so you will need to ensure that a DNS A record exists for each application-specific subdomain so clients can access your applications via Teleport.

You should create either a separate DNS A record for each subdomain or a single record with a wildcard subdomain such as *.teleport.citizix.com. This way, your certificate authority (e.g., Let’s Encrypt) can issue a certificate for each subdomain, enabling clients to verify your Teleport hosts regardless of the application they are accessing.

You can use dig to make sure that DNS records are propagated:

dig tele.citizix.com

Step 2. Run a simple web service

Run the following commands to create a directory on your Linux machine called demo-app and add a simple HTML file to serve to clients:

mkdir citiapp

cat <<EOF>>citiapp/index.html
<!DOCTYPE html>
<html>
  <head><title>Welcome!</title></head>
  <body>
    <h1>Welcome to your Teleport cluster!</h1>
  </body>
</html>
EOF

Run a simple HTTP service on port 9000 that returns your welcome page:

nohup python3 -m http.server 9000 --directory citiapp &

Confirm that it is running as expected

$ ss -tulpn | grep 9000
tcp   LISTEN 0      5            0.0.0.0:9000      0.0.0.0:*    users:(("python3",pid=202653,fd=3))

Since port 9000 is not open on your Linux host, there is currently no way to access the web service from your local machine. We will configure Teleport to enable you to access the web service securely.

Step 3. Set up Teleport on your Linux host

Installing Teleport

In our Rocky server, use this commands to install teleport.

Source variables about OS version

source /etc/os-release

Add the Teleport YUM repository for v11. You’ll need to update this file for each major release of Teleport.

sudo yum-config-manager --add-repo $(rpm --eval "https://yum.releases.teleport.dev/centos/9/Teleport/%{_arch}/stable/v11/teleport.repo")

Then install teleport

sudo yum install teleport

Configure Teleport

Generate a configuration file for Teleport using the teleport configure command. This command requires information about a TLS certificate and private key.

If you are running Teleport on the internet, it is recommended to use Let’s Encrypt to receive your key and certificate automatically. For private networks or custom deployments, use your own private key and certificate.

Let’s Encrypt verifies that you control the domain name of your Teleport cluster by communicating with the HTTPS server listening on port 443 of your Teleport Proxy Service.

You can configure the Teleport Proxy Service to complete the Let’s Encrypt verification process when it starts up.

On the host where you will start the Teleport Auth Service and Proxy Service, run the following teleport configure command, where tele.citizix.com is the domain name of your Teleport cluster and admin@citizix.com is an email address used for notifications (you can use any domain):

DOMAIN=tele.citizix.com
EMAIL=devops@citizix.com

teleport configure --acme --acme-email=${EMAIL?} --cluster-name=${DOMAIN?} | \
sudo tee /etc/teleport.yaml > /dev/null

The --acme--acme-email, and --cluster-name flags will add the following settings to your Teleport configuration file:

proxy_service:
  enabled: "yes"
  web_listen_addr: 0.0.0.0:443
  public_addr: tele.citizix.com:443
  acme:
    enabled: "yes"
    email: devops@citizix.com

Port 443 on your Teleport Proxy Service host must allow traffic from all sources.

Next, configure Teleport to provide secure access to your web service. Edit your Teleport configuration file (/etc/teleport.yaml) to include the following, replacing telt.citizix.com with the domain name of your Teleport cluster.

app_service:
    enabled: <strong>yes</strong>
    apps:
    - name: "demo"
      uri: "http://localhost:9000"
      public_addr: "demo.tele.citizix.com"

Start Teleport

Let us start the service using systemd:

sudo systemctl start teleport

You can access Teleport’s Web UI via HTTPS at the domain you created earlier (e.g., https://tele.citizix.com). You should see a welcome screen.

Step 4. Create a Teleport user and set up two-factor authentication

In this step, we’ll create a new Teleport user,admin, which is allowed to log into SSH hosts as any of the principals rootrocky, or citizix. We will use tctl to achieve this. tctl is an administrative tool that is used to configure Teleport’s auth service.

On your Linux machine, run the following command:

sudo tctl users add admin --roles=editor,access --logins=root,rocky,citizix

The command prints a message similar to the following:

User "admin" has been created but requires a password. Share this URL with the user to complete user setup, link is valid for 1h:
https://tele.citizix.com:443/web/invite/9148581095e93c5ae27314b35f9138fa

NOTE: Make sure tele.citizix.com:443 points at a Teleport proxy which users can access.

Visit the provided URL in order to create your Teleport user.

The users that you specify in the logins flag (e.g., rootrocky and citizix in our examples) must exist on your Linux machine. Otherwise, you will get authentication errors.

If a user does not already exist, you can create it with adduser <login>.

If you do not have the permission to create new users on the Linux host, run tctl users add teleport $(whoami) to explicitly allow Teleport to authenticate as the user that you have currently logged in as.

Teleport enforces the use of two-factor authentication by default. It supports one-time passwords (OTP) and second-factor authenticators (WebAuthn). In this guide, you will need to enroll an OTP authenticator application using the QR code on the Teleport welcome screen.

Step 5. Log in using tsh

tsh is our client tool. It helps you log in to Teleport clusters and obtain short-lived credentials. It can also be used to list resources registered with Teleport, such as servers, applications, and Kubernetes clusters.

Install tsh on your local machine:

curl -O https://get.gravitational.com/teleport-v11.2.1-linux-amd64-bin.tar.gz
tar -xzf teleport-v11.2.1-linux-amd64-bin.tar.gz
cd teleport
sudo ./install

Log in to receive short-lived certificates from Teleport:

tsh login --proxy=tele.citizix.com --user=admin

You should see an output similar to this

$ tsh login --proxy=tele.citizix.com --user=admin
Enter password for Teleport user admin:
Enter your OTP token:
> Profile URL:        https://tele.citizix.com:443
  Logged in as:       admin
  Cluster:            tele.citizix.com
  Roles:              access, editor
  Logins:             root, rocky, citizix, -teleport-internal-join
  Kubernetes:         enabled
  Valid until:        2023-01-19 17:48:42 +0000 UTC [valid for 12h0m0s]
  Extensions:         client-ip, permit-agent-forwarding, permit-port-forwarding, permit-pty, private-key-policy

Step 6. Access resources

Congrats! You’ve completed setting up Teleport and signed in to your cluster. Now you can use Teleport to quickly access resources.

Visit your demo website

Now that you have logged in to Teleport, you can see the demo website you started earlier. Visit https://demo.tele.citizix.com, replacing tele.citizix.com with the domain name of your Teleport cluster.

You can use the Teleport Application Service to configure access to any web application in your private network, including HTTP management endpoints for popular infrastructure technologies.

SSH into your Node

You also configured the Teleport SSH Service, meaning that you can easily access your Linux machine after logging in to Teleport.

See the logins you can use to access a Node:

$ tsh status
> Profile URL:        https://tele.citizix.com:443
  Logged in as:       admin
  Cluster:            tele.citizix.com
  Roles:              access, editor
  Logins:             root, rocky, citizix, -teleport-internal-join
  Kubernetes:         enabled
  Valid until:        2023-01-19 17:48:42 +0000 UTC [valid for 11h58m0s]
  Extensions:         client-ip, permit-agent-forwarding, permit-port-forwarding, permit-pty, private-key-policy

List all SSH servers connected to Teleport:

$ tsh ls
Node Name      Address        Labels
-------------- -------------- -----------------------
fidle-rockysrv 127.0.0.1:3022 hostname=fidle-rockysrv

SSH into fidle-rockysrv as root:

tsh ssh root@fidle-rockysrv

Conclusion

In this guide we managed to set up Teleport OSS on Rocky Linux 9 server

Teleport
Last updated on Oct 14, 2024 11:46 +0300
comments powered by Disqus
© 2020 - 2024 Citizix, Inc.
Citizix Ltd
Built with Hugo
Theme Stack designed by Jimmy