Teleport is an open-source, easy-to-install certificate authority and access system. If you have servers reachable over SSH, Kubernetes clusters, databases and web applications, Teleport brings them together on one platform that acts as an access plane to all of that infrastructure. It also records interactive sessions across all environments and lets them be shared.
Teleport runs as a systemd service and is straightforward to install and deploy. In this article, we discuss how to install Teleport on an Ubuntu 20.04 server.
Installation
As is the case for other Linux and Mac operating systems, the Teleport core service teleport
Prerequisites
- A Linux machine with a port 443 open
- A two-factor authenticator app such as Authy, Google Authenticator, or Microsoft Authenticator
- An SSH client like OpenSSH
- Access to a DNS service such as Amazon Route 53 or CoreDNS
Installation of teleport on Ubuntu 20.04 server
If you need 32-bit or ARM binaries, check the latest release page at https://goteleport.com/teleport/download/ . To install the 64-bit Teleport binaries, run the commands shown below.
First, import Teleport's public signing key:
$ curl https://deb.releases.teleport.dev/teleport-pubkey.asc | sudo apt-key add -
Add the Teleport repository to APT:
$ sudo add-apt-repository 'deb https://deb.releases.teleport.dev/ stable main'
Update the APT cache:
$ sudo apt-get update
Finally, install Teleport:
$ sudo apt install teleport
Configuration of teleport
Teleport is configured through a YAML file. Create /etc/teleport.yaml with your favorite editor and use the configuration shown below as a starting point.
$ sudo vim /etc/teleport.yaml
teleport:
  nodename: linuxways
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
    format:
      output: text
  ca_pin: []
  diag_addr: ""
auth_service:
  enabled: "yes"
  cluster_name: "teleport"
  listen_addr: 0.0.0.0:3025
  tokens:
    - proxy,node,app:e6cebf660b1f3390f204130b9649
  public_addr: 5.22.209.65:3025
ssh_service:
  enabled: "yes"
  labels:
    env: example
  commands:
    - name: hostname
      command: [hostname]
      period: 1m0s
app_service:
  enabled: "yes"
  debug_app: true
proxy_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3023
  web_listen_addr: 0.0.0.0:3080
  tunnel_listen_addr: 0.0.0.0:3024
  public_addr: 5.22.209.65:3080
For the configuration to work, the data directory /var/lib/teleport must have permissions that let teleport and tctl read and write it. Run the following command for that purpose.
$ sudo chmod 755 -R /var/lib/teleport/
Configuration of Domain Name System
The proxy needs a certificate for HTTPS. You can use a certificate you already have, create a self-signed certificate, or add a DNS record such as tele.example.com pointing to your public IP and let Teleport request a TLS certificate automatically from Let's Encrypt using the ACME protocol. ACME reaches an HTTP endpoint on your Teleport host to complete the authentication challenges.
$ sudo teleport configure --acme --acme-email=your-email@example.com --cluster-name=tele.example.com -o file
Or create a self-signed certificate:
$ sudo openssl req -x509 -days 365 -nodes -newkey rsa:2048 -keyout /etc/pki/tls/private/teleport.key -out /etc/pki/tls/certs/teleport.crt
After creating the certificate, add the certificate and key to the Teleport configuration as shown below.
$ sudo vim /etc/teleport.yaml
teleport:
  nodename: linuxways
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
    format:
      output: text
  ca_pin: []
  diag_addr: ""
auth_service:
  enabled: "yes"
  cluster_name: "teleport"
  listen_addr: 0.0.0.0:3025
  tokens:
    - proxy,node,app:e6cebf660b1f3390f204130b9649
  public_addr: 5.22.209.65:3025
ssh_service:
  enabled: "yes"
  labels:
    env: example
  commands:
    - name: hostname
      command: [hostname]
      period: 1m0s
app_service:
  enabled: "yes"
  debug_app: true
proxy_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3023
  web_listen_addr: 0.0.0.0:3080
  tunnel_listen_addr: 0.0.0.0:3024
  public_addr: 5.22.209.65:3080
  https_keypairs:
    - key_file: /etc/pki/tls/private/teleport1.key
      cert_file: /etc/pki/tls/certs/teleport1.crt
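Before starting the service it is worth reviewing the file for settings that matter once the proxy is reachable from the internet. The script below is an added example, not code from the article or from the Teleport project: it parses the YAML subset used above with the standard library only and flags the static join token in auth_service.tokens, debug_app left enabled, a proxy_service without https_keypairs, and listeners bound to 0.0.0.0. The sample configuration is constructed from the article's values, with REPLACE_WITH_JOIN_TOKEN standing in for the real token; parse_yaml_subset and review_config are names chosen here.

```python
"""Review a teleport.yaml for settings a defender should look at twice.

Added example, not code from the article or the Teleport project. A small
standard-library parser for the YAML subset the article's config uses
(maps, lists, quoted strings, inline lists) feeds checks for static join
tokens, debug_app left on, a proxy without https_keypairs and services
bound to 0.0.0.0. SAMPLE_CONFIG is built from the article's values with a
placeholder in place of the join token.
"""

SAMPLE_CONFIG = """\
teleport:
  ca_pin: []
auth_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3025
  tokens:
    - proxy,node,app:REPLACE_WITH_JOIN_TOKEN
app_service:
  enabled: "yes"
  debug_app: true
proxy_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3023
  web_listen_addr: 0.0.0.0:3080
  tunnel_listen_addr: 0.0.0.0:3024
  public_addr: 5.22.209.65:3080
"""
# The same file after the article appends its certificate pair to proxy_service.
SAMPLE_CONFIG_WITH_TLS = SAMPLE_CONFIG + """\
  https_keypairs:
    - key_file: /etc/pki/tls/private/teleport1.key
      cert_file: /etc/pki/tls/certs/teleport1.crt
"""

def _scalar(text):
    """Quoted string, inline list, boolean or plain string."""
    text = text.strip()
    if len(text) >= 2 and text[0] == text[-1] and text[0] in "\"'":
        return text[1:-1]
    if text.startswith("[") and text.endswith("]"):
        return [_scalar(x) for x in text[1:-1].split(",")] if text.strip("[] ") else []
    return {"true": True, "false": False}.get(text, text)

def _split_key(text):
    """(key, value) for 'key: value', (key, None) for 'key:', None for a bare scalar like 'a:b'."""
    if text.endswith(":"):
        return text[:-1], None
    return tuple(text.split(": ", 1)) if ": " in text else None

def parse_yaml_subset(text):
    """Parse nested maps and lists by indentation into dicts and lists."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    stack = [(-1, {})]  # (indent of the line that opened the container, container)
    for i, raw in enumerate(lines):
        indent, body = len(raw) - len(raw.lstrip(" ")), raw.strip()
        while indent <= stack[-1][0]:  # a dedent closes open containers
            stack.pop()
        container = stack[-1][1]
        if body.startswith("- "):
            kv = _split_key(body[2:].strip())
            if kv is None:  # plain list item, e.g. a join token
                container.append(_scalar(body[2:]))
                continue
            entry = {}  # '- key: value' opens a map inside the list
            container.append(entry)
            stack.append((indent + 1, entry))
            container, indent = entry, indent + 2
        else:
            kv = _split_key(body)
        if kv is None:
            raise ValueError(f"line {i + 1}: unsupported syntax {body!r}")
        key, value = kv
        if value is None:  # a nested block follows; the next line says list or map
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            child = [] if nxt.lstrip().startswith("- ") else {}
            container[key] = child
            stack.append((indent, child))
        else:
            container[key] = _scalar(value)
    return stack[0][1]

def review_config(cfg):
    """Return a list of findings (strings) for a parsed configuration."""
    findings = []
    auth, app, proxy = (cfg.get(k, {}) for k in ("auth_service", "app_service", "proxy_service"))
    for token in auth.get("tokens", []):
        findings.append(f"auth_service.tokens: static join token for '{str(token).split(':', 1)[0]}' "
                        "stays valid while it is in the file; prefer 'tctl tokens add --ttl'")
    if app.get("enabled") == "yes" and app.get("debug_app") is True:
        findings.append("app_service.debug_app: true exposes the built-in debug app; disable it outside testing")
    if proxy.get("enabled") == "yes" and not proxy.get("https_keypairs"):
        findings.append("proxy_service.https_keypairs missing: the web UI will serve a self-signed certificate")
    for name, section in (("auth_service", auth), ("proxy_service", proxy)):
        for key, addr in section.items():
            if key.endswith("listen_addr") and str(addr).startswith("0.0.0.0:"):
                findings.append(f"{name}.{key} = {addr}: listens on every interface; restrict or firewall it")
    return findings

if __name__ == "__main__":
    print(*review_config(parse_yaml_subset(SAMPLE_CONFIG)), sep="\n")
```

Run without arguments to review the embedded sample, or call review_config(parse_yaml_subset(open("/etc/teleport.yaml").read())) against the real file. The parser covers only the constructs that appear in this article's configuration; a richer teleport.yaml is better loaded with PyYAML and passed to review_config as a dict.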
Creating and starting the Teleport service
Let's create a systemd unit for Teleport with the commands shown below.
$ sudo vim /etc/systemd/system/teleport.service
[Unit]
Description=Teleport SSH Service
After=network.target

[Service]
Type=simple
Restart=on-failure
EnvironmentFile=-/etc/default/teleport
ExecStart=/usr/local/bin/teleport start --pid-file=/run/teleport.pid
ExecReload=/bin/kill -HUP $MAINPID
PIDFile=/run/teleport.pid
LimitNOFILE=8192

[Install]
WantedBy=multi-user.target
Now reload the systemd daemon, then start and enable the service with the commands shown below.
$ sudo systemctl daemon-reload
$ sudo systemctl start teleport
$ sudo systemctl enable teleport
To check the status of the teleport service, run the command as shown below.
$ sudo systemctl status teleport.service
Creating the Teleport user and setting up two-factor authentication
To log in, you need a user with the right privileges. By default, Teleport enforces two-factor authentication, so we create a user named admin-user and enrol it with Google Authenticator. Other authentication options are available as well.
Run the command as shown below to create the user.
$ sudo tctl users add admin-user --roles=editor,access --logins=root,ubuntu,linuxways
As you can see, we grant this user the editor and access roles as administrative privileges, and allow it to log in to the servers in the Teleport cluster as root, ubuntu or linuxways.
After running the above command, you will see output like the screenshot below, with a link to set a password for the user.
Now, let's browse to that link and set a password for the user, enrolling two-factor authentication as shown in the screenshot below.
After you click Create Account, the Teleport web UI dashboard appears, showing the newly created user and the list of nodes the user can access. For further details, check the screenshot below.
Adding a node to the cluster
To add a new node to the Teleport cluster, first log in to Teleport:
$ tsh login --proxy=tele.example.com --auth=local --user=admin-user
Generate a join token with a limited lifetime; here we limit it to one hour.
$ tctl tokens add --type=node --ttl=1h
Now install the Teleport package on the new node. In our case the new node also runs Ubuntu, so go through the installation steps shown below.
$ curl https://deb.releases.teleport.dev/teleport-pubkey.asc | sudo apt-key add -
$ sudo add-apt-repository 'deb https://deb.releases.teleport.dev/ stable main'
$ sudo apt-get update
$ sudo apt install teleport
Now run the join command on the new node using the token created above. For further details, check the command as shown below.
In our case the new node's hostname is testserver, so we can verify it in the Teleport web UI under the Servers section, as shown in the picture below.
Accessing the added server
Now that the new node has been added, it is accessible from the web UI or from a terminal: click Connect and pick the preferred login user from the list. For further details, check the screenshot below.
In our case we selected root as the user; a new tab opens in which the new node can be accessed, as shown in the screenshot below.
As you can see, we can run commands on the new node "testserver" from the Teleport web UI.
Conclusion
In this article, you have learnt how to install Teleport on an Ubuntu 20.04 server and add a new node. Running commands on the added server through the Teleport web UI is easy. Thank you!
Karim Buzdar holds a degree in telecommunication engineering and holds several sysadmin certifications including CCNA RS, SCP, and ACE. As an IT engineer and technical author, he writes for various websites.