Efficiently Managing Access to Linux VMs with Teleport

On one of our client’s projects, the developers needed a fast and secure way to access a mixed cluster of cloud and on-prem servers, and the client’s IT manager also requested detailed oversight. The task was to implement a user-friendly solution, preferably with a nice GUI (Graphical User Interface). It was time for DevOps to deliver.

Bringing everybody onboard, securely!  
The client’s project originally started small, with just a few on-premises Linux servers and a small team of developers who worked on the machines. Remote SSH (Secure Socket Shell) access via SSH keys was perfectly suitable for everybody.
The project evolved and the team grew. A lot of new servers were added to the project, both on-prem and cloud instances. Access became more granular: only some people needed access to certain servers, at a precise time. Security became paramount.  
At this stage, all the project’s servers were moved behind a Bastion server and access was granted via terminal-based access scripts.
 
A few months passed and things kept scaling. Detailed auditing became paramount. There was a real need to keep track, instantly, of what everybody does, on which resource, for how long, and to record all the activity for reviewing. With so many people on the team now and with so many servers, security concerns grew too.  
For ease of use, the client’s IT manager also needed a graphical interface for managing everything, as opposed to the text menus that had been put in place together with the Bastion server.
Research led to a solution that seemed to fit all the client’s specs: Teleport.
Teleport – the “what”  

So, what is Teleport?

Teleport is an open-source infrastructure access platform designed to provide secure access to cloud computing resources and on-premises infrastructure. The program was created by Gravitational, a company founded in 2015 with the goal of making it easier for businesses to manage and secure their IT infrastructure.

Teleport is a certificate authority and identity-aware, multi-protocol access proxy which implements protocols such as SSH, RDP, HTTPS, Kubernetes API, and a variety of SQL and NoSQL databases. It is completely transparent to client-side tools and designed to work with everything in today’s DevOps ecosystem. 

The key concept of Teleport’s architecture is the cluster. A Teleport cluster consists of the Teleport Auth Service, Teleport Proxy Service, Teleport agents, and resources that you want to connect to such as Linux or Windows servers, databases, Kubernetes clusters, Windows desktops, and internal web apps. 

The Teleport web interface (image source https://goteleport.com/docs/try-out-teleport/digitalocean/)

From a high-level perspective, these are just some of the traits Teleport holds:

  • It provides a unified access interface for managing user access.
  • All the info on the resources administered via Teleport can be customized, so an admin can adapt it to their needs.
  • Accessing Teleport can be done securely, using MFA (Multi Factor Authentication), both via a GUI and via a Command Line Client (tsh). The GUI can be accessed either via a web browser, or by installing the Teleport Connect app, available for macOS, Linux and Windows.
  • As administrators, in Teleport we can create “roles”. Roles govern access to databases, SSH servers, Kubernetes clusters, Windows desktops, and web apps. In Teleport, any local, SSO, or robot user can be assigned one or several roles.
  • Once connected to a server in Teleport via the web browser or via the open-source Teleport Connect app, the user has direct access to a terminal window, in the browser or in the app.
  • An Audit log captures all the activity on the estate. An admin can see who was where, when, and for how long. On top of that, everything that everybody does on the resources administered through Teleport can be recorded as a video. Admins have instant access to all the recordings. This comes in handy both security-wise and training-wise.
  • Teleport has two tiers: the free tier called Community is great for testing and basic operations. There is also Teleport Enterprise which is a paid tier.
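The audit log bullet above promises answers to "who was where, when, and for how long". As an added example (not code from the original post or from the Teleport project), here is a small Python script that derives exactly that from Teleport-style JSON audit events. The sample events are constructed; field names such as `event`, `sid`, `login`, `server_hostname` and `addr.remote` follow the shape of Teleport's audit log as I know it, but the values, hostnames and event codes are made up for this example. It also handles the case a practitioner cares about: a session that has started but never ended.

```python
import json
from datetime import datetime

# Constructed sample of Teleport-style JSON audit events (one event per line).
# Field names mirror Teleport's audit log (event, code, time, user, login,
# server_hostname, sid, addr.remote); the values and event codes are made up
# for this example, not taken from a real cluster.
AUDIT_LINES = """\
{"event":"user.login","code":"T1000I","time":"2023-07-10T08:00:00Z","user":"alice","success":true,"addr.remote":"203.0.113.10:51000"}
{"event":"session.start","code":"T2000I","time":"2023-07-10T08:01:00Z","user":"alice","login":"ubuntu","server_hostname":"db-01","sid":"s-1","addr.remote":"203.0.113.10:51002"}
{"event":"user.login","code":"T1000W","time":"2023-07-10T08:05:00Z","user":"bob","success":false,"error":"invalid credentials","addr.remote":"198.51.100.7:40000"}
{"event":"session.end","code":"T2004I","time":"2023-07-10T08:31:00Z","user":"alice","login":"ubuntu","server_hostname":"db-01","sid":"s-1","session_start":"2023-07-10T08:01:00Z","session_stop":"2023-07-10T08:31:00Z"}
{"event":"session.start","code":"T2000I","time":"2023-07-10T09:00:00Z","user":"bob","login":"root","server_hostname":"web-02","sid":"s-2","addr.remote":"198.51.100.7:40010"}
"""


def parse_time(value):
    """Parse RFC 3339 timestamps; Python < 3.11 rejects a bare trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_events(text):
    """Turn JSON-lines audit output into a list of dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated line must not abort the whole report
    return events


def session_report(events):
    """Answer 'who was where, when, and for how long' per session id.

    Sessions with a start but no end yet are reported with duration_min=None
    so that still-open (or abruptly terminated) sessions stand out.
    """
    sessions = {}
    for ev in events:
        sid = ev.get("sid")
        if ev.get("event") == "session.start":
            sessions[sid] = {
                "user": ev.get("user"),
                "login": ev.get("login"),
                "host": ev.get("server_hostname"),
                "start": parse_time(ev["time"]),
                "stop": None,
                "duration_min": None,
            }
        elif ev.get("event") == "session.end" and sid in sessions:
            stop = parse_time(ev.get("session_stop", ev["time"]))
            sessions[sid]["stop"] = stop
            delta = stop - sessions[sid]["start"]
            sessions[sid]["duration_min"] = int(delta.total_seconds() // 60)
    return sessions


def failed_logins(events):
    """List (user, source IP) for every failed login, e.g. to spot password guessing."""
    out = []
    for ev in events:
        if ev.get("event") == "user.login" and not ev.get("success", False):
            ip = ev.get("addr.remote", "").rsplit(":", 1)[0]
            out.append((ev.get("user"), ip))
    return out


def privileged_sessions(events, logins=("root",)):
    """Session ids where someone logged in to a server as a privileged OS user."""
    return [ev["sid"] for ev in events
            if ev.get("event") == "session.start" and ev.get("login") in logins]


if __name__ == "__main__":
    evs = parse_events(AUDIT_LINES)
    for sid, s in session_report(evs).items():
        print(sid, s["user"], "as", s["login"], "on", s["host"], "for", s["duration_min"], "min")
    print("failed logins:", failed_logins(evs))
    print("root sessions:", privileged_sessions(evs))
```

In practice you would feed it the output of Teleport's audit export rather than the embedded string; the point is that the per-session view, the failed-login list and the "who used root" list all come from the same event stream, which is what the IT manager in the story wanted to review.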
Teleport – the “how”  

The foundation of Teleport’s architecture is the cluster. A Teleport cluster consists of the Teleport Services (Teleport Auth and Teleport Proxy), Teleport agents, and the resources that you want to connect to such as Linux or Windows servers, databases, Kubernetes clusters, Windows desktops, and internal web apps.

To create a minimal Teleport cluster, we need to launch three components:

 

  • Teleport Auth Service. The certificate authority of the cluster. It issues certificates to clients and maintains the audit log.
  • Teleport Proxy Service. The proxy allows access to cluster resources from the outside. Typically, it is the only service available from the public network.
  • Teleport agents. A Teleport agent runs in the same network as a target resource and speaks its native protocol, such as the SSH, Kubernetes API, HTTPS, PostgreSQL, and MySQL wire protocols.

The clients must authenticate with Teleport and receive a client certificate, which automatically works for all the resources in a cluster. Also, the users and servers must all join the same cluster before access can be granted.

To join a cluster, both users and servers must authenticate and receive certificates.

The CA of the cluster is the Teleport Auth Service, which issues certificates for both users and servers with all supported protocols.

 

To sum it up, Teleport is quite easy to implement: we install a Teleport server, to which we add the users and the resources. Installing the agents is as simple as running a single command generated by the server. We can access the server via the web-based client or via tsh.
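Adding users means assigning them the roles described earlier, and the roles are where least privilege is won or lost. As an added example (not code from the original post or from Teleport itself), the script below models two roles as Python dicts with the same shape as a Teleport role resource (`spec.allow.logins`, `spec.allow.node_labels`, `spec.deny`, `spec.options.max_session_ttl`, `spec.options.require_session_mfa`), checks them against a simple least-privilege policy, and shows how allow, deny and label matching decide who may log in where. Both roles, the 8-hour session limit and the MFA requirement are this example's own assumptions, not Teleport defaults; the deny-beats-allow rule follows Teleport's documented behaviour.

```python
import re

# Roles written as Python dicts with the same shape as a Teleport role YAML
# (kind/version/metadata/spec with allow, deny and options). Both roles are
# constructed for this example; the thresholds below (8h sessions, MFA
# required) are this example's own policy, not Teleport defaults.
WEAK_ROLE = {
    "kind": "role",
    "version": "v5",
    "metadata": {"name": "dev-everything"},
    "spec": {
        "allow": {"logins": ["root", "ubuntu"], "node_labels": {"*": "*"}},
        "deny": {},
        "options": {"max_session_ttl": "30h0m0s"},
    },
}

HARDENED_ROLE = {
    "kind": "role",
    "version": "v5",
    "metadata": {"name": "backend-dev"},
    "spec": {
        "allow": {"logins": ["ubuntu"], "node_labels": {"env": "dev", "team": "backend"}},
        "deny": {"logins": ["root"]},
        "options": {"max_session_ttl": "8h0m0s", "require_session_mfa": True},
    },
}

MAX_TTL_SECONDS = 8 * 3600  # policy assumption for this example


def ttl_seconds(ttl):
    """Convert a Go-style duration such as '8h0m0s' or '30m' to seconds."""
    total = 0
    for amount, unit in re.findall(r"(\d+)([hms])", ttl):
        total += int(amount) * {"h": 3600, "m": 60, "s": 1}[unit]
    return total


def label_matches(pattern, value):
    """Label match: '*' matches anything, otherwise the value must be exact."""
    return pattern == "*" or pattern == value


def allows(role, host_labels, login):
    """Decide whether `role` lets a user log in as `login` on a node with `host_labels`.

    Deny wins over allow, and every label the role lists must be present on
    the node and match; the '*': '*' pair matches every node.
    """
    spec = role["spec"]
    if login in spec.get("deny", {}).get("logins", []):
        return False
    if login not in spec["allow"].get("logins", []):
        return False
    for key, pattern in spec["allow"].get("node_labels", {}).items():
        if key == "*" and pattern == "*":
            continue  # wildcard: matches every node
        if key not in host_labels or not label_matches(pattern, host_labels[key]):
            return False
    return True


def role_findings(role):
    """Least-privilege review of one role; returns a list of findings (empty is good)."""
    spec = role["spec"]
    allow, deny, opts = spec.get("allow", {}), spec.get("deny", {}), spec.get("options", {})
    findings = []
    if "root" in allow.get("logins", []) and "root" not in deny.get("logins", []):
        findings.append("root is an allowed login")
    if allow.get("node_labels", {}).get("*") == "*":
        findings.append("node_labels is a wildcard: role reaches every server")
    if "max_session_ttl" not in opts or ttl_seconds(opts["max_session_ttl"]) > MAX_TTL_SECONDS:
        findings.append("max_session_ttl missing or longer than 8h")
    if not opts.get("require_session_mfa", False):
        findings.append("require_session_mfa is not enabled")
    return findings


if __name__ == "__main__":
    for role in (WEAK_ROLE, HARDENED_ROLE):
        print(role["metadata"]["name"], role_findings(role) or "OK")
    node = {"env": "dev", "team": "backend"}
    print("hardened, ubuntu on dev node:", allows(HARDENED_ROLE, node, "ubuntu"))
    print("hardened, root on dev node:", allows(HARDENED_ROLE, node, "root"))
```

The weak role is the kind that appears when a team "just wants access": every server, root included, with day-long sessions and no per-session MFA. The hardened role is scoped by labels, denies root explicitly (so a second, broader role assigned to the same user cannot reintroduce it), and keeps sessions short. A check like `role_findings` is cheap to run over every role exported from the cluster before it is applied.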

Teleport – the “why”

An image says a thousand words. We will go for the double of that:

Before Teleport (image source https://goteleport.com/)
After Teleport (image source https://goteleport.com/)
Wrapping it up: to Teleport or not to Teleport?

We implemented Teleport on a few clusters of Linux servers, and it does what it claims to do.

The IT Manager has a clear overview of the entire estate, of the current access level of everyone, and all the activity is logged into video files that can be easily previewed.

Every instance’s console can be accessed via the web interface too, in a tabbed way, which is a definite plus.

The developers love it because they can keep working in the terminal, via the tsh command-line client.

Using the Teleport platform for a few months now, we noticed one drawback, though: updates roll out often (one per week, as a loose average), so we must update the server and the clients accordingly, which can be a bit of a hassle sometimes. Other than that, the app (which is currently at version 13.3.4) is mature enough to be taken into serious consideration.
