Official documentation is located here: https://goteleport.com/docs/deploy-a-cluster/open-source/
apt install tmux
open 80/tcp and 443/tcp to reach Teleport and to let certbot verify the domain (standalone mode starts a temporary web server for the validation)
apt install certbot
certbot certonly --standalone -d (domain) --staple-ocsp -m (host)-certbot@(domain) --agree-tos
to test certificate renewal:
certbot renew --dry-run
nano demo-app/index.html
python3 -m http.server 9000 --directory demo-app
determine which architecture is in use (this is what I got on my RPi3)
getconf LONG_BIT
32
uname -a
Linux (host) 5.15.84-v7+ #1613 SMP Thu Jan 5 11:59:48 GMT 2023 armv7l GNU/Linux
download the package from the original source (choose Linux in the top-right corner at https://goteleport.com/download/#install-links), upload it to the destination and install it, or download it directly on the host:
wget https://cdn.teleport.dev/teleport_12.1.0_arm.deb
dpkg -i ./teleport_12.1.0_arm.deb
possible dependency fix, if needed:
apt-get -f install
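The installer script shown further down maps the host architecture to a Teleport package name ("Detected arch: armv7l, using Teleport arch arm") and validates the checksum of the download before running dpkg. When the .deb is fetched by hand as above, the same two checks can be done with the POSIX shell script below. It is an added example, not code from this page or from the Teleport project: the package name scheme and the cdn.teleport.dev base URL are taken from the wget line above, and the expected SHA256 digest is assumed to be supplied by the operator (for example from Teleport's download page), since no checksum source is given on this page.

```shell
#!/bin/sh
# Added example (not from the page or the Teleport project): pick the Teleport
# package name for this host's architecture and verify the downloaded .deb
# against an operator-supplied SHA256 digest before handing it to dpkg.
set -eu

# Map `uname -m` output to the arch suffix used in Teleport package names
# (armv7l -> arm as in the installer log; the other rows are the usual
# Teleport names and are an assumption of this script).
teleport_arch() {
    case "$1" in
        armv6l|armv7l) echo arm ;;
        aarch64|arm64) echo arm64 ;;
        x86_64|amd64)  echo amd64 ;;
        i386|i686)     echo 386 ;;
        *) echo "unsupported architecture: $1" >&2; return 1 ;;
    esac
}

# Build the .deb filename for a version and arch, e.g. teleport_12.1.0_arm.deb
teleport_deb_name() {
    printf 'teleport_%s_%s.deb\n' "$1" "$2"
}

# SHA256 with whatever tool is present: sha256sum (coreutils) or shasum (macOS,
# which is also what the installer log says it uses).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare a file's SHA256 with the expected digest: 0 on match, 1 otherwise.
verify_sha256() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# Download for this host's arch and verify. $1=version, $2=expected sha256.
# A mismatching file is deleted so it cannot be installed by accident.
download_and_verify() {
    arch=$(teleport_arch "$(uname -m)")
    deb=$(teleport_deb_name "$1" "$arch")
    curl -fsSL --retry 5 --retry-delay 5 -o "$deb" "https://cdn.teleport.dev/$deb"
    if verify_sha256 "$deb" "$2"; then
        echo "checksum ok: $deb, install with: dpkg -i ./$deb"
    else
        echo "checksum MISMATCH for $deb, not installing" >&2
        rm -f "$deb"
        return 1
    fi
}

# Only touch the network when invoked as: sh get-teleport.sh download 12.1.0 <sha256>
if [ "${1:-}" = "download" ]; then
    download_and_verify "$2" "$3"
fi
```

Run it as `sh get-teleport.sh download 12.1.0 <expected-sha256>`; with no arguments it only defines the functions, so it can be sourced and used piecemeal (for instance `verify_sha256 ./teleport_12.1.0_arm.deb <digest>` on a package that was uploaded from another machine).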
set the variables by executing the commands below and launch the configuration tool (the generated config is written to /etc/teleport.yaml)
DOMAIN=(domain)
EMAIL=(host)-teleport@(domain)
teleport configure --acme --acme-email=${EMAIL?} --cluster-name=${DOMAIN?} | tee /etc/teleport.yaml > /dev/null
add the web-based demo frontend as a Teleport application by editing the config file
nano /etc/teleport.yaml
app_service:
  enabled: yes
  apps:
  - name: "demo"
    uri: "http://localhost:9000"
    public_addr: "(domain)"
systemctl enable teleport
systemctl restart teleport
systemctl status teleport
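Editing /etc/teleport.yaml by hand works once; the script below writes the same app_service block into a teleport.yaml only if no top-level app_service key exists yet, so re-running it never produces a duplicate key, and it refuses app URIs that are not on loopback, since the app is meant to be reached through the Teleport proxy only. This is an added example, not code from this page or from the Teleport project: the path /etc/teleport.yaml, the app name "demo", the URI http://localhost:9000 and the two-space YAML layout come from the page, the rest is assumed.

```shell
#!/bin/sh
# Added example (not from the page or the Teleport project): add the demo
# app_service block to a teleport.yaml exactly once and sanity-check it.
set -eu

# Render the app_service block in the same layout the page uses.
render_app_service() {
    name=$1; uri=$2; public_addr=$3
    cat <<EOF
app_service:
  enabled: yes
  apps:
  - name: "$name"
    uri: "$uri"
    public_addr: "$public_addr"
EOF
}

# 0 if the file already has a top-level app_service key.
has_app_service() {
    grep -q '^app_service:' "$1"
}

# Number of top-level app_service keys in the file (should be 0 or 1).
count_app_service() {
    grep -c '^app_service:' "$1" || true
}

# Accept only http(s) URIs on localhost / 127.0.0.1, so the app is not
# reachable from the network except through the Teleport proxy.
is_loopback_uri() {
    case "$1" in
        http://localhost|http://localhost:*|http://localhost/*) return 0 ;;
        http://127.0.0.1|http://127.0.0.1:*|http://127.0.0.1/*) return 0 ;;
        https://localhost:*|https://127.0.0.1:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Append the block if missing. $1=config path $2=name $3=uri $4=public_addr
add_app_service() {
    cfg=$1
    if ! is_loopback_uri "$3"; then
        echo "refusing non-loopback app uri: $3" >&2
        return 1
    fi
    if has_app_service "$cfg"; then
        echo "app_service already present in $cfg, leaving it alone" >&2
        return 0
    fi
    render_app_service "$2" "$3" "$4" >> "$cfg"
}

# Only modify the live config when invoked as: sh add-app.sh apply (domain)
if [ "${1:-}" = "apply" ]; then
    add_app_service /etc/teleport.yaml demo http://localhost:9000 "$2"
    systemctl restart teleport
    systemctl status teleport --no-pager
fi
```

If `teleport configure` already emitted an app_service key, the script leaves the file untouched and reports it, so the block has to be merged by hand. The loopback check only helps if the demo app itself listens on loopback: `python3 -m http.server` binds to all interfaces by default, so start it with `--bind 127.0.0.1` to keep port 9000 from being reachable without going through Teleport.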
the login URL should look something like this: https://(domain)/web/login?redirect_uri=https://(domain)/web
tctl users add teleport-admin --roles=editor,access --logins=root,ubuntu,ec2-user
User "teleport-admin" has been created but requires a password. Share this URL with the user to complete user setup, link is valid for 1h:
https://(domain):443/web/invite/953f9ea8c84c???????8f630874638c
NOTE: Make sure (domain):443 points at a Teleport proxy which users can access (networking works properly).
open the link in a browser and set a password for the created user (normally this link is sent to the end user). A QR code for the OTP token will be shown; store it in any authenticator application and enter the OTP to finalize registration
choose "Server", press [Connect] and choose which OS user to use as login (the Teleport instance itself should be visible)
tctl users add (user) --roles=access --logins=(user)
it is not possible to add the Teleport host itself as a resource from the WebUI; for another host go to Servers > Add Server > Server [Next], copy-paste the shell command and execute it on the destination (new) server. It looks like internet access is needed, to reach https://get.gravitational.com/
root@(host):/home/(user)# bash -c "$(curl -fsSL https://(domain)/scripts/c1f0d3d9c6617773a230f89795b40a08/install-node.sh)"
2022-12-05 08:01:00 GMT [teleport-installer] TELEPORT_VERSION: 11.1.1
2022-12-05 08:01:00 GMT [teleport-installer] TARGET_HOSTNAME: (domain)
2022-12-05 08:01:00 GMT [teleport-installer] TARGET_PORT: 443
2022-12-05 08:01:00 GMT [teleport-installer] JOIN_TOKEN: c1f0d3d9c6617773a230f89795b40a08
2022-12-05 08:01:00 GMT [teleport-installer] CA_PIN_HASHES: sha256:94aa8871de87837e5a936f1963d4c6baf21a22031af87637122fcc636211e210
2022-12-05 08:01:00 GMT [teleport-installer] Checking TCP connectivity to Teleport server ((domain):443)
2022-12-05 08:01:00 GMT [teleport-installer] Connectivity to Teleport server (via nc) looks good
2022-12-05 08:01:00 GMT [teleport-installer] Detected host: linux-gnueabihf, using Teleport binary type linux
2022-12-05 08:01:01 GMT [teleport-installer] Detected arch: armv7l, using Teleport arch arm
2022-12-05 08:01:01 GMT [teleport-installer] Detected distro type: debian
2022-12-05 08:01:01 GMT [teleport-installer] Using Teleport distribution: deb
2022-12-05 08:01:01 GMT [teleport-installer] Created temp dir /tmp/teleport-Fol7L1QOSH
2022-12-05 08:01:01 GMT [teleport-installer] Downloading Teleport deb release 11.1.1
2022-12-05 08:01:01 GMT [teleport-installer] Running curl -fsSL --retry 5 --retry-delay 5 https://get.gravitational.com/teleport_11.1.1_arm.deb
2022-12-05 08:01:01 GMT [teleport-installer] Downloading to /tmp/teleport-Fol7L1QOSH/teleport_11.1.1_arm.deb
2022-12-05 08:01:57 GMT [teleport-installer] Downloaded file size: 103483964 bytes
2022-12-05 08:01:57 GMT [teleport-installer] Will use shasum -a 256 to validate the checksum of the downloaded file
[...]
2022-12-05 08:02:01 GMT [teleport-installer] The downloaded file's checksum validated correctly
2022-12-05 08:02:01 GMT [teleport-installer] Using dpkg to install /tmp/teleport-Fol7L1QOSH/teleport_11.1.1_arm.deb
Selecting previously unselected package teleport.
(Reading database ... 43613 files and directories currently installed.)
Preparing to unpack .../teleport_11.1.1_arm.deb ...
Unpacking teleport (11.1.1) ...
Setting up teleport (11.1.1) ...
2022-12-05 08:03:05 GMT [teleport-installer] Found: Teleport v11.1.1 git:v11.1.1-0-gbf4e8ea41 go1.19.2
2022-12-05 08:03:05 GMT [teleport-installer] Writing Teleport node service config to /etc/teleport.yaml
A Teleport configuration file has been created at "/etc/teleport.yaml".
To start Teleport with this configuration file, run:
sudo teleport start --config="/etc/teleport.yaml"
Note that starting a Teleport server with this configuration will require root access as:
- The Teleport configuration is located at "/etc/teleport.yaml".
- Teleport will be storing data at "/var/lib/teleport". To change that, run "teleport configure" with the "--data-dir" flag.
Happy Teleporting!
2022-12-05 08:03:06 GMT [teleport-installer] Host is using systemd
2022-12-05 08:03:06 GMT [teleport-installer] Starting Teleport via systemd. It will automatically be started whenever the system reboots.
Created symlink /etc/systemd/system/multi-user.target.wants/teleport.service → /lib/systemd/system/teleport.service.
Teleport has been started.
View its status with 'sudo systemctl status teleport.service'
View Teleport logs using 'sudo journalctl -u teleport.service'
To stop Teleport, run 'sudo systemctl stop teleport.service'
To start Teleport again if you stop it, run 'sudo systemctl start teleport.service'
You can see this node connected in the Teleport web UI or 'tsh ls' with the name '(host)'
Find more details on how to use Teleport here: https://goteleport.com/docs/user-manual/
the service can be checked with
root@(host):/home/(user)# systemctl status teleport
and in the WebUI the message below will appear:
The server successfully joined this Teleport cluster
click [Next] and choose the OS users who can connect to the new server, then choose which OS user to use for testing the connection
Step 2
Verify that the server is accessible
Testing complete
You have access to the Node.
Node is alive and reachable.
The requested principal is allowed.
"(user)" user exists in target node
you may test a session by connecting directly from the WebUI by pressing [Test session]
Finally, press [Finish]. The new server will appear in the list.
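The one-liner above fetches a script from the proxy and pipes it into bash, with the join token embedded in the URL and the CA pin only visible in the log. The added example below (not code from this page or from the Teleport project) joins a node with a short-lived token and an explicit CA pin instead, after the .deb has been installed on the new node as in the earlier step. It assumes "tctl tokens add --type=node --ttl=30m" and "tctl status" on the cluster node, and "teleport node configure" with --proxy, --token, --ca-pin and --output flags on the new node, as in Teleport's CLI reference; the token and pin formats are taken from the installer log above (32 hex characters, and sha256: followed by 64 hex characters), and the sample values in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the page or the Teleport project): node join with a
# short-lived token and a pinned cluster CA, no remote script piped into bash.
set -eu

# Default tctl join tokens are 32 lowercase hex characters (as in the log above).
# Constructed sample: 0123456789abcdef0123456789abcdef
valid_join_token() {
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# CA pins look like sha256:<64 hex chars>, matching the CA_PIN_HASHES log line.
# Constructed sample: sha256:0000...0000 (64 zeros)
valid_ca_pin() {
    pin=$1
    case "$pin" in
        sha256:*) ;;
        *) return 1 ;;
    esac
    hex=${pin#sha256:}
    case "$hex" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#hex}" -eq 64 ]
}

# --- run on the cluster (auth/proxy) node as root ---

# Issue a node token that expires in 30 minutes and print just the token.
issue_node_token() {
    tctl tokens add --type=node --ttl=30m | grep -o '[0-9a-f]\{32\}' | head -n 1
}

# Print the cluster CA pin so it can be carried to the new node out of band.
cluster_ca_pin() {
    tctl status | grep -o 'sha256:[0-9a-f]\{64\}' | head -n 1
}

# --- run on the new node as root, after installing the teleport .deb ---

# $1=proxy address e.g. (domain):443  $2=join token  $3=CA pin
# Inputs are format-checked first so a mangled copy-paste fails here, not at
# join time, and the pin guarantees we only talk to the intended cluster CA.
join_node() {
    proxy=$1; token=$2; pin=$3
    valid_join_token "$token" || { echo "bad join token format" >&2; return 1; }
    valid_ca_pin "$pin" || { echo "bad CA pin format" >&2; return 1; }
    teleport node configure \
        --proxy="$proxy" \
        --token="$token" \
        --ca-pin="$pin" \
        --output=file:///etc/teleport.yaml
    systemctl enable --now teleport
    systemctl status teleport --no-pager
}

# Usage:
#   cluster node:  sh join.sh issue        -> prints token, then CA pin
#   new node:      sh join.sh join (domain):443 <token> <ca-pin>
case "${1:-}" in
    issue) issue_node_token; cluster_ca_pin ;;
    join)  join_node "$2" "$3" "$4" ;;
esac
```

The token is single-purpose and expires on its own, and the CA pin is what lets the new node reject a proxy that is not backed by this cluster's CA, which is the property the curl-to-bash flow relies on the installer script to provide. After the join, the node shows up in the WebUI and in `tsh ls` exactly as with the scripted method.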
download and install the tsh client from https://goteleport.com/download/?os=mac and reopen the terminal so the 'tsh' command is found
(user)@(local) ~ % tsh login --proxy=(domain) --user=(local)
Enter password for Teleport user anton:
Enter your OTP token:
> Profile URL: https://(local):443
Logged in as: (user)
Cluster: (domain)
Roles: access
Logins: (user), -teleport-internal-join
Kubernetes: enabled
Valid until: 2023-03-14 05:58:00 +0300 +03 [valid for 12h0m0s]
Extensions: login-ip, permit-agent-forwarding, permit-port-forwarding, permit-pty, private-key-policy
tsh ls
Node Name Address Labels
--------- -------------- ----------------
(host) 127.0.0.1:3022 hostname=(host)
tsh ssh (user)@(host)