{"id":11857,"date":"2022-03-18T23:35:35","date_gmt":"2022-03-18T20:35:35","guid":{"rendered":"https:\/\/kifarunix.com\/?p=11857"},"modified":"2024-03-09T11:08:08","modified_gmt":"2024-03-09T08:08:08","slug":"install-and-setup-teleport-access-plane-on-linux","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-and-setup-teleport-access-plane-on-linux\/","title":{"rendered":"Install and Setup Teleport Access Plane on Linux"},"content":{"rendered":"\n<p>In this tutorial, you will learn how to install and setup Teleport access plane on Linux. According to the <a href=\"https:\/\/goteleport.com\/docs\/\" target=\"_blank\" rel=\"noreferrer noopener\">documentation page<\/a>, Teleport is a Certificate Authority and an Access Plane for your infrastructure. With Teleport you can:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Set up Single Sign-On and have one place to access your SSH servers, Kubernetes, Databases, Desktops, and Web Apps.<\/li>\n\n\n\n<li>Use your favorite programming language to define access policies to your infrastructure.<\/li>\n\n\n\n<li>Share and record interactive sessions across all environments.<\/li>\n<\/ul>\n\n\n\n<p>Some of the notable features for Teleport include;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Server Access<\/strong>: Single Sign-On, short-lived certificates, and audit for SSH servers.<\/li>\n\n\n\n<li><strong>Application Access<\/strong>: Provide secure access to internal dashboards and web applications.<\/li>\n\n\n\n<li><strong>Kubernetes Access<\/strong>: Single Sign-On, audit and unified access for Kubernetes clusters.<\/li>\n\n\n\n<li><strong>Database Access<\/strong>: Secure access to SQL and NoSQL databases.<\/li>\n\n\n\n<li><strong>Desktop Access<\/strong>: Secure browser-based access to desktop environments.<\/li>\n\n\n\n<li><strong>Cloud<\/strong>: Connect your nodes, web apps, kubernetes clusters and databases to Teleport as a service.<\/li>\n\n\n\n<li><strong>Enterprise<\/strong>: OIDC, 
SAML, compliance controls and commercial support.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Install and Setup Teleport Access Plane on Linux<\/h2>\n\n\n\n<p>Teleport is available in two editions: community and enterprise edition.<\/p>\n\n\n\n<p>We will be using the community edition in this example setup.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Install Teleport on Linux<\/h3>\n\n\n\n<p>In this example tutorial, we are using an Ubuntu 20.04 system. Hence, to install Teleport on Ubuntu 20.04 Linux server;<\/p>\n\n\n\n<p>Install Teleport repository GPG signing key;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>wget -qO- https:\/\/deb.releases.teleport.dev\/teleport-pubkey.asc \\\n| gpg --dearmor &gt; \/etc\/apt\/trusted.gpg.d\/teleport.gpg<\/code><\/pre>\n\n\n\n<p>Install Teleport repository on Ubuntu 20.04;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>echo \"deb https:\/\/deb.releases.teleport.dev\/ stable main\" &gt; \/etc\/apt\/sources.list.d\/teleport.list<\/code><\/pre>\n\n\n\n<p>Update package cache;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt update<\/code><\/pre>\n\n\n\n<p>Install Teleport on Ubuntu 20.04 Linux;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install teleport<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Configure Teleport on Linux<\/h3>\n\n\n\n<p>Next, you need to configure Teleport for secure SSH access.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Set DNS resolvable hostnames for Teleport Server<\/li>\n<\/ul>\n\n\n\n<p>Set the hostname of the Teleport server and update the DNS records accordingly.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>hostnamectl set-hostname teleport.kifarunix-demo.com<\/code><\/pre>\n\n\n\n<p>If you don&#8217;t have a DNS server, set the name resolution on hosts file;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>echo \"192.168.59.23 teleport.kifarunix-demo.com teleport\" &gt;&gt; \/etc\/hosts<\/code><\/pre>\n\n\n\n<p>Update your domain names accordingly.<\/p>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>Generate SSL\/TLS certificates for Teleport Server<\/li>\n<\/ul>\n\n\n\n<p>For secure access to the Teleport web interface, you need to generate SSL\/TLS certificates. These can be commercially signed certificates (if your Teleport instance is public facing) or self-signed ones (if your instance is local).<\/p>\n\n\n\n<p>In this setup, we will use self-signed SSL certs, so run the command below to generate them.<\/p>\n\n\n\n<p>NOTE: The certificate must have a subject that corresponds to the domain of your Teleport host, e.g.,&nbsp;<code>*.kifarunix-demo.com<\/code>. Replace the domain names accordingly.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>openssl req -x509 -nodes -newkey rsa:4096 \\\n-keyout \/var\/lib\/teleport\/teleport.key \\\n-out \/var\/lib\/teleport\/teleport.pem -sha256 -days 3650 \\\n-subj \"\/C=US\/ST=Oregon\/L=Portland\/O=Company Name\/OU=Org\/CN=*.kifarunix-demo.com\"<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Generate Teleport Configuration file<\/li>\n<\/ul>\n\n\n\n<p>Once you have set up the domain name and generated the SSL certs, run the command below to generate the Teleport configuration file.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>teleport configure -o \/etc\/teleport.yaml  \\\n    --cluster-name=kifarunix-demo.com \\\n    --public-addr=teleport.kifarunix-demo.com:443 \\\n    --cert-file=\/var\/lib\/teleport\/teleport.pem \\\n    --key-file=\/var\/lib\/teleport\/teleport.key<\/code><\/pre>\n\n\n\n<p>This is the sample configuration file;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat \/etc\/teleport.yaml<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>version: v2\nteleport:\n  nodename: ubuntu20\n  data_dir: \/var\/lib\/teleport\n  log:\n    output: stderr\n    severity: INFO\n    format:\n      output: text\n  ca_pin: []\n  diag_addr: \"\"\nauth_service:\n  enabled: \"yes\"\n  listen_addr: 0.0.0.0:3025\n  cluster_name: kifarunix-demo.com\n  proxy_listener_mode: 
multiplex\nssh_service:\n  enabled: \"yes\"\n  labels:\n    env: example\n  commands:\n  - name: hostname\n    command: [hostname]\n    period: 1m0s\nproxy_service:\n  enabled: \"yes\"\n  web_listen_addr: 0.0.0.0:443\n  public_addr: teleport.kifarunix-demo.com:443\n  https_keypairs:\n  - key_file: \/var\/lib\/teleport\/teleport.key\n    cert_file: \/var\/lib\/teleport\/teleport.pem\n  acme: {}\n<\/code><\/pre>\n\n\n\n<p>You can create your config file and you can test its validity using the <strong><code>--test<\/code><\/strong> option.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>teleport configure --test \/etc\/teleport.yaml<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Start Teleport Service<\/li>\n<\/ul>\n\n\n\n<p>Next, start and enable Teleport service to run on system boot;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl enable --now teleport<\/code><\/pre>\n\n\n\n<p>Check the status;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl status teleport<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n\u25cf teleport.service - Teleport SSH Service\n     Loaded: loaded (\/lib\/systemd\/system\/teleport.service; enabled; vendor preset: enabled)\n     Active: active (running) since Sat 2022-03-18 15:02:19 UTC; 24s ago\n   Main PID: 2144 (teleport)\n      Tasks: 8 (limit: 2274)\n     Memory: 36.2M\n     CGroup: \/system.slice\/teleport.service\n             \u2514\u25002144 \/usr\/local\/bin\/teleport start --pid-file=\/run\/teleport.pid\n\nMar 18 15:02:21 teleport.kifarunix-demo.com teleport[2144]: 2022-03-18T15:02:21Z [DB:SERVIC] INFO Starting Postgres proxy server on 0.0.0.0:443. service\/service.go:3158\nMar 18 15:02:21 teleport.kifarunix-demo.com teleport[2144]: 2022-03-18T15:02:21Z [DB:SERVIC] INFO Starting Database TLS proxy server on 0.0.0.0:443. service\/service.go:3176\nMar 18 15:02:21 teleport.kifarunix-demo.com teleport[2144]: 2022-03-18T15:02:21Z [PROXY:SER] INFO Starting proxy gRPC server on [::]:443. 
service\/service.go:3210\nMar 18 15:02:21 teleport.kifarunix-demo.com teleport[2144]: 2022-03-18T15:02:21Z [PROXY:SER] INFO Starting TLS ALPN SNI proxy server on [::]:443. service\/service.go:3239\nMar 18 15:02:21 teleport.kifarunix-demo.com teleport[2144]: 2022-03-18T15:02:21Z INFO [NODE:1:CA] Cache \"node\" first init succeeded. cache\/cache.go:742\nMar 18 15:02:21 teleport.kifarunix-demo.com teleport[2144]: 2022-03-18T15:02:21Z [PROC:1]    INFO Service node is creating new listener on 0.0.0.0:3022. service\/signals.go>\nMar 18 15:02:21 teleport.kifarunix-demo.com teleport[2144]: 2022-03-18T15:02:21Z [NODE:1]    INFO Service 9.0.1:v9.0.1-0-g7bbe6f15c is starting on 0.0.0.0:3022 sqlite cach>\nMar 18 15:02:21 teleport.kifarunix-demo.com teleport[2144]: 2022-03-18T15:02:21Z [NODE:1]    INFO Service 9.0.1:v9.0.1-0-g7bbe6f15c is starting on 0.0.0.0:3022. utils\/cli.>\nMar 18 15:02:21 teleport.kifarunix-demo.com teleport[2144]: [NODE]         Service 9.0.1:v9.0.1-0-g7bbe6f15c is starting on 0.0.0.0:3022.\nMar 18 15:02:21 teleport.kifarunix-demo.com teleport[2144]: 2022-03-18T15:02:21Z [PROC:1]    INFO The new service has started successfully. Starting syncing rotation\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create Teleport Admin User<\/li>\n<\/ul>\n\n\n\n<p>Run the command below to generate Teleport admin user. The Teleport users can be created using the tctl command in the format;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>tctl users add --roles=ROLES &#91;&lt;flags&gt;] &lt;account&gt;<\/code><\/pre>\n\n\n\n<p>Thus;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>tctl users add --roles=editor,access kifarunix-admin<\/code><\/pre>\n\n\n\n<p>To get the permissions of the role;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>tctl get role\/role<\/code><\/pre>\n\n\n\n<p>For example;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>tctl get role\/editor<\/code><\/pre>\n\n\n\n<p>tctl will generate a signup token and give you a URL to share with a user. 
A user will have to complete account creation by visiting the URL.<\/p>\n\n\n\n<p>Sample command output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>User \"kifarunix-admin\" has been created but requires a password. Share this URL with the user to complete user setup, link is valid for 1h:\nhttps:\/\/teleport.kifarunix-demo.com:443\/web\/invite\/1c2fd60cad32df99a65b75081f78bbda\n\nNOTE: Make sure teleport.kifarunix-demo.com:443 points at a Teleport proxy which users can access.\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Finalize Teleport Setup on Browser<\/li>\n<\/ul>\n\n\n\n<p>You can now access the link provided, which is valid for one hour (the default; it can be adjusted using the <code>--ttl<\/code> option).<\/p>\n\n\n\n<p>If a firewall is running on the server, ensure you open port 443\/tcp to allow external access.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>https:&#47;&#47;teleport.kifarunix-demo.com:443\/web\/invite\/1c2fd60cad32df99a65b75081f78bbda<\/code><\/pre>\n\n\n\n<p>Open the URL in a browser.<\/p>\n\n\n\n<p>Click <strong>Get Started<\/strong> to create an account.<\/p>\n\n\n\n<p>Set the password for your account and generate a 2FA code by scanning the QR code using any authenticator app. 
I used Duo Mobile in this example.<\/p>\n\n\n\n<p>Enter the 2FA code and proceed to create Teleport admin account.<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/03\/teleport-account.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1223\" height=\"888\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/03\/teleport-account.png\" alt=\"Install and Setup Teleport Access Plane on Linux\" class=\"wp-image-11864\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/03\/teleport-account.png?v=1647635701 1223w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/03\/teleport-account-768x558.png?v=1647635701 768w\" sizes=\"(max-width: 1223px) 100vw, 1223px\" \/><\/figure><\/a><\/div>\n\n\n\n<p>And there you go.<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/03\/teleport-web-interface.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1904\" height=\"696\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/03\/teleport-web-interface.png\" alt=\"Install and Setup Teleport Access Plane on Linux\" class=\"wp-image-11865\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/03\/teleport-web-interface.png?v=1647635723 1904w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/03\/teleport-web-interface-768x281.png?v=1647635723 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/03\/teleport-web-interface-1536x561.png?v=1647635723 1536w\" sizes=\"(max-width: 1904px) 100vw, 1904px\" \/><\/figure><\/a><\/div>\n\n\n\n<p>You can now proceed to add servers for secure access to the Teleport access plane.<\/p>\n\n\n\n<p>Read more on <a href=\"https:\/\/goteleport.com\/docs\/setup\/admin\/\" target=\"_blank\" rel=\"noreferrer noopener\">Teleport Admin Guide<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Other 
Tutorials<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/mount-remote-filesystem-over-ssh-using-sshfs\/\" target=\"_blank\" rel=\"noreferrer noopener\">Mount Remote Filesystem Over SSH using SSHFS<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/connect-to-vnc-server-via-ssh-tunnel\/\" target=\"_blank\" rel=\"noreferrer noopener\">Connect to VNC Server via SSH Tunnel<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/monitor-linux-hosts-using-nagios-check_by_ssh-plugin\/\" target=\"_blank\" rel=\"noreferrer noopener\">Monitor Linux Hosts using Nagios check_by_ssh Plugin<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, you will learn how to install and setup Teleport access plane on Linux. According to the documentation page, Teleport is a Certificate<\/p>\n","protected":false},"author":1,"featured_media":11869,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121],"tags":[4705,4706,4707,4709,4710,4708],"class_list":["post-11857","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","tag-install-and-setup-teleport-access-plane-on-linux","tag-install-teleport-on-linux","tag-install-teleport-on-ubuntu-20-04","tag-linux-server-secure-ssh-access","tag-teleport","tag-teleport-secure-ssh-access-install","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/11857"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=11857"}],"version-history":[{"count":9,"href":"https:\
/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/11857\/revisions"}],"predecessor-version":[{"id":20441,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/11857\/revisions\/20441"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/11869"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=11857"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=11857"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=11857"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}