Setup Secure SSH Access on Linux Servers using Teleport (kifarunix.com, published 2022-03-19, last modified 2024-03-09; https://kifarunix.com/setup-secure-ssh-access-on-linux-servers-using-teleport/)

In this tutorial, you will learn how to set up secure SSH access on Linux servers using Teleport. In our previous guide, we learnt how to install and set up the Teleport Access Plane on Linux, specifically on an Ubuntu 20.04 system.

Install and Setup Teleport Access Plane on Linux

Setup Secure SSH Access on Linux Servers using Teleport

To install Teleport;

Add Remote SSH Server to Teleport Cluster Server

There are two ways to add remote Linux SSH servers to the Teleport cluster server so that you can securely SSH into them:

1. Automatically add SSH servers into Teleport Cluster Server
2. Manually add SSH servers into Teleport Cluster Server

Automatically add SSH servers into Teleport Cluster Server

On the Teleport server, you can generate a script to run on the SSH server you want to add to the Teleport cluster.

The script installs Teleport on the remote host and automatically enrolls that host as a node in the Teleport cluster.

To get the script, log in to the Teleport web interface and click Add Server under the Servers menu tab.

[Screenshot: Add Server under the Servers tab in the Teleport web UI]

You will then see a wizard like the one below, with a generated script that is valid for 4 hours.

[Screenshot: Add Server wizard showing the generated installer script]

Copy the script and execute it on the remote host you want to add to the Teleport cluster server.

First, ensure that the remote host can reach the Teleport server.

For example, on my remote Ubuntu server, check the connection to the Teleport server port;

nc -vz teleport.kifarunix-demo.com 443

Sample command output;

Connection to teleport.kifarunix-demo.com 443 port [tcp/*] succeeded!

Next, run the command generated on the Teleport server on the remote host to add it to the cluster;

sudo bash -c "$(curl -fsSL https://teleport.kifarunix-demo.com/scripts/4c4562439fe63111bf439011960aaa3d/install-node.sh)"

If you are using self-signed SSL certs, be sure to disable peer certificate verification by adding the -k/--insecure option to the curl command.

sudo bash -c "$(curl -kfsSL https://teleport.kifarunix-demo.com/scripts/4c4562439fe63111bf439011960aaa3d/install-node.sh)"

When you run the script, this is the sample output;

2022-03-19 20:30:03 CET [teleport-installer] TELEPORT_VERSION: 9.0.1
2022-03-19 20:30:03 CET [teleport-installer] TARGET_HOSTNAME: teleport.kifarunix-demo.com
2022-03-19 20:30:03 CET [teleport-installer] TARGET_PORT: 443
2022-03-19 20:30:03 CET [teleport-installer] JOIN_TOKEN: 86fe4487700dd68963947575a0ab1061
2022-03-19 20:30:03 CET [teleport-installer] CA_PIN_HASHES: sha256:d16c9ee6fd3188787d04b80905a5607ac0c38f7d6c12f3a29bd9962762914065
2022-03-19 20:30:03 CET [teleport-installer] Checking TCP connectivity to Teleport server (teleport.kifarunix-demo.com:443)
2022-03-19 20:30:03 CET [teleport-installer] Connectivity to Teleport server (via nc) looks good
2022-03-19 20:30:03 CET [teleport-installer] Detected host: linux-gnu, using Teleport binary type linux
2022-03-19 20:30:03 CET [teleport-installer] Detected arch: x86_64, using Teleport arch amd64
2022-03-19 20:30:03 CET [teleport-installer] Detected distro type: debian
2022-03-19 20:30:03 CET [teleport-installer] Using Teleport distribution: deb
2022-03-19 20:30:03 CET [teleport-installer] Created temp dir /tmp/teleport-v4FsTm6AhJ
2022-03-19 20:30:03 CET [teleport-installer] Downloading Teleport deb release 9.0.1
2022-03-19 20:30:03 CET [teleport-installer] Running curl -fsSL --retry 5 --retry-delay 5 https://get.gravitational.com/teleport_9.0.1_amd64.deb
2022-03-19 20:30:03 CET [teleport-installer] Downloading to /tmp/teleport-v4FsTm6AhJ/teleport_9.0.1_amd64.deb
2022-03-19 20:31:00 CET [teleport-installer] Downloaded file size: 92653228 bytes
2022-03-19 20:31:00 CET [teleport-installer] Will use shasum -a 256 to validate the checksum of the downloaded file
2022-03-19 20:31:02 CET [teleport-installer] The downloaded file's checksum validated correctly
2022-03-19 20:31:02 CET [teleport-installer] Using dpkg to install /tmp/teleport-v4FsTm6AhJ/teleport_9.0.1_amd64.deb
Selecting previously unselected package teleport.
(Reading database ... 104426 files and directories currently installed.)
Preparing to unpack .../teleport_9.0.1_amd64.deb ...
Unpacking teleport (9.0.1) ...
Setting up teleport (9.0.1) ...
2022-03-19 20:31:20 CET [teleport-installer] Found: Teleport v9.0.1 git:v9.0.1-0-g7bbe6f15c go1.17.7
2022-03-19 20:31:20 CET [teleport-installer] Writing Teleport node service config to /etc/teleport.yaml
2022-03-19 20:31:20 CET [teleport-installer] Host is using systemd
2022-03-19 20:31:20 CET [teleport-installer] Starting Teleport via systemd. It will automatically be started whenever the system reboots.

Teleport has been started.

View its status with 'sudo systemctl status teleport.service'
View Teleport logs using 'sudo journalctl -u teleport.service'
To stop Teleport, run 'sudo systemctl stop teleport.service'
To start Teleport again if you stop it, run 'sudo systemctl start teleport.service'

You can see this node connected in the Teleport web UI or 'tsh ls' with the name 'cms.kifarunix-demo.com'
Find more details on how to use Teleport here: https://goteleport.com/docs/user-manual/
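The installer output above prints the CA pin that the node will trust and confirms the package checksum. As an added check (this script is not part of the kifarunix.com post or of Teleport's tooling), the POSIX shell functions below compare the pin the installer printed with the pin the auth server reports via tctl status, and confirm the checksum line is present; the hostname, pin values and log lines are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the kifarunix.com post nor Teleport's own tooling):
# before trusting a freshly enrolled node, compare the CA pin the installer
# printed on the node with the pin the auth server reports (`tctl status`),
# and confirm the installer verified the package checksum.
# The log excerpt and the "expected" pin below are constructed sample values.

# Constructed excerpt of install-node.sh output, as captured on the node.
INSTALLER_LOG=$(cat <<'EOF'
2022-03-19 20:30:03 CET [teleport-installer] TELEPORT_VERSION: 9.0.1
2022-03-19 20:30:03 CET [teleport-installer] TARGET_HOSTNAME: teleport.example.test
2022-03-19 20:30:03 CET [teleport-installer] CA_PIN_HASHES: sha256:1111111111111111111111111111111111111111111111111111111111111111
2022-03-19 20:31:02 CET [teleport-installer] The downloaded file's checksum validated correctly
EOF
)

# Pin as reported by `tctl status` on the auth server (constructed here).
EXPECTED_PINS='sha256:1111111111111111111111111111111111111111111111111111111111111111'

# Print the pin(s) announced by the installer, one per line.
# Assumes that multiple pins, if any, are comma-separated.
installer_ca_pins() {
  printf '%s\n' "$1" | sed -n 's/.*CA_PIN_HASHES: *//p' | tr ',' '\n' | tr -d ' '
}

# Exit 0 only when every installer pin is well-formed (sha256: + 64 hex chars)
# and appears in the expected list; $1 = installer log, $2 = expected pins.
verify_ca_pins() {
  pins=$(installer_ca_pins "$1")
  [ -n "$pins" ] || return 1
  for pin in $pins; do
    case "$pin" in sha256:*) ;; *) return 1 ;; esac
    printf '%s' "${pin#sha256:}" | grep -qxE '[0-9a-f]{64}' || return 1
    printf '%s\n' $2 | grep -qxF "$pin" || return 1
  done
  return 0
}

# Exit 0 only if the installer confirmed the package checksum.
checksum_validated() {
  printf '%s\n' "$1" | grep -q 'checksum validated correctly'
}

if verify_ca_pins "$INSTALLER_LOG" "$EXPECTED_PINS" && checksum_validated "$INSTALLER_LOG"; then
  echo "node enrolment looks trustworthy: CA pin matches and checksum verified"
else
  echo "STOP: CA pin mismatch or unverified download; do not keep this node" >&2
fi
```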

If you are using self-signed SSL/TLS certs, also update the Teleport service unit file so that the service starts with peer certificate verification disabled.

sed -i 's|teleport start|teleport start --insecure|' /lib/systemd/system/teleport.service
systemctl daemon-reload

Restart the Teleport agent;

sudo systemctl restart teleport.service

Check the status;

systemctl status teleport.service
● teleport.service - Teleport SSH Service
   Loaded: loaded (/lib/systemd/system/teleport.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2022-03-19 20:40:36 EAT; 2s ago
 Main PID: 2599 (teleport)
    Tasks: 9 (limit: 2317)
   CGroup: /system.slice/teleport.service
           └─2599 /usr/local/bin/teleport start --insecure --pid-file=/run/teleport.pid

Mar 19 20:40:36 cms.kifarunix-demo.com teleport[2599]: 2022-03-19T20:40:36+03:00 INFO [AUDIT:1]   Creating directory /var/lib/teleport/log/upload. service/service.go:2115
Mar 19 20:40:36 cms.kifarunix-demo.com teleport[2599]: 2022-03-19T20:40:36+03:00 INFO [AUDIT:1]   Creating directory /var/lib/teleport/log/upload/sessions. service/service.
Mar 19 20:40:36 cms.kifarunix-demo.com teleport[2599]: 2022-03-19T20:40:36+03:00 INFO [AUDIT:1]   Creating directory /var/lib/teleport/log/upload/sessions/default. service/
Mar 19 20:40:36 cms.kifarunix-demo.com teleport[2599]: 2022-03-19T20:40:36+03:00 INFO [AUDIT:1]   Creating directory /var/lib/teleport/log. service/service.go:2115
Mar 19 20:40:36 cms.kifarunix-demo.com teleport[2599]: 2022-03-19T20:40:36+03:00 INFO [AUDIT:1]   Creating directory /var/lib/teleport/log/upload. service/service.go:2115
Mar 19 20:40:36 cms.kifarunix-demo.com teleport[2599]: 2022-03-19T20:40:36+03:00 INFO [AUDIT:1]   Creating directory /var/lib/teleport/log/upload/streaming. service/service
Mar 19 20:40:36 cms.kifarunix-demo.com teleport[2599]: 2022-03-19T20:40:36+03:00 INFO [AUDIT:1]   Creating directory /var/lib/teleport/log/upload/streaming/default. service
Mar 19 20:40:36 cms.kifarunix-demo.com teleport[2599]: 2022-03-19T20:40:36+03:00 INFO [NODE:1]    Service is starting in tunnel mode. service/service.go:2025
Mar 19 20:40:36 cms.kifarunix-demo.com teleport[2599]: 2022-03-19T20:40:36+03:00 INFO [PROC:1]    The new service has started successfully. Starting syncing rotation status
Mar 19 20:40:36 cms.kifarunix-demo.com teleport[2599]: 2022-03-19T20:40:36+03:00 [NODE:PROX] INFO Connected. addr:192.168.100.131:60784 remote-addr:192.168.100.129:443 leas...

Your remote server should now be listed under the Servers tab on the Teleport server.

Note that if you created the Teleport user without defining the logins (OS usernames) they may use on remote servers (tctl users add --roles=editor,access kifarunix-admin), the servers won't show up on the Servers tab.

Hence, navigate to Team > Roles. Under the access role, click OPTIONS and edit the role.

Under the logins option, define all the OS usernames that the Teleport user may use to log in to remote systems. See the screenshot below.

[Screenshot: editing the logins field of the access role in the Teleport web UI]

Save the changes when done, then refresh the Servers tab.

Manually add SSH servers into Teleport Cluster Server

On the remote Linux nodes you want secure SSH access to, log in and install Teleport.

In this example setup, we have two remote Linux systems for the demo: one Ubuntu system and one Rocky Linux system.

To install Teleport on Ubuntu/Debian systems;