Teleport is an open-source, easy-to-install certificate authority and access system. If you have servers reachable over SSH, Kubernetes clusters, databases, and web applications, Teleport brings them together on one platform that acts as an access plane to all of that infrastructure. It can also share and record interactive sessions across all environments, and it runs as a systemd service.

Here at LinuxAPT, we shall look into how to install Teleport on an Ubuntu 20.04 server.


Steps to install teleport on Ubuntu Linux system

Note that the Teleport core service (teleport) and the admin tool (tctl) are designed to run on Linux and macOS. The Teleport user client (tsh) and the Web UI are available for Linux, macOS and other operating systems.


Prerequisites to be met before proceeding with the installation include:

  • A Linux machine with a port 443 open.
  • A two-factor authenticator app such as Authy, Google Authenticator, or Microsoft Authenticator.
  • An SSH client like OpenSSH.
  • Access to a DNS service such as Amazon Route 53 or CoreDNS.


If you want 32-bit or ARM binaries, check the latest release page at https://goteleport.com/teleport/download/ . To install the 64-bit Teleport binaries, run the commands below.

To install the public key of teleport, run the command:

$ curl https://deb.releases.teleport.dev/teleport-pubkey.asc | sudo apt-key add -

To add repo to APT, run the command:

$ sudo add-apt-repository 'deb https://deb.releases.teleport.dev/ stable main'

To update APT Cache, run the command:

$ sudo apt-get update

Finally to Install Teleport, run the command:

$ sudo apt install teleport


How to configure teleport ?

Teleport is configured through a YAML file, /etc/teleport.yaml. Open it with your favorite editor, check the settings and save it in YAML format:

$ sudo vim /etc/teleport.yaml
teleport:
  nodename: linuxapt
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
    format:
      output: text
  ca_pin: []
  diag_addr: ""
auth_service:
  enabled: "yes"
  cluster_name: "teleport"
  listen_addr: 0.0.0.0:3025
  tokens:
    - proxy,node,app:e6cebf660b1f3390f204130b9649
  public_addr: 5.22.209.65:3025
ssh_service:
  enabled: "yes"
  labels:
    env: example
  commands:
    - name: hostname
      command: [hostname]
      period: 1m0s
app_service:
  enabled: "yes"
  debug_app: true
proxy_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3023
  web_listen_addr: 0.0.0.0:3080
  tunnel_listen_addr: 0.0.0.0:3024
  public_addr: 5.22.209.65:3080

For the configuration to work, the directory /var/lib/teleport must have permissions that let teleport and tctl read and write it without issue. Run the command below for that purpose:

$ sudo chmod 755 -R /var/lib/teleport/


How to configure Domain Name System ?

The Teleport proxy needs a certificate for HTTPS. You can use a certificate you already have, create a self-signed certificate, or add a DNS record such as tele.example.com pointing to your public IP and let Teleport request a TLS certificate from Let's Encrypt automatically via the ACME protocol. With ACME, Let's Encrypt accesses an HTTP endpoint on your Teleport host to complete the authentication challenge. Note that -o file writes the generated configuration to /etc/teleport.yaml, replacing the file edited above:

$ sudo teleport configure --acme --acme-email=your-email@example.com --cluster-name=tele.example.com -o file

Or create a self-signed certificate:

$ sudo openssl req -x509 -days 365 -nodes -newkey rsa:2048 -keyout /etc/pki/tls/private/teleport.key -out /etc/pki/tls/certs/teleport.crt

After creating the certificate, add the key and certificate to the Teleport configuration under proxy_service:

$ sudo vim /etc/teleport.yaml
teleport:
  nodename: linuxapt
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
    format:
      output: text
  ca_pin: []
  diag_addr: ""
auth_service:
  enabled: "yes"
  cluster_name: "teleport"
  listen_addr: 0.0.0.0:3025
  tokens:
    - proxy,node,app:e6cebf660b1f3390f204130b9649
  public_addr: 5.22.209.65:3025
ssh_service:
  enabled: "yes"
  labels:
    env: example
  commands:
    - name: hostname
      command: [hostname]
      period: 1m0s
app_service:
  enabled: "yes"
  debug_app: true
proxy_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3023
  web_listen_addr: 0.0.0.0:3080
  tunnel_listen_addr: 0.0.0.0:3024
  public_addr: 5.22.209.65:3080
  https_keypairs:
    - key_file: /etc/pki/tls/private/teleport.key
      cert_file: /etc/pki/tls/certs/teleport.crt
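Before restarting Teleport, a quick pre-flight check of the hand-edited file is worth running. The script below is an added example for this article, not Teleport's own tooling; the function name check_teleport_config and the file paths are assumptions. It flags typographic quotes (which YAML keeps as part of the value), key or certificate paths that do not exist, and private keys that other users can read.

```shell
#!/bin/sh
# Pre-flight check for a hand-edited /etc/teleport.yaml.
# Added example for this article; not part of Teleport. Function name and
# all paths are assumptions. Catches three problems a config like the one
# above can carry:
#   1. typographic quotes such as “yes”: YAML keeps the quote characters,
#      so the value is the literal string “yes” rather than yes;
#   2. key_file / cert_file paths under https_keypairs that do not exist
#      (for example when the openssl command wrote a different file name);
#   3. private keys readable by other users.
# Exit status is the number of findings, so 0 means clean.
# Assumes paths in the config contain no whitespace.

check_teleport_config() {
    cfg="$1"
    findings=0

    # 1. Typographic quotes: matched as byte strings, so any locale works.
    if grep -n -e '“' -e '”' "$cfg" >/dev/null 2>&1; then
        echo "ERROR: typographic quotes in $cfg, replace them with straight quotes:"
        grep -n -e '“' -e '”' "$cfg"
        findings=$((findings + 1))
    fi

    # 2./3. Every key_file must exist and must not be world-readable
    # (-perm -004 matches when the "other" read bit is set).
    for key in $(sed -n -E 's/^[[:space:]]*-?[[:space:]]*key_file:[[:space:]]*//p' "$cfg"); do
        if [ ! -f "$key" ]; then
            echo "ERROR: key_file not found: $key"
            findings=$((findings + 1))
        elif [ -n "$(find "$key" -perm -004)" ]; then
            echo "ERROR: private key is world-readable: $key"
            findings=$((findings + 1))
        fi
    done

    # 2. Every cert_file must exist.
    for crt in $(sed -n -E 's/^[[:space:]]*-?[[:space:]]*cert_file:[[:space:]]*//p' "$cfg"); do
        if [ ! -f "$crt" ]; then
            echo "ERROR: cert_file not found: $crt"
            findings=$((findings + 1))
        fi
    done

    return "$findings"
}
```

Run it as check_teleport_config /etc/teleport.yaml and fix every reported line before starting the service.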


How to configure Teleport service and start the service ?

Here, we create a systemd unit for Teleport:

$ sudo vim /etc/systemd/system/teleport.service
[Unit]
Description=Teleport SSH Service
After=network.target

[Service]
Type=simple
Restart=on-failure
EnvironmentFile=-/etc/default/teleport
ExecStart=/usr/local/bin/teleport start --pid-file=/run/teleport.pid
ExecReload=/bin/kill -HUP $MAINPID
PIDFile=/run/teleport.pid
LimitNOFILE=8192

[Install]
WantedBy=multi-user.target

Now, execute the below commands to reload the daemon, enable and start the service:

$ sudo systemctl daemon-reload
$ sudo systemctl start teleport
$ sudo systemctl enable teleport

To check the status of the teleport service, run the command:

$ sudo systemctl status teleport.service


How to create the teleport user with the set up of two-factor authentication ?

To log in, you need a user with the right privileges. By default, Teleport enforces two-factor authentication, so we create a user named admin-user and enrol it with Google Authenticator. Other authentication methods available in the options can be used too.

Run the command as shown below to create the user:

$ sudo tctl users add admin-user --roles=editor,access --logins=root,ubuntu,linuxapt

As you can see, we grant this user the editor and access roles, which give administrative privileges, and allow it to log in to the servers of the Teleport cluster as the OS users root, ubuntu or linuxapt.

After running the above command, you will see a link for setting the user's password.

Now open that link in a browser and set a password for the user, enrolling two-factor authentication as part of the process.

After you click on Create Account, the Teleport Web UI dashboard is displayed. You will see your newly created user together with the list of nodes the user is allowed to access.


How to add a node to the cluster ?

To add a new node to the Teleport cluster, first log in to Teleport:

$ tsh login --proxy=tele.example.com --auth=local --user=admin-user

Generate a join token with a limited lifetime; here we limit it to one hour:

$ tctl tokens add --type=node --ttl=1h

Now install the Teleport package on the new node. In our case the new node runs Ubuntu, so repeat the installation steps:

$ curl https://deb.releases.teleport.dev/teleport-pubkey.asc | sudo apt-key add -
$ sudo add-apt-repository 'deb https://deb.releases.teleport.dev/ stable main'
$ sudo apt-get update
$ sudo apt install teleport

Now run this command on the new node, using the token created above:

$ teleport start \

In our case the new node's hostname is testserver, so we can verify that it joined by opening the Teleport Web UI and checking the Servers section.


How to access the added server ?

Now that the new node has been added, it can be accessed from the Web UI or a terminal: click Connect and choose the preferred OS user from the list.

In our case we selected root as the user; a new tab then opens with a session on the new node.




Conclusion

This article covers how to install Teleport on an Ubuntu 20.04 server and add a new node. Running commands on the added server through the Teleport Web UI is then straightforward.


How to uninstall teleport from Ubuntu ?

To uninstall just the teleport package itself from Ubuntu, run in a terminal:

$ sudo apt-get remove teleport
