BASTION JUMP-HOSTS WITH TELEPORT - FAELIX · 2019. 2. 4.
https://faelix.link/netmcr19 — 5Mb
DEFINITION
A BASTION IS A STRUCTURE PROJECTING OUTWARD FROM THE CURTAIN WALL OF A FORTIFICATION
"Bastion" — Wikipedia, 2018-01-10
DEFINITION
HARDENED AND MONITORED DEVICE THAT SPANS TWO DISSIMILAR SECURITY ZONES AND PROVIDES A CONTROLLED MEANS OF ACCESS BETWEEN THEM
"Jump Server" — Wikipedia, 2018-01-10
SZILAS, PUBLIC DOMAIN, VIA WIKIMEDIA COMMONS
IOT SECURITY
(NETMCR #11)
@kooky_uk Tim Bray
SHOUT OUT #1
SSH CERTIFICATES
(NETMCR #13)
@TimJDFletcher Tim Fletcher
SHOUT OUT #2
IOT SECURITY WITH PI.PE
(NETMCR #17)
@steely_glint Tim Panton
SHOUT OUT #3
RIPE ATLAS PROBE SECURITY
(AQL IOT ROUNDTABLE)
@kistel Robert Kisteleki
SHOUT OUT #4
WHY WAS I LOOKING AT THESE PROBLEMS?
THE TASK AT HAND
▸ Customers with "Internet access is slow".
▸ At first it seemed that NNI was in common…
▸ Then it seemed that last-mile provider was in common…
▸ Then we thought it might be web filtering solution…
▸ Is it carrier network congestion/loss… not that either…
▸ We need to test this from within the customer network!
WHY WAS I LOOKING AT THESE PROBLEMS?
THE TASK AT HAND
▸ Put some probe devices in some customer networks
▸ …to be able to "ssh" into them, run measurements.
▸ Don't want customers to have to open ports on routers.
▸ Some sort of NAT-piercing required.
▸ Security is vital:
▸ Don't want probe to be an attack vector into customer.
▸ Team of staff need access.
STANDING ON THE SHOULDERS OF GIANTS
RIPE ATLAS
▸ Plug it in, gets address/DNS by DHCP
▸ Connects to RIPE bastion hosts using ssh (with provisioning)
▸ Creates tunnels to itself for telemetry, read all about it:
▸ https://www.uknof.org.uk/uknof18/Kisteleki-Atlas.pdf
▸ Security reputation is pretty good, e.g.
▸ https://www.mdsec.co.uk/2015/09/an-introduction-to-hardware-hacking-the-ripe-atlas-probe/
STANDING ON THE SHOULDERS OF GIANTS
SSH BASTION HOSTS, WITH SSH CA
▸ The big players are doing it:
▸ https://code.facebook.com/posts/365787980419535/scalable-and-secure-access-with-ssh/
▸ https://github.com/Netflix/bless
▸ How to apply this pattern to our "IoT" probe project?
A LONGER TALK, MAYBE AT UKNOF, WILL HAVE MORE INFORMATION…
THE SOLUTION
▸ Ansible script #1:
▸ Deploys Teleport on a VM (or cluster for HA)
▸ Ansible script #2:
▸ Installs Teleport on a Raspberry Pi
▸ Preconfigures Teleport (outbound connection to bastion host)
▸ Bunch of Raspberry Pi / case / SD card combos
▸ Ship to customers with instructions about placement
▸ Within a few days of shipping: root cause (RCA) = vendor firewall config issue
USING TELEPORT
WHO NEEDS ANOTHER SSHD?
WHY BOTHER USING TELEPORT?
▸ ssh CA out of the box, compatible with OpenSSHd
▸ 2FA out of the box (TOTP or U2F), no google_authenticator.pam
▸ ssh through-the-web out of the box
▸ Compliance Officer's dream: session recording jumphost.
▸ …and with "session_recording: proxy" it can do this for legacy sshd implementations too! [caveat: Security Officer]
▸ Free OSS < $aa$_startup_pricing_model < enterpri$$$e
▸ $paid_editions feature include RBAC, LDAP/SASL integration
[Diagram, built up over three slides: you! → teleport bastion → cluster of stuff]
LOGGING IN
tsh login --proxy teleport.example.com --user networkmoose
ssh-key -A
[Screenshots: THE BASTION HOST]
SSH FEATURES BAKED IN
ON THE COMMAND-LINE
▸ Remote VM doesn't have ssh open to Internet.
▸ All access is going via tsh.fulcrm.org bastion.
▸ Can do port-forwarding.
PROBABLY WANT A SCRIPT
AUTOMATION
PLAYS NICELY WITH ANSIBLE (RTFM)
THE JESUS AND SSH-KEYCHAIN
MIX AND MATCH OPENSSHD AND TELEPORT
▸ OpenSSH client config, routing plain ssh through the Teleport proxy:
    Host blah.example.com
        User salt
        Port 3022
        ProxyCommand ssh -p 3023 %[email protected] -s proxy:%h:%p
▸ Or symlink tsh over ssh and scp:
    ln -snf /usr/local/bin/tsh /usr/bin/ssh
    ln -snf /usr/local/bin/tsh /usr/bin/scp
▸ …while using Ansible?
▸ scp_if_ssh = True (ansible.cfg, [ssh_connection] section)
THE JESUS AND SSH-KEYCHAIN
TELEPORT AS CA FOR OPENSSHD
▸ tctl auth sign --host=yourhost.example.com --format=openssh
▸ sshd_config on that host:
    HostKey /etc/ssh/ca_ssh_host_rsa_key
    HostCertificate /etc/ssh/ca_ssh_host_rsa_key.pub
▸ You might have to…
▸ tsh login --compat=oldssh --proxy=teleport.example.com
▸ tsh ssh -p 22 [email protected]
LABEL YOUR NODES (MASS COMMANDS)
SEE PREVIOUS SESSIONS
"TWITCH FOR TERMINALS"
CO-OPERATIVE MULTIPLAYER MODE!
UNDERSTANDING TELEPORT
[Diagrams: Teleport components, built up over several slides]
▸ Pieces: you! → client (tsh or https) → proxy → auth → node
▸ all-in-one: proxy, auth and node in a single process on one host
▸ bastion + node(s): proxy and auth on the bastion, a node service on each target
▸ all separated: proxy, auth and node each on their own host
▸ RBAC ("enterprise"): auth backed by LDAP / SAML / etc
▸ HA auth: several proxies behind a load balancer, auth state in etcd / dynamodb
▸ trusted cluster: a separate trusting cluster (its own auth + node) connects to the bastion, so a client logged into the bastion can reach another node in that cluster too
ADMINISTERING TELEPORT
READ THE FINE MANUAL, MAKE A PLAYBOOK OR SALT STATE, DONE.
INSTALLATION
▸ Download binary, run installer (or compile your own)
▸ examples directory has systemd service file
▸ Create a user, let them login as root on any nodes:
▸ tctl users add marek root,postgres,www-data,…
▸ Follow enrolment link, set password, scan the QR code
ENROLMENT PROCESS
YOUR FIRST USER
▸ "netmcr" in teleport can now login on nodes as local "totallyunprivilegeduser"
GOT ROOT?
"WE'RE IN!"
GETTING DEEPER
MORE CONFIGURATION
▸ Limit your ciphersuites
▸ TLS cert for HTTPS
▸ Static labels from config
▸ Dynamic values from running commands periodically
GETTING DEEPER
POOR MAN'S ORCHESTRATION
tsh ssh root@debian=8.7
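The node-side and bastion-side teleport.yaml that the two Ansible scripts would lay down, as an added example (not the author's playbooks nor Teleport's shipped defaults), tying together the outbound-only join from the Pi, session_recording: proxy with its caveat, the cipher restriction, the TLS cert, and the static and dynamic labels that tsh ssh root@debian=8.7 selects on. Cluster name, hostnames, file paths and label values are assumptions, the join token is a placeholder, and the nodes-dial-the-proxy-web-port join for hosts behind NAT is assumed to be available in the Teleport version in use.

```yaml
# Bastion (proxy + auth), /etc/teleport.yaml on teleport.example.com -- assumed host/path
teleport:
  nodename: teleport.example.com
  data_dir: /var/lib/teleport
  # "Limit your ciphersuites": offer only modern algorithms (must be in the build's supported set)
  ciphers: [chacha20-poly1305@openssh.com, aes128-gcm@openssh.com]
  kex_algos: [curve25519-sha256@libssh.org]
  mac_algos: [hmac-sha2-256-etm@openssh.com]
auth_service:
  enabled: yes
  cluster_name: probes-example              # assumed
  # Recording at the proxy covers legacy OpenSSH nodes too, but the proxy then
  # terminates each session and re-encrypts to the node, i.e. it sees cleartext;
  # keep host-key checking on (the "Security Officer" caveat from the slide)
  session_recording: proxy
  proxy_checks_host_keys: yes
  authentication:
    type: local
    second_factor: otp                      # or u2f; this is the scan-the-QR-code step
  tokens:
    - "node:JOIN_TOKEN_PLACEHOLDER"         # placeholder; issue a real one with tctl nodes add
proxy_service:
  enabled: yes
  listen_addr: 0.0.0.0:3023                 # ssh proxy port used by ProxyCommand / tsh
  tunnel_listen_addr: 0.0.0.0:3024          # reverse tunnels from nodes and trusted clusters
  web_listen_addr: 0.0.0.0:3080             # https: web UI, ssh through-the-web, node joins
  public_addr: teleport.example.com:3080
  https_key_file: /etc/teleport/tls.key     # "TLS cert for HTTPS", assumed paths
  https_cert_file: /etc/teleport/tls.crt
ssh_service:
  enabled: no                               # the bastion itself is not a login target
---
# Probe, /etc/teleport.yaml on each Raspberry Pi -- assumed path
teleport:
  nodename: probe-customer-a                # assumed
  data_dir: /var/lib/teleport
  auth_token: JOIN_TOKEN_PLACEHOLDER        # same token; invalidate once the fleet has joined
  # Outbound only: the Pi dials the bastion's web port and holds a reverse tunnel
  # open, so the customer never opens an inbound port on their router
  auth_servers:
    - teleport.example.com:3080
auth_service:
  enabled: no
proxy_service:
  enabled: no
ssh_service:
  enabled: yes
  labels:                                   # static labels from config
    role: probe
    customer: customer-a                    # assumed
  commands:                                 # dynamic labels, re-run every period
    - name: debian                          # "tsh ssh root@debian=8.7" selects on this
      command: [/bin/sh, -c, "cat /etc/debian_version"]
      period: 1h0m0s
    - name: eth0                            # assumed: link state of the probe's wired port
      command: [/bin/sh, -c, "cat /sys/class/net/eth0/operstate"]
      period: 1m0s
```

Because the label values are re-evaluated on the node, a mass command such as tsh ssh root@debian=8.7 only ever fans out to nodes whose current output matches, so a probe upgraded in the field drops out of the selection by itself.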
THANKS FOR LISTENING! ANY QUESTIONS?
e: [email protected] t: @maznu w: https://faelix.net/
https://faelix.link/netmcr19