Manage all your SSH servers with teleport

Captions
I've searched a long time for a good solution to manage all my SSH connections. I wanted to have a centralized approach where I can manage all my servers running on my home network and on my cloud instances from different devices, where I don't need to copy all the private and public keys anymore, but it still should be a secured connection. I think this also could be very, very interesting for any company environment, when you for example want to give some developers or some engineers access to your SSH servers. Of course you then want to have some advanced features: you want to have a secured connection, you want to have good logging, good monitoring and auditing of those sessions. I have found a very interesting software that is called Teleport that can do all these things for you. This software is completely open source and it also comes with a completely free community edition. In this video I will show you how you can easily set up this software in a containerized approach on your cloud instances and how you can use that to manage all your SSH connections on your servers. So if that sounds amazing to you guys, then keep watching.

Hi everybody, my name is Christian and I make great tutorials and content for IT professionals. I also stream every Wednesday and Thursday, so if you have any questions or you want to get in touch with people who share the same interests as you, just jump into my live streams and we can have a discussion about this.

In this video I want to show you the software Teleport that is made by the company Gravitational. This is an open source software to manage SSH connections. I found this software when I was searching for a good SSH proxy solution. It also can run in a container that can be managed by Docker and Docker Compose, and if you know me, guys, you know that I absolutely love containerizing and I love to deploy everything in a Docker container if this is possible, and this is exactly what we're going to do in this video. So I will create a new service on my cloud instance. I have already prepared one server that is a Teleport server, and I will show you how you can easily set up Teleport on a cloud server that you can use to manage all your servers. You can also manage devices that are behind a NAT firewall, because Teleport can also create a reverse tunnel, and this is actually the best feature for me personally, because my ISP doesn't give me a real IPv4 address at home and I have a hard time connecting to my servers from outside. So I can easily use this software to just create a reverse tunnel from my local area network to my cloud instance, and then I can just easily manage all my servers without using a VPN tunnel.

As I said, this software comes in a free community edition, but it also has an enterprise license. So if you are a company and you plan to implement that in your production environment, you can also buy an enterprise license and you get some advanced features, like you can add some external authentication servers to authorize via your Active Directory, or you can have single sign-on. So you can just check out the Gravitational home page and check their enterprise license. I think this is pretty useful for any company, but if you are running this in your own home lab solution, I think the community edition is absolutely fine. I have done that to deploy this in my own environment and it's running very well. You can also create multiple users that are secured via two-factor authentication, so that is also pretty amazing and it can also raise the security of your servers. Of course you don't need to run this in a Docker container on a cloud server; you can in theory also install that directly on your Linux server and host this on premise. I cannot cover all the different deployment scenarios in this short video, so what I can just recommend you to do, if you plan to implement this in your own infrastructure and you have a different deployment approach, is to check out the official home page. They have a great guide on how to set this up in a production environment, and they explain all the different architecture designs of this software very well. So go and check out the documentation. But in this video we will focus on a containerized approach and set this up on my cloud instance, and I also want to show you how you can easily use a load balancer to terminate your HTTPS connection with trusted and managed certificates on your cloud environment. I think this is the best solution if you want to run this in a production environment and secure this with trusted HTTPS certificates.

I have already prepared one cloud server that is running Docker and Docker Compose. Note: if you don't know anything about Docker, you probably need to check out my other videos about Docker and Docker Compose before watching this video, otherwise it probably is a bit difficult for you. I've put the link to these videos in the description below, so go check them out if you want to learn more about Docker and Docker Compose and why this is just amazing. Okay guys, so don't waste any more time, let's jump right into the installation part and let's install the Teleport main server on our cloud instance. So let's go.

Okay, let's start with the installation of our Teleport auth and proxy server. First we want to create a Docker Compose file that will start the Teleport container and run those services. I have created a new folder in the /opt directory that is called teleport, and if we execute an ls, I have prepared a docker-compose.yaml file. So I open the Docker Compose file. Note: you don't need to remember all these things here, you can just have a look at the link in the video description below to my written blog article. There you will find all these templates, all the Compose files, the commands I'm using in this tutorial, so you can just copy and paste them and just do some modifications. You can see there are two services that are configured. The first service is just a configuration container. This is using the image teleport, and the container name is teleport-configure. You can see it just executes a command that will check if there is a teleport.yaml configuration file in the /etc folder, and otherwise it will just create a new one with some basic examples here, and you can see there is a volume folder that is called config where this configuration file is then stored. If we go down to our teleport container, this is the actual container that will run the services of Teleport. It's also using the same image, but you can see it will wait one second for the configuration daemon to place the configuration file in there and then automatically start with the configuration file here. Usually this hostname points to the IP address of your Teleport server, or to the IP address of a load balancer if you have that in front of it. I will later show you how this is working with a load balancer, because I have added this to use trusted HTTPS certificates from Let's Encrypt and terminate those certificates on my load balancer, so that the Teleport server actually doesn't need to take care of those trusted HTTPS certificates. I will show you later how this works when you set up a load balancer in front of that. I think it definitely is recommended to do that, because otherwise you don't have trusted HTTPS certificates.

Okay, so what we want to do is, we will start the container so that it will create the configuration file. We later can simply just remove this here, because we only need that once, when we first start our container, so that it creates this sample configuration file, and we will also do some modifications later. So save this file and place this into this folder here. I can also cat the Docker Compose file and see if everything is working fine, so that all the configuration stuff is in here. So let's start the Docker container by executing docker-compose up, and let's do this in the background with the -d parameter. It should pull down the image; I've done this before, so you probably won't see that, and then it will start the Docker containers. Let's check if the containers are running by executing docker-compose ps, and you should see that two containers are now running. The first container is the teleport container that hosts all those services, and you can also see the teleport-configure daemon has now immediately exited, but it has created some configuration folders. If we execute an ls you can see those two folders here. If we go into the config folder and execute an ls, we can see there is a teleport.yaml configuration file that was created by the daemon, and this has some default values in it, so we can also edit this later. But I also want to show you something else. If we go to the data directory and execute an ls, you can see there is data: we have a cache, we also have the backend databases that are needed to store all the data, and we also have two files here, this is a webproxy_cert.pem and the webproxy_key.pem. So this is a certificate and the private key for the certificate, and this is usually a self-signed certificate that will use the fully qualified domain name that you have used in your Docker Compose file here. Therefore it is really important that this hostname actually points to the correct server and to the correct IP address, otherwise you probably would need to recreate your container by deleting it and restarting the deployment process again with a fresh new configuration file.

Okay, so let's also open this configuration file. I will just simply use Visual Studio Code to open this configuration file, and you can see this is the example Teleport configuration file that was created by the daemon, and it starts with some services. You can see the teleport service here is actually a node service, so it automatically adds a new node to the configuration that we can manage later, and this node is actually running in the Docker container. But first let's go down, and you can see there's the auth_service that was automatically enabled, and this is listening on all IP addresses on the port 3025. One thing is really, really important here now: you need to add a new entry here, because otherwise the CA pin will not work correctly and then you will get errors once you add new nodes to this server. You need to add the public_addr, and the public_addr needs to point to the exact name you will use as the auth server entry on your nodes later. Usually you would use your fully qualified domain name; in my case this is dev.thedigitallife.com, and the port is 3025. Okay, so let's scroll down and you can see there's also an ssh_service that is enabled here, and we also have a proxy_service. This is enabled, we have a listen address here, the web listen address, and we also have the tunnel listen address here. This is important when you want to create reverse tunnels to your machine later; I will show you that at the end of this video as well.

Okay, so as I said, we need to replace this ca_pin hash here, but first let's go back to our Docker Compose file and do a modification, because we actually don't need this configuration service here anymore. It doesn't hurt if you leave it in, but I will just remove that because I don't need it anymore. I will also remove the depends_on here, because that is actually not there anymore. Okay, let's save this file, and what we need to do right now is restart the Docker container by executing docker-compose up -d --force-recreate, and we also want to remove those orphan containers, this is --remove-orphans. This will remove the configuration container because we actually don't need it anymore. Let's hit enter and execute this. Okay, let's check if the container is up and running again, so let's execute docker-compose ps, and you can see it is up and running.

I want to show you how to set up a load balancer in front of this server, and what you need to do, because you want to have trusted HTTPS certificates and you don't want to have this self-signed certificate here, so that you don't get a certificate error. Okay, so let me show you how I've set this up in my cloud environment. I'm using DigitalOcean as my cloud provider; of course you can also use any other cloud provider. This is not a sponsored or supported video by DigitalOcean, but I think it's really easy and it's really awesome, I use that for all of my projects. If you want to test DigitalOcean, you can also find a link in the video description below where you get 100 credits for 60 days to test out this stuff, and this also helps my channel if you use those services later. So you know the deal, right?

Okay guys, so I have added a new load balancer, and the dev.thedigitallife.com FQDN will point to this public IP address of the load balancer here, and this is the public IP address of the Teleport server. So what I've done is, this load balancer actually will load balance this Teleport server here, and the HTTPS connection with a trusted certificate is also terminating here on the Teleport load balancer. You can see it in settings here; this is pretty easy to set up on DigitalOcean, because you can simply just add a new forwarding rule for HTTPS for the port 3080 and use this certificate. You can just create a DigitalOcean one. Note: if this certificate is managed by your provider or by your load balancer, it usually also is auto-renewing this certificate, and you don't need to reload the Docker container and so forth, so this is pretty awesome. I forwarded this just to the port 3080. Now this is important, because the auth server is also using HTTPS authorization with a self-signed certificate and CA pinning, so therefore the load balancer should not intercept this connection and step into this. It is important that you forward all those ports here, 3023, 3024 and 3025, with the TCP protocol, so that the load balancer doesn't step into this connection and just forwards the TCP connection to your Teleport server. This is very important when you want to add nodes or want to connect to SSH and create reverse tunnels and so on. Okay, so as you've seen, it's pretty easy to set up this load balancing stuff here on DigitalOcean, and yeah, I can just strongly recommend you test this out, and then you can simply just do that.

Okay guys, so let's try to access the web interface by using the fully qualified domain name and the port 3080 on the web, and you can see it redirects us to the sign-in site of Teleport. Teleport doesn't have any default administrator and password and so on; we first need to create that through the command line, and we also need to create a two-factor authentication, because Teleport enforces that by default, which is pretty secure and pretty awesome. So let's go back to our server and let's create a new user for this Teleport server. This easily can be done by executing the tctl command in the Docker container, by executing docker-compose exec (I cannot write today), okay, now we need to use teleport, the Docker container, and then simply execute tctl. If we do that you should see a help text with all commands that are possible to manage your Teleport server. Let's also add the tctl status, because I remember we first need to change our CA pin hash. This is very important, so don't share this with anyone. Note: this is just a test appliance, I will just delete it right after this video, so don't try to hack me or something like this. But this is very important, so don't share this with anyone. So copy this, and we can simply just go to the configuration file, this is the teleport.yaml, and replace the ca_pin here with the real value. Okay, let's save this. After saving this you probably should need to restart your container, but I will do this later because I want to show you something else.

Okay, so we first want to create a user here, and to do that we will just enter tctl users add, and now we need to specify a username. You can choose any username you want to use; I will just create a new user called teleport. Now you can also specify what Linux users this Teleport user is able to log in as on the different nodes, so it is recommended that you use any usernames that you want to log in with. As an example I will just enter root, because I want to log in as the root user on some Linux servers; I want to log in as the xcad user on some servers; I want to use christian as a username on some servers; and sometimes, when I want to manage my Vagrant servers, I also want to log in with the vagrant user. Then simply hit enter, and this will automatically create a new invitation token you can now use to create a new user. Simply just copy this link here, go to your web browser and access this, and now it automatically enforces setting up a two-factor authentication and a password. Then you can simply download a two-factor authentication app on your mobile phone; I'm using Google Authenticator all the time, but you can of course also use other authentication services. Simply just scan the QR code, and then your mobile phone will present you a two-factor token that you can just enter. Usually this is just a six-digit number, I will just enter it here, and then I can create this account here. If this was successful, it takes you to the Teleport web interface and you can see different clusters here. A Teleport cluster is basically just a group of different servers you can manage, and it automatically created a new cluster that is called dev.thedigitallife.com. If I click on this it will take me to the dashboard, and then we can see all the different nodes here we can simply manage with Teleport. You can see it automatically created a new host that we can manage, and this is the host of the Docker container. You can also see here the active sessions, if there are any active sessions, and you can also join these sessions, so you can work with multiple users in one SSH connection, which I think is absolutely awesome. You also have an audit log, so you can see there are some audit entries from when I created this user. You can also access help and support, community guides, quick start guides and so on; here you'll find a lot of great materials and tutorials where you can get help and support.

Okay, so let's just open a new connection when we click on connect here, and then we can choose one of the usernames we have used to create the user. For example, in a Docker container usually only the root user is created, so I will just click on the root user and it opens a new session, and we are now logged into the server. Note: this is not the host operating system, this is a node that is running inside the Teleport Docker container. If we execute top here, for example, we can see okay, there are these processes running in the container, and we can also use the tctl command from inside this shell here, so you don't need to execute the docker-compose command anymore; you can simply just use the web interface to manage your server. All those sessions are also automatically recorded. If we exit this session here, for example, just close this window here and go to the audit log, you can see there is a new session that has ended, and if we click on options here we can go to the session player, and it automatically plays back what we have done here on the machine. So it's really helpful if you do technical research and you cannot remember what you have changed on your server, you can easily replay that. But also, if you're running this in a corporate environment, it is very important to have full control over what your users or engineers and developers are doing on these servers, so I think this is really, really an awesome feature.

Okay, so let's also have a look at how we can add new servers here to manage in our Teleport cluster. I want to create a new server on my cloud instance here, so I just go to DigitalOcean and I can show you how easy this is. Create a new droplet here; this is automatically creating a new cloud server. I will choose the Ubuntu image because this is what I'm used to, I will create this in the Frankfurt data center location, go back, insert my SSH keys, and I want to create one droplet that is called teleport-node-1, for example. I can also add tags here, for example I want to add the development tag, and create this in the testing project here. I don't need backups for this and I simply can create the droplet, so this is now creating. What we then need to do is download the Teleport client and add a new node on our Teleport auth server, so we can manage this later. So once this is created here, give it a few seconds, we will then create a new container... but wait, we can just simply go here and use this tctl command inside the Docker container here. This is pretty easy: if we (I cannot write today), so if we execute tctl we can create a new node here, so just simply enter tctl nodes add and hit enter. This will create a new invitation token, and usually you can execute this command on your Linux server, but note this is a bit different here, because the auth server is using the internal IP address of the Docker container, so this is not the correct IP address and we need to change that later. But I will show you a very easy method without using this simple command here, because I prefer to have static configuration files on my nodes. Note: here is the CA pin and the token, so don't share this stuff with anyone else. This is only available for 30 minutes, then it expires. So let's go to our new server and let's create a static configuration file and add those values in here, so that the server can connect to our Teleport cluster. And yeah, this server is now just finished, so that was perfect timing here. I can just copy the public IP address, go to my shell, and because I've added my private and public keys, I should be able to log in, and this is working now, so that's great.

Now we need to download Teleport. To do that, just simply go to the home page of gravitational.com, go to Docs, Teleport, and then simply click on Download. Then search for the correct file. Note: this is here a new release, this is the version 5.0 beta version, but I have used the version 4.3 on my Docker container, so it is very important that we choose the same version here, otherwise there can be problems. Okay, so we need to search for the 64-bit Debian file here, so this is this one here. I will just copy the link, go to my server and download this with wget, so this is pretty easy. Then we will just simply execute (oh, we don't need sudo here) dpkg -i, for install, teleport Debian file, and this is automatically installed. Okay great, that was everything. Now we need to create a new YAML file in the /etc folder. I will go back to my Visual Studio Code here and add a new remote connection to the host, and I have already created a template. Note: you don't need to write down everything, as always just go to my written blog article, there you can just copy and paste those templates and customize this. So let's save this file, and it is very important to place this in the /etc folder as teleport.yaml. Then we need to change some things here. Note the auth server is dev.thedigitallife.com:3025, and now it is very important that you have added on your load balancer the TCP protocol that forwards this connection to your Teleport server. Okay, so now we need to set the auth token and the CA pin we can just obtain from our shell here. So let's just copy the token and replace this auth_token here, just go back and copy the CA pin and replace this with the CA pin here. Now let's check if the file was created successfully, and yeah, that is working fine now. Note: I have seen this many, many times, if you then execute teleport start, I've seen an error that says there is a certificate error or certificate signed by unauthorized authority here. This error can occur if you have done something wrong and the CA pinning is not working; it can be the case that there is some information cached. So if you see that error here, you probably should also remove the /var/lib/teleport directory. If you do this the cache is being removed, and you should retry again. The good thing about this is, if you have set this teleport.yaml configuration file on your node, you simply can now just execute systemctl enable teleport --now. That will automatically create a symlink and start the Teleport service in the background. If we execute a ps aux and grep for teleport, you can also see there is a new process that is running, and this is automatically handled by systemd. This is very important: if you reboot your server, the Teleport daemon is automatically started in the background, so this is the best way to easily do that on your nodes. If we go to our web interface here and do a reload, you can see there is a new node here, this is called teleport-node-1. This depends on what we have entered here as the node name, so you can also change the name if you want to do that. Let's simply just connect as the root user to this node. If you see something like this here, this is a private IP address for some reason, and of course the connection doesn't work then. So if you want to change the IP address of a node, you need to change that and add an attribute in the static configuration file. Go back to our Teleport configuration file, and now we need to add a new attribute that is called advertise_ip, and then we can simply just enter any IP address that is accessible from the public internet. So we just go back to our cloud environment and copy the public IP address of our node here, add this as the advertise_ip address, and then we can simply just save and restart the Teleport daemon by systemctl restart teleport. If we go back to our web interface and do a reload, you can see the IP address has now changed. Now we should be able to access the public IP address when we click on connect and choose the root user, and you can see I'm now logged into my teleport-node-1. This is how you can easily add different nodes to your Teleport server and manage multiple servers with that.

I think this is pretty awesome, but what if you have a server that is behind a NAT firewall, just like I do? Everything on my home network is basically behind a NAT firewall and I cannot do a port forwarding. So if you want to manage those kinds of servers behind the NAT firewall, or if you have IoT devices behind anything, you can also use the reverse tunnel to connect to these machines from inside your networks. This establishes the connection from inside your local network to your cloud instance, and then you can basically just use this reverse tunnel to manage your SSH servers behind NAT firewalls from anywhere. So let's also have a look at how to do this. I will create a new virtual machine, I will quickly install this with Vagrant, so let's have a look at this.

Let's create a new virtual machine, because I need a new virtual server here, and let's just quickly install a new virtual machine on my local area network. How I would do this: simply create a new project folder, ubuntu-test-1 for example, and then I will simply copy a Vagrantfile, go to the folder and enter vagrant up. This will automatically create and provision a new virtual machine on my hypervisor. If you want to know how I do this, this is pretty easy and awesome, I also did a video about Vagrant and how you can easily provision new virtual machines with Vagrant; I've put the link to the video in the description below, so just check it out. Just go to my Vagrant machine and just download the image here and install this via dpkg, install Teleport, enter a new teleport.yaml configuration file in the /etc folder and simply just use the template I've used on my other machine here. The first change we need to do is delete the advertise_ip address and replace this with a completely new token, because we cannot use the same token on another server. So let's just go to our cluster here, connect a new shell with the root user and enter tctl nodes add; that will create a new invitation token we can just simply copy. The CA pin didn't change, so we can simply keep that. Note: we now want to create a reverse tunnel here, and the only thing you need to change is the port of the auth server here, and set this to the proxy port, 3080. Write this and simply execute teleport start; sudo, we need to run this with sudo permissions. Okay, so this error happens because I have forgotten to set up the public IP address of the proxy server in the teleport.yaml configuration file on the main server. So let's go back to Visual Studio Code and add those entries here. As I said, I have already added the public address for the auth server, but we also need to do the same for the proxy service, and this is very important when you want to set up a reverse tunnel. We first want to add a public_addr, and there simply just enter dev.thedigitallife.com, you don't need to specify a port here, and we also want to add ssh_public_addr: dev.thedigitallife.com. Now we simply again just save this and restart the Docker container. If you don't see anything here, that should be fine. Let's go back to our web interface and reload the page, and there you can see we have a new entry, but this has the same name, because I probably have forgotten to specify the name. So let's go back to our server and quickly edit this file here and change the name to teleport-node-2, for example. Let's just restart the container, or we can simply just now enter systemctl enable teleport --now, so this will automatically start the Teleport service in the background again. Let's go back to our cluster, let's refresh that and let's try to connect to teleport-node-2. We now need to choose the vagrant user, because we cannot simply just use the root user, and this is why I have added multiple users, because I knew I wanted to create a new Vagrant machine. Now we are in the Vagrant machine, and this is connected via the reverse tunnel. This is pretty awesome, because you can easily use that to connect IoT devices or any servers that are behind a NAT firewall or that use shared IPv4 connections from your ISP, so this is amazing.

This is how you could easily install Teleport and use that to manage all your SSH connections, no matter if you are doing this in your home lab or if you want to implement this in a company environment. I think this is a very great software and I think this is absolutely amazing. One thing I have not covered in this video is the tsh client. There is also a terminal application from Teleport you can easily download and install on your Windows Subsystem for Linux, on any client wherever you want to use that, and use this as a terminal application. You can simply just use this like a normal SSH connection; you can also copy files like scp with that. You should just simply have a look at the documentation, but you could also leave me a comment if I should do another video about the tsh client, how to copy files with that and so on. Also, if you enjoyed this video, please don't forget to hit the like button. Remember, I always do some content about this stuff, about Linux servers, deployment methods, DevOps stuff, and I also do mainly everything that is geared towards IT professionals. So if you like this, please don't forget to subscribe to this channel, and if you have any questions you can come anytime to my Discord community or jump on my live streams. Remember, I stream every Wednesday and Thursday on Twitch and sometimes YouTube, so check out my live streams and we can have a discussion about this. Before I go I want to thank all my supporters on Patreon, especially Mason, who is the producer of this show, so without you, the community, this whole project wouldn't be possible at all. Thanks everybody for watching, enjoy the rest of your day, take care of yourself and I see you soon.
Info
Channel: The Digital Life
Views: 12,582
Rating: 4.949367 out of 5
Keywords: linux, cloud, ssh, ssh proxy, ssh manager linux, teleport, gravitational, ssh teleport, manage ssh, manage ssh connections, zero trust security model, zero trust, zero trust architecture, linux ssh, linux ssh servers, ssh server, linux ssh server, ssh servers, ssh proxy servers
Id: nk1jfIAL5qE
Length: 33min 28sec (2008 seconds)
Published: Sun Nov 08 2020