What is Teleport?
Teleport consolidates access to your infrastructure into a single platform with:
- SSH Access Management: replace SSH keys with short-lived certificates
- Session Recording: capture and replay SSH sessions for compliance
- RBAC: fine-grained role-based access control
- Multi-Factor Auth: built-in MFA and SSO support
Prerequisites & VPS Selection
Before starting, ensure you have:
- Ubuntu 22.04 LTS or Rocky Linux 9
- Root or sudo access
- Domain name pointed to your VPS (for Let's Encrypt SSL)
- Ports 443 and 3080 open in firewall
2. Initial Server Setup
Update your system and configure the firewall:

Ubuntu/Debian
Update and Configure UFW
# Update system packages
sudo apt update && sudo apt upgrade -y
# Install required dependencies
sudo apt install -y curl wget gnupg2 software-properties-common
# Configure UFW firewall (allow SSH before enabling so the session is not cut off)
sudo ufw allow 22/tcp
sudo ufw allow 443/tcp
sudo ufw allow 3080/tcp
sudo ufw enable

Rocky Linux
Update and Configure Firewalld
# Update system
sudo dnf update -y
# Install dependencies
sudo dnf install -y curl wget
# Configure firewalld
sudo firewall-cmd --permanent --add-port=443/tcp
sudo firewall-cmd --permanent --add-port=3080/tcp
sudo firewall-cmd --reload

3. Install Teleport

4. Configure Teleport
Create the Teleport configuration with automatic SSL:
Generate Configuration
sudo mkdir -p /etc/teleport
sudo teleport configure -o /etc/teleport/teleport.yaml \
  --cluster-name=teleport.yourdomain.com \
  --public-addr=teleport.yourdomain.com:443 \
  --acme=true \
  --acme-email=admin@yourdomain.com

teleport.yaml (Production)
version: v3
teleport:
  nodename: teleport-node-1
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
auth_service:
  enabled: true
  cluster_name: teleport.yourdomain.com
  listen_addr: 0.0.0.0:3025
  authentication:
    type: local
    second_factor: otp
  session_recording: node
proxy_service:
  enabled: true
  # Let's Encrypt's TLS-ALPN challenge is only served on port 443, and public_addr
  # points there too, so the web listener must bind 443 for ACME to succeed
  web_listen_addr: 0.0.0.0:443
  public_addr: teleport.yourdomain.com:443
  acme:
    enabled: true
    email: admin@yourdomain.com
ssh_service:
  enabled: true
  listen_addr: 0.0.0.0:3022
  labels:
    env: production
    role: teleport-server

5. Create Systemd Service
Create Service File
# The heredoc delimiter is quoted so the shell does not expand $MAINPID to an
# empty string before the unit file is written
sudo tee /etc/systemd/system/teleport.service <<'EOF'
[Unit]
Description=Teleport SSH Service
After=network.target
[Service]
Type=simple
Restart=on-failure
RestartSec=5
ExecStart=/usr/local/bin/teleport start --config=/etc/teleport/teleport.yaml --pid-file=/run/teleport.pid
ExecReload=/bin/kill -HUP $MAINPID
PIDFile=/run/teleport.pid
LimitNOFILE=8192
[Install]
WantedBy=multi-user.target
EOF

Enable and Start
sudo systemctl daemon-reload
sudo systemctl enable teleport
sudo systemctl start teleport
sudo systemctl status teleport

6. Create Admin User
Create Initial Admin
sudo tctl users add admin --roles=editor,access --logins=root,ubuntu
This outputs a signup link. Open it in your browser to set up your admin account and configure MFA.

Access the Web UI
Navigate to your Teleport instance:
Web UI URL
https://teleport.yourdomain.com:443
- Create your password
- Configure two-factor authentication (OTP or WebAuthn)
- Download the recovery codes

7. Add Additional Nodes
Generate Join Token
On Auth Server
sudo tctl tokens add --type=node --ttl=1h

Configure Target Node
On Node to Add
sudo mkdir -p /etc/teleport
sudo tee /etc/teleport/teleport.yaml <<EOF
version: v3
teleport:
  nodename: server-node-1
  data_dir: /var/lib/teleport
  auth_token: YOUR_JOIN_TOKEN_HERE
  # Config version v3 replaced auth_servers with proxy_server (or auth_server);
  # this node joins through the proxy's public address
  proxy_server: teleport.yourdomain.com:443
ssh_service:
  enabled: true
  labels:
    env: production
    role: web-server
auth_service:
  enabled: false
proxy_service:
  enabled: false
EOF
sudo systemctl enable teleport
sudo systemctl start teleport

8. Configure User Access
Create Developer Role
Create Role
sudo tctl create <<EOF
kind: role
version: v6
metadata:
  name: developer
spec:
  allow:
    logins: ['ubuntu', 'developer']
    node_labels:
      'env': 'production'
      'role': 'web-server'
    rules:
      - resources: [session]
        verbs: [list, read]
  options:
    max_session_ttl: 8h
    port_forwarding: true
    forward_agent: false
EOF

Add Users
Add Developer User
sudo tctl users add developer-user --roles=developer --logins=ubuntu

9. Connect via TSH Client
Login and Connect
TSH Commands
# Login to Teleport
tsh login --proxy=teleport.yourdomain.com:443 --user=admin
# List available nodes
tsh ls
# Connect to a node
tsh ssh ubuntu@server-node-1
# Start port forwarding
tsh ssh -L 8080:localhost:80 ubuntu@server-node-1

10. Session Recording
Configure Session Storage
teleport:
  storage:
    type: dir
    # Audit log and session recording destinations belong under teleport.storage,
    # not under auth_service
    audit_events_uri:
      - 'file:///var/lib/teleport/log'
    audit_sessions_uri: 'file:///var/lib/teleport/sessions'
auth_service:
  enabled: true
  cluster_name: teleport.yourdomain.com
  session_recording: node

Restart Teleport
sudo systemctl restart teleport

11. Security Best Practices
Enforce MFA for All Users
Edit Auth Preference
sudo tctl edit cluster_auth_preference

Cluster Auth Config
kind: cluster_auth_preference
version: v2
metadata:
  name: cluster-auth-preference
spec:
  type: local
  # Quoted so YAML keeps it as the string "on" rather than a boolean
  second_factor: "on"
  webauthn:
    rp_id: teleport.yourdomain.com

Backup Script
Automated Backup
#!/bin/bash
set -euo pipefail
BACKUP_DIR="/backup/teleport"
DATE=$(date +%Y%m%d)
mkdir -p "$BACKUP_DIR"
# Archive the data directory (cluster CA keys, backend state, recordings) and the config
sudo tar -czf "$BACKUP_DIR/teleport-$DATE.tar.gz" /var/lib/teleport
sudo tar -czf "$BACKUP_DIR/teleport-config-$DATE.tar.gz" /etc/teleport
# The archives contain the cluster CA private keys: restrict them to root
sudo chmod 600 "$BACKUP_DIR"/teleport-*"$DATE".tar.gz
# Keep only last 7 days
find "$BACKUP_DIR" -name "teleport-*.tar.gz" -mtime +7 -delete

12. Monitoring & Maintenance
Check Cluster Status
# View cluster status
sudo tctl status
# List connected nodes
sudo tctl nodes ls
# View active sessions
sudo tctl sessions ls
# View audit log
sudo tctl events --type=session.start --from="2024-01-01"

Monitor Logs
# View Teleport logs
sudo journalctl -u teleport -f
# Check for errors
sudo journalctl -u teleport --since "1 hour ago" | grep ERROR
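As an added example (not code from the original page or from the Teleport project), a small Python script that runs detection checks over the JSON-lines audit log written under audit_events_uri: it lists sessions opened with a privileged login, users with a burst of failed logins, and sessions that have started but not ended. The sample log lines are constructed, and the field names (event, user, login, success, sid, server_hostname) are assumed to follow Teleport's audit event format.

```python
import json
from collections import Counter

# Constructed sample of Teleport's JSON-lines audit log (one event per line in the
# directory given by audit_events_uri). Field names are assumed to follow the
# Teleport event format; all values are made up for this example.
SAMPLE_AUDIT_LOG = """\
{"event":"user.login","code":"T1000I","time":"2024-01-01T09:00:00Z","user":"admin","success":true,"method":"local"}
{"event":"session.start","code":"T2000I","time":"2024-01-01T09:01:00Z","user":"admin","login":"root","server_hostname":"teleport-node-1","sid":"s1"}
{"event":"user.login","code":"T1000W","time":"2024-01-01T09:02:00Z","user":"developer-user","success":false,"error":"invalid credentials"}
{"event":"user.login","code":"T1000W","time":"2024-01-01T09:02:10Z","user":"developer-user","success":false,"error":"invalid credentials"}
{"event":"user.login","code":"T1000W","time":"2024-01-01T09:02:20Z","user":"developer-user","success":false,"error":"invalid credentials"}
{"event":"session.start","code":"T2000I","time":"2024-01-01T10:00:00Z","user":"developer-user","login":"ubuntu","server_hostname":"server-node-1","sid":"s2"}
{"event":"session.end","code":"T2004I","time":"2024-01-01T10:30:00Z","user":"developer-user","sid":"s2"}
"""

# The developer role above only allows the ubuntu/developer logins, so any
# session opened as root is worth a review.
PRIVILEGED_LOGINS = {"root"}
FAILED_LOGIN_THRESHOLD = 3


def parse_events(text):
    """Parse JSON-lines audit events, skipping blank or torn (partially written) lines."""
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # the log is appended live; a torn last line is expected
    return events


def find_privileged_sessions(events):
    """(user, login, host) for every session.start that used a privileged login."""
    return [(e.get("user"), e.get("login"), e.get("server_hostname"))
            for e in events
            if e.get("event") == "session.start" and e.get("login") in PRIVILEGED_LOGINS]


def find_failed_login_bursts(events, threshold=FAILED_LOGIN_THRESHOLD):
    """Users with at least `threshold` failed user.login events (password guessing)."""
    failures = Counter(e.get("user", "?") for e in events
                       if e.get("event") == "user.login" and e.get("success") is False)
    return {user: n for user, n in failures.items() if n >= threshold}


def find_open_sessions(events):
    """Session ids with a session.start but no matching session.end yet."""
    started = {e["sid"] for e in events if e.get("event") == "session.start" and "sid" in e}
    ended = {e["sid"] for e in events if e.get("event") == "session.end" and "sid" in e}
    return sorted(started - ended)
```

Point parse_events at the contents of a file under /var/lib/teleport/log to run the same checks against a real cluster.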