
Show HN: Teleport – SSH for Clusters and Teams - twakefield
http://gravitational.com/teleport/
======
gfloyd
This looks like a really cool project. I'm excited to see it develop.

How would authentication work with configuration management? I see that new
nodes are authenticated with a one-time token generated from the auth server,
but that seems like it could be tricky to implement in a dynamic cluster (like
an AWS auto scaling group).

~~~
alexk
Thanks! A one-time provisioning token helps a node connect and get a host
certificate signed by the right CA key. All further authentication happens
using OpenSSH host certificates. This also means that new nodes can simply
join the cluster as long as they have the right certs, not using provisioning
tokens at all. This allows you to have an external authority bootstrapping new
nodes without talking to the existing auth server.
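
The certificate flow described in that reply, as an added Go example (not Teleport's code, and not the golang.org/x/crypto/ssh library it builds on): the auth server signs an OpenSSH host certificate for a node's key, and a cluster member admits the node only after checking the certificate against the CA key it already trusts. The wire format is OpenSSH's `ssh-ed25519-cert-v01@openssh.com`, chosen only because ed25519 is in Go's standard library (a later comment in this thread notes that Go's SSH library lacked ed25519 support at the time); hostnames, serial numbers and validity periods are made up, and the one-time token exchange that precedes signing is left out.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Names from OpenSSH's PROTOCOL.certkeys; certificate type 2 means "host" (1 is "user").
const certAlgo, keyAlgo, hostCert = "ssh-ed25519-cert-v01@openssh.com", "ssh-ed25519", 2

// SSH wire format: big-endian integers and uint32-length-prefixed strings.
func putUint(b *bytes.Buffer, v uint64, size int) {
	var x [8]byte
	binary.BigEndian.PutUint64(x[:], v)
	b.Write(x[8-size:])
}
func putStr(b *bytes.Buffer, s []byte) { putUint(b, uint64(len(s)), 4); b.Write(s) }

// SignHostCert is the auth server's side: a node that has redeemed its one-time
// token gets its public key wrapped in a host certificate signed by the CA key.
func SignHostCert(ca ed25519.PrivateKey, nodeKey ed25519.PublicKey, serial uint64, keyID string,
	principals []string, notBefore, notAfter time.Time) []byte {
	var tbs, names, caBlob, sig bytes.Buffer
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil { panic(err) }
	for _, p := range principals { putStr(&names, []byte(p)) }
	putStr(&caBlob, []byte(keyAlgo))
	putStr(&caBlob, ca.Public().(ed25519.PublicKey))
	putStr(&tbs, []byte(certAlgo))
	putStr(&tbs, nonce)
	putStr(&tbs, nodeKey)
	putUint(&tbs, serial, 8)
	putUint(&tbs, hostCert, 4)
	putStr(&tbs, []byte(keyID))
	putStr(&tbs, names.Bytes())
	putUint(&tbs, uint64(notBefore.Unix()), 8)
	putUint(&tbs, uint64(notAfter.Unix()), 8)
	putStr(&tbs, nil); putStr(&tbs, nil); putStr(&tbs, nil) // critical options, extensions, reserved
	putStr(&tbs, caBlob.Bytes())
	putStr(&sig, []byte(keyAlgo))
	putStr(&sig, ed25519.Sign(ca, tbs.Bytes())) // the signature covers every byte written above
	putStr(&tbs, sig.Bytes())
	return tbs.Bytes()
}

// reader decodes the wire format with a sticky error, so callers check it once.
type reader struct {
	b   []byte
	err error
}

func (r *reader) take(n int) []byte {
	if r.err != nil || n < 0 || len(r.b) < n {
		r.err = errors.New("malformed certificate")
		return make([]byte, 8) // zero filler keeps the integer decoders in bounds
	}
	s := r.b[:n]
	r.b = r.b[n:]
	return s
}
func (r *reader) u32() uint32 { return binary.BigEndian.Uint32(r.take(4)) }
func (r *reader) u64() uint64 { return binary.BigEndian.Uint64(r.take(8)) }
func (r *reader) str() []byte { return r.take(int(r.u32())) }

// VerifyHostCert is the cluster's side. It returns the node key the cluster may now
// trust for host, but only if the certificate verifies under the CA we already trust
// (never under the key the certificate itself carries), is a host certificate, is
// inside its validity window and lists host as a principal.
func VerifyHostCert(raw []byte, trustedCA ed25519.PublicKey, host string, now time.Time) (ed25519.PublicKey, error) {
	r := &reader{b: raw}
	algo := string(r.str())
	r.str() // nonce
	nodeKey := ed25519.PublicKey(r.str())
	r.u64() // serial
	certType := r.u32()
	r.str() // key id
	names := &reader{b: r.str()}
	validAfter, validBefore := r.u64(), r.u64() // inclusive, exclusive (as in OpenSSH)
	r.str(); r.str(); r.str() // critical options, extensions, reserved
	caBlob := &reader{b: r.str()}
	caAlgo, caKey := string(caBlob.str()), caBlob.str()
	signedLen := len(raw) - len(r.b) // the signed region ends just before the signature field
	sig := &reader{b: r.str()}
	sigAlgo, sigBytes := string(sig.str()), sig.str()
	if r.err != nil || caBlob.err != nil || sig.err != nil || len(r.b) != 0 ||
		algo != certAlgo || caAlgo != keyAlgo || sigAlgo != keyAlgo {
		return nil, errors.New("malformed or unsupported certificate")
	}
	t := uint64(now.Unix())
	switch {
	case !bytes.Equal(caKey, trustedCA):
		return nil, errors.New("not signed by the cluster CA")
	case !ed25519.Verify(trustedCA, raw[:signedLen], sigBytes):
		return nil, errors.New("bad signature")
	case certType != hostCert:
		return nil, errors.New("not a host certificate")
	case t < validAfter || t >= validBefore:
		return nil, errors.New("outside validity window")
	}
	for len(names.b) > 0 && names.err == nil {
		if string(names.str()) == host {
			return nodeKey, nil
		}
	}
	return nil, errors.New("host not among certificate principals")
}

func main() {
	// Made-up hostname, serial and lifetime for the demonstration.
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	nodePub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	raw := SignHostCert(caPriv, nodePub, 1, "node-1", []string{"node-1.example.internal"}, now, now.Add(time.Hour))
	_, err := VerifyHostCert(raw, caPub, "node-1.example.internal", now)
	fmt.Println("node-1 admitted:", err == nil)
	_, err = VerifyHostCert(raw, caPub, "rogue.example.internal", now)
	fmt.Println("rogue admitted:", err == nil, "-", err)
}
```

The check that matters most is the one OpenSSH also makes: the signature is verified with the CA key the verifier already trusts, not with the key the certificate carries, because that embedded key is attacker-controlled input and only says which CA the issuer claims. A node whose certificate was signed by some other CA, has expired, or does not list the name it connects under is refused even though the cert is internally consistent.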

------
old-gregg
Hello everyone, the Teleport team is here to answer any questions.

Internally we use Teleport as a library to connect multiple clusters into a
structured system of doing ops with solid identity management, but we figured
it deserves to be its own tool, especially because so many larger companies in
the Valley have built something similar internally.

~~~
otterley
1) How does session archiving work with non-line-oriented applications? (e.g.
top and its brethren)

2) Does it ever capture passwords (or any other non-echoed characters) by
accident?

3) Does it require a TTY?

4) Can it multiplex sessions across multiple servers?

~~~
alexk
> 1) How does session archiving work with non-line-oriented applications?
> (e.g. top and its brethren)

We capture and replay the whole stream, so playback works well with
top/mc/emacs/vim etc.

> 2) Does it ever capture passwords (or any other non-echoed characters) by
> accident?

If you accidentally type in a password in your active session that will be
visible, session capture will record it, yes. We plan on encrypting everything
at rest just in case, though:

[https://github.com/gravitational/teleport/issues/262](https://github.com/gravitational/teleport/issues/262)

> 3) Does it require a TTY?

You'd need a PTY for interactive sessions; however, `exec` will work through ssh
just as well (as long as teleport talks vanilla SSH).

> 4) Can it multiplex sessions across multiple servers?

Yes, we just haven't exposed it in the UI yet.
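
The capture-and-replay model described in that reply, together with the encryption at rest that issue #262 proposes, as an added Go example that is neither Teleport's code nor its recording format: the PTY output stream is recorded chunk by chunk with timing, sealed with AES-GCM under a per-session key with the session ID bound as associated data, and replayed with the original pacing. The sample session bytes, the key handling and the session IDs are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"os"
	"time"
)

// Chunk is one write seen on the PTY output stream and when it happened.
type Chunk struct {
	Offset time.Duration // since the first byte of the session
	Data   []byte
}

// Recorder is an io.Writer: tee the PTY output into it (io.MultiWriter(conn, rec))
// and every byte, escape sequences included, is kept exactly as the client saw it.
type Recorder struct {
	start  time.Time
	Chunks []Chunk
}

func (rec *Recorder) Write(p []byte) (int, error) {
	if rec.start.IsZero() { rec.start = time.Now() }
	rec.Chunks = append(rec.Chunks, Chunk{time.Since(rec.start), append([]byte(nil), p...)})
	return len(p), nil
}

// Storage format: [offset ns uint64][len uint32][data], repeated.
func encode(chunks []Chunk) []byte {
	var b bytes.Buffer
	for _, c := range chunks {
		binary.Write(&b, binary.BigEndian, uint64(c.Offset))
		binary.Write(&b, binary.BigEndian, uint32(len(c.Data)))
		b.Write(c.Data)
	}
	return b.Bytes()
}

func decode(raw []byte) ([]Chunk, error) {
	var out []Chunk
	for len(raw) >= 12 {
		n := binary.BigEndian.Uint32(raw[8:])
		if uint64(len(raw)-12) < uint64(n) { break }
		out = append(out, Chunk{time.Duration(binary.BigEndian.Uint64(raw)), raw[12 : 12+n]})
		raw = raw[12+n:]
	}
	if len(raw) != 0 { return nil, errors.New("truncated recording") }
	return out, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key for AES-256
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal encrypts a finished recording for storage. The session ID is bound as
// associated data, so a blob cannot be quietly re-filed under another session;
// the random nonce is stored in front of the ciphertext.
func Seal(key []byte, sessionID string, chunks []Chunk) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, encode(chunks), []byte(sessionID)), nil
}

// Open reverses Seal. A flipped bit anywhere in the blob, a wrong key or a
// different session ID fails authentication before any plaintext is parsed.
func Open(key []byte, sessionID string, blob []byte) ([]Chunk, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	ns := gcm.NonceSize()
	if len(blob) < ns { return nil, errors.New("blob too short") }
	raw, err := gcm.Open(nil, blob[:ns], blob[ns:], []byte(sessionID))
	if err != nil { return nil, err }
	return decode(raw)
}

// Replay writes the chunks to out with their original pacing. sleep is a
// parameter so a player can fast-forward and a test can run instantly.
func Replay(chunks []Chunk, out io.Writer, sleep func(time.Duration)) error {
	var last time.Duration
	for _, c := range chunks {
		sleep(c.Offset - last)
		last = c.Offset
		if _, err := out.Write(c.Data); err != nil { return err }
	}
	return nil
}

func main() {
	// Constructed sample session: a prompt, then a full-screen redraw like top's.
	rec := &Recorder{}
	rec.Write([]byte("$ top\r\n"))
	rec.Write([]byte("\x1b[2J\x1b[H  PID USER   %CPU COMMAND\r\n 4242 alice   1.3 sshd\r\n"))
	key := make([]byte, 32)
	rand.Read(key)
	blob, _ := Seal(key, "session-0001", rec.Chunks)
	chunks, err := Open(key, "session-0001", blob)
	fmt.Println("opened:", err, "-", len(chunks), "chunks")
	Replay(chunks, os.Stdout, time.Sleep)
}
```

Recording the raw byte stream rather than lines is what makes full-screen programs replay correctly: the escape sequences that top or vim emit are stored and re-emitted unchanged. Binding the session ID as associated data means a stored blob only opens under the session it was filed as, and any modification of the ciphertext is rejected as a whole rather than yielding a partially corrupted transcript.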

~~~
otterley
Can you post a demo of multiplexing? That'd be extremely interesting.

Also, most importantly, are there man pages?

~~~
alexk
We'll work on the multiplexing demo, sure! Man pages are a good idea, we wrote
a bunch of docs:

[http://gravitational.com/teleport/docs/quickstart/](http://gravitational.com/teleport/docs/quickstart/)

but haven't packaged it all into man pages yet

------
dang
Also [https://www.lvh.io/posts/introducing-teleport.html](https://www.lvh.io/posts/introducing-teleport.html) via
[https://news.ycombinator.com/item?id=11356008](https://news.ycombinator.com/item?id=11356008).

------
pritambaral
This solves a problem we were looking at my last job: recording and replaying
sessions. Identity management and bastion setup are solved problems, but it is
nice to have an all in one package.

Of course, this raises a few security questions:

1. Do I have to run this as a server on every host I intend to ssh into? Or
can it use existing installations of openssh for that?

2. Is this re-inventing any authentication mechanism? If yes, how robust is it
and how thoroughly has it been tested? (I'm guessing not much right now, since
this isn't production ready yet, but the question will remain for a while.)

3. Do I have to use a different client? Or are existing ssh clients fully
sufficient? The article does mention compatibility with OpenSSH, but does not
give details. It also mentions using HTTPS as a transport instead of SSH, which
is concerning in the case of compatibility.

~~~
old-gregg
Sure:

1. You don't have to. [http://gravitational.com/teleport/docs/admin-guide/#using-te...](http://gravitational.com/teleport/docs/admin-guide/#using-teleport-with-openssh)

2. It uses existing SSH protocol features, that's why OpenSSH clients and
servers are fully compatible.

3. See above. Regular `ssh` will work, but `tsh` may be a bit more
convenient.

4. HTTPS is used to perform 2nd factor authentication initially. Once you've
received your session key, it switches to SSH for the duration of a session.

Edit: formatting

~~~
pritambaral
Why do I need to add keys to my local authorized_keys file in order to ssh
out? Does Teleport shell into MY computer?! That is a bit fishy...

------
s0l1dsnak3123
This looks great. How feasible would it be to have server and tag data
synchronized between Teleport and AWS?

~~~
old-gregg
Dynamic tags are implemented as external processes that run on schedule, and
their stdout becomes the value of a tag. So if you have, say, a CLI command
which spits out the AWS labels of a node, hook it up and they'll appear as
Teleport tags.
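
One way the node-side hook described in that reply (an external process whose stdout becomes a tag value) can be implemented, as an added Go example rather than Teleport's code: each label is an exact argv with no shell in between, runs under a timeout, and a failing or hanging command keeps the last good value and records the error instead of publishing an empty label. The label names, commands and periods are made up; a real command would query something like the cloud provider's instance metadata service.

```go
package main

import (
	"bytes"
	"context"
	"fmt"
	"os/exec"
	"strings"
	"sync"
	"time"
)

// LabelCommand is one dynamic label: the node daemon runs Argv every Period and
// the trimmed stdout becomes the label's value.
type LabelCommand struct {
	Name    string
	Argv    []string // program plus arguments, never a shell string, so values cannot be injected via $(...)
	Period  time.Duration
	Timeout time.Duration
}

const maxValueLen = 256 // the value is published to the auth server, so keep it bounded

// Labels holds a node's current dynamic label values and the last error per label.
type Labels struct {
	mu     sync.Mutex
	values map[string]string
	errs   map[string]error
}

func NewLabels() *Labels {
	return &Labels{values: map[string]string{}, errs: map[string]error{}}
}

// RunOnce executes cmd once. On success the value is replaced; on failure or
// timeout the previous value is kept and the error is recorded next to it, so a
// transient metadata outage does not drop the node out of label-based views.
func (l *Labels) RunOnce(ctx context.Context, cmd LabelCommand) error {
	ctx, cancel := context.WithTimeout(ctx, cmd.Timeout)
	defer cancel()
	var stdout, stderr bytes.Buffer
	c := exec.CommandContext(ctx, cmd.Argv[0], cmd.Argv[1:]...) // killed when ctx expires
	c.Stdout, c.Stderr = &stdout, &stderr
	err := c.Run()
	l.mu.Lock()
	defer l.mu.Unlock()
	if err != nil {
		l.errs[cmd.Name] = fmt.Errorf("label %q: %w (stderr: %q)", cmd.Name, err, strings.TrimSpace(stderr.String()))
		return l.errs[cmd.Name]
	}
	value := strings.TrimSpace(stdout.String())
	if len(value) > maxValueLen {
		value = value[:maxValueLen]
	}
	l.values[cmd.Name] = value
	delete(l.errs, cmd.Name)
	return nil
}

// Run keeps cmd refreshed on its period until ctx is cancelled.
func (l *Labels) Run(ctx context.Context, cmd LabelCommand) {
	ticker := time.NewTicker(cmd.Period)
	defer ticker.Stop()
	l.RunOnce(ctx, cmd)
	for {
		select {
		case <-ctx.Done():
			return
		case <-ticker.C:
			l.RunOnce(ctx, cmd)
		}
	}
}

// Get returns the current value, whether one exists, and the last refresh error if any.
func (l *Labels) Get(name string) (value string, ok bool, lastErr error) {
	l.mu.Lock()
	defer l.mu.Unlock()
	value, ok = l.values[name]
	return value, ok, l.errs[name]
}

func main() {
	// Made-up label commands; "echo" stands in for a metadata query and "sleep" for a hung one.
	labels := NewLabels()
	region := LabelCommand{Name: "region", Argv: []string{"echo", "us-east-1"}, Period: time.Minute, Timeout: 5 * time.Second}
	hung := LabelCommand{Name: "role", Argv: []string{"sleep", "30"}, Period: time.Minute, Timeout: 200 * time.Millisecond}
	fmt.Println(labels.RunOnce(context.Background(), region))
	fmt.Println(labels.Get("region"))
	fmt.Println(labels.RunOnce(context.Background(), hung))
}
```

Because label commands run as the node daemon, they deserve the same care as any other privileged hook: a fixed argv rather than a shell line, a timeout so one stuck command cannot wedge the refresh loop, and a cap on the value so an unexpected multi-kilobyte stdout does not end up in every node listing.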

------
microcolonel
One thing of note: though they do say it's "fully compatible with OpenSSH", it
is not compatible with ed25519 keyed SSH, as Golang SSH does not support it.

Otherwise looks like a cleverly designed system. Being able to use a standard
terminal emulator to connect would be nice though.

~~~
alexk
Hey, good catch - "fully compatible" was an overstatement, so we've updated
the landing page!

------
visarga
Can teleport run the same command on a group of servers, then collect the
output and prefix it with the name of the server it came from? For example we
could run a "df" on a batch of servers and see if they have enough free space,
all in one line.

~~~
mikeokner
Ansible-shell can do that. ([https://github.com/dominis/ansible-shell/blob/master/README....](https://github.com/dominis/ansible-shell/blob/master/README.md))

------
Shamiq
Awesome project! This is a step in the right direction for better access
management.

------
en4bz
How is this any different from the very common LDAP + Kerberos + RADIUS
solution that is usually deployed in large companies? This seems like it's
re-inventing things that already exist and have been used successfully for
years. It seems to me that a tool that makes deployment of LDAP/RADIUS/Kerberos
easier would be more practical.

~~~
aren
Congrats to the Gravitational team on teleport! LDAP/RADIUS/etc. are often
useful only for internal employee access. Teleport brings (among other things)
a new level of flexibility for secure remote management (say, by a vendor
perhaps), so I don't see it as a replacement for the traditional auth
protocols.

In terms of making LDAP/RADIUS easier, well, we're a YC company that does just
that! Foxpass (S15) [https://www.foxpass.com/](https://www.foxpass.com/).

------
felipebrnd
Looks like an amazing tool to have.

With it, would one be able to connect only through the web console? (I couldn't
find it in the docs.)

~~~
alexk
Hey, thanks!

You can connect using a standard ssh client:

[http://gravitational.com/teleport/docs/admin-guide/#using-te...](http://gravitational.com/teleport/docs/admin-guide/#using-teleport-with-openssh)

or use the little tsh tool we wrote:

[http://gravitational.com/teleport/docs/user-manual/#interact...](http://gravitational.com/teleport/docs/user-manual/#interactive-shell)

They all work well, as it's all standard SSH protocol behind the scenes.

------
visarga
It would be nice if it made backups of small files uploaded/deleted/modified
through SFTP. That, along with the session history, would allow recovery from
accidental deletion or overwrite (time machine for small files edited by
hand).

~~~
alexk
We don't support SFTP (yet), but we emulate SCP, so we can do the backup and
upload for sure. We had this use case in mind when building the SCP feature set.
Where would you like to push files (e.g. S3)?

------
pmuk
Is this compatible with deployment automation systems like Ansible? Do you
have any plans to write an Ansible Galaxy role for installation?

~~~
alexk
Sure, Ansible works in its OpenSSH client mode, check out

[https://gravitational.com/teleport/docs/admin-guide/#using-t...](https://gravitational.com/teleport/docs/admin-guide/#using-teleport-with-openssh) - Ansible section

We are also thinking about deeper integration with state of the art automation
and deployment tools.

------
philsnow
This name ("teleport") is really close to this other piece of software, which
looks to be very much in the same space:
[https://github.com/petar/goteleport](https://github.com/petar/goteleport)

------
ukd1
Looks awesome! Does it support mosh by any chance?

~~~
alexk
Thanks! I don't think teleport will work with mosh, as mosh uses a custom
UDP-based protocol that we'd have to support; however, if we get lots of feature
requests for it, we'll definitely consider implementing it!

------
peterwwillis
So, they implemented Active Directory/RADIUS, a terminal proxy, screen, and a
web gui? Does this not seem to anyone else like a weird mix of features for
one tool?

~~~
noobermin
Perhaps the mix into one tool is what makes it novel?

I'll be honest, my first knee-jerk, HN conditioned, reaction to this was
similar to yours, but I've been trying to temper my first reactions,
especially when they are negative.

Not the most central thing, but something that put me off a little was that
they offer a command to filter the listings...had these people never heard of
grep? The playback of terminal sessions is cool though, although I swear I've
seen someone else do that somewhere...

~~~
abstractbeliefs
Perhaps the playback tool you're thinking of is asciinema?
[https://asciinema.org/](https://asciinema.org/)

~~~
noobermin
Yup, that is it.

