
Teleport 4.3: Modern Replacement for OpenSSH - gk1
https://gravitational.com/blog/introducing-teleport-4-point-3-modern-replacement-for-openssh/
======
akerro
Why is this "modern replacement for OpenSSH" when people use ssh specifically
because it's so simple and doesn't have webui? There have been many ssh webuis
in the last decade, none of them were "replacements" of ssh, just wrappers for
people scared of terminals. What exactly does it do that 20 other ssh wrappers
(or even portainer for containers) don't?

~~~
chucky_z
It's really slick, and provides a client/server architecture with a bunch of
extra security on-top. It generates 1:1 certificates between the api layer and
the clients, using a full auth service.

I deployed it at a previous position and stopped SSH across all hosts
entirely, and just used this.

It rotated all its own certificates every 4 hours, and each SSH connection
used a unique certificate.

I never had any issues with it, and I had the web UI straight up exposed to
the internet. It enforces TOTP, and user management with the OSS stuff is
pretty trivial.

It also did something really cool, which is that I had multiple bastions
federated together through a single API, instead of having singular multiple
bastions. This meant no configuration to access hosts between prod/stage/test,
all a single entry point, it was awesome.

I don't use it today in my current position for a number of reasons, but if I
were to go back to a smaller company and had the choice, I would deploy it
with no hesitation.

------
lucb1e
Aside from shivering at the mention of "Web UI", I don't quite get what this
does that SSH doesn't. The landing page is super useless, and the blog post
doesn't exactly explain why a VPN service (since it "removes the need for
VPN", it's a VPN) is a replacement for ssh.

Like, "glorious portal radiating encrypted beams into all of your clouds and
smart devices", umm yeah okay.

~~~
mcpherrinm
Seems like this mainly notes changes in this release.

[https://gravitational.com/teleport](https://gravitational.com/teleport) is
the landing page with more feature details.

I think a short list of features interesting to me is:

* SSH CA integrated with whatever SSO you have, removing need to distribute SSH authorized_keys files.

* SSH Bastion & Server with audit logging. Record sessions, who did what. Needed for many security-sensitive environments.

* Reverse-tunnel mode, where devices without public IPs (or a vpn) can connect to your bastion server. Useful if you're deploying computers "in the field" that you want remote access to, without needing additional VPN or port forwarding, etc.

~~~
stinkytaco
> Reverse-tunnel mode, where devices without public IPs (or a vpn) can connect
> to your bastion server.

This may be a ridiculous question, but what's wrong with a VPN in this
scenario? Or even a SOCKS proxy, which is already widely deployed and
supported? You say "without needing additional VPN or port forwarding", but
I'm curious what advantages it offers over using a VPN.

~~~
mcpherrinm
Just extra pieces to manage. With a VPN, now you need to start worrying about
firewall rules (do you isolate clients? What internal resources do they get
access to?), IP assignment (now you need to run a DHCP server, or handle
static IP allocations). What subnets do you use for your VPN, and what happens
if they conflict with the network at some of your locations? Or maybe buy a
VPN appliance to do that for you. Then you need to handle VPN
authentication...

Lots of that is largely un-needed effort. If you just want to be able to SSH
into computers, it's simpler to just have your ssh server connect back.

At small scale, where an ops team can keep track of all the computers
individually? yeah, VPN is probably fine, especially if you've already got
one. But I think these days, a lot of people are looking at avoiding VPNs
outright.

~~~
jon-wood
These complications are particularly relevant if you're managing a fleet of
devices on networks you don't control, such as on-prem versions of SaaS
systems, or consumer IoT devices. In that situation you definitely don't want
the device to be sitting around with a back door into your network, and subnet
conflicts are often impossible to resolve.

------
jon-wood
For all the people complaining about the web UI, it’s optional, Teleport also
has a CLI and if you really want to you can use OpenSSH as the client.
Teleport’s benefit isn’t really the web UI, it’s the fact it manages a
certificate authority for authentication, hooked into the same authentication
used for other things, and full audit logging of what people are doing via
SSH.

------
AshamedCaptain
"modern replacement for X" looks to me like about the worst title one could
choose for advertising a product.

In networking (and a bit everywhere in engineering) people seem to associate
"modern" with negatives, at least as a first impression; so if the tagline you
try to sell your product is only "Modern replacement of X", it likely starts
at -1 in the minds of most of your targets.

------
scarygliders
Why!?!?

Why do people do this!?

If I want to ssh, I'll use ssh. I do not want or need a "web UI" in or for my
ssh client.

Is it because I'm getting old? Do I not understand why these darn kids do what
they do? Or has my 51 years on this planet taught me that the KISS principle
reigns supreme and that "those who don't learn from history, are doomed to
repeat it"?

Is it, in fact, just me who is mildly abhorred by this? Grimacing like Clint
Eastwood from Gran Torino?

~~~
dljsjr
Teleport solves SSH'ing in to a ton of machines on private networks from
outside the private network. Teleport handles the auth at its entry point, so
you don't need a keypair for every node in your cloud. Just one for Teleport.
That's the short pitch.

You can do the same thing w/ a VPN and a good secret store. But Teleport is
just another way of doing it and it has some nice tools around it for folks
that want it :shrug:

~~~
throw0101a
> _Teleport handles the auth at its entry point, so you don't need a keypair
> for every node in your cloud. Just one for Teleport._

From ssh(1):

         -J destination
                 Connect to the target host by first making a ssh connection to
                 the jump host described by destination and then establishing a
                 TCP forwarding to the ultimate destination from there.  Multiple
                 jump hops may be specified separated by comma characters.  This
                 is a shortcut to specify a ProxyJump configuration directive.

Auth to the jump/bastion host and then have key(s) on that, or tunnel back the
internal auth requests over to your desktop via ssh-agent(1) forwarding:

* [http://www.unixwiz.net/techtips/ssh-agent-forwarding.html#fw...](http://www.unixwiz.net/techtips/ssh-agent-forwarding.html#fwd)

* [https://www.cloudsavvyit.com/25/what-is-ssh-agent-forwarding...](https://www.cloudsavvyit.com/25/what-is-ssh-agent-forwarding-and-how-do-you-use-it/)

~~~
cronos
There are a few differences between an OpenSSH jump host and Teleport:

* you have to actively manage authorized_keys for every person using openssh; Teleport manages a PKI and can be backed by your existing SSO

* it's hard to restrict any given user to a subset of hosts (e.g. only allow select few to access prod database); Teleport has RBAC

* hosts with Teleport also get SSH certificates, so you don't need to trust-on-first-use (which everyone has been conditioned to ignore)
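
Putting the OpenSSH side of these points together (a CA instead of per-user authorized_keys, short-lived per-session user certificates, restricting which principals may reach which host, host certificates instead of trust-on-first-use, and the -J/ProxyJump hop through a bastion mentioned above): all of it can be done with stock ssh-keygen, sshd_config and ssh_config. The script below is an added example written for this page, not Teleport's code and not something any commenter posted; the working directory, CA name, hostnames, principals, serials and the 4-hour lifetime are assumptions for illustration. What plain OpenSSH does not provide is the piece that issues the user certificate automatically after an SSO login, or session recording; those are the features the thread attributes to Teleport.

```shell
#!/bin/sh
# Added example: a minimal OpenSSH user/host certificate authority.
# Everything under $WORK (paths, CA name, hostnames, principals) is assumed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. Create the CA keypair. Its public half is the only trust anchor hosts and
#    clients need; no per-user authorized_keys, no per-host known_hosts entries.
make_ca() {
    [ -f "$WORK/ca" ] || ssh-keygen -q -t ed25519 -N '' -C 'example-ssh-ca' -f "$WORK/ca"
    printf '%s\n' "$WORK/ca"
}

# 2. Issue a short-lived user certificate. Principals are the names the host
#    will match against AuthorizedPrincipalsFile; -V '-5m:+4h' makes it valid
#    from 5 minutes ago (clock skew) until 4 hours from now, so a cert per
#    session expires on its own. The -O flags drop forwarding extensions.
issue_user_cert() {
    user="$1"; principals="$2"; serial="$3"
    ssh-keygen -q -t ed25519 -N '' -C "$user" -f "$WORK/$user"
    ssh-keygen -q -s "$WORK/ca" -I "$user@example" -n "$principals" \
        -V '-5m:+4h' -z "$serial" \
        -O no-port-forwarding -O no-agent-forwarding \
        "$WORK/$user.pub"
    printf '%s\n' "$WORK/$user-cert.pub"   # ssh-keygen writes <key>-cert.pub
}

# 3. Issue a host certificate (-h) so clients verify the host against the CA
#    instead of accepting an unknown key on first use.
issue_host_cert() {
    host="$1"; serial="$2"
    ssh-keygen -q -t ed25519 -N '' -C "$host" -f "$WORK/host_$host"
    ssh-keygen -q -s "$WORK/ca" -I "$host" -h -n "$host" -V '-5m:+52w' \
        -z "$serial" "$WORK/host_$host.pub"
    printf '%s\n' "$WORK/host_$host-cert.pub"
}

# 4. sshd side: trust user certs from the CA, present the host cert, and map
#    cert principals to local accounts. With %u, principals/<account> lists the
#    principals allowed to log in as that account, which is the per-host
#    restriction a plain jump host lacks. (Assumed: only "deploy" may be www.)
write_sshd_config() {
    host="$1"
    mkdir -p "$WORK/principals"
    printf 'deploy\n' > "$WORK/principals/www"
    cat > "$WORK/sshd_config.$host" <<EOF
TrustedUserCAKeys $WORK/ca.pub
HostKey $WORK/host_$host
HostCertificate $WORK/host_$host-cert.pub
AuthorizedPrincipalsFile $WORK/principals/%u
EOF
    printf '%s\n' "$WORK/sshd_config.$host"
}

# 5. Client side: one @cert-authority line replaces every known_hosts entry for
#    the domain, and ProxyJump (the -J shown above) hops through the bastion.
write_client_config() {
    user="$1"
    printf '@cert-authority *.example.internal %s\n' "$(cat "$WORK/ca.pub")" \
        > "$WORK/known_hosts"
    cat > "$WORK/ssh_config" <<EOF
Host bastion
    HostName bastion.example.internal
    IdentityFile $WORK/$user
    CertificateFile $WORK/$user-cert.pub
    UserKnownHostsFile $WORK/known_hosts
Host *.example.internal !bastion.example.internal
    ProxyJump bastion
    IdentityFile $WORK/$user
    CertificateFile $WORK/$user-cert.pub
    UserKnownHostsFile $WORK/known_hosts
EOF
    printf '%s\n' "$WORK/ssh_config"
}

# Inspection helpers built on ssh-keygen -L, the command to check what a cert
# actually grants before trusting it.
cert_type() { ssh-keygen -L -f "$1" | awk '/Type:/ {print $(NF-1)}'; }   # user|host
cert_serial() { ssh-keygen -L -f "$1" | awk '/Serial:/ {print $2}'; }
cert_principals() {
    ssh-keygen -L -f "$1" \
        | awk '/Principals:/ {f=1; next} /Critical Options:/ {f=0} f {print $1}' \
        | tr '\n' ',' | sed 's/,$//'
}
```

Usage: `make_ca; C=$(issue_user_cert alice alice,deploy 1); cert_principals "$C"` prints `alice,deploy`. The part worth checking in practice is the sshd config: without AuthorizedPrincipalsFile (or `principals=` in authorized_keys) any principal in a CA-signed cert is accepted as the matching username, so the "who may reach which host" question is answered by that file, not by the CA.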

------
johnklos
There's little more than marketing bull on that site. Web user interface? No
need for VPN? They precisely miss the whole reason for ssh. It's as if they
have no clue what ssh is or does.

~~~
adamzegelin
> It's as if they have no clue what ssh is or does.

It's marketing speak geared towards managers who have no idea what SSH is or
does.

------
benarent
Hey HN! I'm Director of Product for Teleport, and that does include CLI and YAML
experience. This is a bumper release, with a bunch of fixes
[https://github.com/gravitational/teleport/releases/tag/v4.3....](https://github.com/gravitational/teleport/releases/tag/v4.3.0),
even for OpenSSH users using Teleport in Recording Proxy mode.

As always, I love some HN comments. While you do need a running proxy, you can
use Teleport without ever having to use the UI.

Here to answer any questions.

~~~
skratlo
Hey, tell your marketing people that they did a really poor job. Taking a stab
at everyone's beloved ssh? Calling your offering a replacement for it?!
Daring! No wonder you're getting all that hate here on HN

~~~
benarent
We love OpenSSH, and you can even set up Teleport in Recording mode.
[https://gravitational.com/teleport/docs/architecture/telepor...](https://gravitational.com/teleport/docs/architecture/teleport_proxy/#recording-proxy-mode)

but there are many good reasons to use the Teleport Library.
[https://gravitational.com/blog/openssh-vs-teleport/](https://gravitational.com/blog/openssh-vs-teleport/)

------
rob-olmos
I wish RBAC was part of core rather than a paid addon. Oh well.

~~~
benarent
Hey Rob, we are considering this. Send me mail, it would be good to get more
feedback: ben@gravitational.com

------
jle17
For those who are looking for a simple ssh bastion but have no need for all of
Teleport features, there is also
[https://github.com/moul/sshportal](https://github.com/moul/sshportal).
Administration and registration is done through ssh, with no need for a
special client or a web ui, and the whole thing is just a single binary which
stores its configuration in sqlite (by default).

------
solotronics
Is this compatible with SCP?

~~~
benarent
Yes [https://gravitational.com/teleport/docs/user-manual/#copying...](https://gravitational.com/teleport/docs/user-manual/#copying-files)

but beware of SCP [https://gravitational.com/blog/scp-familiar-simple-insecure-...](https://gravitational.com/blog/scp-familiar-simple-insecure-slow/)

~~~
solotronics
Interesting. Thanks!

------
markhahn
bleah. solving made-up problems.

~~~
webvictim
The problems are very real if you work at any large organisation which has
compliance requirements.

