
Teleport 2.0 Released: Modern SSH for clusters and teams - craigkerstiens
http://gravitational.com/blog/teleport_2.0_released/
======
puzzle
I seem to remember that the features now available as Enterprise-only were not
listed as such during development. Even if that's not the case, it's still a
bummer. And it really sucks having to go through a salesperson's spiel just to
get an idea of the costs. I hate it when companies don't post list prices on
their site. I'm also looking at you, Hashicorp, and your Vault Enterprise.

~~~
alexk
To be honest, it takes one email to get our pricing, and we mostly use it to
stay in touch and understand your use case better.

Thanks for the feedback, though. We will work on making it easier to get the
pricing and explain the split between the enterprise and OSS parts of Teleport
better.

~~~
artellectual
Actually, by not posting your price upfront, you are wasting time for both
you and the client. You see, if I have a budget for a solution of 60 USD and
your solution starts at 6000 USD, I know to look elsewhere. But if you don't,
what will happen is you will collect my email to "stay in touch" about a
product I have no use for, increasing my spam by 1. My email address in your
mailing list is wasting my inbox space and your time. In fact, your mailing
list is probably what you use to give your salesperson. But it's
counterproductive: instead of having 100 potential customers who have accepted
your pricing for your product, now you have 10000 people who may or may not be
interested. So now your sales staff have to spend time chasing up cold leads
instead of focusing on 100 customers whom they have a higher chance of
closing. So you see, by not posting the price you are causing harm to your own
sales pipeline and one more person to mark you as a spammer.

~~~
infinite8s
Chances are if you need to contact the company for pricing details their
product is not going to be in the sub-$100 range (or possibly even the
sub-$1000 range).

------
SEJeff
Here is a question for teleport developers:

Why teleport over kerberos + ssh? What can this provide that RHEL7 + a
kerberized LDAP like IPA + sssd already provides?

~~~
feld
Kerberos + ssh is amazing. I don't know why more people aren't aware of this
holy grail setup.

~~~
edgan
Kerberos is really complicated. I am currently setting up LDAP and have it
storing SSH keys, which is a far simpler setup.

~~~
feld
We do both. SSH keys are the backup if there's ever a Kerberos outage.

Also make sure to deploy the ssh keys somewhere the users can't write for
extra security. Don't allow them to control their own authorized_keys files!
:-)

------
twakefield
Hey HN, we (gravitational) are pretty excited about this release. We'll be
monitoring the thread in case you have any questions.

~~~
atonse
Hi twakefield, congrats on the release!

So does this seem like a typical use in an AWS VPC:

- SSH bastion server with public IP with security groups for each user

- Every other server only has private IPs, only allowing access between each
other and then the bastion server

How do you generate and store keys? Are you using something like Hashicorp's
Vault?

~~~
russjones
Hi atonse, Russell from Gravitational here.

As far as configuring your VPC, having the bastion (Proxy) as the only server
with a public address is reasonable. One of the nice things about Teleport is
that the Teleport Proxy itself doesn't have access to much, so exposing it to
the Internet is fine. The Auth Server is the one that holds sensitive
information, and we recommend you create a security group for it and only allow
it to be accessed from Teleport Proxies or Teleport Nodes.

With respect to keys, they are stored and accessed via the Auth Server in
Teleport. We recommend you have strong access controls on the Auth Server. If
you are using the default backend (BoltDB) or the directory-based backend, that's
all you need to do. If you are using etcd, we recommend you have strong access
controls on the server that runs etcd as well as on etcd itself; we have an
example in our Teleport repo for etcd configuration if you're interested [1].
If you are using DynamoDB, we recommend having a strong IAM policy. We are not
using Vault at the moment.

[1] https://github.com/gravitational/teleport/tree/master/examples/etcd

~~~
walrus01
> Teleport Proxy itself doesn't have access to much, so exposing it to the
> Internet is fine.

Yeah, this is a bad idea in general. If you have critical stuff you need to SSH
into from the public internet, keep it all in private IP space and have an
OpenVPN gateway (or IPsec VPN) with a public interface, and a private
interface facing inwards towards the hosts.

You should not even be able to _route_ to the IP of the thing you want to SSH
to unless you've authenticated to the VPN and your client device has been
handed out an IP in your RFC1918 IP space.

A machine like an OpenVPN gateway can also serve the purpose of getting you
access into an OOB network (example: a public-facing IP on a 100Mbps DIA
circuit you've bought from a totally diverse ISP in the same colo, with a
static /30), which has access into internal IP space devices such as serial
console servers and SSH bastion hosts.

Authenticate the clients by a unique public/private key pair per client
device. It's easy to revoke a specific device's key from the server side if needed.

~~~
rsync
"yeah this is a bad idea in general. If you have critical stuff you need to
SSH into from the public internet, keep it all in private IP space and have an
openvpn gateway (or IPSEC VPN) with a public interface, and a private
interface facing inwards towards the hosts."

That's a _ton of complexity_ when you could just run knockd on public facing
sshds and make them disappear that way.

It's extremely tight, simple code - consisting of a single binary - and it
never crashes or hangs.

No, I am not suggesting that you get rid of all of your keys and passwords and
_rely only on the knock_ for your security. (I have to write that because
response-comment-numero-uno will strawman that to death). Keep your keys and
passphrases in place and add the knock.

Port knocking is just the best thing.
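
For readers who have not seen knockd, here is an added example of the kind of configuration rsync's comment refers to; it is not rsync's own setup, and the knock sequence, timeouts, SSH port and iptables path are placeholders to change for your own hosts.

```conf
# /etc/knockd.conf (added example, not from the thread; knock sequence,
# timeouts and the SSH port are placeholders)
[options]
    UseSyslog

# One section opens port 22 for the knocking IP and closes it again after
# cmd_timeout seconds. The base firewall is assumed to already accept
# ESTABLISHED,RELATED traffic and to drop new connections to port 22, so an
# SSH session opened inside the window survives the rule being removed.
# -I puts the ACCEPT rule ahead of that default DROP.
[opencloseSSH]
    sequence      = 7000,8000,9000
    seq_timeout   = 5
    tcpflags      = syn
    start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    cmd_timeout   = 10
    stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
```

knockd observes the knock packets with libpcap, so the sequence ports themselves stay closed. As rsync says, this only hides sshd from scans; the knock sequence travels in the clear and anyone who can observe the path can replay it, so key authentication on sshd remains the control that actually decides who gets in.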

~~~
walrus01
Port knocking, what is this, 2002? Security through obscurity is not any form
of security at all. Properly implemented public / private key crypto is not
rocket science anymore.

~~~
rsync
As predicted.

The idea is, _in addition to the normal security measures you use with sshd_
you also hide the service with port knocking.

Nobody anywhere, at any time, has ever suggested using port knocking as the
sole means of securing your sshd.

~~~
anon263626
Port knocking and even some obscurity are valid additional layers of
defense-in-depth if combined with the fundamentals of A3E.

State actors can afford to spend millions on building/buying sploits for [insert
technology]. For example, use a different standard for the OS at the edges where
possible to reduce attack surface. Preferably scrub network traffic at the edges
(not just web traffic) and really lock down traffic to remote access boxes.

------
rsync
Did you know that you can do this:

    ssh -t user@machineB ssh user@machineA

That is, you can execute an ssh client command, over ssh. The '-t' option is
required.

~~~
X-Istence
The -t creates a terminal on the remote host, so in essence it is the same as
SSH'ing to machineB and then running the ssh command.

Even cooler is the use of SSH tunneling to set up a ProxyCommand.

~~~
secure
To expand on this, the reason why it’s “even cooler” is because you can use
keys to login (as opposed to password) without forwarding your ssh-agent
(which is a security risk).

I wrote more about this technique at
https://michael.stapelberg.de/Artikel/ssh-conditional-tunneling

In a nutshell:

    Host home
        Hostname home.zekjur.net
        ProxyCommand ssh -4 dualstack -W %h:%p

Then, “ssh home” will log into “home.zekjur.net” via an IPv4 connection
through “dualstack”. This is useful in environments where you don’t have IPv6
and your only use-case is SSH'ing home.
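
To make the security difference between the two approaches in this sub-thread concrete, here is an added ssh_config example (not from rsync's, X-Istence's or secure's posts; host names, addresses and the user name are placeholders). With `-W`, the bastion only forwards a raw TCP stream to the inner host's sshd, so the client authenticates to the inner host directly with its local key and nothing of the key or agent is ever exposed on the bastion. With `ssh -t bastion ssh internal`, the second ssh runs on the bastion and would need a key or forwarded agent there.

```conf
# ~/.ssh/config (added example, not from the thread; names and addresses are placeholders)

Host bastion
    HostName bastion.example.com
    User alice
    IdentityFile ~/.ssh/id_ed25519
    # The bastion never needs the agent; leave forwarding off.
    ForwardAgent no

# "ssh internal" opens a connection to the bastion, asks it to forward a TCP
# stream to %h:%p (the HostName and Port of this stanza), and then runs the
# full SSH handshake with internal's sshd over that stream. Host key checking
# and key authentication for internal happen on this client, not on the bastion.
Host internal
    HostName 10.0.1.20
    User alice
    IdentityFile ~/.ssh/id_ed25519
    ProxyCommand ssh -W %h:%p bastion

# Same effect with ProxyJump, which OpenSSH 7.3 and newer provide as a
# shorthand for the -W ProxyCommand above (assumption: client is 7.3+).
Host internal-via-jump
    HostName 10.0.1.20
    User alice
    IdentityFile ~/.ssh/id_ed25519
    ProxyJump bastion
```

Because each hop is an independent SSH session from the client, the known_hosts entry for 10.0.1.20 is checked by the client as well; a bastion that is later compromised cannot read the traffic to internal or reuse the client's credentials.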

------
robotmay
This is a very timely post for me, as I may have a very good use for Teleport
and I hadn't heard about it before :)

~~~
mdekkers
Have a look at JumpCloud.

------
pwarner
Is there an architecture overview for this case?

> Software vendors: they like Teleport for providing remote support of their
> products. Teleport can be used as a “remote control” to assist their
> customers with any issues of their software installed and running on-
> premise.

How does the customer control access to the app deployed on their premise?

Thanks!

~~~
alexk
Here's the overview of the feature we call "Trusted clusters"

http://gravitational.com/teleport/docs/2.0/admin-guide/#trusted-clusters

~~~
pwarner
Thanks, this is perfect. Will try it out!

------
bogomipz
Has anyone else used Teleport in production? I would be curious to hear any
feedback?

~~~
Operyl
I tried it during the 1.x phase, and at rest the daemons would eat a core :/.

~~~
russjones
Hi Operyl, Russell from Gravitational here.

We've made improvements in resource utilization for Teleport 2.0 and hunting
down any further resource utilization issues is definitely one of my focus
areas for Teleport 2.x.

If you run into issues like this again please reach out and send us your
teleport.yaml, we want to run these issues down and resolve them.

~~~
Operyl
Just difficult to want to deploy it all again, I guess. Especially since you
guys _still_ lack basic packages for common distributions.

~~~
bogomipz
That's unfortunate, thanks for the response.

------
technofiend
Have you guys considered buying Fox Technologies? Do you have a
compare/contrast between their ssh replacement and yours?

------
dagi3d
Anyone using it in production? How does it differ from other possible
products/solutions?

------
giantahead
This is awesome! Much interested to read audit results.

