
Teleport 2.3 Released - twakefield
http://gravitational.com/blog/teleport-release-2-3/
======
MildlySerious
> Before we dive into the 2.3 release notes, let us introduce Teleport to the
> new readers of this blog.

I can't thank you enough for this.

It's so frustrating when you open up a post from HN and find no description of
the product. Then you click on the company logo, end up on the homepage of the
blog and then have to manually edit the URL to get to the company's actual
front page. Which sometimes still doesn't explain the product.

~~~
ghgr
I often find myself going to Wikipedia to find out what the company is
supposed to do.

------
mfontani
> At the end of a successful login, tsh login command now sends the SSH
> certificate to an active SSH agent.

Will it ever be able to create, and use, a DIFFERENT agent?

I use [https://github.com/ccontavalli/ssh-ident](https://github.com/ccontavalli/ssh-ident)
in order to have a different agent per "kind" of hosts, so that if I mistakenly
ssh to Mallory's ssh server with my default agent, they won't be able to, say,
also pull all my private Github repos.

To use teleport as securely, I'd have to - again - concoct a script or
something to "pass through ssh-ident". This is tiresome :|

~~~
old-gregg
As you probably know, the agent is defined via environment variables, so
you're right, the same inconvenience would exist. BTW, have you looked into
configuring different per-host (or per-environment) credentials via
`~/.ssh/config`? Agent forwarding in general is often seen as a weak mechanism
to propagate trust and from Teleport's team perspective it's a backward
compatibility feature.

Speaking generally, Teleport solves a similar problem (trust propagation and
role-based access control for SSH) by not using public keys at all, and
instead issuing role-based certificates, i.e. enforcing corporate policies
like "developers must never touch production data" or cross-organizational
policies like "these contractors can only touch this sandbox").
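
The per-host-class agent setup discussed in this sub-thread, as an added example that is not from the post, from ssh-ident or from Teleport: a script that generates an OpenSSH client config in which each class of hosts talks to its own agent socket and only its own key, with agent forwarding off by default. The socket directory, the host patterns (`*.work.example`, `*.teleport.example`) and the key/certificate paths are assumptions; the Teleport entry assumes the tsh-issued certificate has been saved next to its key.

```shell
#!/bin/sh
# Added example (not the post's or Teleport's code): build an ~/.ssh/config
# that isolates agents per host class, so a key loaded for one class is never
# offered to, or forwarded through, a host of another class.
# Assumptions (hypothetical): socket paths under the given directory, the
# host patterns below, and the key/certificate file names.
set -eu

# Start one agent per class, bound to a predictable socket path.
# (Requires ssh-agent; not exercised by the self-check below.)
start_class_agent() {
  class="$1"; dir="$2"
  mkdir -p "$dir" && chmod 700 "$dir"
  ssh-agent -a "$dir/$class.sock" > /dev/null
}

# Write the client config. OpenSSH takes the first value found for each
# option, so the leading "Host *" block pins the safe defaults and the
# trailing "Host *" block only supplies a fallback agent for unmatched hosts.
gen_ssh_config() {
  out="$1"; agents="$2"
  cat > "$out" <<EOF
# Safe defaults for every host: no forwarding, only the listed identities.
Host *
    ForwardAgent no
    IdentitiesOnly yes

# Work hosts: their own agent and key, nothing else is ever offered.
Host *.work.example
    IdentityAgent $agents/work.sock
    IdentityFile ~/.ssh/id_work

# Teleport hosts: key plus the certificate issued by tsh login.
Host *.teleport.example
    IdentityAgent $agents/teleport.sock
    IdentityFile ~/.ssh/id_teleport
    CertificateFile ~/.ssh/id_teleport-cert.pub

# Anything else (e.g. a third party's server): an agent holding nothing
# but a throwaway key, so a hostile server learns nothing useful.
Host *
    IdentityAgent $agents/untrusted.sock
EOF
  chmod 600 "$out"
}
```

With OpenSSH 7.3 or newer, `ssh -G host` prints the effective `identityagent` for a given host and is a quick way to confirm which socket a host class resolves to.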

------
mrmondo
Certainly a very interesting product and something I see gaining increasing
popularity. I was wondering if there have been any publicly published
independent security reviews on the product / code, default configuration and
recommended configuration for production deployment?

(I did a quick search and checked the readme and nothing popped up but I may
have missed something while on my phone and commuting)

~~~
russjones
We had a security audit of Teleport performed by Cure53 with the release of
Teleport 2.2 which we released publicly. You can view the report here:

[https://cure53.de/pentest-report_teleport.pdf](https://cure53.de/pentest-report_teleport.pdf)

~~~
mrmondo
Fantastic! Thank you for taking the time to respond.

------
oneplane
I wonder why people want to move away from Kerberos and LDAP so bad... FreeIPA
works great!

------
LukeHoersten
I'd prefer an apt repo to the `make install` provided.

~~~
LukeHoersten
Spoke with them about this. They are working on getting into Deb repos but in
the meantime, teleport is a single binary so no need to worry about `make
install`. `cp` will work just fine.

------
CSDude
Would love to hear people’s experiences with Teleport, we are considering it
for security and audits.

~~~
twakefield
Let me know if you'd like me to try and introduce you to a couple of our
customers - taylor@

------
krn1p4n1c
This is awesome. Big fan of this product.

------
someone_iusr
Really excited for this.

