
Teleport 1.3 adds support for SSH authentication with U2F keys - twakefield
http://gravitational.com/blog/teleport-now-supports-u2f/
======
sandstrom
A somewhat related tool is Vault SSH Helper:
[https://github.com/hashicorp/vault-ssh-helper](https://github.com/hashicorp/vault-ssh-helper)

It provides an audit log (without session history/playback) and one-time
passwords for login. It avoids copying of ssh certificates to every host,
similar to teleport.

One nice advantage with Teleport is the recording of sessions. On the other hand,
I like how Vault's tool uses standard ssh on the client side.

Some type of merge between the two would be a dream :D

~~~
alexk
BTW you can use Teleport with standard SSH clients as well:

[http://gravitational.com/teleport/docs/admin-guide/#using-teleport-with-openssh](http://gravitational.com/teleport/docs/admin-guide/#using-teleport-with-openssh)

tsh can work in agent mode, or you can generate certificates yourself.

------
provost
Curious if anyone here has hands-on experience with Teleport, and would mind
providing a review?

~~~
mcx
Same, would love to hear someone's thoughts on using this in production,
especially compared to BLESS by Netflix
([https://github.com/Netflix/bless](https://github.com/Netflix/bless)).

~~~
Karunamon
Unfortunately, it doesn't appear BLESS is an option if you want to keep your
authentication stuff behind your firewall.

~~~
pquerna
You might be interested in ScaleFT; we offer our product in a behind-the-firewall
edition with similar goals/features to BLESS:

[https://www.scaleft.com/product/](https://www.scaleft.com/product/)

(I'm a ScaleFT co-founder)

------
sandGorgon
How does one combine something like teleport with policies and audit logging?
I'm referring to the recent controversy around Uber employees playing with
sensitive data.

Can you use Teleport (or anything else really) to enforce access policies and,
most importantly, audit logging? Especially when combined with hardware tokens
like U2F keys, etc.

~~~
alexk
We've recently added RBAC in master to provide a bit more fine-grained access
to various user roles:

[https://github.com/gravitational/teleport/issues/620](https://github.com/gravitational/teleport/issues/620)

This will be out in the 1.5 release. Using this RBAC you can deny access to
machines based on a user's role (e.g. prevent developers from accessing nodes
labelled as DB) and limit their logins to unprivileged users.

But this works on a server level, not on DB/connection level. Teleport's audit
logs will help to inspect the event after the fact, however to prevent data
exfiltration one needs to deploy a solution that oversees SSH, TLS and all
other possible connections to enforce policies on all possible data paths.

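The label-based deny described above, sketched as an added Go example (this is not Teleport's code; the Labels and Role types, the "*" wildcard and the sample roles are constructed for illustration):

```go
package main

import "fmt"

// Labels are a node's key=value pairs (e.g. env=prod, role=db); hypothetical types for this example, not Teleport's.
type Labels map[string]string

// Role allows the listed OS logins on nodes whose labels satisfy NodeLabels.
type Role struct {
	NodeLabels Labels
	Logins     []string
}

// Constructed sample roles: developers get only the unprivileged "deploy" login on env=dev nodes; DBAs may be root on role=db nodes.
var (
	Developer = Role{NodeLabels: Labels{"env": "dev"}, Logins: []string{"deploy"}}
	DBA       = Role{NodeLabels: Labels{"role": "db"}, Logins: []string{"postgres", "root"}}
)

// labelsMatch: every selector in want must be present in have; a "*" value matches any node carrying the key.
func labelsMatch(want, have Labels) bool {
	for k, v := range want {
		if got, ok := have[k]; !ok || (v != "*" && v != got) {
			return false
		}
	}
	return true
}

// CanLogin is a default-deny check: access only if some role matches the node's labels and lists the login.
func CanLogin(roles []Role, node Labels, login string) bool {
	for _, r := range roles {
		if !labelsMatch(r.NodeLabels, node) {
			continue
		}
		for _, l := range r.Logins {
			if l == login {
				return true
			}
		}
	}
	return false
}

func main() {
	db := Labels{"env": "prod", "role": "db"}
	fmt.Println(CanLogin([]Role{Developer}, db, "root")) // false: developers never reach DB nodes
	fmt.Println(CanLogin([]Role{DBA}, db, "root"))       // true
}
```
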
~~~
sandGorgon
Is there any documentation about your audit logs? In general, most startups
will be more inclined towards detailed audit logging than upfront security for
their developers.

Would your logs also trap all commands that were executed after logging in?
How do you tie an SSH session to the activity of that session?

~~~
alexk
We don't have detailed docs on our audit logs yet.

Here's a short description:

Teleport's SSH servers capture PTY output and send logs to the audit server
along with session metadata.

Every SSH session has a unique identifier, the Teleport users who participated
in this session, and the captured activity.

Sessions (structured events) and audit logs can be stored in various sources;
for example, we recently implemented SumoLogic for audit events and S3 for
session recordings, so that some of our customers can upload and store this
information.

Obviously, you could do various things (especially if you are root) to tamper
with this system. For these use cases I would use something like
[https://github.com/draios/falco](https://github.com/draios/falco) to capture
all application-level activity.

~~~
sandGorgon
This is awesome! Would love to see a doc for detailed audit logging when you
have one up.

This in itself is a killer app!

EDIT: one more request, please make your docs/makefile a little more beginner
friendly. For example, your get-started page (or your makefile target) does
not have systemd targets in place. I _think_ you guys take care of the necessary
selinux permissions inside the code, but I'm not sure if it does so for
/var/lib/teleport. It might be useful to consider using ansible (which will
make this very practical for devops).

~~~
alexk
Thanks for your feedback, I've created an issue to track:

[https://github.com/gravitational/teleport/issues/677](https://github.com/gravitational/teleport/issues/677)

Docs will be out with the 1.5 release.

------
tokenizerrr
What about access control? I'd like to assign which user gets to access which
server.

~~~
twakefield
RBAC should land in mid-January:
[https://github.com/gravitational/teleport/issues/620](https://github.com/gravitational/teleport/issues/620)

~~~
tokenizerrr
Awesome! Thanks for pointing me to that issue. Will re-evaluate then,
hopefully it shouldn't be too difficult to integrate into my existing setup.
Some kind of LDAP support (or pluggable scripts) would be fantastic.

~~~
twakefield
Yes, we'll also write up some sample identity provider integrations.

~~~
tokenizerrr
Really looking forward to this. Teleport with RBAC + U2F should be really
good. Thanks for your continued work!

------
flyinprogramer
Super stoked about this release!

Minor nitpick Sasha:

Now we are happy to announce that Teleport natively supports the Universal
Second Factor (UTF).

Should probably be:

Now we are happy to announce that Teleport natively supports Universal 2nd
Factor (U2F).

~~~
alexk
Good catch, fixed!

------
agwa
What's the advantage of using U2F for SSH compared to using public-key
authentication with a password-protected smart card (e.g. a Yubikey 4)? I can
think of one big disadvantage, which is that with U2F the password has to be
shared with the remote end, which is inferior to a password that never leaves
the local device.

~~~
alexk
Sasha, one of the Teleport authors here.

Not sharing the password is definitely an advantage in this use case.

On the other hand, thanks to the password + 2nd factor flow, Teleport creates
unified Web and CLI SSH access using the same set of credentials.

In addition to that, Teleport relies on short-lived certificates rather than
public keys, so they don't need to be explicitly revoked or copied to every
box.

~~~
agwa
Thanks for the reply. The unified set of credentials makes a lot of sense.

Short lived certs are nice too. You can issue short-lived certificates for
keys stored on smart cards as well.

~~~
alexk
Sure thing, but then you'd need to authenticate/authorize first to get a
proper set of principals and TTL; that's why Teleport authz works in a more
traditional "web app" way.

