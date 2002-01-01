Same here. If SpaceX can openly advertise their prices, then so can you.
This kind of attitude really rubs me the wrong way. On follow up from their sales I simply told them I opted for an open source UI from Github.
While I want to support the work Hashicorp are doing, I want to be treated as someone who understands that I don't need to spend money on the product. It's a concern to me that as these open source projects find ways to monetise they start to slowly make their way back to the type of ecosystem that I wanted to avoid in the first place.
Thanks for feedback though, we will work on making it easier to get the pricing and explain the split between enterprise and OSS parts of teleport better.
It instantly makes me think "this will be expensive" and "if I call and it's not right for me, I'll be getting hassled by sales people forever more"
Now, neither of these things may be true for your software, but people who've experienced the pain of buying "enterprise" software before will likely be put off by this approach.
It also gives the impression that pricing isn't fixed and that the sales process will involve lots of haggling, which also puts people who don't like haggling off.
If you're selling to only Fortune 100s, that's fine. If you're aiming a little lower than that, not giving a public price of some kind up front is driving away a lot of potential customers.
Why teleport over kerberos + ssh? What can this provide that RHEL7 + a kerberized LDAP like IPA + sssd already provides?
But with ever-growing complexity and volume of the infrastructure, the expertise required and time to manage these things are in short supply. Teleport is mainly the opinionated and simplified way to deliver SSH best practices.
Additionally, it has a few neat usability features (like a nice Web UI) and directly addresses the use case of managing the infrastructure that's not yours (MSP use case) where you can have multiple clusters owned by different organizations where you can set up cross-cluster trust via certificate authorities (CA)s [1], well... that's just what's on top of my head.
There's more here: http://gravitational.com/teleport/ or feel free to reach out and chat, we're a friendly bunch! :)
[1] That's our use case, Teleport was originally built to set up and manage Kubernetes clusters on infrastructure located behind firewalls, see our flagship here: http://gravitational.com/telekube/
We're talking about the ssh command here, right ? And associated key generation and config files ? Are there people who are "experts" at that ? Like, the same way there are people who are "experts" at can openers and chip clips ?
"Additionally, it has a few neat usability features (like a nice Web UI) and directly addresses the use case of managing the infrastructure that's not yours (MSP use case) where you can have multiple clusters owned by different organizations where you can set up cross-cluster trust via certificate authorities (CA)s [1], well... that's just what's on top of my head."
You just wrote slide #3 in a future blackhat presentation.
Vault also has SSH backends that you could find useful
Also make sure to deploy the ssh keys somewhere the users can't write for extra security. Don't allow them to control their own authorized_keys files! :-)
So does this seem like a typical use in an AWS VPC:
- SSH bastion server with public IP with security groups for each user
- Every other server only has private IPs, only allowing access between each other and then the bastion server
How do you generate and store keys? Are you using something like Hashicorp's Vault?
As far as configuring your VPC having the bastion (Proxy) as the only server with a public address is reasonable. One of the nice things about Teleport is that the Teleport Proxy itself doesn't have access to much, so exposing it to the Internet is fine. The Auth Server is the one that holds sensitive information and we recommend you create a security group for it and only allow it to be accessed from Teleport Proxies or Teleport Nodes.
With respect to keys, they are stored and accessed via the Auth Server in Teleport. We recommend you have strong access controls on the Auth Server. If you are using the default backend (BoltDB) or directory based backend that's all you need to do. If you are using etcd we recommend you have strong access controls on the server that runs etcd as well as etcd itself, we have an example in our Teleport repo for etcd configuration if you're interested[1]. If you are using DynamoDB, we recommend having a strong IAM policy. We are not using Vault at the moment.
yeah this is a bad idea in general. If you have critical stuff you need to SSH into from the public internet, keep it all in private IP space and have an openvpn gateway (or IPSEC VPN) with a public interface, and a private interface facing inwards towards the hosts.
you should not even be able to route to the IP of the thing you want to SSH to unless you've authenticated to the VPN and your client device has been handed out an IP in your RFC1918 IP space.
a machine like an openvpn gateway can also serve the purpose of getting you access into an OOB network (example: a public facing IP on a 100Mbps DIA circuit you've bought from a totally diverse ISP in the same colo, with a static /30), which has access into internal IP space devices such as serial console servers and ssh bastion hosts.
authenticate the clients by a unique public/private key pair per client device. Easy to revoke a specific device's key from the server side if needed.
This is not a bad idea in general. In fact, teleport proxy implements this exact model you have just described, where only proxy is available and acts as a jump host to the set of machines available only on the private net. The only difference is that instead of open VPN gateway it uses SSH jumphost model.
Teleport proxy uses OpenSSH cert auth, in addition to that teleport node also does cert auth.
Not everyone needs to always set up VPN, sometimes jumphosts + cert auth are perfectly fine.
Plus, this commercial thing doesn't do anything pam ldap and config mgmt can't do. Just reinventing the wheel yet again to charge people money for proprietary "solutions."
* first when connecting to the jumphost public ip and requesting to execute a subsystem to allow proxying to some internal IP/host
Jumphost does not terminate the SSH and in fact it is MITM capabilities are very limited.
* Second time authentication and authorization happens when ssh client connects to the target SSH node.
This pattern is in fact quite modern and is being expanded in the beyond corp architecture.
It deprecates perimeter security model that you mention via VPN gateways and replaces it with on-demand end to end access via controlling gateway.
With the VPN as your boundary, you can configure it so the VPN doesn't even respond to packets unless they are TLS authenticated. A huge security win, you're not exposed to random attempts to do remote code execution against your open sockets!
If exposing Teleport (or OpenSSH or any piece of software to be honest) to the internet is a significant concern, the solution I recommend is to put it behind spiped. Spiped has a very small and well written code base and well suited for this problem.
That's a ton of complexity when you could just run knockd on public facing sshds and make them disappear that way.
It's extremely tight, simple code - consisting of a single binary - and it never crashes or hangs.
No, I am not suggesting that you get rid of all of your keys and passwords and rely only on the knock for your security. (I have to write that because response-comment-numero-uno will strawman that to death). Keep your keys and passphrases in place and add the knock.
Port knocking is just the best thing.
The idea is, in addition to the normal security measures you use with sshd you also hide the service with port knocking.
Nobody anywhere, at any time, has ever suggested using port knocking as the sole means of securing your sshd.
State actors can afford millions to spend on build/buying sploits for [insert technology]. For example, use different standard for OS at edges where possible to reduce attack surface. Preferably scrub network traffic at edges (not just web traffic) and really lock down traffic to remote access boxes.
Plus, there's already plenty of ways to AAA OpenSSH using puppet/chef, PAM, RFC 4255, google authenticator (via pam plugin). It's really easy to set up if you've done it before.
a) laptop
b) home office desktop
c) android or ios device (phone/tablet)
then, of course, once connected to the vpn, to authenticate to ssh the person will probably be using their per person ssh public/private key pair from their workstation.
So we have the ability to revoke an individual client device's vpn keys separately. In event of total compromise we can revoke both vpn keys for device(s) and the person's ssh key.
I would have dropped the money in their pocket if they would have responded. But I wasn't asking for a license for a company but for myself... so they got stupid
the only possible exception may be a company with literally $0 revenue, i.e. looking for their first customer.
guess what: so does everyone else. also guess what: there isn't any money in that, because that time:revenue isn't built in to their business model, because they are a software company.
$5000 is a lot to an individual. when an individual spends $5000, they want to feel important. to a real company, $5000 isn't even a single paycheck for a single senior software engineer, let alone sales person.
If you are not transparent on pricing, I start to wonder what the next guy is paying, and also, what else you are not transparent about.
ssh -t user@machineB ssh user@machineA
Even cooler is the use of SSH tunneling to set up a ProxyCommand.
I wrote more about this technique at https://michael.stapelberg.de/Artikel/ssh-conditional-tunnel...
In a nutshell:
Host home
Hostname home.zekjur.net
ProxyCommand ssh -4 dualstack -W %h:%p
ssh -W user@jumpHost user@destination
> Software vendors: they like Teleport for providing remote support of their products. Teleport can be used as a “remote control” to assist their customers with any issues of their software installed and running on-premise.
How does the customer control access to the app deployed on their premise?
Thanks!
We've made improvements in resource utilization for Teleport 2.0 and hunting down any further resource utilization issues is definitely one of my focus areas for Teleport 2.x.
If you run into issues like this again please reach out and send us your teleport.yaml, we want to run these issues down and resolve them.