开源堡垒机 Teleport 入门教程
由于业务需求,以前账号管理混乱,所以很多人有生产服务器的 root 权限;所以目前需要一个能 SSH 登录线上服务器的工具,同时具有简单的审计功能。
为了解决以上问题我找到了 Teleport 这个功能强大的开源工具,Teleport 是一款简单易用的使用 Go 语言编写的开源堡垒机系统,具有小巧、易用的特点,支持 RDP/SSH/SFTP/Telnet 协议的远程连接和审计管理。
Teleport 不仅可以同时管理大量服务器还可以作为一个终端录制工具,它提供了一个直观的 Web 界面来显示终端,也就是说你可以在浏览器操作服务器,在浏览器录制、分享。
Teleport 官网: https://www.tp4a.com/
一、环境准备
目前准备了 3 台虚拟机,两台位于内网 NAT 之后,一台位于公网可以直接链接;使用时客户端通过工具连接到公网跳板机上,然后实现自动跳转到内网任意主机;并且具有相应的操作回放审计,通过宿主机账户限制用户权限
ip | 节点 |
---|---|
92.223.67.84 | 公网 Master |
172.16.0.80 | 内网 Master |
172.16.0.81 | 内网 Node |
二、Teleport 工作模式
Teleport 工作时从宏观上看是以集群为单位,也就是说公网算作一个集群,内网算作另一个集群,内网集群通过 ssh 隧道保持跟公网的链接状态,同时内网机群允许公网集群用户连接,大体工作模式如下
三、搭建公网 Master
3.1、配置 Systemd
首先下载相关可执行文件并复制到 Path 目录下,然后创建一下配置目录等
wget https://github.com/gravitational/teleport/releases/download/v2.3.5/teleport-v2.3.5-linux-amd64-bin.tar.gztar -zxvf teleport-v2.3.5-linux-amd64-bin.tar.gzmv teleport/tctl teleport/teleport teleport/tsh /usr/local/binmkdir -p /etc/teleport /data/teleport
然后为了让服务后台运行创建一个 systemd service 配置文件
cat > /etc/systemd/system/teleport.service <<EOF[Unit]Description=Teleport SSH ServiceAfter=network.target[Service]Type=simpleRestart=alwaysExecStart=/usr/local/bin/teleport start -c /etc/teleport/teleport.yaml[Install]WantedBy=multi-user.targetEOF
3.2、配置 Teleport
Systemd 配置完成后,就需要写一个 Teleport 的配置文件来让 Teleport 启动,具体选项含义可以参考 官方文档;以下为我的配置样例
# By default, this file should be stored in /etc/teleport.yaml# This section of the configuration file applies to all teleport# services.teleport: # nodename allows to assign an alternative name this node can be reached by. # by default it's equal to hostname nodename: mritd.master # Data directory where Teleport keeps its data, like keys/users for # authentication (if using the default BoltDB back-end) data_dir: /data/teleport # one-time invitation token used to join a cluster. it is not used on # subsequent starts auth_token: jYektagNTmhjv9Dh # when running in multi-homed or NATed environments Teleport nodes need # to know which IP it will be reachable at by other nodes advertise_ip: 92.223.67.84 # list of auth servers in a cluster. you will have more than one auth server # if you configure teleport auth to run in HA configuration auth_servers: - 0.0.0.0:3025 - 0.0.0.0:3025 # Teleport throttles all connections to avoid abuse. These settings allow # you to adjust the default limits connection_limits: max_connections: 1000 max_users: 250 # Logging configuration. Possible output values are 'stdout', 'stderr' and # 'syslog'. Possible severity values are INFO, WARN and ERROR (default). log: output: stdout severity: INFO # Type of storage used for keys. You need to configure this to use etcd # backend if you want to run Teleport in HA configuration. storage: type: bolt # Cipher algorithms that the server supports. This section only needs to be # set if you want to override the defaults. ciphers: - aes128-ctr - aes192-ctr - aes256-ctr - aes128-gcm@openssh.com - arcfour256 - arcfour128 # Key exchange algorithms that the server supports. This section only needs # to be set if you want to override the defaults. kex_algos: - curve25519-sha256@libssh.org - ecdh-sha2-nistp256 - ecdh-sha2-nistp384 - ecdh-sha2-nistp521 - diffie-hellman-group14-sha1 - diffie-hellman-group1-sha1 # Message authentication code (MAC) algorithms that the server supports. # This section only needs to be set if you want to override the defaults. mac_algos: - hmac-sha2-256-etm@openssh.com - hmac-sha2-256 - hmac-sha1 - hmac-sha1-96# This section configures the 'auth service':auth_service: # Turns 'auth' role on. Default is 'yes' enabled: yes authentication: # default authentication type. possible values are 'local', 'oidc' and 'saml' # only local authentication (Teleport's own user DB) is supported in the open # source version type: local # second_factor can be off, otp, or u2f second_factor: otp # this section is used if second_factor is set to 'u2f' #u2f: # # app_id must point to the URL of the Teleport Web UI (proxy) accessible # # by the end users # app_id: https://localhost:3080 # # facets must list all proxy servers if there are more than one deployed # facets: # - https://localhost:3080 # IP and the port to bind to. Other Teleport nodes will be connecting to # this port (AKA "Auth API" or "Cluster API") to validate client # certificates listen_addr: 0.0.0.0:3025 # Pre-defined tokens for adding new nodes to a cluster. Each token specifies # the role a new node will be allowed to assume. The more secure way to # add nodes is to use `ttl node add --ttl` command to generate auto-expiring # tokens. # # We recommend to use tools like `pwgen` to generate sufficiently random # tokens of 32+ byte length. tokens: - "proxy,node:jYektagNTmhjv9Dh" - "auth:jYektagNTmhjv9Dh" # Optional "cluster name" is needed when configuring trust between multiple # auth servers. A cluster name is used as part of a signature in certificates # generated by this CA. # # By default an automatically generated GUID is used. # # IMPORTANT: if you change cluster_name, it will invalidate all generated # certificates and keys (may need to wipe out /var/lib/teleport directory) cluster_name: "mritd"# This section configures the 'node service':ssh_service: # Turns 'ssh' role on. Default is 'yes' enabled: yes # IP and the port for SSH service to bind to. listen_addr: 0.0.0.0:3022 # See explanation of labels in "Labeling Nodes" section below labels: role: master # List of the commands to periodically execute. Their output will be used as node labels. # See "Labeling Nodes" section below for more information. commands: - name: arch # this command will add a label like 'arch=x86_64' to a node command: [uname, -p] period: 1h0m0s # enables reading ~/.tsh/environment before creating a session. by default # set to false, can be set true here or as a command line flag. permit_user_env: false# This section configures the 'proxy servie'proxy_service: # Turns 'proxy' role on. Default is 'yes' enabled: yes # SSH forwarding/proxy address. Command line (CLI) clients always begin their # SSH sessions by connecting to this port listen_addr: 0.0.0.0:3023 # Reverse tunnel listening address. An auth server (CA) can establish an # outbound (from behind the firewall) connection to this address. # This will allow users of the outside CA to connect to behind-the-firewall # nodes. tunnel_listen_addr: 0.0.0.0:3024 # The HTTPS listen address to serve the Web UI and also to authenticate the # command line (CLI) users via password+HOTP web_listen_addr: 0.0.0.0:3080 # TLS certificate for the HTTPS connection. Configuring these properly is # critical for Teleport security. #https_key_file: /var/lib/teleport/webproxy_key.pem #https_cert_file: /var/lib/teleport/webproxy_cert.pem
然后启动 Teleport 即可
systemctl enable teleportsystemctl start teleport
如果启动出现如下错误
error: Could not load host key: /etc/ssh/ssh_host_ecdsa_keyerror: Could not load host key: /etc/ssh/ssh_host_ed25519_key
请执行 ssh-keygen 命令自行生成相关秘钥
ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_keyssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key
3.3、添加用户
公网这台 Teleport 将会作为主要的接入机器,所以在此节点内添加的用户将有权限登录所有集群,包括内网的另一个集群;所以为了方便以后操作先添加一个用户
# 添加一个用户名为 mritd 的用户,该用户在所有集群具有 root 用户权限tctl --config /etc/teleport/teleport.yaml users add mritd root
添加成功后会返回一个 OTP 认证初始化地址,浏览器访问后可以使用 Google 扫描 OTP 二维码从而在登录时增加一层 OTP 认证
访问该地址后初始化密码及 OTP
四、搭建内网 Master
内网搭建 Master 和公网类似,只不过为了安全将所有 0.0.0.0
的地址全部换成内网 IP 即可,以下为内网的配置信息
# By default, this file should be stored in /etc/teleport.yaml# This section of the configuration file applies to all teleport# services.teleport: # nodename allows to assign an alternative name this node can be reached by. # by default it's equal to hostname nodename: mritd.test1 # Data directory where Teleport keeps its data, like keys/users for # authentication (if using the default BoltDB back-end) data_dir: /data/teleport # one-time invitation token used to join a cluster. it is not used on # subsequent starts auth_token: jYektagNTmhjv9Dh # when running in multi-homed or NATed environments Teleport nodes need # to know which IP it will be reachable at by other nodes advertise_ip: 172.16.0.80 # list of auth servers in a cluster. you will have more than one auth server # if you configure teleport auth to run in HA configuration auth_servers: - 172.16.0.80:3025 # Teleport throttles all connections to avoid abuse. These settings allow # you to adjust the default limits connection_limits: max_connections: 1000 max_users: 250 # Logging configuration. Possible output values are 'stdout', 'stderr' and # 'syslog'. Possible severity values are INFO, WARN and ERROR (default). log: output: stdout severity: INFO # Type of storage used for keys. You need to configure this to use etcd # backend if you want to run Teleport in HA configuration. storage: type: bolt # Cipher algorithms that the server supports. This section only needs to be # set if you want to override the defaults. ciphers: - aes128-ctr - aes192-ctr - aes256-ctr - aes128-gcm@openssh.com - arcfour256 - arcfour128 # Key exchange algorithms that the server supports. This section only needs # to be set if you want to override the defaults. kex_algos: - curve25519-sha256@libssh.org - ecdh-sha2-nistp256 - ecdh-sha2-nistp384 - ecdh-sha2-nistp521 - diffie-hellman-group14-sha1 - diffie-hellman-group1-sha1 # Message authentication code (MAC) algorithms that the server supports. # This section only needs to be set if you want to override the defaults. mac_algos: - hmac-sha2-256-etm@openssh.com - hmac-sha2-256 - hmac-sha1 - hmac-sha1-96# This section configures the 'auth service':auth_service: # Turns 'auth' role on. Default is 'yes' enabled: yes authentication: # default authentication type. possible values are 'local', 'oidc' and 'saml' # only local authentication (Teleport's own user DB) is supported in the open # source version type: local # second_factor can be off, otp, or u2f second_factor: otp # this section is used if second_factor is set to 'u2f' #u2f: # # app_id must point to the URL of the Teleport Web UI (proxy) accessible # # by the end users # app_id: https://localhost:3080 # # facets must list all proxy servers if there are more than one deployed # facets: # - https://localhost:3080 # IP and the port to bind to. Other Teleport nodes will be connecting to # this port (AKA "Auth API" or "Cluster API") to validate client # certificates listen_addr: 172.16.0.80:3025 # Pre-defined tokens for adding new nodes to a cluster. Each token specifies # the role a new node will be allowed to assume. The more secure way to # add nodes is to use `ttl node add --ttl` command to generate auto-expiring # tokens. # # We recommend to use tools like `pwgen` to generate sufficiently random # tokens of 32+ byte length. tokens: - "proxy,node:jYektagNTmhjv9Dh" - "auth:jYektagNTmhjv9Dh" # Optional "cluster name" is needed when configuring trust between multiple # auth servers. A cluster name is used as part of a signature in certificates # generated by this CA. # # By default an automatically generated GUID is used. # # IMPORTANT: if you change cluster_name, it will invalidate all generated # certificates and keys (may need to wipe out /var/lib/teleport directory) cluster_name: "nat"# This section configures the 'node service':ssh_service: # Turns 'ssh' role on. Default is 'yes' enabled: yes # IP and the port for SSH service to bind to. listen_addr: 172.16.0.80:3022 # See explanation of labels in "Labeling Nodes" section below labels: role: master # List of the commands to periodically execute. Their output will be used as node labels. # See "Labeling Nodes" section below for more information. commands: - name: arch # this command will add a label like 'arch=x86_64' to a node command: [uname, -p] period: 1h0m0s # enables reading ~/.tsh/environment before creating a session. by default # set to false, can be set true here or as a command line flag. permit_user_env: false# This section configures the 'proxy servie'proxy_service: # Turns 'proxy' role on. Default is 'yes' enabled: yes # SSH forwarding/proxy address. Command line (CLI) clients always begin their # SSH sessions by connecting to this port listen_addr: 172.16.0.80:3023 # Reverse tunnel listening address. An auth server (CA) can establish an # outbound (from behind the firewall) connection to this address. # This will allow users of the outside CA to connect to behind-the-firewall # nodes. tunnel_listen_addr: 172.16.0.80:3024 # The HTTPS listen address to serve the Web UI and also to authenticate the # command line (CLI) users via password+HOTP web_listen_addr: 172.16.0.80:3080 # TLS certificate for the HTTPS connection. Configuring these properly is # critical for Teleport security. #https_key_file: /var/lib/teleport/webproxy_key.pem #https_cert_file: /var/lib/teleport/webproxy_cert.pem
配置完成后直接启动即可
systemctl enable teleportsystemctl start teleport
五、将内网集群链接至公网
上文已经讲过,Teleport 通过公网链接内网主机的方式是让内网集群向公网打通一条 ssh 隧道,然后再进行通讯;具体配置如下
5.1、公网 Master 开启授信集群
在公网 Master 增加 Token 配置,以允许持有该 Token 的其他内网集群连接到此,修改 /etc/teleport/teleport.yaml
增加一个 token 即可
tokens: - "proxy,node:jYektagNTmhjv9Dh" - "auth:jYektagNTmhjv9Dh" - "trusted_cluster:xiomwWcrKinFw4Vs"
然后重启 Teleport
systemctl restart teleport
5.2、内网 Master 链接公网 Master
当公网集群开启了允许其他集群链接后,内网集群只需要创建配置进行连接即可,创建配置(cluster.yaml)如下
# cluster.yamlkind: trusted_clusterversion: v2metadata: # the trusted cluster name MUST match the 'cluster_name' setting of the # cluster name: local_clusterspec: # this field allows to create tunnels that are disabled, but can be enabled later. enabled: true # the token expected by the "main" cluster: token: xiomwWcrKinFw4Vs # the address in 'host:port' form of the reverse tunnel listening port on the # "master" proxy server: tunnel_addr: 92.223.67.84:3024 # the address in 'host:port' form of the web listening port on the # "master" proxy server: web_proxy_addr: 92.223.67.84:3080
执行以下命令使内网集群通过 ssh 隧道连接到公网集群
tctl --config /etc/teleport/teleport.yaml create /etc/teleport/cluster.yaml
注意,如果在启动公网和内网集群时没有指定受信的证书( https_cert_file
、https_key_file
),那么默认 Teleport 将会生成一个自签名证书,此时在 create 受信集群时将会产生如下错误:
the trusted cluster uses misconfigured HTTP/TLS certificate
此时需要在 待添加集群(内网) 启动时增加 --insecure
参数,即 Systemd 配置修改如下
[Unit]Description=Teleport SSH ServiceAfter=network.target[Service]Type=simpleRestart=alwaysExecStart=/usr/local/bin/teleport start --insecure -c /etc/teleport/teleport.yaml[Install]WantedBy=multi-user.target
然后再进行 create 就不会报错。
六、添加其他节点
两台节点打通后,此时如果有其他机器则可以将其加入到对应集群中,以下以另一台内网机器为例
由于在主节点 auth_service
中已经预先指定了一个 static Token 用于其他节点加入( proxy,node:jYektagNTmhjv9Dh
),所以其他节点只需要使用这个 Token 加入即可,在另一台内网主机上修改 Systemd 配置如下,然后启动即可
[Unit]Description=Teleport SSH ServiceAfter=network.target[Service]Type=simpleRestart=alwaysExecStart=/usr/local/bin/teleport start --roles=node,proxy \ --token=jYektagNTmhjv9Dh \ --auth-server=172.16.0.80[Install]WantedBy=multi-user.target
此时在内网的 Master 上可以查看到 Node 已经加入
test1.node ➜ tctl --config /etc/teleport/teleport.yaml nodes lsHostname UUID Address Labels----------- ------------------------------------ ---------------- -----------------------test2.node abc786fe-9a60-4480-80f7-8edc20710e58 172.16.0.81:3022mritd.test1 be9080fb-bdba-4823-9fb6-294e0b0dcce3 172.16.0.80:3022 arch=x86_64,role=master
七、连接测试
7.1、Web 测试
Teleport 支持 Web 页面访问,直接访问 https://公网IP:3080
,然后登陆即可,登陆后如下
通过 Cluster 选项可以切换不同集群,点击后面的用户名可以选择不同用户登录到不同主机(用户授权在添加用户时控制),登陆成功后如下
通过 Teleport 进行的所有操作可以通过审计菜单进行操作回放
7.2、命令行测试
类 Uninx 系统下我们还是习惯使用终端登录,终端登录需要借助 Teleport 的命令行工具 tsh
,tsh
在下载的 release 压缩版中已经有了,具体使用文档请自行 help 和参考官方文档,以下为简单的使用示例
登录跳板机: 短时间内只需要登录一次即可,登录时需要输入密码及 OTP 口令
export TELEPORT_PROXY=92.223.67.84export TELEPORT_USER=mritdtsh login --insecure
登录主机: 完成上一步 login 后就可以免密码登录任意主机
# cluster 名字是上面设置的,在 web 界面也能看到tsh ssh --cluster nat root@test2.node
复制文件: 复制文件时不显示进度,并非卡死
tsh scp --cluster nat teleport-v2.3.5-linux-amd64-bin.tar.gz root@test2.node:/-> teleport-v2.3.5-linux-amd64-bin.tar.gz (16797035)
注:本文中使用的 Teleport 版本相对比较旧了,目前最新版本为 3.10。转载这篇文章主要是为了推荐这个优秀的工具,如果你需要使用新版本 Teleport,也可以直接参考官方文档进行部署:https://docs.tp4a.com/
来源:漠然的博客
原文:http://t.cn/AiNmMKsJ
题图:来自谷歌图片搜索
版权:本文版权归原作者所有
投稿:欢迎投稿,投稿邮箱: editor@hi-linux.com
推荐阅读
浅谈 TCP 的三次握手和四次挥手
从零开始搭建创业公司后台技术栈
漫谈云计算、虚拟化、容器化
史上最全的 Linux 运维工程师面试问答录
推荐一个在线测试服务器延迟和丢包的工具 Ping.pe
开源堡垒机 Teleport 入门教程相关推荐
- 开源堡垒机 Jumpserver 入门教程
背景 笔者最近想起此前公司使用过的堡垒机系统,觉得用的很方便,而现在的公司并没有搭建此类系统,想着以后说不定可以用上:而且最近也有点时间,因此来了搭建堡垒机系统的兴趣,在搭建过程中参考了比较多的文档, ...
- jumpserver 使用教程_开源堡垒机 Jumpserver 入门教程
原标题:开源堡垒机 Jumpserver 入门教程 背景 笔者最近想起此前公司使用过的堡垒机系统,觉得用的很方便,而现在的公司并没有搭建此类系统,想着以后说不定可以用上:而且最近也有点时间,因此来了搭 ...
- Linux部署开源堡垒机JumpServer详细教程
堡垒机,也叫做运维安全审计系统,它的核心功能是 4A: 身份验证 Authentication 账号管理 Account 授权控制 Authorization 安全审计 Audit 简单总结一句话:堡 ...
- 开源堡垒机 Teleport
Teleport官网 Teleport是一款简单易用的开源堡垒机系统,具有小巧.易用的特点,支持 RDP/SSH/SFTP/Telnet 协议的远程连接和审计管理. Teleport由两大部分构成: ...
- 【推荐】开源堡垒机Teleport
推荐一款开源的堡垒机软件Teleport,极易部署,二次开发,安全增强,单点登录,按需授权,运维审计,大家有兴趣可以去官方网站下载体验http://teleport.eomsoft.net 个人认为比 ...
- 开源堡垒机Teleport
仅需一分钟,就可以安装部署一套您自己的堡垒机系统!! 1.安装teleport # cd /software # wget https://tp4a.com/static/download/telep ...
- 服务器管理神器 开源堡垒机 jumpserver 实战教程
一.简介 前面我们聊到了openvpn的部署和使用,它能够实现从互联网通过openvpn连接到公司内网服务器,从而进行远程管理. 但openvpn有一个缺点不能记录用户内部网服务器上操作了什么,拥有客 ...
- java 堡垒机_开源堡垒机系统Teleport部署教程
认识Teleport 在开源堡垒机领域, 很多人都知道jumpserver, 但是jumpserver安装相对较复杂, 新手容易出现各种坑. 在这里介绍一款简单易用的开源堡垒机系统: Teleport ...
- 开源轻量堡垒机——Teleport的安装配置和使用
一.堡垒机简介 1.1.现状 目前随着信息化的发展,越来越多的企业开始有更多的服务器.业务资源,有更多样化的员工,拥有更多的账号:导致访问混乱化,越权访问难以规范:甚至恶意命令攻击事件(如删库.删除业 ...
最新文章
- Java正則表達式入门
- visual studio输入法打不了中文_我为什么不用Mac自带输入法
- DRAGAN + SRCNN 的简单理解
- linux系统日常管理复习题讲解
- python re模块compile_Python re模块的match方法
- java 面试700问_JAVA面试700问(一)
- windows安装logstash6.2.3
- 5G 时代的车联网混战!
- WebRTC之RFC协议下载(八)
- 数字电路设计之数字电路工程师面试集锦
- 【前端】【HTML+CSS+JavaScript(JS)】简易工资计算器的实现
- 《学会提问》——批判性思维的思考
- 英文版-Plan9汇编器-A Manual for the Plan 9 assembler
- Could not load file or assembly 'XXXXXXXX' or one of its dependencies. 试图加载格式不正确的程
- 求助:如何实现EA自动判断趋势,寻找高低点,并获取高低点K线价格数据,然后根据价格画出支撑阻力区域.
- 知人者智,自知者明。 胜人者有力,自胜者强。 知足者富。 强行者有志。 不失其所者久。 死而不亡者寿。
- 理财投资理念黄金法则
- STM32探索之路——使用JLink仿真器烧写固件的原理
- java中flush函数作用_Java语言中flush()函数作用及使用方法详解
- 利用棋盘格图案完成相机标定
热门文章
- 智能质检-提高了坐席效率与客户满意度
- Mac电脑QQ输入两个短横(--)自动变成一个短横(——)----------小白的天堂
- c语言免杀程序源码,Window下基于C/C++源码免杀理论及思路(新手篇)
- 贺州学院田径运动会成绩管理系统
- UltraEdit下载
- 苹果库克:选购安卓手机是个错误
- php护卫神网站日志,联机日志主控中心-使用简介_护卫神
- Python学习笔记-PyQt6对话框
- 手把手叫你 制作一个不需要任何工具 从网页上安装ipa包的办法
- C语言提供了几个标准库函数 itoa() atoi()