由于业务需求,以前账号管理混乱,所以很多人有生产服务器的 root 权限;所以目前需要一个能 SSH 登录线上服务器的工具,同时具有简单的审计功能。

为了解决以上问题我找到了 Teleport 这个功能强大的开源工具,Teleport 是一款简单易用的使用 Go 语言编写的开源堡垒机系统,具有小巧、易用的特点,支持 RDP/SSH/SFTP/Telnet 协议的远程连接和审计管理。

Teleport 不仅可以同时管理大量服务器还可以作为一个终端录制工具,它提供了一个直观的 Web 界面来显示终端,也就是说你可以在浏览器操作服务器,在浏览器录制、分享。

Teleport 官网: https://www.tp4a.com/

一、环境准备

目前准备了 3 台虚拟机,两台位于内网 NAT 之后,一台位于公网可以直接链接;使用时客户端通过工具连接到公网跳板机上,然后实现自动跳转到内网任意主机;并且具有相应的操作回放审计,通过宿主机账户限制用户权限

ip 节点
92.223.67.84 公网 Master
172.16.0.80 内网 Master
172.16.0.81 内网 Node

二、Teleport 工作模式

Teleport 工作时从宏观上看是以集群为单位,也就是说公网算作一个集群,内网算作另一个集群,内网集群通过 ssh 隧道保持跟公网的链接状态,同时内网机群允许公网集群用户连接,大体工作模式如下

三、搭建公网 Master

3.1、配置 Systemd

首先下载相关可执行文件并复制到 Path 目录下,然后创建一下配置目录等

wget https://github.com/gravitational/teleport/releases/download/v2.3.5/teleport-v2.3.5-linux-amd64-bin.tar.gztar -zxvf teleport-v2.3.5-linux-amd64-bin.tar.gzmv teleport/tctl teleport/teleport teleport/tsh /usr/local/binmkdir -p /etc/teleport /data/teleport

然后为了让服务后台运行创建一个 systemd service 配置文件

cat > /etc/systemd/system/teleport.service <<EOF[Unit]Description=Teleport SSH ServiceAfter=network.target[Service]Type=simpleRestart=alwaysExecStart=/usr/local/bin/teleport start -c /etc/teleport/teleport.yaml[Install]WantedBy=multi-user.targetEOF

3.2、配置 Teleport

Systemd 配置完成后,就需要写一个 Teleport 的配置文件来让 Teleport 启动,具体选项含义可以参考 官方文档;以下为我的配置样例

# By default, this file should be stored in /etc/teleport.yaml# This section of the configuration file applies to all teleport# services.teleport:    # nodename allows to assign an alternative name this node can be reached by.    # by default it's equal to hostname    nodename: mritd.master    # Data directory where Teleport keeps its data, like keys/users for    # authentication (if using the default BoltDB back-end)    data_dir: /data/teleport    # one-time invitation token used to join a cluster. it is not used on    # subsequent starts    auth_token: jYektagNTmhjv9Dh    # when running in multi-homed or NATed environments Teleport nodes need    # to know which IP it will be reachable at by other nodes    advertise_ip: 92.223.67.84    # list of auth servers in a cluster. you will have more than one auth server    # if you configure teleport auth to run in HA configuration    auth_servers:        - 0.0.0.0:3025        - 0.0.0.0:3025    # Teleport throttles all connections to avoid abuse. These settings allow    # you to adjust the default limits    connection_limits:        max_connections: 1000        max_users: 250    # Logging configuration. Possible output values are 'stdout', 'stderr' and    # 'syslog'. Possible severity values are INFO, WARN and ERROR (default).    log:        output: stdout        severity: INFO    # Type of storage used for keys. You need to configure this to use etcd    # backend if you want to run Teleport in HA configuration.    storage:        type: bolt    # Cipher algorithms that the server supports. This section only needs to be    # set if you want to override the defaults.    ciphers:      - aes128-ctr      - aes192-ctr      - aes256-ctr      - aes128-gcm@openssh.com      - arcfour256      - arcfour128    # Key exchange algorithms that the server supports. This section only needs    # to be set if you want to override the defaults.    kex_algos:      - curve25519-sha256@libssh.org      - ecdh-sha2-nistp256      - ecdh-sha2-nistp384      - ecdh-sha2-nistp521      - diffie-hellman-group14-sha1      - diffie-hellman-group1-sha1    # Message authentication code (MAC) algorithms that the server supports.    # This section only needs to be set if you want to override the defaults.    mac_algos:      - hmac-sha2-256-etm@openssh.com      - hmac-sha2-256      - hmac-sha1      - hmac-sha1-96# This section configures the 'auth service':auth_service:    # Turns 'auth' role on. Default is 'yes'    enabled: yes    authentication:        # default authentication type. possible values are 'local', 'oidc' and 'saml'        # only local authentication (Teleport's own user DB) is supported in the open        # source version        type: local        # second_factor can be off, otp, or u2f        second_factor: otp        # this section is used if second_factor is set to 'u2f'        #u2f:        #    # app_id must point to the URL of the Teleport Web UI (proxy) accessible        #    # by the end users        #    app_id: https://localhost:3080        #    # facets must list all proxy servers if there are more than one deployed        #    facets:        #    - https://localhost:3080    # IP and the port to bind to. Other Teleport nodes will be connecting to    # this port (AKA "Auth API" or "Cluster API") to validate client    # certificates    listen_addr: 0.0.0.0:3025    # Pre-defined tokens for adding new nodes to a cluster. Each token specifies    # the role a new node will be allowed to assume. The more secure way to    # add nodes is to use `ttl node add --ttl` command to generate auto-expiring    # tokens.    #    # We recommend to use tools like `pwgen` to generate sufficiently random    # tokens of 32+ byte length.    tokens:        - "proxy,node:jYektagNTmhjv9Dh"        - "auth:jYektagNTmhjv9Dh"    # Optional "cluster name" is needed when configuring trust between multiple    # auth servers. A cluster name is used as part of a signature in certificates    # generated by this CA.    #    # By default an automatically generated GUID is used.    #    # IMPORTANT: if you change cluster_name, it will invalidate all generated    # certificates and keys (may need to wipe out /var/lib/teleport directory)    cluster_name: "mritd"# This section configures the 'node service':ssh_service:    # Turns 'ssh' role on. Default is 'yes'    enabled: yes    # IP and the port for SSH service to bind to.    listen_addr: 0.0.0.0:3022    # See explanation of labels in "Labeling Nodes" section below    labels:        role: master    # List of the commands to periodically execute. Their output will be used as node labels.    # See "Labeling Nodes" section below for more information.    commands:    - name: arch             # this command will add a label like 'arch=x86_64' to a node      command: [uname, -p]      period: 1h0m0s    # enables reading ~/.tsh/environment before creating a session. by default    # set to false, can be set true here or as a command line flag.    permit_user_env: false# This section configures the 'proxy servie'proxy_service:    # Turns 'proxy' role on. Default is 'yes'    enabled: yes    # SSH forwarding/proxy address. Command line (CLI) clients always begin their    # SSH sessions by connecting to this port    listen_addr: 0.0.0.0:3023    # Reverse tunnel listening address. An auth server (CA) can establish an    # outbound (from behind the firewall) connection to this address.    # This will allow users of the outside CA to connect to behind-the-firewall    # nodes.    tunnel_listen_addr: 0.0.0.0:3024    # The HTTPS listen address to serve the Web UI and also to authenticate the    # command line (CLI) users via password+HOTP    web_listen_addr: 0.0.0.0:3080    # TLS certificate for the HTTPS connection. Configuring these properly is    # critical for Teleport security.    #https_key_file: /var/lib/teleport/webproxy_key.pem    #https_cert_file: /var/lib/teleport/webproxy_cert.pem

然后启动 Teleport 即可

systemctl enable teleportsystemctl start teleport

如果启动出现如下错误

error: Could not load host key: /etc/ssh/ssh_host_ecdsa_keyerror: Could not load host key: /etc/ssh/ssh_host_ed25519_key

请执行 ssh-keygen 命令自行生成相关秘钥

ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_keyssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key

3.3、添加用户

公网这台 Teleport 将会作为主要的接入机器,所以在此节点内添加的用户将有权限登录所有集群,包括内网的另一个集群;所以为了方便以后操作先添加一个用户

# 添加一个用户名为 mritd 的用户,该用户在所有集群具有 root 用户权限tctl --config /etc/teleport/teleport.yaml users add mritd root

添加成功后会返回一个 OTP 认证初始化地址,浏览器访问后可以使用 Google 扫描 OTP 二维码从而在登录时增加一层 OTP 认证

访问该地址后初始化密码及 OTP

四、搭建内网 Master

内网搭建 Master 和公网类似,只不过为了安全将所有 0.0.0.0 的地址全部换成内网 IP 即可,以下为内网的配置信息

# By default, this file should be stored in /etc/teleport.yaml# This section of the configuration file applies to all teleport# services.teleport:    # nodename allows to assign an alternative name this node can be reached by.    # by default it's equal to hostname    nodename: mritd.test1    # Data directory where Teleport keeps its data, like keys/users for    # authentication (if using the default BoltDB back-end)    data_dir: /data/teleport    # one-time invitation token used to join a cluster. it is not used on    # subsequent starts    auth_token: jYektagNTmhjv9Dh    # when running in multi-homed or NATed environments Teleport nodes need    # to know which IP it will be reachable at by other nodes    advertise_ip: 172.16.0.80    # list of auth servers in a cluster. you will have more than one auth server    # if you configure teleport auth to run in HA configuration    auth_servers:        - 172.16.0.80:3025    # Teleport throttles all connections to avoid abuse. These settings allow    # you to adjust the default limits    connection_limits:        max_connections: 1000        max_users: 250    # Logging configuration. Possible output values are 'stdout', 'stderr' and    # 'syslog'. Possible severity values are INFO, WARN and ERROR (default).    log:        output: stdout        severity: INFO    # Type of storage used for keys. You need to configure this to use etcd    # backend if you want to run Teleport in HA configuration.    storage:        type: bolt    # Cipher algorithms that the server supports. This section only needs to be    # set if you want to override the defaults.     ciphers:      - aes128-ctr      - aes192-ctr      - aes256-ctr      - aes128-gcm@openssh.com      - arcfour256      - arcfour128    # Key exchange algorithms that the server supports. This section only needs    # to be set if you want to override the defaults.    kex_algos:      - curve25519-sha256@libssh.org      - ecdh-sha2-nistp256      - ecdh-sha2-nistp384      - ecdh-sha2-nistp521      - diffie-hellman-group14-sha1      - diffie-hellman-group1-sha1    # Message authentication code (MAC) algorithms that the server supports.    # This section only needs to be set if you want to override the defaults.    mac_algos:      - hmac-sha2-256-etm@openssh.com      - hmac-sha2-256      - hmac-sha1      - hmac-sha1-96# This section configures the 'auth service':auth_service:    # Turns 'auth' role on. Default is 'yes'    enabled: yes    authentication:        # default authentication type. possible values are 'local', 'oidc' and 'saml'        # only local authentication (Teleport's own user DB) is supported in the open        # source version        type: local        # second_factor can be off, otp, or u2f        second_factor: otp        # this section is used if second_factor is set to 'u2f'        #u2f:        #    # app_id must point to the URL of the Teleport Web UI (proxy) accessible        #    # by the end users        #    app_id: https://localhost:3080        #    # facets must list all proxy servers if there are more than one deployed        #    facets:        #    - https://localhost:3080    # IP and the port to bind to. Other Teleport nodes will be connecting to    # this port (AKA "Auth API" or "Cluster API") to validate client    # certificates    listen_addr: 172.16.0.80:3025    # Pre-defined tokens for adding new nodes to a cluster. Each token specifies    # the role a new node will be allowed to assume. The more secure way to    # add nodes is to use `ttl node add --ttl` command to generate auto-expiring    # tokens.    #    # We recommend to use tools like `pwgen` to generate sufficiently random    # tokens of 32+ byte length.    tokens:        - "proxy,node:jYektagNTmhjv9Dh"        - "auth:jYektagNTmhjv9Dh"    # Optional "cluster name" is needed when configuring trust between multiple    # auth servers. A cluster name is used as part of a signature in certificates    # generated by this CA.    #    # By default an automatically generated GUID is used.    #    # IMPORTANT: if you change cluster_name, it will invalidate all generated    # certificates and keys (may need to wipe out /var/lib/teleport directory)    cluster_name: "nat"# This section configures the 'node service':ssh_service:    # Turns 'ssh' role on. Default is 'yes'    enabled: yes    # IP and the port for SSH service to bind to.    listen_addr: 172.16.0.80:3022    # See explanation of labels in "Labeling Nodes" section below    labels:        role: master    # List of the commands to periodically execute. Their output will be used as node labels.    # See "Labeling Nodes" section below for more information.    commands:    - name: arch             # this command will add a label like 'arch=x86_64' to a node      command: [uname, -p]      period: 1h0m0s    # enables reading ~/.tsh/environment before creating a session. by default    # set to false, can be set true here or as a command line flag.    permit_user_env: false# This section configures the 'proxy servie'proxy_service:    # Turns 'proxy' role on. Default is 'yes'    enabled: yes    # SSH forwarding/proxy address. Command line (CLI) clients always begin their    # SSH sessions by connecting to this port    listen_addr: 172.16.0.80:3023    # Reverse tunnel listening address. An auth server (CA) can establish an    # outbound (from behind the firewall) connection to this address.    # This will allow users of the outside CA to connect to behind-the-firewall    # nodes.    tunnel_listen_addr: 172.16.0.80:3024    # The HTTPS listen address to serve the Web UI and also to authenticate the    # command line (CLI) users via password+HOTP    web_listen_addr: 172.16.0.80:3080    # TLS certificate for the HTTPS connection. Configuring these properly is    # critical for Teleport security.    #https_key_file: /var/lib/teleport/webproxy_key.pem    #https_cert_file: /var/lib/teleport/webproxy_cert.pem

配置完成后直接启动即可

systemctl enable teleportsystemctl start teleport

五、将内网集群链接至公网

上文已经讲过,Teleport 通过公网链接内网主机的方式是让内网集群向公网打通一条 ssh 隧道,然后再进行通讯;具体配置如下

5.1、公网 Master 开启授信集群

在公网 Master 增加 Token 配置,以允许持有该 Token 的其他内网集群连接到此,修改 /etc/teleport/teleport.yaml 增加一个 token 即可

tokens:    - "proxy,node:jYektagNTmhjv9Dh"    - "auth:jYektagNTmhjv9Dh"    - "trusted_cluster:xiomwWcrKinFw4Vs"

然后重启 Teleport

systemctl restart teleport

5.2、内网 Master 链接公网 Master

当公网集群开启了允许其他集群链接后,内网集群只需要创建配置进行连接即可,创建配置(cluster.yaml)如下

# cluster.yamlkind: trusted_clusterversion: v2metadata:  # the trusted cluster name MUST match the 'cluster_name' setting of the  # cluster  name: local_clusterspec:  # this field allows to create tunnels that are disabled, but can be enabled later.  enabled: true  # the token expected by the "main" cluster:  token: xiomwWcrKinFw4Vs  # the address in 'host:port' form of the reverse tunnel listening port on the  # "master" proxy server:  tunnel_addr: 92.223.67.84:3024  # the address in 'host:port' form of the web listening port on the  # "master" proxy server:  web_proxy_addr: 92.223.67.84:3080

执行以下命令使内网集群通过 ssh 隧道连接到公网集群

tctl --config /etc/teleport/teleport.yaml create /etc/teleport/cluster.yaml

注意,如果在启动公网和内网集群时没有指定受信的证书( https_cert_filehttps_key_file ),那么默认 Teleport 将会生成一个自签名证书,此时在 create 受信集群时将会产生如下错误:

the trusted cluster uses misconfigured HTTP/TLS certificate

此时需要在 待添加集群(内网) 启动时增加 --insecure 参数,即 Systemd 配置修改如下

[Unit]Description=Teleport SSH ServiceAfter=network.target[Service]Type=simpleRestart=alwaysExecStart=/usr/local/bin/teleport start --insecure -c /etc/teleport/teleport.yaml[Install]WantedBy=multi-user.target

然后再进行 create 就不会报错。

六、添加其他节点

两台节点打通后,此时如果有其他机器则可以将其加入到对应集群中,以下以另一台内网机器为例

由于在主节点 auth_service 中已经预先指定了一个 static Token 用于其他节点加入( proxy,node:jYektagNTmhjv9Dh ),所以其他节点只需要使用这个 Token 加入即可,在另一台内网主机上修改 Systemd 配置如下,然后启动即可

[Unit]Description=Teleport SSH ServiceAfter=network.target[Service]Type=simpleRestart=alwaysExecStart=/usr/local/bin/teleport start --roles=node,proxy \                                        --token=jYektagNTmhjv9Dh \                                        --auth-server=172.16.0.80[Install]WantedBy=multi-user.target

此时在内网的 Master 上可以查看到 Node 已经加入

test1.node ➜ tctl --config /etc/teleport/teleport.yaml nodes lsHostname    UUID                                 Address          Labels----------- ------------------------------------ ---------------- -----------------------test2.node  abc786fe-9a60-4480-80f7-8edc20710e58 172.16.0.81:3022mritd.test1 be9080fb-bdba-4823-9fb6-294e0b0dcce3 172.16.0.80:3022 arch=x86_64,role=master

七、连接测试

7.1、Web 测试

Teleport 支持 Web 页面访问,直接访问 https://公网IP:3080,然后登陆即可,登陆后如下

通过 Cluster 选项可以切换不同集群,点击后面的用户名可以选择不同用户登录到不同主机(用户授权在添加用户时控制),登陆成功后如下

通过 Teleport 进行的所有操作可以通过审计菜单进行操作回放

7.2、命令行测试

类 Uninx 系统下我们还是习惯使用终端登录,终端登录需要借助 Teleport 的命令行工具 tshtsh在下载的 release 压缩版中已经有了,具体使用文档请自行 help 和参考官方文档,以下为简单的使用示例

  • 登录跳板机: 短时间内只需要登录一次即可,登录时需要输入密码及 OTP 口令

export TELEPORT_PROXY=92.223.67.84export TELEPORT_USER=mritdtsh login --insecure

  • 登录主机: 完成上一步 login 后就可以免密码登录任意主机

# cluster 名字是上面设置的,在 web 界面也能看到tsh ssh --cluster nat root@test2.node

  • 复制文件: 复制文件时不显示进度,并非卡死

tsh scp --cluster nat teleport-v2.3.5-linux-amd64-bin.tar.gz root@test2.node:/-> teleport-v2.3.5-linux-amd64-bin.tar.gz (16797035)

注:本文中使用的 Teleport 版本相对比较旧了,目前最新版本为 3.10。转载这篇文章主要是为了推荐这个优秀的工具,如果你需要使用新版本 Teleport,也可以直接参考官方文档进行部署:https://docs.tp4a.com/

来源:漠然的博客
原文:http://t.cn/AiNmMKsJ
题图:来自谷歌图片搜索 
版权:本文版权归原作者所有
投稿:欢迎投稿,投稿邮箱: editor@hi-linux.com


推荐阅读

  • 浅谈 TCP 的三次握手和四次挥手

  • 从零开始搭建创业公司后台技术栈

  • 漫谈云计算、虚拟化、容器化

  • 史上最全的 Linux 运维工程师面试问答录

  • 推荐一个在线测试服务器延迟和丢包的工具 Ping.pe

开源堡垒机 Teleport 入门教程相关推荐

  1. 开源堡垒机 Jumpserver 入门教程

    背景 笔者最近想起此前公司使用过的堡垒机系统,觉得用的很方便,而现在的公司并没有搭建此类系统,想着以后说不定可以用上:而且最近也有点时间,因此来了搭建堡垒机系统的兴趣,在搭建过程中参考了比较多的文档, ...

  2. jumpserver 使用教程_开源堡垒机 Jumpserver 入门教程

    原标题:开源堡垒机 Jumpserver 入门教程 背景 笔者最近想起此前公司使用过的堡垒机系统,觉得用的很方便,而现在的公司并没有搭建此类系统,想着以后说不定可以用上:而且最近也有点时间,因此来了搭 ...

  3. Linux部署开源堡垒机JumpServer详细教程

    堡垒机,也叫做运维安全审计系统,它的核心功能是 4A: 身份验证 Authentication 账号管理 Account 授权控制 Authorization 安全审计 Audit 简单总结一句话:堡 ...

  4. 开源堡垒机 Teleport

    Teleport官网 Teleport是一款简单易用的开源堡垒机系统,具有小巧.易用的特点,支持 RDP/SSH/SFTP/Telnet 协议的远程连接和审计管理. Teleport由两大部分构成: ...

  5. 【推荐】开源堡垒机Teleport

    推荐一款开源的堡垒机软件Teleport,极易部署,二次开发,安全增强,单点登录,按需授权,运维审计,大家有兴趣可以去官方网站下载体验http://teleport.eomsoft.net 个人认为比 ...

  6. 开源堡垒机Teleport

    仅需一分钟,就可以安装部署一套您自己的堡垒机系统!! 1.安装teleport # cd /software # wget https://tp4a.com/static/download/telep ...

  7. 服务器管理神器 开源堡垒机 jumpserver 实战教程

    一.简介 前面我们聊到了openvpn的部署和使用,它能够实现从互联网通过openvpn连接到公司内网服务器,从而进行远程管理. 但openvpn有一个缺点不能记录用户内部网服务器上操作了什么,拥有客 ...

  8. java 堡垒机_开源堡垒机系统Teleport部署教程

    认识Teleport 在开源堡垒机领域, 很多人都知道jumpserver, 但是jumpserver安装相对较复杂, 新手容易出现各种坑. 在这里介绍一款简单易用的开源堡垒机系统: Teleport ...

  9. 开源轻量堡垒机——Teleport的安装配置和使用

    一.堡垒机简介 1.1.现状 目前随着信息化的发展,越来越多的企业开始有更多的服务器.业务资源,有更多样化的员工,拥有更多的账号:导致访问混乱化,越权访问难以规范:甚至恶意命令攻击事件(如删库.删除业 ...

最新文章

  1. Java正則表達式入门
  2. visual studio输入法打不了中文_我为什么不用Mac自带输入法
  3. DRAGAN + SRCNN 的简单理解
  4. linux系统日常管理复习题讲解
  5. python re模块compile_Python re模块的match方法
  6. java 面试700问_JAVA面试700问(一)
  7. windows安装logstash6.2.3
  8. 5G 时代的车联网混战!
  9. WebRTC之RFC协议下载(八)
  10. 数字电路设计之数字电路工程师面试集锦
  11. 【前端】【HTML+CSS+JavaScript(JS)】简易工资计算器的实现
  12. 《学会提问》——批判性思维的思考
  13. 英文版-Plan9汇编器-A Manual for the Plan 9 assembler
  14. Could not load file or assembly 'XXXXXXXX' or one of its dependencies. 试图加载格式不正确的程
  15. 求助:如何实现EA自动判断趋势,寻找高低点,并获取高低点K线价格数据,然后根据价格画出支撑阻力区域.
  16. 知人者智,自知者明。 胜人者有力,自胜者强。 知足者富。 强行者有志。 不失其所者久。 死而不亡者寿。
  17. 理财投资理念黄金法则
  18. STM32探索之路——使用JLink仿真器烧写固件的原理
  19. java中flush函数作用_Java语言中flush()函数作用及使用方法详解
  20. 利用棋盘格图案完成相机标定

热门文章

  1. 智能质检-提高了坐席效率与客户满意度
  2. Mac电脑QQ输入两个短横(--)自动变成一个短横(——)----------小白的天堂
  3. c语言免杀程序源码,Window下基于C/C++源码免杀理论及思路(新手篇)
  4. 贺州学院田径运动会成绩管理系统
  5. UltraEdit下载
  6. 苹果库克:选购安卓手机是个错误
  7. php护卫神网站日志,联机日志主控中心-使用简介_护卫神
  8. Python学习笔记-PyQt6对话框
  9. 手把手叫你 制作一个不需要任何工具 从网页上安装ipa包的办法
  10. C语言提供了几个标准库函数 itoa() atoi()