Getting Started with the Open-Source Bastion Host Teleport

運維之美 2019-07-02 14:32:59


Because of business needs and a history of messy account management, a lot of people ended up holding root on production servers. What is needed now is a tool for SSH logins to the production hosts that also provides basic auditing.

To solve this I found Teleport, a powerful open-source tool. Teleport is an easy-to-use open-source bastion host written in Go; it is small and simple, and supports remote connections and audit management over RDP/SSH/SFTP/Telnet.

Teleport not only manages a large number of servers at once, it also works as a terminal recording tool: it provides an intuitive Web UI that renders the terminal, so you can operate servers from the browser and record and share sessions there.

Teleport website: https://www.tp4a.com/

1. Environment

Three VMs are prepared: two sit behind an internal NAT and one is on the public internet and directly reachable. In use, the client connects through the tool to the public jump host and is then forwarded automatically to any internal host; every session can be replayed for auditing, and user permissions are limited by the OS accounts on the host itself.

IP             Node
92.223.67.84   Public Master
172.16.0.80    Internal Master
172.16.0.81    Internal Node

2. How Teleport works

At a high level Teleport operates in units of clusters: the public network counts as one cluster and the internal network as another. The internal cluster keeps an SSH tunnel open to the public cluster, and at the same time allows users of the public cluster to connect into it. The overall mode of operation is shown in the original post's diagram.

3. Building the public Master

3.1 Configure systemd

First download the release binaries and copy them into a directory on PATH, then create the configuration and data directories:

wget https://github.com/gravitational/teleport/releases/download/v2.3.5/teleport-v2.3.5-linux-amd64-bin.tar.gz
tar -zxvf teleport-v2.3.5-linux-amd64-bin.tar.gz
mv teleport/tctl teleport/teleport teleport/tsh /usr/local/bin
mkdir -p /etc/teleport /data/teleport

Then, so that the service runs in the background, create a systemd service unit (the original post's command was missing the heredoc operator `<<`):

cat > /etc/systemd/system/teleport.service <<EOF
[Unit]
Description=Teleport SSH Service
After=network.target

[Service]
Type=simple
Restart=always
ExecStart=/usr/local/bin/teleport start -c /etc/teleport/teleport.yaml

[Install]
WantedBy=multi-user.target
EOF

3.2 Configure Teleport

With systemd in place, Teleport needs a configuration file to start from. The meaning of each option is described in the official documentation; my configuration is below (re-indented here as valid YAML, since the nested keys must be indented under their section).

# By default, this file should be stored in /etc/teleport.yaml

# This section of the configuration file applies to all teleport
# services.
teleport:
  # nodename allows to assign an alternative name this node can be reached by.
  # by default it's equal to hostname
  nodename: mritd.master

  # Data directory where Teleport keeps its data, like keys/users for
  # authentication (if using the default BoltDB back-end)
  data_dir: /data/teleport

  # one-time invitation token used to join a cluster. it is not used on
  # subsequent starts
  auth_token: jYektagNTmhjv9Dh

  # when running in multi-homed or NATed environments Teleport nodes need
  # to know which IP it will be reachable at by other nodes
  advertise_ip: 92.223.67.84

  # list of auth servers in a cluster. you will have more than one auth server
  # if you configure teleport auth to run in HA configuration
  auth_servers:
    - 0.0.0.0:3025
    - 0.0.0.0:3025

  # Teleport throttles all connections to avoid abuse. These settings allow
  # you to adjust the default limits
  connection_limits:
    max_connections: 1000
    max_users: 250

  # Logging configuration. Possible output values are 'stdout', 'stderr' and
  # 'syslog'. Possible severity values are INFO, WARN and ERROR (default).
  log:
    output: stdout
    severity: INFO

  # Type of storage used for keys. You need to configure this to use etcd
  # backend if you want to run Teleport in HA configuration.
  storage:
    type: bolt

  # Cipher algorithms that the server supports. This section only needs to be
  # set if you want to override the defaults.
  ciphers:
    - aes128-ctr
    - aes192-ctr
    - aes256-ctr
    - aes128-gcm@openssh.com
    - arcfour256
    - arcfour128

  # Key exchange algorithms that the server supports. This section only needs
  # to be set if you want to override the defaults.
  kex_algos:
    - curve25519-sha256@libssh.org
    - ecdh-sha2-nistp256
    - ecdh-sha2-nistp384
    - ecdh-sha2-nistp521
    - diffie-hellman-group14-sha1
    - diffie-hellman-group1-sha1

  # Message authentication code (MAC) algorithms that the server supports.
  # This section only needs to be set if you want to override the defaults.
  mac_algos:
    - hmac-sha2-256-etm@openssh.com
    - hmac-sha2-256
    - hmac-sha1
    - hmac-sha1-96

# This section configures the 'auth service':
auth_service:
  # Turns 'auth' role on. Default is 'yes'
  enabled: yes

  authentication:
    # default authentication type. possible values are 'local', 'oidc' and 'saml'
    # only local authentication (Teleport's own user DB) is supported in the open
    # source version
    type: local
    # second_factor can be off, otp, or u2f
    second_factor: otp
    # this section is used if second_factor is set to 'u2f'
    #u2f:
    #  # app_id must point to the URL of the Teleport Web UI (proxy) accessible
    #  # by the end users
    #  app_id: https://localhost:3080
    #  # facets must list all proxy servers if there are more than one deployed
    #  facets:
    #  - https://localhost:3080

  # IP and the port to bind to. Other Teleport nodes will be connecting to
  # this port (AKA "Auth API" or "Cluster API") to validate client
  # certificates
  listen_addr: 0.0.0.0:3025

  # Pre-defined tokens for adding new nodes to a cluster. Each token specifies
  # the role a new node will be allowed to assume. The more secure way to
  # add nodes is to use the `tctl nodes add --ttl` command to generate
  # auto-expiring tokens.
  #
  # We recommend to use tools like `pwgen` to generate sufficiently random
  # tokens of 32+ byte length.
  tokens:
    - "proxy,node:jYektagNTmhjv9Dh"
    - "auth:jYektagNTmhjv9Dh"

  # Optional "cluster name" is needed when configuring trust between multiple
  # auth servers. A cluster name is used as part of a signature in certificates
  # generated by this CA.
  #
  # By default an automatically generated GUID is used.
  #
  # IMPORTANT: if you change cluster_name, it will invalidate all generated
  # certificates and keys (may need to wipe out /var/lib/teleport directory)
  cluster_name: "mritd"

# This section configures the 'node service':
ssh_service:
  # Turns 'ssh' role on. Default is 'yes'
  enabled: yes

  # IP and the port for SSH service to bind to.
  listen_addr: 0.0.0.0:3022
  # See explanation of labels in "Labeling Nodes" section below
  labels:
    role: master

  # List of the commands to periodically execute. Their output will be used as node labels.
  # See "Labeling Nodes" section below for more information.
  commands:
    - name: arch # this command will add a label like 'arch=x86_64' to a node
      command: [uname, -p]
      period: 1h0m0s

  # enables reading ~/.tsh/environment before creating a session. by default
  # set to false, can be set true here or as a command line flag.
  permit_user_env: false

# This section configures the 'proxy service'
proxy_service:
  # Turns 'proxy' role on. Default is 'yes'
  enabled: yes

  # SSH forwarding/proxy address. Command line (CLI) clients always begin their
  # SSH sessions by connecting to this port
  listen_addr: 0.0.0.0:3023

  # Reverse tunnel listening address. An auth server (CA) can establish an
  # outbound (from behind the firewall) connection to this address.
  # This will allow users of the outside CA to connect to behind-the-firewall
  # nodes.
  tunnel_listen_addr: 0.0.0.0:3024

  # The HTTPS listen address to serve the Web UI and also to authenticate the
  # command line (CLI) users via password+HOTP
  web_listen_addr: 0.0.0.0:3080

  # TLS certificate for the HTTPS connection. Configuring these properly is
  # critical for Teleport security.
  #https_key_file: /var/lib/teleport/webproxy_key.pem
  #https_cert_file: /var/lib/teleport/webproxy_cert.pem

Then enable and start Teleport:

systemctl enable teleport
systemctl start teleport

If startup fails with errors like the following

error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
error: Could not load host key: /etc/ssh/ssh_host_ed25519_key

run ssh-keygen to generate the missing host keys yourself:

ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key
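The sample configuration above carries settings that its own comments warn about: the join tokens are 16 characters where the comment asks for 32+ random bytes, every listener is bound to 0.0.0.0 (which section 4 replaces with the internal IP "for safety"), the proxy has no https_cert_file so it serves a self-signed certificate, and the algorithm lists keep arcfour, hmac-sha1 and the 1024-bit diffie-hellman-group1-sha1 group. The script below is an added example, not code from the original post or from the Teleport project: it generates a token of the recommended strength and lints a teleport.yaml for exactly those settings. The embedded sample config is a constructed, trimmed copy of the public Master's configuration; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): generate a strong join token and
# lint a teleport.yaml for the weak settings the post's sample config carries.
set -eu

# gen_token: 32 hex characters from 16 CSPRNG bytes (the post's token,
# jYektagNTmhjv9Dh, is 16 pwgen-style characters).
gen_token() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 16
    else
        od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
    fi
}

# sample_config: constructed, trimmed copy of the post's public-Master config,
# indented as real YAML; only the lines the lint looks at are kept.
sample_config() {
    cat <<'EOF'
teleport:
  auth_token: jYektagNTmhjv9Dh
  ciphers:
    - aes256-ctr
    - arcfour256
  kex_algos:
    - ecdh-sha2-nistp256
    - diffie-hellman-group1-sha1
  mac_algos:
    - hmac-sha2-256
    - hmac-sha1-96
auth_service:
  listen_addr: 0.0.0.0:3025
  tokens:
    - "proxy,node:jYektagNTmhjv9Dh"
    - "auth:jYektagNTmhjv9Dh"
proxy_service:
  web_listen_addr: 0.0.0.0:3080
  #https_key_file: /var/lib/teleport/webproxy_key.pem
  #https_cert_file: /var/lib/teleport/webproxy_cert.pem
EOF
}

# lint_teleport_config FILE: print one finding per line, return 1 if any.
lint_teleport_config() {
    f=$1
    n=0
    has() { grep -qE "$1" "$f"; }

    if has '^[[:space:]]*-[[:space:]]*diffie-hellman-group1-sha1'; then
        n=$((n + 1)); echo "kex_algos: diffie-hellman-group1-sha1 (1024-bit group) listed; drop it"
    fi
    if has '^[[:space:]]*-[[:space:]]*arcfour'; then
        n=$((n + 1)); echo "ciphers: arcfour* (RC4) listed; drop it"
    fi
    if has '^[[:space:]]*-[[:space:]]*hmac-sha1'; then
        n=$((n + 1)); echo "mac_algos: hmac-sha1/hmac-sha1-96 listed; keep the SHA-2 MACs only"
    fi
    if has '^[[:space:]]*[a-z_]*listen_addr:[[:space:]]*0\.0\.0\.0:'; then
        n=$((n + 1)); echo "listen_addr: bound to 0.0.0.0; bind to the interface you actually mean"
    fi
    if has '^[[:space:]]*#[[:space:]]*https_cert_file:'; then
        n=$((n + 1)); echo "proxy_service: https_cert_file commented out; Web UI uses a self-signed cert"
    fi
    # auth_token and every "role:secret" entry under tokens: must be 32+ chars.
    for t in $(sed -n -e 's/^[[:space:]]*auth_token:[[:space:]]*//p' \
                      -e 's/^[[:space:]]*-[[:space:]]*"[a-z_,]*:\([^"]*\)".*/\1/p' "$f"); do
        if [ "${#t}" -lt 32 ]; then
            n=$((n + 1)); echo "token '$t' is ${#t} chars; use 32+ random bytes (see gen_token)"
        fi
    done
    [ "$n" -eq 0 ]
}

# Demo on the constructed sample: list the findings, then offer a new token.
tmp=$(mktemp)
sample_config > "$tmp"
lint_teleport_config "$tmp" || echo "$n finding(s); replacement token: $(gen_token)"
rm -f "$tmp"
```

Run it against the real file with `lint_teleport_config /etc/teleport/teleport.yaml`; a clean file returns 0, so the function can gate a deployment step. The same token value must appear in `auth_token` on the joining node and in `tokens:` on the auth server, so regenerate both together.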

3.3 Add a user

The public Teleport is the main entry point, so a user added on this node is allowed to log in to every cluster, including the internal one. To make the later steps convenient, add a user now:

# add a user named mritd who may log in as root on every cluster
tctl --config /etc/teleport/teleport.yaml users add mritd root

On success the command returns an OTP enrollment URL; open it in a browser and scan the QR code with Google Authenticator, which adds an OTP factor to every login.

Open that URL to set the initial password and the OTP.

4. Building the internal Master

Building the internal Master is the same as the public one, except that for safety every 0.0.0.0 address is replaced with the internal IP. The internal configuration follows.

# By default, this file should be stored in /etc/teleport.yaml

# This section of the configuration file applies to all teleport
# services.
teleport:
  # nodename allows to assign an alternative name this node can be reached by.
  # by default it's equal to hostname
  nodename: mritd.test1

  # Data directory where Teleport keeps its data, like keys/users for
  # authentication (if using the default BoltDB back-end)
  data_dir: /data/teleport

  # one-time invitation token used to join a cluster. it is not used on
  # subsequent starts
  auth_token: jYektagNTmhjv9Dh

  # when running in multi-homed or NATed environments Teleport nodes need
  # to know which IP it will be reachable at by other nodes
  advertise_ip: 172.16.0.80

  # list of auth servers in a cluster. you will have more than one auth server
  # if you configure teleport auth to run in HA configuration
  auth_servers:
    - 172.16.0.80:3025

  # Teleport throttles all connections to avoid abuse. These settings allow
  # you to adjust the default limits
  connection_limits:
    max_connections: 1000
    max_users: 250

  # Logging configuration. Possible output values are 'stdout', 'stderr' and
  # 'syslog'. Possible severity values are INFO, WARN and ERROR (default).
  log:
    output: stdout
    severity: INFO

  # Type of storage used for keys. You need to configure this to use etcd
  # backend if you want to run Teleport in HA configuration.
  storage:
    type: bolt

  # Cipher algorithms that the server supports. This section only needs to be
  # set if you want to override the defaults.
  ciphers:
    - aes128-ctr
    - aes192-ctr
    - aes256-ctr
    - aes128-gcm@openssh.com
    - arcfour256
    - arcfour128

  # Key exchange algorithms that the server supports. This section only needs
  # to be set if you want to override the defaults.
  kex_algos:
    - curve25519-sha256@libssh.org
    - ecdh-sha2-nistp256
    - ecdh-sha2-nistp384
    - ecdh-sha2-nistp521
    - diffie-hellman-group14-sha1
    - diffie-hellman-group1-sha1

  # Message authentication code (MAC) algorithms that the server supports.
  # This section only needs to be set if you want to override the defaults.
  mac_algos:
    - hmac-sha2-256-etm@openssh.com
    - hmac-sha2-256
    - hmac-sha1
    - hmac-sha1-96

# This section configures the 'auth service':
auth_service:
  # Turns 'auth' role on. Default is 'yes'
  enabled: yes

  authentication:
    # default authentication type. possible values are 'local', 'oidc' and 'saml'
    # only local authentication (Teleport's own user DB) is supported in the open
    # source version
    type: local
    # second_factor can be off, otp, or u2f
    second_factor: otp
    # this section is used if second_factor is set to 'u2f'
    #u2f:
    #  # app_id must point to the URL of the Teleport Web UI (proxy) accessible
    #  # by the end users
    #  app_id: https://localhost:3080
    #  # facets must list all proxy servers if there are more than one deployed
    #  facets:
    #  - https://localhost:3080

  # IP and the port to bind to. Other Teleport nodes will be connecting to
  # this port (AKA "Auth API" or "Cluster API") to validate client
  # certificates
  listen_addr: 172.16.0.80:3025

  # Pre-defined tokens for adding new nodes to a cluster. Each token specifies
  # the role a new node will be allowed to assume. The more secure way to
  # add nodes is to use the `tctl nodes add --ttl` command to generate
  # auto-expiring tokens.
  #
  # We recommend to use tools like `pwgen` to generate sufficiently random
  # tokens of 32+ byte length.
  tokens:
    - "proxy,node:jYektagNTmhjv9Dh"
    - "auth:jYektagNTmhjv9Dh"

  # Optional "cluster name" is needed when configuring trust between multiple
  # auth servers. A cluster name is used as part of a signature in certificates
  # generated by this CA.
  #
  # By default an automatically generated GUID is used.
  #
  # IMPORTANT: if you change cluster_name, it will invalidate all generated
  # certificates and keys (may need to wipe out /var/lib/teleport directory)
  cluster_name: "nat"

# This section configures the 'node service':
ssh_service:
  # Turns 'ssh' role on. Default is 'yes'
  enabled: yes

  # IP and the port for SSH service to bind to.
  listen_addr: 172.16.0.80:3022
  # See explanation of labels in "Labeling Nodes" section below
  labels:
    role: master

  # List of the commands to periodically execute. Their output will be used as node labels.
  # See "Labeling Nodes" section below for more information.
  commands:
    - name: arch # this command will add a label like 'arch=x86_64' to a node
      command: [uname, -p]
      period: 1h0m0s

  # enables reading ~/.tsh/environment before creating a session. by default
  # set to false, can be set true here or as a command line flag.
  permit_user_env: false

# This section configures the 'proxy service'
proxy_service:
  # Turns 'proxy' role on. Default is 'yes'
  enabled: yes

  # SSH forwarding/proxy address. Command line (CLI) clients always begin their
  # SSH sessions by connecting to this port
  listen_addr: 172.16.0.80:3023

  # Reverse tunnel listening address. An auth server (CA) can establish an
  # outbound (from behind the firewall) connection to this address.
  # This will allow users of the outside CA to connect to behind-the-firewall
  # nodes.
  tunnel_listen_addr: 172.16.0.80:3024

  # The HTTPS listen address to serve the Web UI and also to authenticate the
  # command line (CLI) users via password+HOTP
  web_listen_addr: 172.16.0.80:3080

  # TLS certificate for the HTTPS connection. Configuring these properly is
  # critical for Teleport security.
  #https_key_file: /var/lib/teleport/webproxy_key.pem
  #https_cert_file: /var/lib/teleport/webproxy_cert.pem

Once the configuration is in place, enable and start it:

systemctl enable teleport
systemctl start teleport

5. Connecting the internal cluster to the public one

As described above, Teleport reaches internal hosts from the public network by having the internal cluster open an SSH tunnel out to the public cluster and then communicating over it. The configuration is as follows.

5.1 Enable trusted clusters on the public Master

Add a token on the public Master so that other (internal) clusters holding that token are allowed to connect to it. Edit /etc/teleport/teleport.yaml and add one more entry under tokens:

  tokens:
    - "proxy,node:jYektagNTmhjv9Dh"
    - "auth:jYektagNTmhjv9Dh"
    - "trusted_cluster:xiomwWcrKinFw4Vs"

Then restart Teleport:

systemctl restart teleport

5.2 Connect the internal Master to the public Master

Once the public cluster accepts connections from other clusters, the internal cluster only needs a resource definition to connect. Create the following configuration (cluster.yaml):

# cluster.yaml
kind: trusted_cluster
version: v2
metadata:
  # the trusted cluster name MUST match the 'cluster_name' setting of the
  # cluster
  name: local_cluster
spec:
  # this field allows to create tunnels that are disabled, but can be enabled later.
  enabled: true
  # the token expected by the "main" cluster:
  token: xiomwWcrKinFw4Vs
  # the address in 'host:port' form of the reverse tunnel listening port on the
  # "master" proxy server:
  tunnel_addr: 92.223.67.84:3024
  # the address in 'host:port' form of the web listening port on the
  # "master" proxy server:
  web_proxy_addr: 92.223.67.84:3080

Run the following command so that the internal cluster connects to the public cluster over the SSH tunnel:

tctl --config /etc/teleport/teleport.yaml create /etc/teleport/cluster.yaml

Note: if neither the public nor the internal cluster was started with a trusted certificate (https_cert_file / https_key_file), Teleport generates a self-signed certificate by default, and creating the trusted cluster then fails with:

the trusted cluster uses misconfigured HTTP/TLS certificate

In that case add the --insecure flag when starting the cluster being added (the internal one), i.e. change its systemd unit as follows:

[Unit]
Description=Teleport SSH Service
After=network.target

[Service]
Type=simple
Restart=always
ExecStart=/usr/local/bin/teleport start --insecure -c /etc/teleport/teleport.yaml

[Install]
WantedBy=multi-user.target

After that, create no longer reports an error.

6. Adding other nodes

With the two clusters connected, any further machine can be joined to the appropriate cluster. Another internal machine serves as the example.

Because the Master's auth_service already defines a static token for joining nodes (proxy,node:jYektagNTmhjv9Dh), other nodes simply join with that token. On the other internal host, write the systemd unit as follows and start it:
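Two things in this section deserve a check before running `tctl create`. First, the comment in cluster.yaml says the resource name must match the `cluster_name` of the cluster being joined, which on this page is the public Master's `"mritd"`, not the `local_cluster` the post uses; reading the value out of the public Master's teleport.yaml avoids the mismatch. Second, `--insecure` disables TLS verification for the whole process, so it is worth confirming that the certificate the public proxy presents really is self-signed (issuer equal to subject) before reaching for that flag; the lasting fix is a real certificate in `https_cert_file`/`https_key_file`. The script below is an added example, not code from the original post or from the Teleport project; the function names and the `main-teleport.yaml` file name (a copy of the public Master's config) are the example's own assumptions, and the hosts and token are the post's.

```shell
#!/bin/sh
# Added example (not from the original post): derive the trusted_cluster name
# from the public Master's cluster_name, verify a hand-written cluster.yaml
# against it, and inspect the public proxy's certificate before using --insecure.
set -eu

# cluster_name_of TELEPORT_YAML: the cluster_name value, quotes stripped.
cluster_name_of() {
    sed -n 's/^[[:space:]]*cluster_name:[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' "$1"
}

# render_trusted_cluster NAME TOKEN TUNNEL_ADDR WEB_ADDR: print a cluster.yaml
# with the same fields the post uses.
render_trusted_cluster() {
    cat <<EOF
kind: trusted_cluster
version: v2
metadata:
  name: $1
spec:
  enabled: true
  token: $2
  tunnel_addr: $3
  web_proxy_addr: $4
EOF
}

# trusted_cluster_name CLUSTER_YAML: the metadata.name value of the resource.
trusted_cluster_name() {
    sed -n 's/^[[:space:]]*name:[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' "$1" | head -n 1
}

# check_trusted_cluster CLUSTER_YAML MAIN_TELEPORT_YAML: 0 when the resource
# name equals the joined cluster's cluster_name, 1 (with a message) otherwise.
check_trusted_cluster() {
    want=$(cluster_name_of "$2")
    got=$(trusted_cluster_name "$1")
    if [ -n "$want" ] && [ "$got" = "$want" ]; then
        return 0
    fi
    echo "name '$got' in $1 does not match cluster_name '$want' in $2" >&2
    return 1
}

# proxy_cert_is_self_signed HOST:PORT: 0 if the TLS certificate served on the
# web_proxy_addr has issuer == subject, i.e. the self-signed default that makes
# `tctl create` fail on this page. Needs network access to the proxy.
proxy_cert_is_self_signed() {
    out=$(openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null |
          openssl x509 -noout -issuer -subject)
    iss=$(printf '%s\n' "$out" | sed -n 's/^issuer=//p')
    sub=$(printf '%s\n' "$out" | sed -n 's/^subject=//p')
    [ -n "$iss" ] && [ "$iss" = "$sub" ]
}

# Demo on constructed files: the public Master on this page has
# cluster_name "mritd", so the rendered resource gets name: mritd.
tmp=$(mktemp -d)
printf 'auth_service:\n  cluster_name: "mritd"\n' > "$tmp/main-teleport.yaml"
render_trusted_cluster "$(cluster_name_of "$tmp/main-teleport.yaml")" \
    xiomwWcrKinFw4Vs 92.223.67.84:3024 92.223.67.84:3080 > "$tmp/cluster.yaml"
check_trusted_cluster "$tmp/cluster.yaml" "$tmp/main-teleport.yaml" && echo "cluster.yaml matches"
rm -rf "$tmp"
```

Against the live setup, `proxy_cert_is_self_signed 92.223.67.84:3080 && echo self-signed` tells you whether the `--insecure` workaround is the only option, and `check_trusted_cluster /etc/teleport/cluster.yaml main-teleport.yaml` gates the `tctl create` step.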

[Unit]
Description=Teleport SSH Service
After=network.target

[Service]
Type=simple
Restart=always
ExecStart=/usr/local/bin/teleport start --roles=node,proxy \
--token=jYektagNTmhjv9Dh \
--auth-server=172.16.0.80

[Install]
WantedBy=multi-user.target

The internal Master now lists the node as joined:

test1.node ➜ tctl --config /etc/teleport/teleport.yaml nodes ls
Hostname UUID Address Labels
----------- ------------------------------------ ---------------- -----------------------
test2.node abc786fe-9a60-4480-80f7-8edc20710e58 172.16.0.81:3022
mritd.test1 be9080fb-bdba-4823-9fb6-294e0b0dcce3 172.16.0.80:3022 arch=x86_64,role=master

7. Connection tests

7.1 Web test

Teleport offers a Web UI: open https://<public IP>:3080 and log in. The post-login screen is shown in the original post's screenshot.

The Cluster option switches between clusters, and clicking the username next to it chooses which user to log in to which host as (user authorization is controlled when the user is added). A successful login is shown in the original post's screenshot.

Everything done through Teleport can be replayed from the audit menu.

7.2 Command-line test

On Unix-like systems we still prefer logging in from a terminal, which uses Teleport's CLI tool tsh. tsh is already included in the release tarball; see its help output and the official documentation for details. A few simple examples follow.

  • Log in to the jump host: only needed once within a short period; the password and the OTP code are required at login

export TELEPORT_PROXY=92.223.67.84
export TELEPORT_USER=mritd
tsh login --insecure


  • Log in to a host: after the login step above, any host can be reached without a password

# the cluster name is the one configured above; it is also visible in the Web UI.
# The target user@host was lost to e-mail obfuscation in the extracted text;
# root@172.16.0.81 (the internal Node from the table) is substituted here.
tsh ssh --cluster nat root@172.16.0.81


  • Copy a file: no progress is shown while copying; it has not hung

# same substituted target as above (root@172.16.0.81)
tsh scp --cluster nat teleport-v2.3.5-linux-amd64-bin.tar.gz root@172.16.0.81:/

-> teleport-v2.3.5-linux-amd64-bin.tar.gz (16797035)

Note: the Teleport version used in this article is fairly old; the latest is 3.10. The article is republished mainly to recommend this excellent tool. If you need a newer Teleport, deploy it by following the official documentation: https://docs.tp4a.com/

Source: 漠然的博客
Original: http://t.cn/AiNmMKsJ
Copyright: this article belongs to its original author