In today’s fast-paced digital world, securing your server infrastructure is of utmost importance. One powerful tool that can help you achieve this is Teleport, an open-source access plane that provides zero-trust access to various services such as servers, Kubernetes clusters, database servers, and more. In this comprehensive guide, we will walk you through the process of setting up a Teleport Cluster on Rocky Linux 9, ensuring a secure and efficient access plane for your infrastructure.
Prerequisites
Before we dive into the installation and configuration process, let’s go over the prerequisites for setting up a Teleport Cluster on Rocky Linux 9:
- Rocky Linux 9 server: Ensure that you have a Rocky Linux 9 server with a valid hostname and IP address.
- Non-root user with sudo/root administrator privileges: Create a non-root user with sudo or root privileges to perform the necessary configurations.
- Domain name pointed to your server IP address: Have a domain name pointed to your server’s IP address for secure access.
- SSL Certificates: Generate SSL certificates using a service like Certbot with Let's Encrypt to ensure secure communication.
- SELinux in permissive mode: Set SELinux to permissive mode to avoid any conflicts during the installation process.
- Two-Factor Authentication application: Install a reliable Two-Factor Authentication application like KeePassXC, Aegis (for Android users), or Google Authenticator (for iOS users).
You will also need additional servers/nodes to add to your Teleport Cluster. While any Linux distribution can be used, this guide uses two additional Rocky Linux servers named ‘client1’ and ‘client2’.
Now that we have the prerequisites covered, let’s move on to the installation process.
Installing Teleport on Rocky Linux 9
To install Teleport on Rocky Linux 9, we will first need to add the Teleport repository to the system and then proceed with the installation. Follow the steps below:
- Add the Teleport repository to your Rocky Linux system by running the following command:
sudo dnf config-manager --add-repo https://rpm.releases.teleport.dev/teleport.repo
- Verify the list of active repositories by running the command:
sudo dnf repolist
- Install the Teleport package by running the command:
sudo dnf install teleport
- Verify the installation by checking the list of Teleport command lines:
ls /usr/local/bin/
- Add the ‘/usr/local/bin’ directory to the sudoers secure_path to allow running Teleport command lines with sudo:
echo "Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin" | sudo tee /etc/sudoers.d/secure_path
sudo chmod 440 /etc/sudoers.d/secure_path
- Finally, verify the Teleport version by running the following commands:
sudo teleport version
sudo tsh version
sudo tctl version
Congratulations! You have successfully installed Teleport on your Rocky Linux 9 server. Now, let’s move on to the configuration process.
Configuring Teleport Server
Before we can start using Teleport, we need to configure the Teleport server itself. This involves ensuring that your domain name is pointed to the server’s IP address and generating SSL certificates. Follow the steps below to configure the Teleport server:
- After installing Teleport, generate the Teleport configuration file (written to ‘/etc/teleport.yaml’ by ‘-o file’) with the cluster name, public address, and the SSL certificate and key from the prerequisites:
sudo teleport configure -o file \
  --cluster-name=teleport.example.io \
  --public-addr=teleport.example.io:443 \
  --cert-file=/etc/letsencrypt/live/teleport.example.io/fullchain.pem \
  --key-file=/etc/letsencrypt/live/teleport.example.io/privkey.pem
- Open the Teleport configuration file ‘/etc/teleport.yaml’ using the nano editor:
sudo nano /etc/teleport.yaml
- Add the following lines to the file to enable the Teleport Application Service and register an application named ‘teleport-webapp’:
app_service:
  enabled: yes
  apps:
    - name: "teleport-webapp"
      uri: "http://localhost:9000"
      public_addr: "teleport.example.io"
- Save and close the file.
- Start and enable the Teleport service by running the following commands:
sudo systemctl start teleport
sudo systemctl enable teleport
- Verify that the Teleport service is running by running the command:
sudo systemctl status teleport
- Open the necessary ports for the Teleport service by running the following firewall-cmd command:
sudo firewall-cmd --add-port={443/tcp,3021/tcp,3022/tcp,3025/tcp,3028/tcp} --permanent
- Reload the firewall to apply the changes and verify the list of firewall rules:
sudo firewall-cmd --reload
sudo firewall-cmd --list-all
- Finally, open your web browser and visit your Teleport domain name (e.g., https://teleport.example.io/) to access the Teleport login page.
By following these steps, you have successfully configured the Teleport server on Rocky Linux 9. In the next section, we will create and set up a Teleport user for managing the Teleport Cluster.
Adding a Teleport User
To manage the Teleport Cluster, we need to create and set up a Teleport user. This user will have the necessary privileges to access and administer the Teleport Cluster. Follow the steps below to add a Teleport user:
- On the ‘teleport-rocky’ server, run the following command to create a new Teleport user named ‘teleport-admin’ with the roles ‘editor’ and ‘access’:
sudo tctl users add teleport-admin --roles=editor,access --logins=root,rocky,ec2-user
- Copy the generated link displayed after running the command. This link will be used to configure the new Teleport user.
- Open the link in your web browser and follow the instructions to set up the new Teleport user. This will include setting a username, password, and enabling Two-Factor Authentication (2FA) using your preferred 2FA application.
- Once the Teleport user is set up, you can access the Teleport administration dashboard using the credentials you provided.
With the Teleport user created and set up, you can now manage the Teleport Cluster using both the command line and the administration dashboard. In the next sections, we will explore how to manage the Teleport Cluster using these methods.
Managing the Teleport Cluster via Command Line
The Teleport package provides two command line tools, ‘tsh’ and ‘tctl’, for managing the Teleport Cluster. Let’s explore how to use these command line tools to manage the Teleport Cluster.
- Log in to the ‘teleport-rocky’ server as the non-root user you created earlier.
- Authenticate to your Teleport Cluster using the ‘tsh’ command. Replace ‘teleport.example.io’ with your Teleport domain and ‘teleport-admin’ with the Teleport user you created:
tsh login --proxy=teleport.example.io --user=teleport-admin
- Enter the password for the ‘teleport-admin’ user and the OTP authentication code from your 2FA application.
- Once authenticated, you can check the status of your connection using the ‘tsh’ command:
tsh status
- To manage resources in the Teleport Cluster, you can use the ‘tsh’ command. For example, to list the available hosts/nodes/servers in the Teleport Cluster, run the following command:
tsh ls
- You can also check the enabled applications in the Teleport Cluster using the following command:
tsh apps ls
- To log in to a specific node in the Teleport Cluster via SSH, use the ‘tsh ssh’ command. For example, to log in to the ‘teleport-rocky’ node as the user ‘root’, run the following command:
tsh ssh root@teleport-rocky
- To log in as a different user, replace ‘root’ with the desired username.
Additionally, you can use the ‘tctl’ command with sudo or root privileges to set up and configure the Teleport Auth Service. For example, to check the list of available nodes/servers in the Teleport Cluster, run the following command:
sudo tctl nodes ls
By following these steps, you can effectively manage your Teleport Cluster using the command line tools provided. Now, let’s move on to adding nodes/servers to the Teleport Cluster.
Adding Nodes to the Teleport Cluster
To expand your Teleport Cluster, you can add additional nodes/servers to it. There are two methods for adding nodes: automatically via the Teleport administration dashboard and manually via the command line. Let’s explore both methods.
Adding Nodes via the Teleport Administration Dashboard
Before adding nodes to the Teleport Cluster, ensure that the necessary ports are open on the target nodes. Follow these steps to add nodes via the Teleport administration dashboard:
- Open the Teleport web administration dashboard and click the ‘ADD SERVER’ button.
- Select the resource type you want to add (e.g., SERVERS) and click ‘NEXT’.
- Follow the instructions on the dashboard to generate an installer script or command line for the target node (e.g., ‘client1’).
- Log in to the target node and run the generated installer script or command line.
- Once the installation process is complete, return to the Teleport administration dashboard and click ‘NEXT’.
- Specify the usernames that will be allowed to access the added node and click ‘NEXT’.
- Verify the connections to the added node using the provided steps.
- Click ‘FINISH’ to complete the process.
Adding Nodes Manually
To add nodes manually to the Teleport Cluster, follow these steps:
- Check the ‘CA pin’ fingerprint of your Teleport Cluster by running the following command on the ‘teleport-rocky’ server:
sudo tctl status
- Generate a new token for the node you want to add by running the following command on the ‘teleport-rocky’ server:
sudo tctl nodes add --ttl=30m --roles=node | grep "invite token:" | grep -Eo "[0-9a-z]{32}"
- Connect to the target node (e.g., ‘client2’) and open the necessary ports using the firewall-cmd command.
- Add the Teleport repository to the target node by running the following command:
sudo dnf config-manager --add-repo https://rpm.releases.teleport.dev/teleport.repo
- Install Teleport on the target node by running the following command:
sudo dnf install teleport
- Add the ‘/usr/local/bin’ directory to the sudoers secure_path by running the following commands:
echo "Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin" | sudo tee /etc/sudoers.d/secure_path
sudo chmod 440 /etc/sudoers.d/secure_path
- Create a Teleport configuration file ‘/etc/teleport.yaml’ on the target node using the nano editor:
sudo nano /etc/teleport.yaml
- Add the necessary configuration details to the file, including the Teleport Cluster’s CA pin fingerprint and the join token generated in the previous steps, the nodename, the proxy address, and more. Refer to the Teleport documentation for the exact configuration details.
- Save and close the file.
- Start and enable the Teleport service on the target node by running the following commands:
sudo systemctl start teleport
sudo systemctl enable teleport
- Verify the Teleport service status by running the following command:
sudo systemctl status teleport
- Finally, go back to the Teleport administration dashboard and verify that the manually added node is available in the Teleport Cluster.
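As an added example (not part of the original guide or the Teleport project), the script below renders the node’s ‘/etc/teleport.yaml’ from the CA pin and join token gathered on ‘teleport-rocky’ in the manual steps above, refusing to render if either value is malformed. It assumes the v3 teleport.yaml layout and prints the result to stdout so you can review it before copying it into place.

```shell
#!/bin/sh
# Added example, not part of the original guide or the Teleport project:
# render the minimal /etc/teleport.yaml an SSH-only node needs to join,
# from the join token (tctl nodes add) and CA pin (tctl status) gathered
# on teleport-rocky. The v3 teleport.yaml layout used here is an assumption;
# the result is printed to stdout rather than written to /etc.
set -eu

# A pin must be "sha256:" plus 64 hex chars. Anything else is rejected:
# without a correct pin the node would trust any auth server that answers.
valid_ca_pin() {
  printf '%s' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# The token is the 32-character value the guide extracts with grep -Eo.
valid_token() {
  printf '%s' "$1" | grep -Eq '^[0-9a-z]{32}$'
}

# Usage: render_node_config PROXY_ADDR NODENAME TOKEN CA_PIN
render_node_config() {
  proxy="$1"; nodename="$2"; token="$3"; ca_pin="$4"
  valid_ca_pin "$ca_pin" || { echo "bad CA pin, not rendering" >&2; return 1; }
  valid_token "$token" || { echo "bad join token, not rendering" >&2; return 1; }
  cat <<EOF
version: v3
teleport:
  nodename: ${nodename}
  data_dir: /var/lib/teleport
  proxy_server: ${proxy}
  join_params:
    token_name: ${token}
    method: token
  ca_pin: "${ca_pin}"
# Only the SSH service runs on this node; auth and proxy stay on teleport-rocky.
auth_service:
  enabled: no
proxy_service:
  enabled: no
ssh_service:
  enabled: yes
EOF
}

# Constructed sample values; replace them with your real tctl output.
SAMPLE_TOKEN="abcdef0123456789abcdef0123456789"
SAMPLE_PIN="sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
render_node_config "teleport.example.io:443" "client2" "$SAMPLE_TOKEN" "$SAMPLE_PIN"
```

Redirect the output to a file, check it, then install it with sudo tee to ‘/etc/teleport.yaml’ before starting the service.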
By following these steps, you can add nodes to your Teleport Cluster, both automatically via the administration dashboard and manually via the command line. With your cluster expanded, you can now enjoy secure and efficient access to your infrastructure.
Conclusion
Congratulations! You have successfully set up a Teleport Cluster on Rocky Linux 9, providing a secure access plane for your infrastructure. By following the steps outlined in this comprehensive guide, you have installed Teleport, configured the Teleport server, added Teleport users, and managed the Teleport Cluster using both the command line and the administration dashboard. This ensures that your server infrastructure is protected and accessible only through Teleport, bolstering your security measures.
As a business, it is essential to rely on a reliable and capable hosting provider to ensure the smooth operation of your server infrastructure. Shape.host is a leading provider of Cloud VPS services, offering scalable and secure hosting solutions. With their expertise and dedication to customer satisfaction, Shape.host can help you optimize your server infrastructure and achieve your business goals. Trust Shape.host for all your cloud hosting needs!