How can we integrate Teleport with Capistrano?

Hello Team,

Can you please help me with how we can integrate Teleport with Capistrano for deployment?

Thanks.

Are you proposing to completely replace ssh/sshd with tsh/teleport or are you looking for a kind of hybrid solution?

When you successfully log into a Teleport cluster (with tsh login --proxy teleport.example.com) the certificate you’re issued will be loaded into your local SSH agent.

At this point, assuming your sshd on the remote servers trusts the CA that issues the Teleport certificates (see https://gravitational.com/teleport/docs/admin-guide/#integrating-with-openssh-servers for examples) then Capistrano should be able to SSH into the machines as usual until the Teleport-issued certificate expires (12 hours by default).

Is this the sort of thing you were thinking of?

Hello Gus,

Thank you for your response.

We are looking for a hybrid solution, so that the admin user can log in via Teleport as well as have access via SSH; in case something goes wrong with Teleport, the admin user can still access the machine via SSH.

tsh login --proxy localhost --user=tek

When I run the above command I am able to log into the cluster.

I am able to access the machine from the Teleport dashboard for all users which are created in Teleport and mapped to OS users.

Can you please list the further steps? I am a little bit confused. This is the last part of our testing. Once it is completed we will discuss with our management and purchase the license.

Please help me.

Thanks.

When you run tsh login --proxy localhost --user=tek, you should get a certificate loaded into your local ssh-agent. You can confirm this by running ssh-add -l - here’s example output from my machine:

$ ssh-add -l
2048 SHA256:ol1bgz+RDmpniVSVO0L96F73EKqo6nzVyI+fybyCMYA teleport:gus@gravitational.com (RSA-CERT)
2048 SHA256:ol1bgz+RDmpniVSVO0L96F73EKqo6nzVyI+fybyCMYA teleport:gus@gravitational.com (RSA)

This certificate (RSA-CERT) is generated and signed by Teleport’s internal certificate authority (CA), much the same way as SSL/TLS certificates are issued and signed.

You can configure the sshd on the target machine (we’ll call it target_machine) to automatically trust all certificates that are issued by Teleport’s CA. This is a very simple way to use Teleport for authentication without needing to change the SSH backend used by Capistrano or other administrative tools. It will also mean that you can still SSH in via more conventional methods if needed.

  1. As described in https://gravitational.com/teleport/docs/admin-guide/#integrating-with-openssh-servers, to configure the sshd to trust the Teleport CA, you first run this command on the Teleport auth server:

     # tctl auth export --type=user > teleport-user-ca.pub

  2. Take that exported teleport-user-ca.pub file and copy it into /etc/ssh on target_machine, then edit the /etc/ssh/sshd_config on target_machine and add this line:

     TrustedUserCAKeys /etc/ssh/teleport-user-ca.pub

  3. Restart the sshd on target_machine:

     # systemctl restart sshd.service

Once this is done and you have the Teleport-issued certificate showing in ssh-add -l as shown at the beginning of the post, you should be able to run ssh user@target_machine and log in as you would do usually. This should also mean that Capistrano can SSH to the machine and run as it expects to.

Hello Gus,

One more question for you.

We need to run the below command for each Teleport user:

tsh login --proxy localhost --user=tek

The user name will be different; instead of tek it can be xyz. Do we then need to add the public certificate to each target machine for each user?

Please guide me.

Adding TrustedUserCAKeys to the sshd configuration as described in the post above will cause that machine to automatically trust any Teleport-issued certificate for any user. You would just need to make sure that this is present and configured on all machines that a user would need to log into.

Hello Gus,

If I am understanding correctly, once we log into the cluster using any user, that certificate will show using ssh-add -l, and we need to export it to a file using the below command:

# tctl auth export --type=user > teleport-user-ca.pub

and then add it on the target machine, and it will work for all users, with no need to log into the cluster using every user.

Am I thinking the right way or the wrong way?

Please suggest.

Thanks.

No, you are incorrect here. The way it works is that you run tctl auth export --type=user > teleport-user-ca.pub once on the auth server and follow the procedure I detailed beforehand. Once that is done, all users will be able to log in - there’s no per-user procedure needed.

Hello Gus,

Do I need to run the ssh command from the auth server? I have followed all the steps which were suggested by you. Now I am trying to SSH to the target machine from the auth server machine, but I am getting a permission denied error.

Can you please help me a little bit more?

Thanks.

You need to run the ssh command on whichever machine has the certificate loaded into the ssh-agent - in this case, yes, it’s the auth server (because you’re running it on localhost).

  1. What is the output of ssh-add -l after logging into the Teleport cluster?

  2. Have you restarted sshd on the target machine after adding TrustedUserCAKeys /etc/ssh/teleport-user-ca.pub or similar?

  3. Can you post the ssh command that you are running to try and log in?

Hello Gus,

root@teleport:~# ssh-add -l
2048 SHA256:aM8CRifm7F4diAk/6RkpVbXpImNny//XSaD+x/KELUU teleport:tek (RSA-CERT)
2048 SHA256:aM8CRifm7F4diAk/6RkpVbXpImNny//XSaD+x/KELUU teleport:tek (RSA)

Yes, I have restarted the SSH service on the target machine after copying the certificate into the /etc/ssh/teleport-user-ca.pub file and adding the line TrustedUserCAKeys /etc/ssh/teleport-user-ca.pub to /etc/ssh/sshd_config.

Please suggest me.

Thanks.

Hello Gus,

Can you please help me a little bit more on the above issue?

Thanks.

Please post this command as well.

Hello Gus,

I am using the below command from my auth server:

# ssh tek@target_machine_ip

Note: the tek user is created on the Teleport server and mapped to the tek (OS) user on the target machine.

Can you please post the output of:

  1. The tsh login command that you are using with --proxy etc, plus its output
  2. ssh -v tek@target_machine_ip

It’s hard to say what’s causing the issue currently.

Hello Gus,

Please find the output of the requested commands:

root@teleport:~# tsh login --proxy localhost --user=tek
Enter password for Teleport user tek:
Enter your OTP token:
129472
> Profile URL:  https://localhost:3080
  Logged in as: tek
  Cluster:      localhost
  Roles:        admin*
  Logins:       tek, root
  Valid until:  2019-06-13 15:55:22 +0000 UTC [valid for 12h0m0s]
  Extensions:   permit-agent-forwarding, permit-port-forwarding, permit-pty


* RBAC is only available in Teleport Enterprise
  https://gravitational.com/teleport/docs/enterprise
root@teleport:~# ssh-add -l
2048 SHA256:YhxIynTCZDa4gT6zMFSQv3RFYkqBu83f4kAAQXznTKk teleport:tek (RSA-CERT)
2048 SHA256:YhxIynTCZDa4gT6zMFSQv3RFYkqBu83f4kAAQXznTKk teleport:tek (RSA)

Output for the above command:

root@teleport:~# ssh -v tek@1.2.3.4
OpenSSH_7.2p2 Ubuntu-4ubuntu2.8, OpenSSL 1.0.2g  1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 1.2.3.4 [1.2.3.4] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.8
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.8 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 1.2.3.4:22 as 'tek'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:1XCXW7z1CDphXXPRxGZMb6UhKIcfLx9P5p5VsqMiU0s
debug1: Host '1.2.3.4' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA-CERT public key: teleport:tek
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: teleport:tek
debug1: Authentications that can continue: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey).

Note: I have replaced the actual public IP of the target machine with 1.2.3.4.

Please help me.

Thanks.

One other thing I’ve just remembered (as it states in https://gravitational.com/teleport/docs/admin-guide/#integrating-with-openssh-servers):

You will need to edit /etc/ssh/teleport-user-ca.pub on target_machine and remove the cert-authority from the beginning of the line, so it just starts with ssh-rsa. After this, restart sshd and try again.
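Added example (not part of the thread and not Teleport's own tooling): a small POSIX sh helper that performs the TrustedUserCAKeys steps from Gus's earlier post, including the cert-authority fix just mentioned, in a way that can be checked before sshd is restarted. It assumes, as the thread describes, that the exported file contains an authorized_keys-style line beginning with "cert-authority ssh-rsa" and that sshd wants that same line without the marker. The function names (to_trusted_ca, has_trusted_ca, install_trusted_ca) are hypothetical, and the sample export embedded below is constructed with a fake key blob.

```shell
#!/bin/sh
# Added example, not from the thread or from Teleport's docs. Converts the
# output of `tctl auth export --type=user` (assumed to be an authorized_keys
# style line such as "cert-authority ssh-rsa AAAA... teleport-user-ca") into
# the plain public-key line that sshd's TrustedUserCAKeys expects, and wires
# it into an sshd_config idempotently.

# Constructed sample of an exported user CA (the key blob is fake; a real
# one is a long base64 string).
SAMPLE_EXPORT='# user CA exported from teleport
cert-authority ssh-rsa AAAAEXAMPLEKEYDATA teleport-user-ca'

# to_trusted_ca: read exported CA lines on stdin, write TrustedUserCAKeys
# format on stdout. Blank and comment lines are dropped; the leading
# "cert-authority " marker is stripped; any remaining line that is not an
# SSH public key aborts with status 1, so a malformed export is never
# silently installed as a trusted CA.
to_trusted_ca() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*) continue ;;
    esac
    line="${line#cert-authority }"
    case "$line" in
      ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) printf '%s\n' "$line" ;;
      *) printf 'to_trusted_ca: unexpected line: %s\n' "$line" >&2; return 1 ;;
    esac
  done
}

# has_trusted_ca <sshd_config> <ca_file>: true only if an uncommented
# TrustedUserCAKeys directive naming exactly that file is present
# (a "#TrustedUserCAKeys ..." line does not count).
has_trusted_ca() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')
  grep -Eiq "^[[:space:]]*TrustedUserCAKeys[[:space:]]+${esc}([[:space:]]|\$)" "$1"
}

# install_trusted_ca <exported_ca> <dest_pub> <sshd_config>: write the
# converted CA to <dest_pub> and append the directive to <sshd_config> if it
# is not already there. Running it twice leaves a single directive.
# sshd only reads its config at start, so step 3 (restart sshd) is still
# required afterwards and is deliberately left to the operator.
install_trusted_ca() {
  to_trusted_ca < "$1" > "$2" || return 1
  if ! has_trusted_ca "$3" "$2"; then
    printf 'TrustedUserCAKeys %s\n' "$2" >> "$3"
  fi
  return 0
}

# Usage (on target_machine, as root, after copying the exported file over):
#   install_trusted_ca teleport-user-ca.pub /etc/ssh/teleport-user-ca.pub /etc/ssh/sshd_config
#   systemctl restart sshd.service
```

After running it, `sshd -t` on target_machine is a cheap way to confirm the config still parses before the restart, and `ssh -v` from the client should then show the "Offering RSA-CERT public key" attempt being accepted rather than falling through to "Permission denied (publickey)".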

Hello Gus,

Thank you very much for your guidance. Now I am able to SSH to the target machine from the auth server.

However, users will not use the auth server; users will use their own machines for deployment.

Now I have one question: how will Capistrano work with this? What changes do we need to make at the Capistrano end? I am not a developer, so it is a little bit confusing for me.

Please guide me.

Thanks.

I would suggest following the advice here: https://gravitational.com/teleport/docs/user-manual/#ssh-certificates-for-automation

You could issue a long-lived SSH certificate for Capistrano, then make it use that certificate to connect. Unfortunately, specific assistance with Capistrano is out of the scope of what I can provide you, but there should be good examples online.

Hello Gus,

Thank you for your assistance.

:slight_smile: