[Question] About direct connection to nodes


Suppose the worst-case scenario and the cluster goes down. Is it possible to connect directly to nodes with only teleport running on them (ssh teleport-node -p 3022)? (i.e. how and where do I embed a backup ssh public key on the teleport-node?)

If you have a certificate issued by tsh login which is still valid, you can use this to log into the node directly on port 3022 with a command similar to that which you mentioned.

One way to mitigate against this sort of situation where the auth and proxy servers are down is to issue longer-lived certificates for emergency access using tctl auth sign on the auth server. You can find instructions on how to do this in our documentation here: https://gravitational.com/teleport/docs/user-manual/#ssh-certificates-for-automation

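Whether the direct port-3022 login described above will work depends on the certificate you already hold: it must be a user certificate, still inside its validity window, and list the OS login you are trying to use as a principal. The following is an added example (not Teleport's code and not from the original thread) that parses the public half of an OpenSSH certificate, the format tsh login and tctl auth sign write, and answers exactly that question. The sample certificate at the bottom is constructed in-line with a dummy key and dummy signature, since the parser only reads fields and never verifies the signature; the assumption is that you would point it at the certificate file tsh saved under ~/.tsh (the exact path varies by Teleport version).

```python
"""Parse an OpenSSH user certificate and check if it is still usable for a
direct 'ssh -p 3022 <login>@node' login. Added example, not Teleport code."""
import base64
import struct
import time

USER_CERT = 1  # OpenSSH cert 'type' field: 1 = user, 2 = host


def _string(data):
    """Encode bytes as an SSH 'string' (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def _read_u32(buf, off):
    return struct.unpack_from(">I", buf, off)[0], off + 4


def _read_u64(buf, off):
    return struct.unpack_from(">Q", buf, off)[0], off + 8


def _read_name_list(blob):
    """Decode a packed sequence of SSH strings (the valid_principals field)."""
    out, off = [], 0
    while off < len(blob):
        s, off = _read_string(blob, off)
        out.append(s.decode())
    return out


def _read_pairs(blob):
    """Decode (name, data) pairs as used for critical options and extensions."""
    out, off = {}, 0
    while off < len(blob):
        name, off = _read_string(blob, off)
        data, off = _read_string(blob, off)
        out[name.decode()] = data
    return out


def parse_cert(cert_line):
    """Parse one '<type> <base64> [comment]' line from a *-cert.pub file."""
    cert_type, b64 = cert_line.split()[:2]
    blob = base64.b64decode(b64)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != cert_type:
        raise ValueError("certificate type prefix does not match wire type")
    _nonce, off = _read_string(blob, off)
    # The embedded public key layout depends on the algorithm; skip it.
    if cert_type == "ssh-ed25519-cert-v01@openssh.com":
        _pk, off = _read_string(blob, off)
    elif cert_type == "ssh-rsa-cert-v01@openssh.com":
        _e, off = _read_string(blob, off)
        _n, off = _read_string(blob, off)
    elif cert_type.startswith("ecdsa-sha2-nistp") and cert_type.endswith("-cert-v01@openssh.com"):
        _curve, off = _read_string(blob, off)
        _point, off = _read_string(blob, off)
    else:
        raise ValueError("unsupported certificate type: " + cert_type)
    serial, off = _read_u64(blob, off)
    ctype, off = _read_u32(blob, off)
    key_id, off = _read_string(blob, off)
    principals_blob, off = _read_string(blob, off)
    valid_after, off = _read_u64(blob, off)
    valid_before, off = _read_u64(blob, off)
    crit_blob, off = _read_string(blob, off)
    ext_blob, off = _read_string(blob, off)
    return {
        "key_type": cert_type, "serial": serial, "cert_type": ctype,
        "key_id": key_id.decode(),
        "principals": _read_name_list(principals_blob),
        "valid_after": valid_after, "valid_before": valid_before,
        "critical_options": sorted(_read_pairs(crit_blob)),
        "extensions": sorted(_read_pairs(ext_blob)),
    }


def usable_for_login(cert, login, now=None):
    """True if this is a user cert, inside its window (valid_before is exclusive,
    as in OpenSSH), and names `login` as a principal."""
    now = time.time() if now is None else now
    return (cert["cert_type"] == USER_CERT
            and cert["valid_after"] <= now < cert["valid_before"]
            and login in cert["principals"])


def build_sample_cert(principals, valid_after, valid_before, key_id="alice"):
    """Constructed test data: an ed25519 user cert with an all-zero key and
    an all-zero signature. Only useful for exercising the parser above."""
    cert_type = b"ssh-ed25519-cert-v01@openssh.com"
    ca_pub = _string(b"ssh-ed25519") + _string(bytes(32))
    body = (
        _string(cert_type) + _string(bytes(32)) + _string(bytes(32))  # type, nonce, pk
        + struct.pack(">Q", 1) + struct.pack(">I", USER_CERT)        # serial, type
        + _string(key_id.encode())
        + _string(b"".join(_string(p.encode()) for p in principals))
        + struct.pack(">Q", valid_after) + struct.pack(">Q", valid_before)
        + _string(b"")                                               # critical options
        + _string(_string(b"permit-pty") + _string(b""))             # extensions
        + _string(b"") + _string(ca_pub)                             # reserved, CA key
        + _string(_string(b"ssh-ed25519") + _string(bytes(64)))      # signature
    )
    return cert_type.decode() + " " + base64.b64encode(body).decode() + " " + key_id


if __name__ == "__main__":
    import sys
    c = parse_cert(open(sys.argv[1]).read())
    print(c["key_id"], c["principals"], time.ctime(c["valid_after"]), "->",
          time.ctime(c["valid_before"]))
```

Run it against the *-cert.pub file that tsh login or tctl auth sign produced; if usable_for_login is false for the login you want, the node will refuse the direct connection regardless of the proxy being down. When the check passes, the usual OpenSSH convention applies: keep the certificate next to the private key as <key>-cert.pub and run ssh -p 3022 -i <key> <login>@teleport-node, so ssh picks up the certificate automatically (this usage is an assumption about where you keep the key, not something the thread states).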

I just wanted to ask another question, but it relates a little bit. Is it possible to force teleport to listen on 3022 on the nodes that use IoT tunneling mode? Because the teleport daemon does not create a listening socket when in this mode, so I can't connect directly to it.
Also, I can't find ~/.tsh/config or something similar where I could insert, for example, "always ForwardAgent", instead of typing "tsh ssh -A node" all the time.

No, this isn’t possible when the nodes are running in IoT mode. The Teleport proxy is in charge of knowing how to connect to IoT nodes, so all communication has to go through there.

The most likely file would be ~/.tsh/profile, but it looks like setting a permanent ForwardAgent isn’t currently implemented in there.

You could potentially run something like alias tssh='tsh ssh -A', then type tssh node rather than tsh ssh -A node.