Introduction to Teleport

Teleport is an open source, identity-aware, access proxy with an integrated certificate authority. It is used by smart engineering teams to access various computing resources on public and private clouds, such as:

  • SSH servers
  • Kubernetes clusters
  • Internal web apps
  • MySQL and PostgreSQL databases

Teleport consists of just two dependency-free binaries: the teleport daemon runs on servers, and the tsh CLI runs on clients. The server daemon can perform several functions:

  • The Proxy accepts connections from the clients.
  • The Certificate Authority (CA) issues short-lived certificates for clients.
  • Sidecars maintain a persistent reverse tunnel to a proxy which allows clients to connect to databases that are running anywhere in the world.

The diagram below shows how this all comes together.

  • When a user types tsh login db-access.proxy.com, they trigger the login sequence. The Teleport proxy running on db-access.proxy.com accepts the login request and forwards the client to the company’s identity platform. This could be any identity provider: Google apps, GitHub, Okta, Active Directory, etc.
  • After the user completes the login process, the Teleport certificate authority (CA) issues an x.509 certificate, filled with the user’s identity metadata (roles, etc.) which is returned to the client.
  • The tsh client is now aware of all databases available to this user. tsh also configures the user’s command line environment, so psql knows to talk to the proxy.
  • Meanwhile, Teleport’s database service process (shown as “sidecar” in the diagram) is running on the same network as a database. The sidecar establishes an outgoing persistent reverse SSH tunnel to the proxy. These tunnels are how database instances are registered as “online”.
  • When a user decides to connect to a specific DB instance, the connection goes from psql to a proxy, then (via an appropriate reverse SSH tunnel) to the corresponding sidecar and from there, via mutual TLS, to the target database instance.

Teleport was originally born as a modern, identity-based way of accessing SSH servers, because we wanted the world to move away from archaic SSH keys, bastion hosts, VPNs, “server inventories” and the other pains of legacy SSH.

But SSH is not enough. Modern computing environments are getting more and more complex. In addition to SSH, our users want to access all kinds of computing resources in order to build software faster: Kubernetes clusters, internal web dashboards and, of course, databases!

Moreover, the location of these resources should be irrelevant. We are big believers in the future of environment-free computing, when the entire planet will feel like a giant multi-tenant supercomputer. That supercomputer must provide a simple and secure way of accessing it, and that’s what Teleport is evolving into.

The above is a brief about Teleport. Watch this space for more updates on the latest trends in Technology.

Leave a Reply

Your email address will not be published. Required fields are marked *