It provides an audit log (without session history/playback) and one-time passwords for login. It avoids copying of ssh certificates to every host, similar to teleport.
One nice advantage with Teleport is the recording of sessions. On the other I like how Vault's tool use standard ssh on the client-side.
Some type of merge between the two would be a dream :D
Disclaimer: I am a friend and former coworker of the Gravitational people and I was an early reviewer of the Teleport spec and had some early design input. I also reviewed the blog post.
I think Teleport is the bees knees.
It's a solid, open source way to map your existing authentication scheme to authenticating to servers. It does anything you can teach it, although it supports e.g. OpenID Connect, so you can connect it with Google Apps, and now you can use U2F directly. Consolidating authentication is one of those nice tidbits that you can do for security but really accidentally ends up giving you better UX.
Having bastion hosts is interesting from a security perspective. Teleport is designed in such a way that you can use plain old OpenSSH everywhere, but you can also use it as a web app and get cool features like live collaboration with chats and recordings. This is another example how even though I think of Teleport as a security feature, it's nice how what you experience is nicer collaborative and knowledge sharing tools, not just passive security (although that's also a fine reason to do things).
I dunno if Gravitational is interested in providing support contracts beyond the best effort open source software support. They're pretty friendly regardless. There are all sorts of decent reasons for wanting to go with a commercial product; maybe commercial support, but also integrations with other systems or custom commercial development or whatever. Historically, that's only been a thing for large companies. With Teleport, there's one less reason for that to be the case.
> I dunno if Gravitational is interested in providing support contracts beyond the best effort open source software support.
They do offer commercial support. I talked to them earlier in the summer just to get a feeling for the company after playing around with teleport some.
I agree about Teleport being the bees knees. They keep adding great features. Only problem is we need something cross platform at work that can do RDP/windows with all the same auditing; so I'm stuck trying to justify the cost of Bomgar PAM or CyberArk, which are INSANELY expensive.
Apache Guacamole does some. I am not sure how much auditing it does internally, but it does translate Vnc/RDP/ssh to some unified protocol that is translated over http (maybe also wrbsockets), so with the proper Certificate setup, you should be able to audit with any http audit tool.
You are probably looking for a more unbiased opinion than I can deliver (I work at Gravitational and am the OP). However, I will say that Teleport is an integral component to our Telekube platform[0] which is used in production with customers like Mulesoft and Clustrix. So at least I can confirm it's not shelfware and it's crucial to the well being of our company.
How does one combine something like teleport with policies and audit logging? I'm referring to the recent controversy around Uber employees playing with sensitive data.
Can you use Teleport (or anything else really) to enforce access policies and most importantly audit logging. Especially when combined with hardware tokens like u2f keys,etc
This will be out in 1.5 release. Using this RBAC you can deny access to machines based on user's role (e.g. prevent developers from accessing nodes labelled as DB) and limit their logins as unprivileged users.
But this works on a server level, not on DB/connection level. Teleport's audit logs will help to inspect the event after the fact, however to prevent data exfiltration one needs to deploy a solution that oversees SSH, TLS and all other possible connections to enforce policies on all possible data paths.
Is there any documentation about your audit logs. In general, most startups will generally be inclined towards detailed audit logging than upfront security for your developers.
Would your logs also trap all commands that were executed after logging in ? How do you tie an SSH session with activity of that session.
We don't have detailed docs on our audit logs yet.
Here's short description:
Teleport's SSH servers capture PTY output and send logs to the audit server alongside with session metadata.
Every SSH session has a unique identifier, teleport users participated in this session and captured activity.
Sessions (structured events) and audit logs can be stored in various sources, for example recently we've implemented SumoLogic for audit events and S3 for session recordings for some of our customers to upload and store this information.
Obviously, you could do various things (especially if you are root) to tamper with this system. For these use cases I would use something like https://github.com/draios/falco to capture all application-level activity.
This is awesome ! Would love to see a doc for detailed audit logging when you have one up.
This in itself is a killer app !
EDIT: one more request, please make you docs/makefile a little more beginner friendly. For example, your get-started page (or your makefile target) does not have systemd targets in place. I think you guys take care of necessary selinux permissions inside code.. but not sure if it does so for /var/lib/teleport.
it might be useful to consider using ansible (which will make this very practical for devops)
Awesome! Thanks for pointing me to that issue. Will re-evaluate then, hopefully it shouldn't be too difficult to integrate into my existing setup. Some kind of ldap support (or pluggable scripts) would be fantastic.
What's the advantage of using U2F for SSH compared to using public-key authentication with a password-protected smart card (e.g. a Yubikey 4)? I can think of one big disadvantage, which is that with U2F the password has to be shared with the remote end, which is inferior to a password that never leaves the local device.
Not sharing password is definitely an advantage in this use case.
On the other hand, thanks to pass + 2nd factor flow, Teleport creates unified Web and CLI SSH access using the same set of credentials.
In addition to that Teleport relies on short lived certificates vs public keys, so they don't need to be explicitly revoked, don't need to be copied on every box.
sure thing, but then you'd need to authenticate/authorize first to get a proper set of principals and TTL, that's why Teleport authz works in a more traditional "web app" way.
It provides an audit log (without session history/playback) and one-time passwords for login. It avoids copying of ssh certificates to every host, similar to teleport.
One nice advantage with Teleport is the recording of sessions. On the other I like how Vault's tool use standard ssh on the client-side.
Some type of merge between the two would be a dream :D