Presented by: Allen Vailliencourt
Presented at the All Things Open 2021
Raleigh, NC, USA
Raleigh Convention Center
Abstract: There is a better way to manage access to servers, databases, and Kubernetes than using passwords and/or public and private keys. Come and see how this is done with short-lived certificates and see a demo of Teleport!
4. More of our current setup...
What about your servers? How long is this “authorized_keys” list?
Do you even know which keys are valid?
5. PKA Pros
● For years we have been using Public Key Authentication for accessing our resources. PKA isn’t going anywhere anytime soon.
● Better security is the motivation behind Public Key Authentication. With a good PKA system in place users do not have to remember complicated passwords for each and every system.
● With PKA you can automate processes (CI/CD, Ansible, GitHub, etc.).
● Keys are easy to create and deploy. Ex: ssh-keygen -t ed25519
● It’s hard to find a system that doesn’t support PKA.
6. So why change from using Keys to Certificates for authentication?
7. PKA Cons
● What happens when your user moves on (new job, new role, etc)?
● What if their device/laptop is compromised/stolen?
(source: https://www.ssh.com/academy/iam/ssh-key-management)
8. PKA Cons
● What about when someone accidentally commits a private key to their public repo? Within minutes that key could be utilized to log in to a service and cause chaos.
● Scaling out key deployments can be challenging. Businesses are using home-grown methods to rotate keys or commercial/open-source vaults to manage this.
● Keys do not expire.
9. Did You Know?
Did you know that OpenSSH added support for SSH certificates back in v5.4?
* Add support for certificate authentication of users and hosts using a
new, minimal OpenSSH certificate format (not X.509). Certificates
contain a public key, identity information and some validity
constraints and are signed with a standard SSH public key using
ssh-keygen(1). CA keys may be marked as trusted in authorized_keys
or via a TrustedUserCAKeys option in sshd_config(5) (for user
authentication), or in known_hosts (for host authentication).
Documentation for certificate support may be found in ssh-keygen(1),
sshd(8) and ssh(1) and a description of the protocol extensions in
PROTOCOL.certkeys.
(https://www.openssh.com/txt/release-5.4)
OpenSSH 5.4 was released on 2010-03-08
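The mechanism that release note describes, as an added example that is not part of the talk and not Teleport's own code: a user CA signs an engineer's key into a certificate that carries a key ID, principals and an 8-hour validity window, and the server trusts the CA instead of maintaining an authorized_keys list. It assumes ssh-keygen from OpenSSH 5.4 or later is on the PATH; the names user_ca, alice and the paths are constructed for the demo.

```shell
#!/bin/sh
# Added example: issue a short-lived SSH user certificate from a user CA.
# Everything is written to a directory the caller chooses (a temp dir in the
# demo), so nothing touches the real ~/.ssh or a live sshd.
set -eu

# Create the user CA. In production the CA private key belongs in an HSM or
# vault, never on an engineer's laptop.
make_user_ca() {                # $1 = working directory
    ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f "$1/user_ca"
}

# Sign an engineer's public key. -I is the key ID (shows up in sshd auth logs),
# -n the principals (login names the cert may use), -V the validity window.
issue_short_lived_cert() {      # $1 = dir, $2 = key ID, $3 = principals, $4 = validity
    ssh-keygen -q -t ed25519 -N '' -C "$2" -f "$1/id_ed25519"
    ssh-keygen -q -s "$1/user_ca" -I "$2" -n "$3" -V "${4:-+8h}" "$1/id_ed25519.pub"
    # ssh-keygen writes the certificate next to the key as id_ed25519-cert.pub;
    # -L prints its key ID, principals and Valid: window for inspection.
    ssh-keygen -L -f "$1/id_ed25519-cert.pub"
}

# Server side, option 1: trust the CA for every account via sshd_config.
sshd_config_snippet() {
    echo "TrustedUserCAKeys /etc/ssh/user_ca.pub"
}

# Server side, option 2: a cert-authority entry in one account's authorized_keys,
# restricted to the principals listed.
authorized_keys_entry() {       # $1 = dir, $2 = principals
    printf 'cert-authority,principals="%s" %s\n' "$2" "$(cat "$1/user_ca.pub")"
}

# Run "sh this-script.sh demo" for a self-contained run; sourcing only defines the functions.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
    make_user_ca "$d"
    issue_short_lived_cert "$d" "alice@laptop" "alice,ubuntu" "+8h"
    sshd_config_snippet
    authorized_keys_entry "$d" "alice,ubuntu"
fi
```

Once the certificate expires, the same private key is useless for login until the CA issues a new one, which is the property the "keys do not expire" slide is missing.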
10. SSH Certificates in an image!
https://goteleport.com/blog/ssh-certificates/
12. Teleport Access Plane
Allows engineers and security professionals to unify access across all environments and behind NAT
- Server Access: for SSH servers
- Kubernetes Access: for K8s clusters
- Database Access: for databases
- Application Access: for web applications
goteleport.com
13. Security vs. Agility
This tension manifests itself in key areas:
- Access Workflows
- Credential Management
- Compliance and Auditing
14. INTRODUCING TELEPORT
IDENTITY CERTIFICATES
Allows users to retrieve their SSH credentials via your single sign-on (SSO) provider. Teleport supports all SAML/OIDC based SSO solutions.
EASILY IMPLEMENT SECURITY AND COMPLIANCE
15. OPEN SOURCE
We believe in complete transparency. That means publishing our roadmap, product previews, and design documents.
TELEPORT COMMUNITY
$ teleport start
10.1 k
16. Who Uses Teleport?
Teleport Access Plane empowers organizations like NASDAQ, IBM and Snowflake to implement security, enforce compliance and reduce operational overhead.
18. Unified RBAC
OSS Features
Synchronize role-based access across all Kubernetes clusters, SSH nodes, databases, and applications with Teleport’s role-based access controls tied to your identity provider - GitHub OIDC.
19. Unified Audit Log
OSS Features
Restricting access and granting specific permissions through role-based access controls is the first step to securing your infrastructure. The next step is to log all activity across your infrastructure.
20. SSH & Kubectl Session Recording
OSS Features
Play back the session contents from Kubernetes exec and SSH sessions via the web and desktop.
21. Real-time User On/Off Boarding
OSS Features
Users can get real-time access to Kubernetes and servers securely. For offboarding users, sessions can be terminated in real time to end access.
22. Trust Federation
OSS Features
Teleport allows organizations to partition their infrastructure and grant access to each other. Managed service providers and contract-based DevOps teams use Teleport to manage computing infrastructure for their clients.
23. Remote Access to IoT and Edge
OSS Features
Access devices that are located anywhere in the world, behind NAT and firewalls, such as infrastructure on third-party networks or devices on a cellular connection (for Kubernetes & SSH access).
26. Where to begin?
● Contribute on GitHub
○ https://github.com/gravitational/teleport
● Join our Slack community
○ https://goteleport.com/slack
● Participate in our discussions
○ https://github.com/gravitational/teleport/discussions
● Run it today!
○ https://goteleport.com/docs/getting-started/
27. We’re Hiring!
● Series B Funded!
https://www.crunchbase.com/organization/gravitational
● 30+ Openings across Engineering, Sales, Product, Marketing, and more.
● 100+ distributed employees all over the world!
● Building out awesome open-source products!
● https://jobs.lever.co/teleport?lever-via=9fjQy9w9aE