I’ve been having some fun with Teleport recently, a “bastion” host, insomuch as it’s the device I connect to from which I can SSH into the servers on my home network.
I’m not paid by Teleport or anyone connected with them; I wrote this post because I like the product, use it, and wanted to share that.
I’m just using it for SSH access; however, the project site describes it as much more:
The open source access platform used by DevSecOps teams for SSH, Kubernetes, databases, internal web applications and Windows. Teleport prevents phishing by relying on biometrics and machine identity, stops attacker pivots with the Zero Trust architecture, is compatible with everything you have, comes as a cloud service or a self-hosted option and doesn’t get in the way of an engineer’s productivity.
I’ve installed Teleport as a DigitalOcean Droplet, locked down so it is accessible only from my home network. So if I’m connected to Tailscale with the right exit node and open the right URL, I’m greeted with a login page like so.
After logging in I can see a list of servers I can SSH to; this, along with all the other resources (Kubernetes, databases, etc.), is controlled with RBAC.
If I then click on Connect to the right of a host, I’m offered a username I can log in to the host with. For my setup it’s simply a single name; for a larger setup this might be root, a service account, etc.
Once the name is selected I’m taken to a web-based SSH terminal which supports copy and paste.
I can open multiple “tabs” in the interface by clicking on the + and selecting a new host
Which results in
The little up and down arrows are SFTP sessions for uploading and downloading files.
How do I get this working?
I’m going to focus on the self-hosted community version; there is a paid-for Cloud Enterprise version of Teleport available.
How does it work?
I could type a lot here; however, I’m going to point you to the really comprehensive Teleport documentation.
How to set this up?
Installing this on your own server is out of scope for this post; however, there are detailed instructions on the Teleport documentation site here:
I found it easier to run the DigitalOcean Droplet
and follow the post-install instructions, then set up UFW and iptables to allow access only from my home IP.
After you create the Teleport One-Click Droplet, to finish the Teleport configuration you will need:
A cluster name — A Fully Qualified Domain Name (FQDN) whose DNS A record points to this droplet IP.
An email address — To retrieve a TLS certificate from LetsEncrypt.
An initial username — A user who can authenticate with Teleport or manage Teleport.
A two-factor authenticator app (e.g., Google Authenticator).
Once you are ready with the above prerequisites,
SSH to your droplet —
Enter cluster name, email address, and Teleport username when prompted by the startup wizard.
The startup wizard will automatically configure a Teleport cluster for you based on your input.
A registration link will be printed on the terminal to complete the initial user registration process.
The WebUI will be available at
In addition to the package installation, the Teleport One-Click Droplet also:
Requests a LetsEncrypt TLS certificate for your Fully Qualified Domain Name (FQDN)
Runs through an initial configuration wizard on the first login
Make it a Cluster
What I’ve built is a single stand-alone server; the idea, however, in a more business-like environment would be to build a cluster of Teleport servers.
The instructions around clusters are here https://goteleport.com/docs/deploy-a-cluster/introduction/
There are options for Kubernetes/Helm or virtual machine deployments on the cloud hyperscalers.
Adding servers to SSH onto is simple.
Log in to the Teleport admin interface and select Servers in the menu on the left, then on the right click Add Server.
This will take you to the Enroll new resource screen
The Unix-like (*nix) systems have guided installations.
Click on Ubuntu
A command will be displayed to run on the Linux server you would like to access from Teleport.
The WebUI will listen for a poll from that server and, when it receives it, tell you the installation is complete, ask you to test it, and then connect to it.
While I’m not 100% sure whether you can use tsh to install the Teleport service, once the Teleport service is installed you can use Teleport’s tsh command rather than the web GUI.
More details here
Once the remote server is connected to the cluster it will appear in the allowed server list.
Click on Connect, choose a user, and you’re SSH’d in.
Once in the server, there are several management options available by swapping from Resources to Management in the drop-down on the left.
This will display the following options
Users and Roles
This provides a good RBAC solution if you have a few people in a small company, and users can be added manually here.
Authentication connectors allow Teleport to authenticate users via an external identity source such as Okta, Active Directory, GitHub, etc. This authentication method is frequently called single sign-on (SSO).
The open source Teleport supports only GitHub connectors.
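As an added example (not from the post or the Teleport project), a Teleport role that restricts which nodes show up in the server list and which Unix logins the Connect drop-down offers; the role name, the env=home node label and the ops login are assumed:

```yaml
# Added example, not from the post or the Teleport project: a Teleport role
# limiting which nodes appear in the server list and which Unix logins are
# offered. The role name, the env=home label and the 'ops' login are assumed.
kind: role
version: v5
metadata:
  name: home-ssh-only
spec:
  options:
    # Certificates issued to holders of this role expire after 8 hours
    max_session_ttl: 8h
    # Require a second factor (e.g. the authenticator app set up earlier) per session
    require_session_mfa: true
  allow:
    # Unix accounts the user may pick from the Connect drop-down
    logins: ['ops']
    # Only nodes carrying this label are listed; everything else is invisible
    node_labels:
      env: 'home'
  deny:
    # Deny rules win over allow rules granted by any other role
    logins: ['root']
```

Apply it on the Teleport server with `tctl create -f home-ssh-only.yaml` and attach it to a user with `tctl users add alice --roles=home-ssh-only --logins=ops`.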
Enrol New Resource
This was the menu we used to connect to the SSH endpoint(s); clicking on it in this view lists all the available application and database connectors.
As the name suggests, Teleport offers you the ability to audit what was done during an SSH session with a screen recording of that session.
As you might expect, this is the server/cluster audit log.
Provides a quick management interface for managing server clusters.
Trusted Clusters allow Teleport administrators to connect multiple clusters together and establish trust between them. Users of Trusted Clusters can seamlessly access the nodes of the cluster from the root cluster.
There are a huge number of integrations available with the paid packages; most of the enterprise software and some non-enterprise software is listed.
I’ve added this here as a reference for myself. The software gets updated a lot, and you’ll need to update the server and the nodes. There isn’t a button (that I can see) which does this from the web GUI, so I wrote a small Ansible script. It might provide you with some inspiration.
```yaml
- hosts: ubuntu
  become: true
  become_user: root
  gather_facts: no
  tasks:
    - name: Update apt repo and cache on all Debian/Ubuntu boxes
      ansible.builtin.apt:
        update_cache: yes
        force_apt_get: yes
        cache_valid_time: 3600

    - name: Install or upgrade the teleport package to the latest version
      ansible.builtin.apt:
        name: teleport
        state: latest

    - name: Restart the Teleport service so the new binary is running
      ansible.builtin.service:
        name: teleport
        state: restarted

    - name: Record the installed Teleport version (read-only, so never "changed")
      ansible.builtin.command: /usr/local/bin/teleport version
      register: command_output
      changed_when: false

    - name: Show the installed version
      ansible.builtin.debug:
        var: command_output.stdout_lines
```
I originally installed this because my preferred local Chromebook client, Terminux, just didn’t play well on the Chromebook for me, and there was also no ARM64 version of the installer, so I was looking for a way to SSH onto the home servers and this provided a nice, simple web interface.
Part of what makes my config quite nice (for me) is that I have now blocked the DigitalOcean droplet from the internet and am providing access to Teleport over the Tailscale network. I’m also using Tailscale as the remote SSH user manager and grouping the Tailscale nodes with an ACL so that some require authentication each time I log in and some devices don’t.
The two systems play nice with each other.
I’ve also found that the Linux shell client on the Chromebook works well; however, I like the screen recording and audit features of Teleport.
Teleport Docs — https://goteleport.com/docs/
Youtube Channel — https://www.youtube.com/@goteleport