From ab1f027ce1332d0a8030c44ef0b45452219bb4ca Mon Sep 17 00:00:00 2001 From: Paul Gottschling Date: Fri, 20 May 2022 16:02:08 -0400 Subject: [PATCH] Respond to PR feedback --- docs/pages/architecture/tls-routing.mdx | 2 +- docs/pages/server-access/guides/openssh.mdx | 33 +++++++++++++++++---- 2 files changed, 29 insertions(+), 6 deletions(-) diff --git a/docs/pages/architecture/tls-routing.mdx b/docs/pages/architecture/tls-routing.mdx index 8d4fb92efa04a..4e11fe8b44041 100644 --- a/docs/pages/architecture/tls-routing.mdx +++ b/docs/pages/architecture/tls-routing.mdx @@ -85,7 +85,7 @@ which can be used as a `ProxyCommand`. Similarly to `tsh ssh`, `tsh proxy ssh` establishes a TLS tunnel to Teleport proxy with `teleport-ssh-proxy` ALPN protocol, which `ssh` then connects over. -See [OpenSSH client](../server-access/guides/openssh.mdx) guide for details on +See the [OpenSSH client](../server-access/guides/openssh.mdx) guide for details on how it's configured. ## Reverse tunnels diff --git a/docs/pages/server-access/guides/openssh.mdx b/docs/pages/server-access/guides/openssh.mdx index 435288c607874..16dd681544142 100644 --- a/docs/pages/server-access/guides/openssh.mdx +++ b/docs/pages/server-access/guides/openssh.mdx @@ -31,8 +31,12 @@ We've outlined these reasons in [OpenSSH vs Teleport SSH for Servers?](https://g ## Step 1/4. Configure `sshd` to trust the Teleport CA -`sshd` must be told to allow users to log in with certificates generated by the -Teleport Auth Service. Start by exporting the Teleport CA public key. +Later in this guide, we will generate an SSH client configuration that will use +a certificate signed by the Teleport Auth Service to authenticate to your SSH +server. For this to work, `sshd` must be told to allow users to log in with +certificates generated by the Teleport Auth Service. + +Start by exporting the Teleport CA public key. On your local machine, print the Teleport certificate authority certificate to stdout: 
@@ -68,7 +72,11 @@ Now, `sshd` will trust users who present a Teleport-issued certificate. ## Step 2/4. Configure host authentication -Next, ask Teleport to issue a valid host certificate for your `sshd` host. +Next, ask Teleport to issue a valid host certificate for your `sshd` host. Later +in this guide, we will configure your SSH client to trust the certificate, +authenticating your `sshd` host for your SSH client. Like the user certificate +we created earlier, the host certificate will be signed by the Teleport Auth +Service. ### Ensure that your user has the correct privileges @@ -208,7 +216,10 @@ Restart `sshd`. ## Step 3/4. Generate an SSH client configuration The next step is to configure your OpenSSH client to connect to your `sshd` host -using credentials managed by Teleport. +using credentials managed by Teleport. This configuration will use the SSH agent +and your user's Teleport-issued certificate to authenticate to the `sshd` host. +It will also authenticate the `sshd` host using the host certificate you +generated earlier. First, make sure you are running OpenSSH's `ssh-agent` and have logged in to your Teleport cluster: @@ -303,6 +314,18 @@ establishes an SSH connection to the Proxy Service. This command, through the Proxy Service to your chosen host (including a host in a Trusted Cluster). +The `tsh proxy ssh` command requests the `proxy` subsystem through a command +similar to the following, which assumes you are logging in to a Node called +`mynode` as `root` with a cluster called `teleport.example.com`: + +```code +$ /usr/bin/ssh -l root -A -o UserKnownHostsFile=/root/.tsh/known_hosts -p 11105 teleport.example.com -s proxy:mynode:3022@teleport.example.com +``` + +Notice that the `known_hosts` file used by the command is managed by `tsh`. +Since the `sshd` host's information is listed in this file, your SSH client can +authenticate the host via the certificate we generated earlier. +
@@ -371,7 +394,7 @@ $ ssh -p ${PORT?} -F ssh_config_teleport "${USER?}@${ADDR?}.${CLUSTER?}" ``` This will connect to the node `node1` on your Teleport cluster. This name does -not need to be DNS accessible as the connection will be routed through your +not need to be resolvable via DNS as the connection will be routed through your Teleport Proxy Service.
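Review bot: in the Step 1/4 hunk of `openssh.mdx`, the new closing sentence "Start by exporting the Teleport CA public key." is immediately followed by the unchanged "print the Teleport certificate authority certificate to stdout", so the same artifact is called a public key and a certificate in consecutive sentences; pick one term (the CA public key is what `sshd` is being told to trust, and a CA key and a certificate are different objects in SSH) and use it in both places.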
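Review bot: in the Step 2/4 hunk, "Like the user certificate we created earlier" refers to something the guide has not created at that point; Step 1/4 only exports the CA public key, and the user's certificate first appears in the Step 3/4 hunk, which requires that you "have logged in to your Teleport cluster". Suggest rewording to something like "Like the user certificate that `tsh login` obtains for you, the host certificate will be signed by the Teleport Auth Service."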
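Review bot: in the Step 3/4 hunk, "It will also authenticate the `sshd` host using the host certificate you generated earlier." leaves out the half that makes host authentication work: a host certificate is only meaningful to the client if the client trusts the CA that signed it. The later `tsh proxy ssh` hunk says that trust lives in the `known_hosts` file managed by `tsh`; a short clause here ("... using the host certificate you generated earlier, which your client verifies against the Teleport CA it trusts") would connect the two.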
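Review bot: the example command in the `tsh proxy ssh` hunk carries three unexplained specifics that a reader will copy literally: `-A`, `-p 11105`, and `/root/.tsh/known_hosts`. The lead-in only explains `mynode`, `root` and `teleport.example.com`, so add that `-A` forwards the agent holding the user's Teleport certificate (which the Step 3/4 hunk says is what authenticates the user to the node), say what `11105` stands for or mark it as a placeholder, and write the path as `~/.tsh/known_hosts` so the local user is not conflated with the `-l root` remote login. The closing paragraph's "the `sshd` host's information is listed in this file" is also imprecise for a certificate-based setup: what the client needs in `known_hosts` to verify a host certificate is trust in the signing CA rather than an entry for that host, so state which of the two the `tsh`-managed file actually holds.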