Recording Proxy Proposal #1510
Labels
documentation
feature-request
Used for new features in Teleport, improvements to current should be #enhancements
Milestone
Introduction
Teleport clusters implement session recording by having the end nodes submit session data to the audit/auth server. Some Teleport users have expressed interest in having the proxy act as a session recorder. There are pros and cons for both designs.
Node-based recording:
sshd
(OpenSSH servers) on legacy fleet behind a Teleport proxy will not be recorded.Proposal
This proposal introduces a new mode of operation, AKA +"Recording Proxy Mode"_ in which:
The original node-based recording is called "Pass-Through Proxy Mode". Lets review the difference in more detail:
Pass-Through Proxy Mode
To better illustrate the current default cluster mode, take a look at this diagram:
In the current design, the SSH proxy only performs authentication on the initial connection, after that, it simply acts as a bridge for SSH connections without ability to decrypt the traffic. The advantage of this design are:
Disadvantages of this “Pass-Through mode” include:
Recording Proxy Mode
This document proposes a new method for proxying SSH connections, it’s called “terminating proxy” mode. In this mode the Teleport proxy performs a much bigger role. Consider the following diagram:
In the “terminating proxy mode” the connection between Alice and the sshd server is not simply proxied, but it gets terminated on the proxy level.
These are the steps of establishing an SSH session between the client (Alice) and the SSH server running sshd:
ssh host
command. Her SSH client is configured to use [work.example.com] as a proxy server for such connection. The configuration of an SSH client will be covered below.The primary advantage of the “terminating proxy” mode is that the OpenSSH
sshd
daemon can be used without the loss of the session recording. The primary disadvantage is that a proxy becomes a privileged node within the cluster, increasing the potential attack surface.Client Configuration
A user has a choice of two SSH clients to use: the Teleport client
tsh
and OpenSSH clientssh
. Regardless of the chosen method, a user must request the session credentials from the corporate proxy [work.example.com]. Typically this happens once a day, to receive SSH certificate valid for 8-12 hours by executing:This command will print a login URL which leads to a SAML-powered single sign-on (SSO) page where a user will have to enter their corporate identity credentials.
When successful,
tsh login
will place the ephemeral SSH certificate (again, the TTL can be configured by a user role) into~/.tsh/work.example.com/keys
and also the certificate will be loaded into the active SSH agent, if present, which can be verified by executing:If storing SSH certificates in
~/.tsh
directory or in the ssh agent is not desired, a user can telltsh login
to save the certificate into an identity file by adding--out=alice.pem
CLI flag. The identity filealice.pem
can be used later via-i
flag of ssh.Using Teleport SSH client
After
tsh login
a user may connect to any SSH server behind [work.example.com] SSH proxy simply typing:In this case the name resolution of ‘addr’ will be happening on the proxy. This means that internal, behind-firewall IP addresses may be used.
If typing
tsh ssh
becomes tiresome, or if easy compatibility with existing scripts is required,tsh
binary can be simply renamed tossh
or a symlink can be createdtsh -> ssh
which will make all standard ssh commands work, like:Using OpenSSH Client
To start using OpenSSH client with a Teleport proxy [work.example.com], Alice needs to configure ssh to connect via work.example.com for certain hostnames. This can be accomplished by modifying her
~/.ssh/config
:Now she can connect to any server behind work.example.com by typing something like this:
Note: the identity flag
-i
is not necessary iftsh login
was allowed to store Alice’s cluster certificate in the ssh-agent.Server Configuration
Every OpenSSH node running sshd would need to be configured to accept SSH certificates issued by the Teleport CA. This can be done by exporting a cluster cert into a file and copying it to every SSH node as shown in the Teleport documentation.
On Teleport auth node:
On every sshd node you can do one of the following:
Append the .pub file to
~/.ssh/authorized_keys
Remove “cert-authority” substring from ca.pub and update
/etc/ssh/sshd_config
with the following line:TrustedUserCAKeys /path/to/ca.pub
The text was updated successfully, but these errors were encountered: