Machine ID Getting Started Guide
In this getting started guide, you will configure Machine ID to issue certificates that enable a bot user to connect to a remote host.
Here's an overview of what you will do:
- Download and install
tbot
on the host that will run Machine ID. - Create a bot user.
- Start Machine ID.
- Use certificates issued by Machine ID to connect to a remote machine with SSH.
This guide covers configuring Machine ID for development and learning purposes. For a production-ready configuration of Machine ID, visit the Deploying Machine ID guides.
Prerequisites
- A host that you wish to assign an identity to using Machine ID.
-
A running Teleport cluster version 14.3.33 or above. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.
-
The
tctl
admin tool andtsh
client tool.Visit Installation for instructions on downloading
tctl
andtsh
.
To check that you can connect to your Teleport cluster, sign in with tsh login
, then
verify that you can run tctl
commands using your current credentials.
tctl
is supported on macOS and Linux machines.
For example:
$ tsh login --proxy=teleport.example.com --user=email@example.com
$ tctl status
# Cluster teleport.example.com
# Version 14.3.33
# CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678
If you can connect to the cluster and run the tctl status
command, you can use your
current credentials to run subsequent tctl
commands from your workstation.
If you host your own Teleport cluster, you can also run tctl
commands on the computer that
hosts the Teleport Auth Service for full permissions.
Step 1/4. Download and install Teleport
In this step, you will be downloading and installing Teleport binaries onto the machine you wish to assign an identity to.
Each Teleport package hosted on our downloads page ships with several useful
binaries, including teleport
, tctl
, tsh
, and tbot
:
teleport
is the daemon used to initialize a Teleport cluster; this binary is not used in this guidetctl
is the administrative tool you will use to create the bot user (step 1/4)tsh
is the client tool you will use to log in to the Teleport Cluster (steps 2/4 and 4/4)tbot
is the Machine ID tool you will use to associate a bot user with a machine (step 3/4)
Download the appropriate Teleport package for your platform:
Select an edition, then follow the instructions for that edition to install Teleport.
- Teleport Community Edition
- Teleport Enterprise
- Teleport Enterprise Cloud
The following command updates the repository for the package manager on the local operating system and installs the provided Teleport version:
$ curl https://cdn.teleport.dev/install-v14.3.33.sh | bash -s 14.3.33
- Debian 9+/Ubuntu 16.04+ (apt)
- Amazon Linux 2/RHEL 7 (yum)
- Amazon Linux 2/RHEL 7 (zypper)
- Amazon Linux 2023/RHEL 8+ (dnf)
- SLES 12 SP5+ and 15 SP5+ (zypper)
- Tarball
# Download Teleport's PGP public key
$ sudo curl https://apt.releases.teleport.dev/gpg \
-o /usr/share/keyrings/teleport-archive-keyring.asc
# Source variables about OS version
$ source /etc/os-release
# Add the Teleport APT repository for v14. You'll need to update this
# file for each major release of Teleport.
$ echo "deb [signed-by=/usr/share/keyrings/teleport-archive-keyring.asc] \
https://apt.releases.teleport.dev/${ID?} ${VERSION_CODENAME?} stable/v14" \
| sudo tee /etc/apt/sources.list.d/teleport.list > /dev/null
$ sudo apt-get update
$ sudo apt-get install teleport-ent
For FedRAMP/FIPS-compliant installations, install the teleport-ent-fips
package instead:
$ sudo apt-get install teleport-ent-fips
# Source variables about OS version
$ source /etc/os-release
# Add the Teleport YUM repository for v14. You'll need to update this
# file for each major release of Teleport.
# First, get the major version from $VERSION_ID so this fetches the correct
# package version.
$ VERSION_ID=$(echo $VERSION_ID | grep -Eo "^[0-9]+")
$ sudo yum install -y yum-utils
$ sudo yum-config-manager --add-repo "$(rpm --eval "https://yum.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/stable/v14/teleport.repo")"
$ sudo yum install teleport-ent
#
# Tip: Add /usr/local/bin to path used by sudo (so 'sudo tctl users add' will work as per the docs)
# echo "Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin" > /etc/sudoers.d/secure_path
For FedRAMP/FIPS-compliant installations, install the teleport-ent-fips
package instead:
$ sudo yum install teleport-ent-fips
# Source variables about OS version
$ source /etc/os-release
# Add the Teleport Zypper repository for v14. You'll need to update this
# file for each major release of Teleport.
# First, get the OS major version from $VERSION_ID so this fetches the correct
# package version.
$ VERSION_ID=$(echo $VERSION_ID | grep -Eo "^[0-9]+")
# Use zypper to add the teleport RPM repo
$ sudo zypper addrepo --refresh --repo $(rpm --eval "https://zypper.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/stable/cloud/teleport-zypper.repo")
$ sudo yum install teleport-ent
#
# Tip: Add /usr/local/bin to path used by sudo (so 'sudo tctl users add' will work as per the docs)
# echo "Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin" > /etc/sudoers.d/secure_path
For FedRAMP/FIPS-compliant installations, install the teleport-ent-fips
package instead:
$ sudo yum install teleport-ent-fips
# Source variables about OS version
$ source /etc/os-release
# Add the Teleport YUM repository for v14. You'll need to update this
# file for each major release of Teleport.
# First, get the major version from $VERSION_ID so this fetches the correct
# package version.
$ VERSION_ID=$(echo $VERSION_ID | grep -Eo "^[0-9]+")
# Use the dnf config manager plugin to add the teleport RPM repo
$ sudo dnf config-manager --add-repo "$(rpm --eval "https://yum.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/stable/v14/teleport.repo")"
# Install teleport
$ sudo dnf install teleport-ent
# Tip: Add /usr/local/bin to path used by sudo (so 'sudo tctl users add' will work as per the docs)
# echo "Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin" > /etc/sudoers.d/secure_path
For FedRAMP/FIPS-compliant installations, install the teleport-ent-fips
package instead:
$ sudo dnf install teleport-ent-fips
# Source variables about OS version
$ source /etc/os-release
# Add the Teleport Zypper repository.
# First, get the OS major version from $VERSION_ID so this fetches the correct
# package version.
$ VERSION_ID=$(echo $VERSION_ID | grep -Eo "^[0-9]+")
# Use Zypper to add the teleport RPM repo
$ sudo zypper addrepo --refresh --repo $(rpm --eval "https://zypper.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/stable/v14/teleport-zypper.repo")
# Install teleport
$ sudo zypper install teleport-ent
For FedRAMP/FIPS-compliant installations, install the teleport-ent-fips
package instead:
$ sudo zypper install teleport-ent-fips
In the example commands below, update $SYSTEM_ARCH
with the appropriate
value (amd64
, arm64
, or arm
). All example commands using this variable
will update after one is filled out.
$ curl https://cdn.teleport.dev/teleport-ent-v14.3.33-linux-$SYSTEM_ARCH-bin.tar.gz.sha256
# <checksum> <filename>
$ curl -O https://cdn.teleport.dev/teleport-ent-v14.3.33-linux-$SYSTEM_ARCH-bin.tar.gz
$ shasum -a 256 teleport-ent-v14.3.33-linux-$SYSTEM_ARCH-bin.tar.gz
# Verify that the checksums match
$ tar -xvf teleport-ent-v14.3.33-linux-$SYSTEM_ARCH-bin.tar.gz
$ cd teleport-ent
$ sudo ./install
For FedRAMP/FIPS-compliant installations of Teleport Enterprise, package URLs will be slightly different:
$ curl https://cdn.teleport.dev/teleport-ent-v14.3.33-linux-$SYSTEM_ARCH-fips-bin.tar.gz.sha256
# <checksum> <filename>
$ curl -O https://cdn.teleport.dev/teleport-ent-v14.3.33-linux-$SYSTEM_ARCH-fips-bin.tar.gz
$ shasum -a 256 teleport-ent-v14.3.33-linux-$SYSTEM_ARCH-fips-bin.tar.gz
# Verify that the checksums match
$ tar -xvf teleport-ent-v14.3.33-linux-$SYSTEM_ARCH-fips-bin.tar.gz
$ cd teleport-ent
$ sudo ./install
OS repository channels
The following channels are available for APT, YUM, and Zypper repos. They may be used in place of
stable/v14
anywhere in the Teleport documentation.
Channel name | Description |
---|---|
stable/<major> | Receives releases for the specified major release line, i.e. v14 |
stable/cloud | Rolling channel that receives releases compatible with current Cloud version |
stable/rolling | Rolling channel that receives all published Teleport releases |
- Debian 9+/Ubuntu 16.04+ (apt)
- Amazon Linux 2/RHEL 7/CentOS 7 (yum)
- Amazon Linux 2023/RHEL 8+ (dnf)
- SLES 12 SP5+ and 15 SP5+ (zypper)
Add the Teleport repository to your repository list:
# Download Teleport's PGP public key
$ sudo curl https://apt.releases.teleport.dev/gpg \
-o /usr/share/keyrings/teleport-archive-keyring.asc
# Source variables about OS version
$ source /etc/os-release
# Add the Teleport APT repository for cloud.
$ echo "deb [signed-by=/usr/share/keyrings/teleport-archive-keyring.asc] \
https://apt.releases.teleport.dev/${ID?} ${VERSION_CODENAME?} stable/cloud" \
| sudo tee /etc/apt/sources.list.d/teleport.list > /dev/null
# Provide your Teleport domain to query the latest compatible Teleport version
$ export TELEPORT_DOMAIN=example.teleport.com
$ export TELEPORT_VERSION="$(curl https://$TELEPORT_DOMAIN/v1/webapi/automaticupgrades/channel/default/version | sed 's/v//')"
# Update the repo and install Teleport and the Teleport updater
$ sudo apt-get update
$ sudo apt-get install "teleport-ent=$TELEPORT_VERSION" teleport-ent-updater
# Source variables about OS version
$ source /etc/os-release
# Add the Teleport YUM repository for cloud.
# First, get the OS major version from $VERSION_ID so this fetches the correct
# package version.
$ VERSION_ID=$(echo $VERSION_ID | grep -Eo "^[0-9]+")
$ sudo yum install -y yum-utils
$ sudo yum-config-manager --add-repo "$(rpm --eval "https://yum.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/stable/cloud/teleport-yum.repo")"
# Provide your Teleport domain to query the latest compatible Teleport version
$ export TELEPORT_DOMAIN=example.teleport.com
$ export TELEPORT_VERSION="$(curl https://$TELEPORT_DOMAIN/v1/webapi/automaticupgrades/channel/default/version | sed 's/v//')"
# Install Teleport and the Teleport updater
$ sudo yum install "teleport-ent-$TELEPORT_VERSION" teleport-ent-updater
# Tip: Add /usr/local/bin to path used by sudo (so 'sudo tctl users add' will work as per the docs)
# echo "Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin" > /etc/sudoers.d/secure_path
# Source variables about OS version
$ source /etc/os-release
# Add the Teleport YUM repository for cloud.
# First, get the OS major version from $VERSION_ID so this fetches the correct
# package version.
$ VERSION_ID=$(echo $VERSION_ID | grep -Eo "^[0-9]+")
# Use the dnf config manager plugin to add the teleport RPM repo
$ sudo dnf config-manager --add-repo "$(rpm --eval "https://yum.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/stable/cloud/teleport-yum.repo")"
# Provide your Teleport domain to query the latest compatible Teleport version
$ export TELEPORT_DOMAIN=example.teleport.com
$ export TELEPORT_VERSION="$(curl https://$TELEPORT_DOMAIN/v1/webapi/automaticupgrades/channel/default/version | sed 's/v//')"
# Install Teleport and the Teleport updater
$ sudo dnf install "teleport-ent-$TELEPORT_VERSION" teleport-ent-updater
# Tip: Add /usr/local/bin to path used by sudo (so 'sudo tctl users add' will work as per the docs)
# echo "Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin" > /etc/sudoers.d/secure_path
# Source variables about OS version
$ source /etc/os-release
# Add the Teleport Zypper repository for cloud.
# First, get the OS major version from $VERSION_ID so this fetches the correct
# package version.
$ VERSION_ID=$(echo $VERSION_ID | grep -Eo "^[0-9]+")
# Use Zypper to add the teleport RPM repo
$ sudo zypper addrepo --refresh --repo $(rpm --eval "https://zypper.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/stable/cloud/teleport-zypper.repo")
# Provide your Teleport domain to query the latest compatible Teleport version
$ export TELEPORT_DOMAIN=example.teleport.com
$ export TELEPORT_VERSION="$(curl https://$TELEPORT_DOMAIN/v1/webapi/automaticupgrades/channel/default/version | sed 's/v//')"
# Install Teleport and the Teleport updater
$ sudo zypper install "teleport-ent-$TELEPORT_VERSION" teleport-ent-updater
OS repository channels
The following channels are available for APT, YUM, and Zypper repos. They may be used in place of
stable/v14
anywhere in the Teleport documentation.
Channel name | Description |
---|---|
stable/<major> | Receives releases for the specified major release line, i.e. v14 |
stable/cloud | Rolling channel that receives releases compatible with current Cloud version |
stable/rolling | Rolling channel that receives all published Teleport releases |
Is my Teleport instance compatible with Teleport Enterprise Cloud?
Before installing a teleport
binary with a version besides v16,
read our compatibility rules to ensure that the binary is compatible with
Teleport Enterprise Cloud.
Teleport uses Semantic Versioning. Version numbers
include a major version, minor version, and patch version, separated by dots.
When running multiple teleport
binaries within a cluster, the following rules
apply:
- Patch and minor versions are always compatible, for example, any 8.0.1 component will work with any 8.0.3 component and any 8.1.0 component will work with any 8.3.0 component.
- Servers support clients that are one major version behind, but do not support
clients that are on a newer major version. For example, an 8.x.x Proxy Service
instance is compatible with 7.x.x agents and 7.x.x
tsh
, but we don't guarantee that a 9.x.x agent will work with an 8.x.x Proxy Service instance. This also means you must not attempt to upgrade from 6.x.x straight to 8.x.x. You must upgrade to 7.x.x first. - Proxy Service instances and agents do not support Auth Service instances that
are on an older major version, and will fail to connect to older Auth Service
instances by default. You can override version checks by passing
--skip-version-check
when starting agents and Proxy Service instances.
Step 2/4. Create a bot user
Before you create a bot user, you need to determine which role(s) you want to
assign to it. You can use the tctl
command below to examine what roles exist
on your system.
- Teleport Enterprise Cloud
- Self-Hosted
On your client machine, log in to Teleport using tsh
, then use tctl
to examine
what roles exist on your system.
Connect to the Teleport Auth Server and use tctl
to examine what roles exist on
your system.
$ tctl get roles --format=text
You will see something like the output below on a fresh install of Teleport with the
default roles—your cluster may have different roles. In this example, let's
assume you want to give the bot the access
role to allow it to connect to
machines within your cluster.
Role Allowed to login as Node Labels Access to resources
------- --------------------------------------------- ----------- ----------------------------------------
access {{internal.logins}} <all nodes> event:list,read,session:read,list
auditor no-login-6566121f-b602-47f1-a118-c9c618ee5aec session:list,read,event:list,read
editor user:list,create,read,update,delete,...
The internal.logins
trait is replaced with values from the Teleport local user
database. For full details on how traits work in Teleport roles, see the
Teleport Access Controls
Reference.
Machine ID can join with a token or the IAM Method on AWS.
Assuming that you are using the default access
role, ensure that you use the
--logins
flag when adding your bot to specify the SSH logins that you wish to
allow the bot to access on hosts. For our example, we will be using root
.
- Token-based Joining
- IAM Method
$ tctl bots add robot --roles=access --logins=root
First, create an IAM method token that specifies the AWS account from which
the bot can join. Create the below file as iam-token.yaml
then run tctl create -f iam-token.yaml
.
kind: token
version: v2
metadata:
# The token name is not a secret because instances must prove that they are
# running in your AWS account to use this token.
name: iam-token
spec:
# Only allow bots to join using this token.
roles: [Bot]
# Set the join method to be IAM.
join_method: iam
# Define the name of the bot that will be allowed to use this token.
bot_name: robot
allow:
# Restrict the AWS account and (optionally) ARN that can use this token.
# This information can be obtained from running the
# "aws sts get-caller-identity" command from the CLI.
- aws_account: "111111111111"
aws_arn: "arn:aws:sts::111111111111:assumed-role/teleport-bot-role/i-*"
Next, create the bot user.
$ tctl bots add robot --token=iam-token --roles=access --logins=root
Step 3/4. Start Machine ID
Now start Machine ID using the tbot
binary. The tbot start
command will
start running Machine ID in a loop, writing renewable certificates to
/var/lib/teleport/bot
and the short-lived certificates your application will
use to /opt/machine-id
.
In a production environment you will want to run Machine ID in the background using a service manager like systemd. However, in this guide you will run it in the foreground to better understand how it works.
- Token-based Joining
- IAM Method
$ export TELEPORT_ANONYMOUS_TELEMETRY=1
$ sudo tbot start \
--data-dir=/var/lib/teleport/bot \
--destination-dir=/opt/machine-id \
--token=abcd123-insecure-do-not-use-this \
--join-method=token \
--proxy-server=example.teleport.sh:443
$ export TELEPORT_ANONYMOUS_TELEMETRY=1
$ sudo tbot start \
--data-dir=/var/lib/teleport/bot \
--destination-dir=/opt/machine-id \
--token=iam-token \
--join-method=iam \
--proxy-server=example.teleport.sh:443
TELEPORT_ANONYMOUS_TELEMETRY
enables the submission of anonymous usage
telemetry. This helps us shape the future development of tbot
. You can disable
this by omitting this.
Replace the following fields with values from your own cluster.
- Teleport Enterprise Cloud
- Self-Hosted
token
is the token output by thetctl bots add
command or the name of your IAM method token.destination-dir
is where Machine ID writes user certificates that can be used by applications and tools.data-dir
is where Machine ID writes its private data, including its own short-lived renewable certificates. These should not be used by applications and tools.auth-server
is the address of your Teleport Cloud Proxy Server, for exampleexample.teleport.sh:443
.
token
is the token output by thetctl bots add
command or the name of your IAM method token.ca-pin
is the CA Pin for your Teleport cluster, and is output by thetctl bots add
command.destination-dir
is where Machine ID writes user certificates that can be used by applications and tools.data-dir
is where Machine ID writes its private data, including its own short-lived renewable certificates. These should not be used by applications and tools.auth-server
is typically the address of your Teleport Proxy Server (teleport.example.com:443
), but can also be the address of the Auth Server is direct connectivity is available.teleport.example.com:443
.
Now that Machine ID has successfully started, let's investigate the
/opt/machine-id
directory to see what was written to disk.
$ tree /opt/machine-id
machine-id
├── identity
├── key
├── key-cert.pub
├── key.pub
├── known_hosts
├── ssh_config
├── teleport-database-ca.crt
├── teleport-host-ca.crt
├── teleport-user-ca.crt
└── tlscert
0 directories, 10 files
This directory contains private key material in the key.*
files, SSH
certificates in the identity
file, X.509 certificates in the tls*
and
*.crt
files, OpenSSH configuration in the ssh_config
and
known_hosts
files to make it easy to integrate Machine ID with external
applications and tools.
Step 4/4. Use certificates issued by Machine ID
To use Machine ID, find a host that you want to connect to within your cluster
using tsh ls
. You might see output like the following on your system.
$ tsh ls
Node Name Address Labels
--------- -------------- -----------------------------
node-name 127.0.0.1:3022 arch=x86_64,group=api-servers
Not seeing Nodes?
When Teleport's Auth Service receives a request to list Teleport Nodes (e.g., to
display Nodes in the Web UI or via tsh ls
), it only returns the Nodes that the
current user is authorized to view.
For each Node in the user's Teleport cluster, the Auth Service applies the following checks in order and, if one check fails, hides the Node from the user:
- None of the user's roles contain a
deny
rule that matches the Node's labels. - At least one of the user's roles contains an
allow
rule that matches the Node's labels.
If you are not seeing Nodes when expected, make sure that your user's roles
include the appropriate allow
and deny
rules as documented in the
Teleport Access Controls Reference.
To use Machine ID with the OpenSSH integration, run the following command to
connect to node-name
within cluster example.com
.
$ ssh -F /opt/machine-id/ssh_config root@node-name.example.com
In addition to the ssh
client you can use tsh
. Replace the --proxy
parameter
with your proxy address.
- Self-Hosted
- Teleport Enterprise Cloud
$ tsh ssh --proxy=teleport.example.com -i /opt/machine-id/identity root@node-name
$ tsh ssh --proxy=mytenant.teleport.sh -i /opt/machine-id/identity root@node-name
The below error can occur when the bot does not have permission to log in to a node as the requested user:
$ ssh -F /opt/machine-id/ssh_config root@node-name.example.com
root@node-name: Permission denied (publickey).
kex_exchange_identification: Connection closed by remote host
This can happen in two circumstances:
- The user you are trying to log in as is not specified under
logins
in the role you are using - If you have used
--logins
when creating the bot user, the role the bot is impersonating does not have the{{ internal.logins }}
variable specified.
If you have been following along with the access
role, do the following.
- Export the role by running
tctl get roles/access > access.yaml
- Edit the
logins
field inaccess.yaml
- Update the role by running
tctl create -f access.yaml
Now you can replace any invocations of ssh
with the above command to provide
your applications and tools a machine identity that can be rotated, audited,
and controlled with all the familiar Teleport access controls.
Next Steps
- Read the architecture overview to learn about how Machine ID works in more detail.
- Check out the deployment guides to learn about
configuring
tbot
in a production-ready way for your platform. - Check out the access guides to learn about configuring
tbot
for different use cases than SSH. - Read the configuration reference to explore all the available configuration options.
- More information about
TELEPORT_ANONYMOUS_TELEMETRY
.