From 5b356de8128fc4eb5b2e8588ab10400af9711d08 Mon Sep 17 00:00:00 2001 From: Ben Arent Date: Fri, 17 Jul 2020 08:26:19 -0700 Subject: [PATCH] Move around references (#4063) * Move around references --- docs/4.3.yaml | 6 +- docs/4.3/admin-guide.md | 400 +++++++++-------------------------- docs/4.3/api_reference.md | 62 ++++++ docs/4.3/cli-docs.md | 8 +- docs/4.3/config_reference.md | 320 ++++++++++++++++++++++++++++ 5 files changed, 486 insertions(+), 310 deletions(-) create mode 100644 docs/4.3/api_reference.md create mode 100644 docs/4.3/config_reference.md diff --git a/docs/4.3.yaml b/docs/4.3.yaml index 5c4aa081e2c12..1a79ed153ec16 100644 --- a/docs/4.3.yaml +++ b/docs/4.3.yaml @@ -83,5 +83,7 @@ nav: - Advanced Features: - Enhanced Session Rec.: features/enhanced_session_recording.md - Using Teleport with PAM: features/ssh_pam.md - - CLI Reference: - - CLI Reference: cli-docs.md \ No newline at end of file + - Reference: + - YAML: config_reference.md + - CLI: cli-docs.md + - API: api_reference.md \ No newline at end of file diff --git a/docs/4.3/admin-guide.md b/docs/4.3/admin-guide.md index 91b6465ee7a5b..2741bd2168420 100644 --- a/docs/4.3/admin-guide.md +++ b/docs/4.3/admin-guide.md @@ -126,7 +126,10 @@ Docs](cli-docs.md#teleport-start) or run `teleport start --help` ### Configuration File Teleport uses the YAML file format for configuration. A sample configuration -file is shown below. By default, it is stored in `/etc/teleport.yaml` +file is shown below. By default, it is stored in `/etc/teleport.yaml`, below is +an expanded and commented version from `teleport configure`. + +For a complete reference, see our [Configuration Reference - teleport.yaml](config_reference.md#teleportyaml) !!! note "IMPORTANT" 
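Review bot: The added sentence in the admin-guide hunk, `file is shown below. By default, it is stored in `/etc/teleport.yaml`, below is an expanded and commented version from `teleport configure`.`, splices two statements with a comma and reads awkwardly. Suggest splitting it: `By default, it is stored in `/etc/teleport.yaml`. Below is an expanded and commented version of the file that `teleport configure` generates.` The following link to `config_reference.md#teleportyaml` does match the `## teleport.yaml` heading the commit adds in the new reference file, so only the wording needs attention.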
@@ -135,315 +138,102 @@ file is shown below. By default, it is stored in `/etc/teleport.yaml` tab characters. ``` yaml -# By default, this file should be stored in /etc/teleport.yaml - -# This section of the configuration file applies to all teleport -# services. +# +# Sample Teleport configuration file +# Creates a single proxy, auth and node server. +# +# Things to update: +# 1. ca_pin: Obtain the CA pin hash for joining more nodes by running 'tctl status' +# on the auth server once Teleport is running. +# 2. license-if-using-teleport-enterprise.pem: If you are an Enterprise customer, +# obtain this from https://dashboard.gravitational.com/web/ +# teleport: - # nodename allows to assign an alternative name this node can be reached by. - # by default it's equal to hostname - nodename: graviton - - # Data directory where Teleport daemon keeps its data. - # See "Filesystem Layout" section above for more details. - data_dir: /var/lib/teleport - - # Invitation token used to join a cluster. it is not used on - # subsequent starts - auth_token: xxxx-token-xxxx - - # Optional CA pin of the auth server. This enables more secure way of adding new - # nodes to a cluster. See "Adding Nodes" section above. - ca_pin: "sha256:7e12c17c20d9cb504bbcb3f0236be3f446861f1396dcbb44425fe28ec1c108f1" - - # When running in multi-homed or NATed environments Teleport nodes need - # to know which IP it will be reachable at by other nodes - # - # This value can be specified as FQDN e.g. host.example.com - advertise_ip: 10.1.0.5 - - # list of auth servers in a cluster. you will have more than one auth server - # if you configure teleport auth to run in HA configuration. - # If adding a node located behind NAT, use the Proxy URL. e.g. - # auth_servers: - # - teleport-proxy.example.com:3080 - auth_servers: - - 10.1.0.5:3025 - - 10.1.0.6:3025 - - # Teleport throttles all connections to avoid abuse. 
These settings allow - # you to adjust the default limits - connection_limits: - max_connections: 1000 - max_users: 250 - - # Logging configuration. Possible output values to disk via '/var/lib/teleport/teleport.log', - # 'stdout', 'stderr' and 'syslog'. Possible severity values are INFO, WARN - # and ERROR (default). - log: - output: /var/lib/teleport/teleport.log - severity: ERROR - - # Configuration for the storage back-end used for the cluster state and the - # audit log. Several back-end types are supported. See "High Availability" - # section of this Admin Manual below to learn how to configure DynamoDB, - # S3, etcd and other highly available back-ends. - storage: - # By default teleport uses the `data_dir` directory on a local filesystem - type: dir - - # Array of locations where the audit log events will be stored. by - # default they are stored in `/var/lib/teleport/log` - audit_events_uri: ['file:///var/lib/teleport/log', 'dynamodb://events_table_name', 'firestore://events_table_name', 'stdout://'] - - # Use this setting to configure teleport to store the recorded sessions in - # an AWS S3 bucket or use GCP Storage with 'gs://'. See "Using Amazon S3" - # chapter for more information. - audit_sessions_uri: 's3://example.com/path/to/bucket?region=us-east-1' - - # CA Signing algorithm used for OpenSSH Certificates - # Defaults to rsa-sha2-512 in 4.3 and above. - # valid values are: ssh-rsa, rsa-sha2-256, rsa-sha2-512; ssh-rsa is SHA1 - ca_signature_algo: “rsa-sha2-512” - - # Cipher algorithms that the server supports. This section only needs to be - # set if you want to override the defaults. - ciphers: - - aes128-ctr - - aes192-ctr - - aes256-ctr - - aes128-gcm@openssh.com - - chacha20-poly1305@openssh.com - - # Key exchange algorithms that the server supports. This section only needs - # to be set if you want to override the defaults. 
- kex_algos: - - curve25519-sha256@libssh.org - - ecdh-sha2-nistp256 - - ecdh-sha2-nistp384 - - ecdh-sha2-nistp521 - - # Message authentication code (MAC) algorithms that the server supports. - # This section only needs to be set if you want to override the defaults. - mac_algos: - - hmac-sha2-256-etm@openssh.com - - hmac-sha2-256 - - # List of the supported ciphersuites. If this section is not specified, - # only the default ciphersuites are enabled. - ciphersuites: - - tls-ecdhe-rsa-with-aes-128-gcm-sha256 - - tls-ecdhe-ecdsa-with-aes-128-gcm-sha256 - - tls-ecdhe-rsa-with-aes-256-gcm-sha384 - - tls-ecdhe-ecdsa-with-aes-256-gcm-sha384 - - tls-ecdhe-rsa-with-chacha20-poly1305 - - tls-ecdhe-ecdsa-with-chacha20-poly1305 - -# This section configures the 'auth service': -auth_service: - # Turns 'auth' role on. Default is 'yes' - enabled: yes - - # A cluster name is used as part of a signature in certificates - # generated by this CA. - # - # We strongly recommend to explicitly set it to something meaningful as it - # becomes important when configuring trust between multiple clusters. - # - # By default an automatically generated name is used (not recommended) - # - # IMPORTANT: if you change cluster_name, it will invalidate all generated - # certificates and keys (may need to wipe out /var/lib/teleport directory) - cluster_name: "main" - - authentication: - # default authentication type. possible values are 'local' and 'github' for OSS - # and 'oidc', 'saml' and 'false' for Enterprise. 
- # 'false' is required for FedRAMP / FIPS, see - # https://gravitational.com/teleport/docs/enterprise/ssh_fips#teleport-auth-server - # only local authentication (Teleport's own user DB) & Github is supported in the open - # source version - type: local - # second_factor can be off, otp, or u2f - second_factor: otp - # this section is used if second_factor is set to 'u2f' - u2f: - # app_id must point to the URL of the Teleport Web UI (proxy) accessible - # by the end users - app_id: https://localhost:3080 - # facets must list all proxy servers if there are more than one deployed - facets: - - - https://localhost:3080 - - # IP and the port to bind to. Other Teleport nodes will be connecting to - # this port (AKA "Auth API" or "Cluster API") to validate client - # certificates - listen_addr: 0.0.0.0:3025 - - # The optional DNS name the auth server if located behind a load balancer. - # (see public_addr section below) - public_addr: auth.example.com:3025 - - # Pre-defined tokens for adding new nodes to a cluster. Each token specifies - # the role a new node will be allowed to assume. The more secure way to - # add nodes is to use `ttl node add --ttl` command to generate auto-expiring - # tokens. - # - # We recommend to use tools like `pwgen` to generate sufficiently random - # tokens of 32+ byte length. - tokens: - - "proxy,node:xxxxx" - - "auth:yyyy" - - # Optional setting for configuring session recording. Possible values are: - # "node" : sessions will be recorded on the node level (the default) - # "proxy" : recording on the proxy level, see "recording proxy mode" section. - # "off" : session recording is turned off - session_recording: "node" - - # This setting determines if a Teleport proxy performs strict host key checks. - # Only applicable if session_recording=proxy, see "recording proxy mode" for details. 
- proxy_checks_host_keys: yes - - # Determines if SSH sessions to cluster nodes are forcefully terminated - # after no activity from a client (idle client). - # Examples: "30m", "1h" or "1h30m" - client_idle_timeout: never - - # Determines if the clients will be forcefully disconnected when their - # certificates expire in the middle of an active SSH session. (default is 'no') - disconnect_expired_cert: no - - # Determines the interval at which Teleport will send keep-alive messages. The - # default value mirrors sshd at 15 minutes. keep_alive_count_max is the number - # of missed keep-alive messages before the server tears down the connection to the - # client. - keep_alive_interval: 15 - keep_alive_count_max: 3 - - # License file to start auth server with. Note that this setting is ignored - # in open-source Teleport and is required only for Teleport Pro, Business - # and Enterprise subscription plans. - # - # The path can be either absolute or relative to the configured `data_dir` - # and should point to the license file obtained from Teleport Download Portal. - # - # If not set, by default Teleport will look for the `license.pem` file in - # the configured `data_dir` . - license_file: /var/lib/teleport/license.pem + # nodename allows to assign an alternative name this node can be reached by. + # by default it's equal to hostname + nodename: NODE_NAME + data_dir: /var/lib/teleport + + # Invitation token used to join a cluster. it is not used on + # subsequent starts + auth_token: xxxx-token-xxxx + + # Optional CA pin of the auth server. This enables more secure way of adding new + # nodes to a cluster. See "Adding Nodes" section above. + ca_pin: "sha256:ca-pin-hash-goes-here" + + # list of auth servers in a cluster. you will have more than one auth server + # if you configure teleport auth to run in HA configuration. + # If adding a node located behind NAT, use the Proxy URL. e.g. 
+ # auth_servers: + # - teleport-proxy.example.com:3080 + auth_servers: + - 10.1.0.5:3025 + - 10.1.0.6:3025 - # DEPRECATED in Teleport 3.2 (moved to proxy_service section) - kubeconfig_file: /path/to/kubeconfig + # Logging configuration. Possible output values to disk via '/var/lib/teleport/teleport.log', + # 'stdout', 'stderr' and 'syslog'. Possible severity values are INFO, WARN + # and ERROR (default). + log: + output: stderr + severity: INFO -# This section configures the 'node service': +auth_service: + enabled: "yes" + # A cluster name is used as part of a signature in certificates + # generated by this CA. + # + # We strongly recommend to explicitly set it to something meaningful as it + # becomes important when configuring trust between multiple clusters. + # + # By default an automatically generated name is used (not recommended) + # + # IMPORTANT: if you change cluster_name, it will invalidate all generated + # certificates and keys (may need to wipe out /var/lib/teleport directory) + cluster_name: "teleport-aws-us-east-1" + + # IP and the port to bind to. Other Teleport nodes will be connecting to + # this port (AKA "Auth API" or "Cluster API") to validate client + # certificates + listen_addr: 0.0.0.0:3025 + + tokens: + - proxy,node:xxxx-token-xxxx + # license_file: /path/to/license-if-using-teleport-enterprise.pem + + authentication: + # default authentication type. possible values are 'local' and 'github' for OSS + # and 'oidc', 'saml' and 'false' for Enterprise. + type: local + # second_factor can be off, otp, or u2f + second_factor: otp ssh_service: - # Turns 'ssh' role on. Default is 'yes' - enabled: yes - - # IP and the port for SSH service to bind to. - listen_addr: 0.0.0.0:3022 - - # The optional public address the SSH service. 
This is useful if administrators - # want to allow users to connect to nodes directly, bypassing a Teleport proxy - # (see public_addr section below) - public_addr: node.example.com:3022 - - # See explanation of labels in "Labeling Nodes" section below - labels: - role: leader - type: postgres - - # List of the commands to periodically execute. Their output will be used as node labels. - # See "Labeling Nodes" section below for more information and more examples. - commands: - # this command will add a label 'arch=x86_64' to a node - - name: arch - command: ['/bin/uname', '-p'] - period: 1h0m0s - - # enables reading ~/.tsh/environment before creating a session. by default - # set to false, can be set true here or as a command line flag. - permit_user_env: false - - # Enhanced Session Recording was introduced with Teleport 4.2. For more details - # see https://gravitational.com/teleport/docs/features/enhanced_session_recording - enhanced_recording: - # Enable or disable enhanced auditing for this node. Default value: - # false. - enabled: false - - # command_buffer_size is optional with a default value of 8 pages. - command_buffer_size: 8 - - # disk_buffer_size is optional with default value of 128 pages. - disk_buffer_size: 128 - - # network_buffer_size is optional with default value of 8 pages. - network_buffer_size: 8 - - # Controls where cgroupv2 hierarchy is mounted. Default value: - # /cgroup2. - cgroup_path: /cgroup2 - - # configures PAM integration. see below for more details. - pam: - enabled: no - service_name: teleport - -# This section configures the 'proxy service' + enabled: "yes" + labels: + teleport: static-label-example + commands: + - name: hostname + command: [/usr/bin/hostname] + period: 1m0s + - name: arch + command: [/usr/bin/uname, -p] + period: 1h0m0s proxy_service: - # Turns 'proxy' role on. Default is 'yes' - enabled: yes - - # SSH forwarding/proxy address. 
Command line (CLI) clients always begin their - # SSH sessions by connecting to this port - listen_addr: 0.0.0.0:3023 - - # Reverse tunnel listening address. An auth server (CA) can establish an - # outbound (from behind the firewall) connection to this address. - # This will allow users of the outside CA to connect to behind-the-firewall - # nodes. - tunnel_listen_addr: 0.0.0.0:3024 - - # The HTTPS listen address to serve the Web UI and also to authenticate the - # command line (CLI) users via password+HOTP - web_listen_addr: 0.0.0.0:3080 - - # The DNS name the proxy HTTPS endpoint as accessible by cluster users. - # Defaults to the proxy's hostname if not specified. If running multiple - # proxies behind a load balancer, this name must point to the load balancer - # (see public_addr section below) - public_addr: proxy.example.com:3080 - - # The DNS name of the proxy SSH endpoint as accessible by cluster clients. - # Defaults to the proxy's hostname if not specified. If running multiple proxies - # behind a load balancer, this name must point to the load balancer. - # Use a TCP load balancer because this port uses SSH protocol. - ssh_public_addr: proxy.example.com:3023 - - # TLS certificate for the HTTPS connection. Configuring these properly is - # critical for Teleport security. - https_key_file: /var/lib/teleport/webproxy_key.pem - https_cert_file: /var/lib/teleport/webproxy_cert.pem - - # This section configures the Kubernetes proxy service - kubernetes: - # Turns 'kubernetes' proxy on. Default is 'no' - enabled: yes - - # Kubernetes proxy listen address. - listen_addr: 0.0.0.0:3026 - - # The DNS name of the Kubernetes proxy server that is accessible by cluster clients. - # If running multiple proxies behind a load balancer, this name must point to the - # load balancer. - public_addr: ['kube.example.com:3026'] - - # This setting is not required if the Teleport proxy service is - # deployed inside a Kubernetes cluster. 
Otherwise, Teleport proxy - # will use the credentials from this file: - kubeconfig_file: /path/to/kube/config + enabled: "yes" + listen_addr: 0.0.0.0:3023 + web_listen_addr: 0.0.0.0:3080 + tunnel_listen_addr: 0.0.0.0:3024 + + # The DNS name of the proxy HTTPS endpoint as accessible by cluster users. + # Defaults to the proxy's hostname if not specified. If running multiple + # proxies behind a load balancer, this name must point to the load balancer + # (see public_addr section below) + public_addr: TELEPORT_PUBLIC_DNS_NAME:3022 + + # TLS certificate for the HTTPS connection. Configuring these properly is + # critical for Teleport security. + https_key_file: /etc/letsencrypt/live/TELEPORT_PUBLIC_DNS_NAME/privkey.pem + https_cert_file: /etc/letsencrypt/live/TELEPORT_PUBLIC_DNS_NAME/fullchain.pem ``` #### Public Addr diff --git a/docs/4.3/api_reference.md b/docs/4.3/api_reference.md new file mode 100644 index 0000000000000..99a834238cdf4 --- /dev/null +++ b/docs/4.3/api_reference.md @@ -0,0 +1,62 @@ +# Teleport API Reference + +Teleport is currently working on documenting our API. + +!!! warning + + We are currently working on this project. If you have an API suggestion, [please complete our survey](https://docs.google.com/forms/d/1HPQu5Asg3lR0cu5crnLDhlvovGpFVIIbDMRvqclPhQg/edit). + +## Authentication +In order to interact with the Access Request API, you will need to provision appropriate +TLS certificates. In order to provision certificates, you will need to create a +user with appropriate permissions: + +```bash +$ cat > rscs.yaml < -[tsh](#tsh)
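Review bot: In the new admin-guide sample, `proxy_service` sets `public_addr: TELEPORT_PUBLIC_DNS_NAME:3022` directly under a comment describing the proxy HTTPS endpoint, while `web_listen_addr` is `0.0.0.0:3080`; port 3022 is the `ssh_service` listen port in the reference file added by this same commit, so anyone copying this sample would point web and CLI clients at the wrong port (the replaced text used `proxy.example.com:3080`). Suggest `public_addr: TELEPORT_PUBLIC_DNS_NAME:3080`. The header comment's "Things to update" list names `ca_pin` and the license file but not the `NODE_NAME` and `TELEPORT_PUBLIC_DNS_NAME` placeholders used further down; a third item such as `# 3. NODE_NAME / TELEPORT_PUBLIC_DNS_NAME: replace with this node's name and the proxy's public DNS name` would keep the sample self-contained. The TLS paths under `/etc/letsencrypt/live/...` also depend on that placeholder, so it is worth calling out explicitly.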
-[tctl](#tctl) +Teleport is made up of three CLI tools. + +- [teleport](#teleport): The Teleport daemon that runs the Teleport Service, and acts as a daemon on a node allowing SSH connections. +- [tsh](#tsh): A tool that let's end users interact with Teleport nodes. This replaces `ssh`. +- [tctl](#tctl): An administrative tool that can configure Teleport Auth Service. ## teleport diff --git a/docs/4.3/config_reference.md b/docs/4.3/config_reference.md new file mode 100644 index 0000000000000..ba028fb8bace8 --- /dev/null +++ b/docs/4.3/config_reference.md 
@@ -0,0 +1,320 @@ +# Teleport Configuration Reference + +## teleport.yaml + +Teleport uses the YAML file format for configuration. A full configuration reference +file is shown below, this provides comments and all available options for `teleport.yaml` +By default, it is stored in `/etc/teleport.yaml`. + + +```yaml +# By default, this file should be stored in /etc/teleport.yaml + +# This section of the configuration file applies to all teleport +# services. +teleport: + # nodename allows to assign an alternative name this node can be reached by. + # by default it's equal to hostname + nodename: graviton + + # Data directory where Teleport daemon keeps its data. + # See "Filesystem Layout" section above for more details. + data_dir: /var/lib/teleport + + # Invitation token used to join a cluster. it is not used on + # subsequent starts + auth_token: xxxx-token-xxxx + + # Optional CA pin of the auth server. This enables more secure way of adding new + # nodes to a cluster. See "Adding Nodes" section above. + ca_pin: "sha256:7e12c17c20d9cb504bbcb3f0236be3f446861f1396dcbb44425fe28ec1c108f1" + + # When running in multi-homed or NATed environments Teleport nodes need + # to know which IP it will be reachable at by other nodes + # + # This value can be specified as FQDN e.g. host.example.com + advertise_ip: 10.1.0.5 + + # list of auth servers in a cluster. you will have more than one auth server + # if you configure teleport auth to run in HA configuration. + # If adding a node located behind NAT, use the Proxy URL. e.g. + # auth_servers: + # - teleport-proxy.example.com:3080 + auth_servers: + - 10.1.0.5:3025 + - 10.1.0.6:3025 + + # Teleport throttles all connections to avoid abuse. These settings allow + # you to adjust the default limits + connection_limits: + max_connections: 1000 + max_users: 250 + + # Logging configuration. Possible output values to disk via '/var/lib/teleport/teleport.log', + # 'stdout', 'stderr' and 'syslog'. 
Possible severity values are INFO, WARN + # and ERROR (default). + log: + output: /var/lib/teleport/teleport.log + severity: ERROR + + # Configuration for the storage back-end used for the cluster state and the + # audit log. Several back-end types are supported. See "High Availability" + # section of this Admin Manual below to learn how to configure DynamoDB, + # S3, etcd and other highly available back-ends. + storage: + # By default teleport uses the `data_dir` directory on a local filesystem + type: dir + + # Array of locations where the audit log events will be stored. by + # default they are stored in `/var/lib/teleport/log` + audit_events_uri: ['file:///var/lib/teleport/log', 'dynamodb://events_table_name', 'firestore://events_table_name', 'stdout://'] + + # Use this setting to configure teleport to store the recorded sessions in + # an AWS S3 bucket or use GCP Storage with 'gs://'. See "Using Amazon S3" + # chapter for more information. + audit_sessions_uri: 's3://example.com/path/to/bucket?region=us-east-1' + + # CA Signing algorithm used for OpenSSH Certificates + # Defaults to rsa-sha2-512 in 4.3 and above. + # valid values are: ssh-rsa, rsa-sha2-256, rsa-sha2-512; ssh-rsa is SHA1 + ca_signature_algo: “rsa-sha2-512” + + # Cipher algorithms that the server supports. This section only needs to be + # set if you want to override the defaults. + ciphers: + - aes128-ctr + - aes192-ctr + - aes256-ctr + - aes128-gcm@openssh.com + - chacha20-poly1305@openssh.com + + # Key exchange algorithms that the server supports. This section only needs + # to be set if you want to override the defaults. + kex_algos: + - curve25519-sha256@libssh.org + - ecdh-sha2-nistp256 + - ecdh-sha2-nistp384 + - ecdh-sha2-nistp521 + + # Message authentication code (MAC) algorithms that the server supports. + # This section only needs to be set if you want to override the defaults. + mac_algos: + - hmac-sha2-256-etm@openssh.com + - hmac-sha2-256 + + # List of the supported ciphersuites. 
If this section is not specified, + # only the default ciphersuites are enabled. + ciphersuites: + - tls-ecdhe-rsa-with-aes-128-gcm-sha256 + - tls-ecdhe-ecdsa-with-aes-128-gcm-sha256 + - tls-ecdhe-rsa-with-aes-256-gcm-sha384 + - tls-ecdhe-ecdsa-with-aes-256-gcm-sha384 + - tls-ecdhe-rsa-with-chacha20-poly1305 + - tls-ecdhe-ecdsa-with-chacha20-poly1305 + +# This section configures the 'auth service': +auth_service: + # Turns 'auth' role on. Default is 'yes' + enabled: yes + + # A cluster name is used as part of a signature in certificates + # generated by this CA. + # + # We strongly recommend to explicitly set it to something meaningful as it + # becomes important when configuring trust between multiple clusters. + # + # By default an automatically generated name is used (not recommended) + # + # IMPORTANT: if you change cluster_name, it will invalidate all generated + # certificates and keys (may need to wipe out /var/lib/teleport directory) + cluster_name: "main" + + authentication: + # default authentication type. possible values are 'local' and 'github' for OSS + # and 'oidc', 'saml' and 'false' for Enterprise. + # 'false' is required for FedRAMP / FIPS, see + # https://gravitational.com/teleport/docs/enterprise/ssh_fips#teleport-auth-server + # only local authentication (Teleport's own user DB) & Github is supported in the open + # source version + type: local + # second_factor can be off, otp, or u2f + second_factor: otp + # this section is used if second_factor is set to 'u2f' + u2f: + # app_id must point to the URL of the Teleport Web UI (proxy) accessible + # by the end users + app_id: https://localhost:3080 + # facets must list all proxy servers if there are more than one deployed + facets: + + - https://localhost:3080 + + # IP and the port to bind to. 
Other Teleport nodes will be connecting to + # this port (AKA "Auth API" or "Cluster API") to validate client + # certificates + listen_addr: 0.0.0.0:3025 + + # The optional DNS name the auth server if located behind a load balancer. + # (see public_addr section below) + public_addr: auth.example.com:3025 + + # Pre-defined tokens for adding new nodes to a cluster. Each token specifies + # the role a new node will be allowed to assume. The more secure way to + # add nodes is to use `ttl node add --ttl` command to generate auto-expiring + # tokens. + # + # We recommend to use tools like `pwgen` to generate sufficiently random + # tokens of 32+ byte length. + tokens: + - "proxy,node:xxxxx" + - "auth:yyyy" + + # Optional setting for configuring session recording. Possible values are: + # "node" : sessions will be recorded on the node level (the default) + # "proxy" : recording on the proxy level, see "recording proxy mode" section. + # "off" : session recording is turned off + session_recording: "node" + + # This setting determines if a Teleport proxy performs strict host key checks. + # Only applicable if session_recording=proxy, see "recording proxy mode" for details. + proxy_checks_host_keys: yes + + # Determines if SSH sessions to cluster nodes are forcefully terminated + # after no activity from a client (idle client). + # Examples: "30m", "1h" or "1h30m" + client_idle_timeout: never + + # Determines if the clients will be forcefully disconnected when their + # certificates expire in the middle of an active SSH session. (default is 'no') + disconnect_expired_cert: no + + # Determines the interval at which Teleport will send keep-alive messages. The + # default value mirrors sshd at 15 minutes. keep_alive_count_max is the number + # of missed keep-alive messages before the server tears down the connection to the + # client. + keep_alive_interval: 15 + keep_alive_count_max: 3 + + # License file to start auth server with. 
Note that this setting is ignored + # in open-source Teleport and is required only for Teleport Pro, Business + # and Enterprise subscription plans. + # + # The path can be either absolute or relative to the configured `data_dir` + # and should point to the license file obtained from Teleport Download Portal. + # + # If not set, by default Teleport will look for the `license.pem` file in + # the configured `data_dir` . + license_file: /var/lib/teleport/license.pem + + # DEPRECATED in Teleport 3.2 (moved to proxy_service section) + kubeconfig_file: /path/to/kubeconfig + +# This section configures the 'node service': +ssh_service: + # Turns 'ssh' role on. Default is 'yes' + enabled: yes + + # IP and the port for SSH service to bind to. + listen_addr: 0.0.0.0:3022 + + # The optional public address the SSH service. This is useful if administrators + # want to allow users to connect to nodes directly, bypassing a Teleport proxy + # (see public_addr section below) + public_addr: node.example.com:3022 + + # See explanation of labels in "Labeling Nodes" section below + labels: + role: leader + type: postgres + + # List of the commands to periodically execute. Their output will be used as node labels. + # See "Labeling Nodes" section below for more information and more examples. + commands: + # this command will add a label 'arch=x86_64' to a node + - name: arch + command: ['/bin/uname', '-p'] + period: 1h0m0s + + # enables reading ~/.tsh/environment before creating a session. by default + # set to false, can be set true here or as a command line flag. + permit_user_env: false + + # Enhanced Session Recording was introduced with Teleport 4.2. For more details + # see https://gravitational.com/teleport/docs/features/enhanced_session_recording + enhanced_recording: + # Enable or disable enhanced auditing for this node. Default value: + # false. + enabled: false + + # command_buffer_size is optional with a default value of 8 pages. 
+ command_buffer_size: 8 + + # disk_buffer_size is optional with default value of 128 pages. + disk_buffer_size: 128 + + # network_buffer_size is optional with default value of 8 pages. + network_buffer_size: 8 + + # Controls where cgroupv2 hierarchy is mounted. Default value: + # /cgroup2. + cgroup_path: /cgroup2 + + # configures PAM integration. see below for more details. + pam: + enabled: no + service_name: teleport + +# This section configures the 'proxy service' +proxy_service: + # Turns 'proxy' role on. Default is 'yes' + enabled: yes + + # SSH forwarding/proxy address. Command line (CLI) clients always begin their + # SSH sessions by connecting to this port + listen_addr: 0.0.0.0:3023 + + # Reverse tunnel listening address. An auth server (CA) can establish an + # outbound (from behind the firewall) connection to this address. + # This will allow users of the outside CA to connect to behind-the-firewall + # nodes. + tunnel_listen_addr: 0.0.0.0:3024 + + # The HTTPS listen address to serve the Web UI and also to authenticate the + # command line (CLI) users via password+HOTP + web_listen_addr: 0.0.0.0:3080 + + # The DNS name of the proxy HTTPS endpoint as accessible by cluster users. + # Defaults to the proxy's hostname if not specified. If running multiple + # proxies behind a load balancer, this name must point to the load balancer + # (see public_addr section below) + public_addr: proxy.example.com:3080 + + # The DNS name of the proxy SSH endpoint as accessible by cluster clients. + # Defaults to the proxy's hostname if not specified. If running multiple proxies + # behind a load balancer, this name must point to the load balancer. + # Use a TCP load balancer because this port uses SSH protocol. + ssh_public_addr: proxy.example.com:3023 + + # TLS certificate for the HTTPS connection. Configuring these properly is + # critical for Teleport security. 
+ https_key_file: /var/lib/teleport/webproxy_key.pem + https_cert_file: /var/lib/teleport/webproxy_cert.pem + + # This section configures the Kubernetes proxy service + kubernetes: + # Turns 'kubernetes' proxy on. Default is 'no' + enabled: yes + + # Kubernetes proxy listen address. + listen_addr: 0.0.0.0:3026 + + # The DNS name of the Kubernetes proxy server that is accessible by cluster clients. + # If running multiple proxies behind a load balancer, this name must point to the + # load balancer. + public_addr: ['kube.example.com:3026'] + + # This setting is not required if the Teleport proxy service is + # deployed inside a Kubernetes cluster. Otherwise, Teleport proxy + # will use the credentials from this file: + kubeconfig_file: /path/to/kube/config +``` \ No newline at end of file
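Review bot: `ca_signature_algo: “rsa-sha2-512”` in the `teleport` section of the new reference file uses typographic quotes (U+201C/U+201D) rather than ASCII `"`, so a YAML parser treats them as part of a plain scalar and the value no longer matches any of the valid values listed in the comment above it; it should read `ca_signature_algo: "rsa-sha2-512"`. The line was carried over verbatim from the removed admin-guide block, so the defect predates the move, but this file is now the canonical reference users will copy from. The `tokens` comment refers to `ttl node add --ttl`, which looks like a typo for the `tctl` command (`tctl nodes add --ttl`); since the comment is advising the more secure way to issue join tokens, it should name the tool correctly. This file also writes `enabled: yes` for every service while the admin-guide sample in the same commit writes `enabled: "yes"`; whichever form Teleport's loader expects, the two samples should agree so readers are not left guessing whether the quotes matter.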