
Setting up a bastion host that uses Teleport

This tutorial shows you one way to meet the IBM Cloud Framework for Financial Services requirements that relate to bastion hosts. There are various ways to implement a compliant bastion solution; here we show how to configure a bastion host in your VPC by using Teleport Enterprise Edition, together with Object Storage and App ID for enhanced security. You will learn how to set up a Teleport-based solution that meets the previously described IBM Cloud Framework for Financial Services requirements.

We provide guidance, but you are solely responsible for installing, configuring, and operating third-party (non-IBM) software in a way that satisfies IBM Cloud Framework for Financial Services requirements. In addition, IBM does not provide support for third-party software, so if you choose to use Teleport and encounter issues with the Teleport software that require support, contact Teleport.

To implement your bastion host solution, you must complete the following high-level steps:

  1. Provision an instance of Object Storage and configure a bucket for storing session recordings.
  2. Provision an instance of App ID and configure a SAML-based identity provider.
  3. Provision a virtual server instance, install Teleport, and complete the Teleport configuration for unified access to your infrastructure.

Before you begin

Before you deploy and configure a bastion host into a virtual server instance running on the VPC reference architecture, make sure you have completed the following prerequisites:

  • Acquire a Teleport Enterprise Edition license
  • Configure a VPC like VPC 0 (Edge Network) in the architecture diagram

Figure 1. Single-region IBM Cloud for Financial Services reference architecture for VPC with bastion host

Limitations

The following limitations currently apply for the bastion host solution that is described:

  • Windows is not supported.
  • RDP is not supported.

Configure Object Storage

Complete the following steps to configure Object Storage.

  1. Provision an IBM Cloud® Object Storage instance with the Standard Plan.
  2. Create a custom bucket for storing session recordings with the following configuration:
    • Storage class set to Standard
    • Resiliency set to Regional
    • Location set to the region of your VPC
    • Retention set to 12 months
  3. Generate a new set of service credentials with the bucket permissions of Object Write access and the advanced option of Include HMAC Credentials enabled.

Teleport session recordings can contain sensitive information. You should have policies to ensure that operators do not enter secrets on the command line interface. In addition, you need to employ least privilege and make sure that access to these recordings is restricted only to those employees who need the recordings to do their jobs (such as your security incident response team).

Configure App ID

  1. Provision an IBM Cloud® App ID instance with the Graduated tier Plan.
  2. If you have your own SAML-based identity provider, complete the following steps:
    1. Configure your SAML-based identity provider within App ID.
    2. Set up MFA by using a physical hardware-based security key and your identity provider.
    3. Set up the following password policies:
    • Lock user accounts after three (3) consecutive failed logon attempts within 15 minutes.
    • Lock user accounts for 30 minutes after more than three unsuccessful logon attempts. When the lockout period ends, the user can reset their password. Internal privileged accounts must remain locked until they are released by an administrator.
    • Set sessions to time out after 15 minutes of inactivity.
  3. Generate a service credential with the role of Reader.
  4. From your App ID service dashboard, click Manage Authentication > Authentication Settings and add the web redirect URL https://<virtual server instance FQDN>:3080/v1/webapi/oidc/callback.

Provision virtual server instances for Teleport Enterprise

  1. Provision a virtual server instance within each zone of the VPC cluster.
    • Profile: cx2-4x8 with 4 vCPUs, 8 GB RAM, 8 Gbps.
    • Linux-based operating system (CentOS, Debian, RHEL, Ubuntu).
  2. If your identity provider is hosted publicly and not accessible directly from the Teleport virtual server instance in the VPC, you must provision a public gateway.
  3. Register each virtual server instance that you plan to run Teleport on in DNS.
  4. Generate an SSL certificate for each of the provisioned virtual server instances or use a wildcard certificate.

Configure a security group for your virtual server instances

Configure the security group for your virtual server instances.

Bastion host: Security group inbound rules
This table shows the security group rules needed for the bastion server.

  Protocol | Source type              | Source                         | Port
  TCP      | IP address or CIDR Block | IP address or CIDR Block value | Ports 22-22
  TCP      | IP address or CIDR Block | IP address or CIDR Block value | Ports 3023-3025
  TCP      | IP address or CIDR Block | IP address or CIDR Block value | Ports 3080-3080

Bastion host: Security group outbound rules
This table shows the security group rules needed for the bastion server.

  Protocol | Destination type         | Destination                    | Value
  TCP      | IP address or CIDR Block | IP address or CIDR Block value | Ports Any

Add any additional security group rules that are needed for connectivity to your resources.

Configure an access control list

Configure the access control list for the subnets that the bastion virtual server instances use to allow inbound and outbound traffic. Make sure that there is a rule for each bastion virtual server instance if the ACL is used for multiple subnets.

Bastion host: Access control list inbound rules
This table shows the access control list rules needed for the bastion server.

  Protocol | Source type              | Source Value                   | Source Port | Destination type | Destination Value            | Destination Port
  TCP      | IP address or CIDR Block | IP address or CIDR Block value | Any         | IP address       | IP address of bastion server | 22
  TCP      | IP address or CIDR Block | IP address or CIDR Block value | Any         | IP address       | IP address of bastion server | 3023-3025
  TCP      | IP address or CIDR Block | IP address or CIDR Block value | Any         | IP address       | IP address of bastion server | 3080

Bastion host: Access control list outbound rules
This table shows the access control list rules needed for the bastion server.

  Protocol | Source type | Source Value                 | Source Port | Destination type         | Destination Value              | Destination Port
  TCP      | IP address  | IP address of bastion server | 22          | IP address or CIDR Block | IP address or CIDR Block value | Any
  TCP      | IP address  | IP address of bastion server | 3023-3025   | IP address or CIDR Block | IP address or CIDR Block value | Any
  TCP      | IP address  | IP address of bastion server | 3080        | IP address or CIDR Block | IP address or CIDR Block value | Any

Add any additional access control list rules that are needed for connectivity to your resources.
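The rules in the security group and access control list tables above, expressed as IBM Cloud CLI calls so that they can be reviewed and applied consistently to every bastion instance. This is an added example and not part of the IBM Cloud tutorial. It assumes the VPC plug-in subcommands ibmcloud is security-group-rule-add and ibmcloud is network-acl-rule-add with the --remote, --port-min/--port-max, --source-port-min/--source-port-max and --destination-port-min/--destination-port-max flags; confirm them with ibmcloud is help before use. The security group name, ACL name, admin CIDR, egress CIDR and bastion IP address are placeholders that you supply.

```shell
#!/bin/sh
# Added example (not from the IBM Cloud tutorial): build the `ibmcloud is` calls
# that create the bastion security-group and ACL rules listed in the tables above.
# Assumptions: the VPC plug-in subcommands `security-group-rule-add` and
# `network-acl-rule-add` with the flags used here; verify with `ibmcloud is help`.
# Security group, ACL, admin CIDR, egress CIDR and bastion IP are caller-supplied.

# TCP port ranges from the inbound tables, one "low high" pair per line.
# Port 22 is only needed until Teleport is running; the tutorial removes it later.
BASTION_PORT_RANGES="22 22
3023 3025
3080 3080"

# run CMD...: print the command in dry-run mode (the default), else execute it.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# sg_rules SECURITY_GROUP ADMIN_CIDR EGRESS_CIDR
# Inbound: TCP from the admin CIDR to each Teleport port range.
# Outbound: TCP to the egress CIDR on any port (security groups are stateful,
# so return traffic for inbound sessions needs no extra rule).
sg_rules() {
    sg=$1; admin_cidr=$2; egress_cidr=$3
    printf '%s\n' "$BASTION_PORT_RANGES" | while read -r lo hi; do
        run ibmcloud is security-group-rule-add "$sg" inbound tcp \
            --remote "$admin_cidr" --port-min "$lo" --port-max "$hi"
    done
    run ibmcloud is security-group-rule-add "$sg" outbound tcp --remote "$egress_cidr"
}

# acl_rules NETWORK_ACL ADMIN_CIDR BASTION_IP
# Network ACLs are stateless, which is why the outbound table mirrors the
# inbound one: replies leave the bastion *from* the Teleport port, so the
# outbound rule matches on source port and allows any destination port.
acl_rules() {
    acl=$1; admin_cidr=$2; bastion_ip=$3
    printf '%s\n' "$BASTION_PORT_RANGES" | while read -r lo hi; do
        run ibmcloud is network-acl-rule-add "$acl" allow inbound tcp \
            "$admin_cidr" "$bastion_ip" \
            --destination-port-min "$lo" --destination-port-max "$hi"
        run ibmcloud is network-acl-rule-add "$acl" allow outbound tcp \
            "$bastion_ip" "$admin_cidr" \
            --source-port-min "$lo" --source-port-max "$hi"
    done
}

# Usage: review the printed commands first, then rerun with DRY_RUN=0 to apply.
#   sg_rules  bastion-sg  203.0.113.0/24 10.0.0.0/8
#   acl_rules bastion-acl 203.0.113.0/24 10.10.0.5
```

Because the functions default to printing rather than running, you can diff the output against the tables before anything is changed in the VPC. The same pair of calls, with the 22-22 line removed from BASTION_PORT_RANGES, gives you the end state that the final section of this tutorial asks for.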

Configure virtual server instances for Teleport Enterprise

With your virtual server instances provisioned and set up with a security group and ACL, you can continue configuring the instance and installing Teleport. Then, complete the Teleport configuration for unified access to your infrastructure.

  1. Connect to your virtual server instance by using SSH.

  2. Download Teleport Enterprise version 7.1.0 and extract its contents. Copy the following binaries to the /usr/local/bin directory:

    • cp <path of extracted contents>/teleport /usr/local/bin
    • cp <path of extracted contents>/tctl /usr/local/bin
    • cp <path of extracted contents>/tsh /usr/local/bin
  3. Create the directory /var/lib/teleport on the file system of your virtual server instance. This directory might exist depending on your installation method.

  4. Copy your license file from Teleport Enterprise into the file /var/lib/teleport/license.pem.

  5. Copy your SSL certificate for the virtual server instance into /var/lib/teleport/. You should have a file for the certificate and a file for the key. If you have an intermediate certificate, make sure it is appended after your own certificate in the certificate file.

  6. Create the file teleport.yaml in the directory /etc and copy the sample content from the following example into the file. Make the appropriate changes where noted with <variables>.

    #teleport.yaml
    teleport:
      nodename: <fqdn of node>
      data_dir: /var/lib/teleport
      log:
        output: stderr
        severity: DEBUG
      storage:
        audit_sessions_uri: "s3://<Bucket>?endpoint=<COS Endpoint>&region=ibm"
    
    auth_service:
      enabled: "yes"
      listen_addr: 0.0.0.0:3025
      authentication:
        type: oidc
        local_auth: false
      license_file: /var/lib/teleport/license.pem
      message_of_the_day: "<banner message to be displayed to a user that must be acknowledged before logging into the bastion>"
    
    ssh_service:
      enabled: "yes"
      commands:
      - name: hostname
        command: [hostname]
        period: 1m0s
      - name: arch
        command: [uname, -p]
        period: 1h0m0s
    
    proxy_service:
      enabled: "yes"
      listen_addr: 0.0.0.0:3023
      web_listen_addr: 0.0.0.0:3080
      tunnel_listen_addr: 0.0.0.0:3024
      https_cert_file: /var/lib/teleport/<SSL Certificate PEM File>
      https_key_file: /var/lib/teleport/<SSL Certificate Key PEM File>
    
  7. Create the file /etc/systemd/system/teleport.service with the following example content. Make sure to enter the HMAC credentials that you generated previously in this procedure. For more information, see Systemd Unit File. Make the appropriate changes where noted with <variables>.

    [Unit]
    Description=Teleport Service
    After=network.target
    
    [Service]
    Type=simple
    Restart=on-failure
    Environment=AWS_ACCESS_KEY_ID="<HMAC access_key_id>"
    Environment=AWS_SECRET_ACCESS_KEY="<HMAC secret_access_key>"
    ExecStart=/usr/local/bin/teleport start --config=/etc/teleport.yaml --pid-file=/run/teleport.pid
    ExecReload=/bin/kill -HUP $MAINPID
    PIDFile=/run/teleport.pid
    
    [Install]
    WantedBy=multi-user.target
    
  8. Issue the following systemctl commands to load, start, and enable the teleport service.

    sudo systemctl daemon-reload
    sudo systemctl start teleport
    sudo systemctl enable teleport
    
  9. Some operating systems ship with an open host firewall, but if yours limits traffic, you must add firewall rules to allow TCP traffic on ports 3023, 3024, 3025, and 3080. CentOS is an example of an operating system that blocks this traffic by default.

  10. Start the Teleport process by running systemctl start teleport.

  11. Create a Teleport Role. For more information, see Create Teleport Roles. For more information on settings for a Teleport role, see Teleport Access Control Reference.

    1. Create the file role.yaml within the directory /var/lib/teleport. The following sample role provides full access to the system. You can also create roles within the Teleport web console under Teams -> Roles.
    #example role
    kind: "role"
    version: "v3"
    metadata:
      name: "teleport-admin"
    spec:
      options:
        max_connections: 3
        cert_format: standard
        client_idle_timeout: 15m
        disconnect_expired_cert: no
        enhanced_recording:
        - command
        - network
        forward_agent: true
        max_session_ttl: 1h
        port_forwarding: false
      allow:
        logins: [root]
        node_labels:
          "*": "*"
        rules:
        - resources: ["*"]
          verbs: ["*"]
    
  12. Create the OIDC connector.

    1. Create the file oidc.yaml within the directory /var/lib/teleport by using the following example content. Make the appropriate changes where noted with <variables>. For more information, see OIDC Authentication.
    #oidc connector
    kind: oidc
    version: v2
    metadata:
      name: appid
    spec:
      redirect_url: "https://<virtual server instance DNS FQDN>:3080/v1/webapi/oidc/callback"
      client_id: "<Client ID from AppID Service Credentials>"
      display: AppID
      client_secret: "<secret from AppID Service Credentials>"
      issuer_url: "<oauthServerUrl from AppID Service Credentials>"
      scope: ["openid", "email"]
      claims_to_roles:
      - {claim: "email", value: "<Email Address>", roles: ["teleport-admin"]}
    

    Example claim names are email, family_name, given_name, and name. The value is the claim value that a user must present for the listed roles to be assigned.

  13. Use tctl to apply the YAML files:

    • tctl create /var/lib/teleport/role.yaml
    • tctl create /var/lib/teleport/oidc.yaml
  14. Set up forwarding of Teleport logs and system logs. Teleport logs are located in the directory /var/lib/teleport and system logs in /var/log.

Logs must be forwarded to an operational logging solution. For more information, see operational logging.
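The procedure above leaves several files that are templated with <variables> and several that hold secrets (the HMAC keys in the systemd unit, the App ID client secret in oidc.yaml, the license and the TLS private key). The following pre-flight script is an added example, not part of the IBM Cloud tutorial or of Teleport. It assumes the file paths used in this procedure (/etc/teleport.yaml, /var/lib/teleport and /etc/systemd/system/teleport.service), which the TELEPORT_CONF, TELEPORT_DIR and TELEPORT_UNIT variables override. Run it before systemctl start teleport and before the tctl create commands: it reports unreplaced <variables>, license, certificate or key files referenced by teleport.yaml that do not exist, and secret-bearing files that other local users can read.

```shell
#!/bin/sh
# Added example (not from the IBM Cloud tutorial): a pre-flight check to run on
# the bastion before `systemctl start teleport` and `tctl create`. It looks for
# the mistakes this procedure invites: a `<placeholder>` left in teleport.yaml,
# oidc.yaml or the systemd unit; a license, certificate or key file referenced
# by teleport.yaml that does not exist; and a secret-bearing file (unit with
# HMAC keys, oidc.yaml, license, TLS key) that other local users can read.
# Paths default to the ones used in the procedure; TELEPORT_CONF, TELEPORT_DIR
# and TELEPORT_UNIT override them (the tests point them at a temporary dir).

TELEPORT_CONF=${TELEPORT_CONF:-/etc/teleport.yaml}
TELEPORT_DIR=${TELEPORT_DIR:-/var/lib/teleport}
TELEPORT_UNIT=${TELEPORT_UNIT:-/etc/systemd/system/teleport.service}

# placeholders FILE: print every line that still contains an unreplaced
# <variable>; returns 1 if any were found, 0 if the file is clean.
placeholders() {
    grep -n '<[^>]*>' "$1" && return 1
    return 0
}

# yaml_value KEY FILE: the value of the first `KEY: value` line, quotes removed.
# Enough for the flat keys teleport.yaml uses here; not a general YAML parser.
yaml_value() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | head -n 1 | tr -d '"'
}

# referenced_files_exist: every file path teleport.yaml points at must exist.
referenced_files_exist() {
    ref_status=0
    for key in license_file https_cert_file https_key_file; do
        path=$(yaml_value "$key" "$TELEPORT_CONF")
        if [ -z "$path" ]; then
            echo "$TELEPORT_CONF: key $key is not set"; ref_status=1
        elif [ ! -f "$path" ]; then
            echo "$TELEPORT_CONF: $key points at a missing file: $path"; ref_status=1
        fi
    done
    return $ref_status
}

# not_world_readable FILE: fail if "other" users have any permission bit set.
# Parses `ls -l` so it behaves the same on GNU and BSD userlands.
not_world_readable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    if [ "$(printf '%s' "$mode" | cut -c8-10)" != "---" ]; then
        echo "$1 is accessible to other users (mode $mode); chmod 600 it"
        return 1
    fi
    return 0
}

# preflight: run every check; exit status 0 only when all of them pass.
preflight() {
    status=0
    for f in "$TELEPORT_CONF" "$TELEPORT_UNIT" "$TELEPORT_DIR/oidc.yaml"; do
        if [ ! -f "$f" ]; then
            echo "missing file: $f"; status=1
        elif ! placeholders "$f" > /dev/null; then
            echo "unreplaced <placeholders> in $f"; status=1
        fi
    done
    referenced_files_exist || status=1
    # Files that must not be world-readable: the unit (HMAC keys), oidc.yaml
    # (App ID client secret), the license and the TLS private key. The public
    # certificate may stay world-readable.
    for f in "$TELEPORT_UNIT" "$TELEPORT_DIR/oidc.yaml" \
             "$(yaml_value license_file "$TELEPORT_CONF")" \
             "$(yaml_value https_key_file "$TELEPORT_CONF")"; do
        if [ -f "$f" ]; then
            not_world_readable "$f" || status=1
        fi
    done
    return $status
}

# Run the checks when invoked as `sh teleport-preflight.sh --check`.
if [ "${1:-}" = "--check" ]; then
    preflight
    exit $?
fi
```

A non-zero exit means at least one finding was printed; fix each and rerun until the script is silent. Because teleport.yaml is read with a deliberately simple key lookup, keep the license_file, https_cert_file and https_key_file entries on single lines as in the sample above.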

Log in to the bastion host

You can log in to the bastion host through the web console or tsh client as described in the following sections.

Log in through the web console

  1. Access the web console on port 3080.

    https://<fqdn of node>:3080

  2. Start a terminal session under Servers. There should be a single server with a Connect button. Click Connect and select the user that you want to log in as.

Log in through the tsh client

  1. Install the Teleport client tool tsh.

  2. Log in using tsh.

    tsh login --proxy=<fqdn of teleport server>:3080

  3. Run a shell or execute a command on a remote SSH node by using the tsh ssh command.

    tsh ssh <[user@]host>

Install tools

Now that the bastion host is set up and configured, you can install the tools that are needed to interact with your infrastructure, such as:

  1. IBM Cloud CLI and associated plug-ins.
  2. OpenShift Origin CLI.

For information on accessing your Red Hat OpenShift on IBM Cloud cluster via the tools above, see accessing Red Hat OpenShift clusters.

Remove SSH port from security group and access control list

Now that Teleport is installed and set up, remove SSH port 22 from the allowed ports in the security group and access control list that are assigned to the virtual server and its subnet.

Related controls in IBM Cloud Framework for Financial Services

See the related controls for bastion host.