IBM Cloud Docs
Setting up a bastion host that uses Teleport

Setting up a bastion host that uses Teleport

This tutorial shows you one way that can be used to meet the IBM Cloud Framework for Financial Services requirements that are related to bastion host. There are various ways to implement a compliant bastion solution, but we show you how to configure a bastion host in your VPC by using Teleport Enterprise Edition, along with Object Storage and App ID for enhanced security. You will learn how to set up a Teleport-based solution that meets the previously described IBM Cloud Framework for Financial Services requirements.

We provide guidance, but you are solely responsible for installing, configuring, and operating IBM third-party software in a way that satisfies IBM Cloud Framework for Financial Services requirements. In addition, IBM does not provide support for third-party software. So, if you choose to use Teleport and encounter issues with the Teleport software that require support, you should contact Teleport.

To implement your bastion host solution, you must complete the following high-level steps:

  1. Provision an instance of Object Storage and configure a bucket for storing session recordings.
  2. Provision an instance of App ID and configure a SAML-based identity provider.
  3. Provision a virtual server instance, install Teleport, and complete the Teleport configuration for unified access to your infrastructure.

Before you begin

Before you deploy and configure a bastion host into a virtual server instance running on the VPC reference architecture, make sure you have completed the following prerequisites:

  • Acquire a Teleport Enterprise Edition license
  • Configure a VPC like VPC 0 (Edge Network) in the architecture diagram

IBM Cloud for Financial Services reference architecture with bastion host
Figure 1. Single-region IBM Cloud for Financial Services reference architecture for VPC with bastion host

Limitations

The following limitations currently apply for the bastion host solution that is described:

  • Windows is not supported.
  • RDP is not supported.

Configure Object Storage

Complete the following steps to configure Object Storage.

  1. Provision a IBM Cloud® Object Storage instance with the Standard Plan.
  2. Create a custom bucket for storing session recordings with the following configuration:
    • Storage class set to Standard
    • Resiliency set to Regional
    • Location set to the region of your VPC
    • Retention set to 12 months
  3. Generate a new set of service credentials with the bucket permissions of Object Write access and the advanced option of Include HMAC Credentials enabled.

Teleport session recordings can contain sensitive information. You should have policies to ensure that operators do not enter secrets on the command line interface. In addition, you need to employ least privilege and make sure that access to these recordings is restricted only to those employees who need the recordings to do their jobs (such as your security incident response team).

Configure App ID

  1. Provision an IBM Cloud® App ID instance with the Graduated tier Plan.
  2. If you have your own SAML-based identity provider, complete the following steps:
    1. Configure your SAML-based identity provider within App ID.
    2. Set up MFA by using a physical hardware-based security key and your identity provider.
    3. Set up the following password policies:
    • Lock user accounts after three (3) consecutive failed logon attempts within 15 minutes.
    • Lock user accounts for 30 minutes after more than three unsuccessful logon attempts. When the lockout period ends, the user can reset their password. Internal privileged accounts must remain locked until they are released by an administrator.
    • Set sessions to time out after 15 minutes of inactivity.
  3. Generate a service credential with the role of Reader.
  4. From your App ID service dashboard, click Manage Authentication > Authentication Settings and add the web direct URLs of https://<virtual server instance FQDN>:3080/v1/webapi/oidc/callback.

Provision virtual server instances for Teleport Enterprise

  1. Provision a virtual server instance within each zone of the VPC cluster.
    • Profile: cx2-4x8 with 4 vCPUs, 8 GB RAM, 8 Gbps.
    • Linux-based operating system (CentOS, Debian, RHEL, Ubuntu).
  2. If your identity provider is hosted publicly and not accessible directly from the Teleport virtual server instance in the VPC, you must provision a public gateway.
  3. Register each virtual server instance that you plan to run Teleport into a Domain Name Server.
  4. Generate an SSL certificate for each of the provisioned virtual server instances or use a wildcard certificate.

Configure a security group for your virtual server instances

Configure the Security group for your virtual server instances.

Bastion host: Security group inbound rules
This table shows the security group rules needed for the bastion server.
Protocol Source type Source Port
TCP IP address or CIDR Block IP address or CIDR Block value Ports 22-22
TCP IP address or CIDR Block IP address or CIDR Block value Ports 3023-3025
TCP IP address or CIDR Block IP address or CIDR Block value Ports 3080-3080
Bastion host: Security group outbound rules
This table shows the security group rules needed for the bastion server.
Protocol Destination type Destination Value
TCP IP address or CIDR Block IP address or CIDR Block value Ports Any

Add any additional security group rules that are needed for connectivity to your resources.

Configure an access control list

Configure the access control list for the subnets that the bastion virtual server instances use to Allow inbound and outbound traffic. Make sure that there is a rule for each bastion virtual server instance if the ACL is used for multiple subnets.

Bastion host: Access control list inbound rules
This table shows the Access control list rules needed for the bastion server.
Protocol Source type Source Value Source Port Destination type Destination Value Destination Port
TCP IP address or CIDR Block IP address or CIDR Block value Any IP address IP address of bastion server 22
TCP IP address or CIDR Block IP address or CIDR Block value Any IP address IP address of bastion server 3023-3025
TCP IP address or CIDR Block IP address or CIDR Block value Any IP address IP address of bastion server 3080
Bastion host: Access control list outbound rules
This table shows the Access control list rules needed for the bastion server.
Protocol Source type Source Value Source Port Destination type Destination Value Destination Port
TCP IP address IP address of bastion server 22 IP address or CIDR Block IP address or CIDR Block value Any
TCP IP address IP address of bastion server 3023-3025 IP address or CIDR Block IP address or CIDR Block value Any
TCP IP address IP address of bastion server 3080 IP address or CIDR Block IP address or CIDR Block value Any

Add any additional access control list rules that are needed for connectivity to your resources.

Configure virtual server instances for Teleport Enterprise

With your virtual server instances provisioned and set-up with a security group and ACL, you can continue configuring the instance and installing Teleport. Then, complete the Teleport configuration for unified access to your infrastructure.

  1. Connect to your virtual server instance by using SSH.

  2. Download Teleport Enterprise version 7.1.0 and extract its contents. Copy the following packages to the /usr/local/bin directory:

    • cp <path of extracted contents>/teleport /usr/local/bin
    • cp <path of extracted contents>/tctl /usr/local/bin
    • cp <path of extracted contents>/tsh /usr/local/bin
  3. Create the directory /var/lib/teleport on the file system of your virtual server instance. This directory might exist depending on your installation method.

  4. Copy your license file from Teleport Enterprise into the file /var/lib/teleport/license.pem.

  5. Copy your SSL certificate for the virtual server instance into /var/lib/teleport/. You should have a file for the certificate and key. If you have an intermediate certificate, make sure it is after your certificate.

  6. Create the file teleport.yaml in the directory /etc and copy the sample content from the following example into the file. Ensure the appropriate changes where noted with <variables>.

    #teleport.yaml
    teleport:
      nodename: <fqdn of node>
      data_dir: /var/lib/teleport
      log:
        output: stderr
        severity: DEBUG
      storage:
        audit_sessions_uri: "s3://<Bucket>?endpoint=<COS Endpoint>&region=ibm"
    
    auth_service:
      enabled: "yes"
      listen_addr: 0.0.0.0:3025
      authentication:
        type: oidc
        local_auth: false
      license_file: /var/lib/teleport/license.pem
      message_of_the_day: "<banner message to be displayed to a user that must be acknowledged before logging into the bastion>"
    
    ssh_service:
      enabled: "yes"
      commands:
      - name: hostname
        command: [hostname]
        period: 1m0s
      - name: arch
        command: [uname, -p]
        period: 1h0m0s
    
    proxy_service:
      enabled: "yes"
      listen_addr: 0.0.0.0:3023
      web_listen_addr: 0.0.0.0:3080
      tunnel_listen_addr: 0.0.0.0:3024
      https_cert_file: /var/lib/teleport/<SSL Certificate PEM File>
      https_key_file: /var/lib/teleport/<SSL Certificate Key PEM File>
    
  7. Create the file /etc/systemd/system/teleport.service with the following example content. Make sure to enter your HMAC credentials that you generated previously in this procedure. For more information, see Systemd Unit File. Ensure the appropriate changes where noted with <variables>.

    [Unit]
    Description=Teleport Service
    After=network.target
    
    [Service]
    Type=simple
    Restart=on-failure
    Environment=AWS_ACCESS_KEY_ID="<HMAC access_key_id>"
    Environment=AWS_SECRET_ACCESS_KEY="<HMAC secret_access_key>"
    ExecStart=/usr/local/bin/teleport start --config=/etc/teleport.yaml --pid-file=/run/teleport.pid
    ExecReload=/bin/kill -HUP $MAINPID
    PIDFile=/run/teleport.pid
    
    [Install]
    WantedBy=multi-user.target
    
  8. Issue the following systemctl to load the teleport service.

    sudo systemctl daemon-reload
    sudo systemctl start teleport
    sudo systemctl enable teleport
    
  9. Some operating systems have open firewalls but if your operating system limits traffic, you must add firewall rules to allow TCP traffic for ports 3023, 3024, 3025, and 3080. CentOS is an example of an operating system that blocks traffic by default.

  10. Start the Teleport process systemctl start teleport.

  11. Create a Teleport Role. For more information, see Create Teleport Roles. For more information on settings for a Teleport role, see Teleport Access Control Reference.

    1. Create the file role.yaml within the directory /var/lib/teleport. The following sample role provides full access to the system. You can also create roles within the Teleport web console under Teams -> Roles.
    #example role
    kind: "role"
    version: "v3"
    metadata:
      name: "teleport-admin"
    spec:
      options:
        max_connections: 3
        cert_format: standard
        client_idle_timeout: 15m
        disconnect_expired_cert: no
        enhanced_recording:
        - command
        - network
        forward_agent: true
        max_session_ttl: 1h
        port_forwarding: false
      allow:
        logins: [root]
        node_labels:
          "*": "*"
        rules:
        - resources: ["*"]
          verbs: ["*"]
    
  12. Create the OIDC connector.

    1. Create the file oidc.yaml within the directory /var/lib/teleport by using the following example content. Ensure the appropriate changes where noted with <variables>. For more information, see OIDC Authentication.
    #oidc connector
    kind: oidc
    version: v2
    metadata:
      name: appid
    spec:
      redirect_url: "https://<virtual server instance DNS FQDN>:3080/v1/webapi/oidc/callback"
      client_id: "<Client ID from AppID Service Credentials>"
      display: AppID
      client_secret: "<secret from AppID Service Credentials>"
      issuer_url: "<oauthServerUrl from AppID Service Credentials>"
      scope: ["openid", "email"]
      claims_to_roles:
      - {claim: "email", value: "<Email Address>", roles: ["teleport-admin"]}
    

    Example claim names can be email, family_name, given_name, or name. The value is what that claims value will be set to.

  13. Using the tctl to apply the yamls:

    • tctl create /var/lib/teleport/role.yaml
    • tctl create /var/lib/teleport/oidc.yaml
  14. Set up forwarding of Teleport logs and system logs. Teleport logs are located in the directory /var/lib/teleport and system logs in /var/logs.

Logs must be forwarded to an operational logging solution. For more information, see operational logging

Log in to the bastion host

You can log in to the bastion host through the web console or tsh client as described in the following sections.

Log in through the the web console

  1. Access the web console on port 3080.

    https://<fqdn of node>:3080

  2. Start a terminal session under Servers. There should be a single server with a connect button. Click connect and select the user that you would like to log in with.

Log in through the tsh client

  1. Install the Teleport client tool tsh.

  2. Log in using tsh.

    tsh login --proxy=<fqdn of telport server>:3080

  3. Run shell or execute a command on a remote SSH node by using the tsh ssh command

    tsh ssh <[user@]host>

Install tools

Now that the bastion host is set up and configured, you can install the tools that are needed to interact with your infrastructure, such as:

  1. IBM Cloud CLI and associated plug-ins.
  2. OpenShift Origin CLI.

For information on accessing your Red Hat OpenShift on IBM Cloud cluster via the tools above, see accessing Red Hat OpenShift clusters.

Remove SSH port from security group and access control list

Now that Teleport is installed and setup, remove SSH port 22 from the allowed list of ports within the configured security group and access control list that is assigned to the virtual server and subnet.

Related controls in IBM Cloud Framework for Financial Services

See the related controls for bastion host.