Setting up Teleport Access Plane on Linux

Secure Your Infrastructure: A Guide to Installing Teleport Access Plane on Linux

In today’s complex IT environments, managing secure access to servers, Kubernetes clusters, and internal applications is a critical challenge. Traditional methods like VPNs and bastion hosts often create security bottlenecks and administrative headaches. A modern solution is needed to provide identity-aware, audited access to your entire infrastructure stack.

This is where the Teleport Access Plane comes in. By setting up this central component on a Linux server, you can create a single gateway for all your infrastructure, enforcing strong authentication, fine-grained authorization, and comprehensive session logging. This guide provides a step-by-step walkthrough for installing and configuring the Teleport Access Plane.

What is the Teleport Access Plane?

Think of the Teleport Access Plane as the central nervous system for your secure access strategy. It is the core service that acts as a single point of entry for users and services. It is responsible for three primary functions:

  • Authentication: Verifying user identities, often by integrating with Single Sign-On (SSO) providers like Okta, GitHub, or Active Directory.
  • Authorization: Enforcing Role-Based Access Control (RBAC) to ensure users can only access the resources they are explicitly permitted to use.
  • Auditing: Recording every session, command, and event in a detailed audit log, providing complete visibility for security and compliance purposes.

By centralizing these functions, you eliminate the need for scattered credentials, shared SSH keys, and unmonitored access points, dramatically improving your security posture.

Prerequisites for Installation

Before you begin, ensure you have the following in place:

  • A dedicated Linux server: A fresh installation of a modern Linux distribution like Ubuntu 20.04+, Debian 11+, or RHEL/CentOS 8+ is recommended.
  • A public DNS name: Your Teleport cluster must be accessible via a fully qualified domain name (e.g., teleport.yourcompany.com).
  • Open firewall ports: You will need to allow inbound traffic on several TCP ports, primarily 443 (web UI and API), 3025 (SSH connections for nodes), and 3080 (web proxy).
  • Root or sudo privileges: You will need administrative access to the server to install software and configure services.
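
Before touching the server it is worth checking these prerequisites mechanically. The following script is an added example, not part of the original article: it validates the DNS name, confirms it resolves, and checks that the listed ports are not already bound by another service. It assumes a Linux host, because it reads the kernel's /proc/net/tcp and /proc/net/tcp6 socket tables, and it uses the three ports the article names.

```shell
#!/bin/sh
# Added example (not from the article): pre-flight checks for the
# prerequisites above. Assumes a Linux host (it reads /proc/net/tcp and
# /proc/net/tcp6) and the ports the article lists.

TELEPORT_PORTS="443 3025 3080"

# Accept only a syntactically valid, lower-case fully qualified domain name.
valid_fqdn() {
  printf '%s\n' "$1" |
    grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

# Print the TCP ports in LISTEN state (st == 0A) from a /proc/net/tcp-style
# table. Ports are stored there as hex, so convert them without relying on
# non-POSIX awk extensions. The optional file argument lets the function run
# against a captured table instead of the live kernel one.
listening_ports() {
  awk '
    function hex(s,    i, v) {
      v = 0
      for (i = 1; i <= length(s); i++)
        v = v * 16 + index("0123456789ABCDEF", toupper(substr(s, i, 1))) - 1
      return v
    }
    NR > 1 && $4 == "0A" { split($2, a, ":"); print hex(a[2]) }
  ' "${1:-/proc/net/tcp}" | sort -nu
}

# Return 0 when none of the given ports is bound in the given table, 1 otherwise.
ports_free() {
  table=$1; shift
  busy=$(listening_ports "$table")
  rc=0
  for p in "$@"; do
    if printf '%s\n' "$busy" | grep -qx "$p"; then
      echo "port $p is already in use on this host" >&2
      rc=1
    fi
  done
  return $rc
}

# Run every check for the name the cluster will be reached at.
preflight() {
  fqdn=$1
  rc=0
  [ "$(id -u)" -eq 0 ] || { echo "run as root or via sudo" >&2; rc=1; }
  valid_fqdn "$fqdn" || { echo "not a valid public DNS name: $fqdn" >&2; rc=1; }
  # The name must already resolve, or ACME certificate issuance will fail.
  getent hosts "$fqdn" >/dev/null || { echo "$fqdn does not resolve" >&2; rc=1; }
  # $TELEPORT_PORTS is deliberately unquoted so it splits into one port per argument.
  for t in /proc/net/tcp /proc/net/tcp6; do
    [ -r "$t" ] && { ports_free "$t" $TELEPORT_PORTS || rc=1; }
  done
  return $rc
}
```

Save it as preflight.sh, source it in a root shell and run preflight teleport.yourcompany.com; a non-zero exit with the printed reasons means the host is not ready yet. A port that is already in use is usually a leftover web server or an earlier Teleport install, and finding it now avoids a confusing bind error when the service starts.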

Step-by-Step Installation and Configuration

Setting up the Teleport Access Plane involves installing the software, creating a configuration file, and starting the service.

Step 1: Install the Teleport Binary

The easiest way to install Teleport is by using the official package repositories. This ensures you receive automatic updates and proper service management integration.

For Debian/Ubuntu systems:

# Add the Teleport repository and GPG key
sudo curl https://apt.releases.teleport.dev/gpg \
  -o /usr/share/keyrings/teleport-archive-keyring.asc

source /etc/os-release
echo "deb [signed-by=/usr/share/keyrings/teleport-archive-keyring.asc] \
  https://apt.releases.teleport.dev/${ID?} ${VERSION_CODENAME?} stable/v15" \
| sudo tee /etc/apt/sources.list.d/teleport.list > /dev/null

# Install Teleport
sudo apt-get update
sudo apt-get install teleport

For RHEL/CentOS/Fedora systems:

# Add the Teleport repository (yum-config-manager is provided by the yum-utils package)
sudo yum-config-manager --add-repo https://rpm.releases.teleport.dev/teleport.repo

# Install Teleport
sudo yum install teleport

Step 2: Configure the Teleport Service

Next, you need to create a configuration file at /etc/teleport.yaml. This file tells Teleport how to operate.

A minimal, secure configuration requires enabling the three core services (auth, proxy, and node) and specifying your cluster’s public address.

Create the file /etc/teleport.yaml with the following content, replacing teleport.yourcompany.com with your public DNS name and [email protected] with your email address for automatic Let’s Encrypt certificate generation.

teleport:
  data_dir: /var/lib/teleport
  log:
    # Set logging to INFO for production use.
    severity: INFO

auth_service:
  enabled: "yes"
  # The cluster name is visible in the Web UI.
  cluster_name: "production-cluster"

ssh_service:
  enabled: "yes"

proxy_service:
  enabled: "yes"
  # The public address of the proxy service; users and nodes connect to this name.
  public_addr: teleport.yourcompany.com:443
  # The web_listen_addr is where the Web UI will be served.
  # ACME requires the proxy to listen on port 443.
  web_listen_addr: 0.0.0.0:443
  # Use ACME (Let's Encrypt) for automatic TLS certificates.
  # ACME is a proxy_service setting; Teleport rejects unknown keys elsewhere.
  acme:
    enabled: "yes"
    email: "[email protected]"

This configuration automatically provisions a TLS certificate from Let’s Encrypt, which is essential for securing all traffic to and from your cluster.
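
A misplaced key or a leftover placeholder in this file is the most common reason the service fails to start, and Teleport rejects configuration keys it does not recognise. The following lint is an added example, not part of the article or of Teleport itself: it scans a teleport.yaml for placeholders left in place, an acme block outside proxy_service, ACME enabled on a web listener that is not on port 443, and a missing proxy public_addr. It assumes the two-space indentation used above and does not parse YAML in general.

```shell
#!/bin/sh
# Added example (not from the article or from Teleport): a small lint for
# /etc/teleport.yaml that catches the mistakes most likely to break the
# configuration above. Assumes two-space indentation; it is not a YAML parser.

lint_teleport_config() {
  awk '
    # A key at column 0 starts a new top-level section.
    /^[a-z_]+:/ { section = $1; sub(/:$/, "", section); in_acme = 0; next }
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
    {
      match($0, /^[ \t]*/); indent = RLENGTH
      line = substr($0, indent + 1)
      if (in_acme && indent <= acme_indent) in_acme = 0

      # 1. Tutorial placeholders still present.
      if (line ~ /yourcompany\.com|example\.com/)
        findings[++n] = "placeholder value still present: " line

      # 2. ACME is a proxy_service setting; anywhere else it is an unknown key.
      if (line ~ /^acme:/) {
        in_acme = 1; acme_indent = indent
        if (section != "proxy_service")
          findings[++n] = "acme block under " section ": ACME belongs under proxy_service"
        next
      }
      if (in_acme && section == "proxy_service" && line ~ /^enabled:[ \t]*"?(yes|true)/)
        acme_enabled = 1

      # 3. Record the proxy web port and whether a public address is set.
      if (section == "proxy_service" && line ~ /^web_listen_addr:/) {
        np = split(line, parts, ":"); web_port = parts[np]
        gsub(/[ \t"]/, "", web_port)
      }
      if (section == "proxy_service" && line ~ /^public_addr:/) has_public_addr = 1
    }
    END {
      if (acme_enabled && web_port != "443")
        findings[++n] = "ACME is enabled but the proxy web listener is on port " (web_port == "" ? "(unset)" : web_port) ", not 443"
      if (!has_public_addr)
        findings[++n] = "proxy_service.public_addr is missing"
      for (i = 1; i <= n; i++) print "FINDING: " findings[i]
      exit (n > 0 ? 1 : 0)
    }
  ' "$1"
}
```

Run lint_teleport_config /etc/teleport.yaml before starting the service; it prints one FINDING line per problem and exits non-zero when there is anything to fix. The port check matters because Let's Encrypt validates the domain over HTTPS on 443, so ACME on any other listener never completes.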

Step 3: Start and Enable the Service

With the configuration in place, you can now start the Teleport service and enable it to run automatically on boot.

sudo systemctl enable --now teleport

You can check the status of the service to ensure it started correctly:

sudo systemctl status teleport

Step 4: Create Your First Admin User

The final step is to create the first administrative user for your Teleport cluster. This user will have the editor and access roles, allowing them to manage the cluster and access resources.

Execute the following command, replacing admin-user with your desired username and specifying the built-in roles.

sudo tctl users add admin-user --roles=editor,access

This command will output a secure, one-time registration link. Copy this URL and open it in your web browser immediately, as it expires after a short period. Follow the on-screen instructions to set your password and configure Two-Factor Authentication (2FA), which is mandatory for security.

Accessing and Securing Your Cluster

Once you have completed the user registration, you can log in to the Teleport Web UI at your public DNS name (e.g., https://teleport.yourcompany.com). From this dashboard, you can monitor active sessions, review audit logs, and begin adding resources like SSH servers or databases to your cluster.

Essential Security Best Practices:

  • Integrate an SSO Provider: For production environments, it is highly recommended to integrate an SSO provider like Okta, Google Workspace, or GitHub instead of relying on local users. This centralizes identity management and strengthens authentication.
  • Principle of Least Privilege: Use Teleport’s powerful RBAC system to create custom roles with minimal permissions. Grant users access only to the specific resources they need to perform their jobs.
  • Review Audit Logs: Regularly monitor the audit log for suspicious activity. Teleport provides an immutable record of all actions taken within the cluster, which is a powerful tool for security analysis and compliance.
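
The audit log is only useful if someone actually reads it, and a repeated-failure summary is the quickest first pass. The script below is an added example, not part of the article or of Teleport: it summarises failed user.login events per user and per source address straight from the JSON-lines audit file, without needing jq. It assumes the default file location under data_dir (/var/lib/teleport/log/events.log with the configuration above) and the event fields event, user, success and addr.remote; the sample lines in the usage test are constructed and simplified, not real Teleport output.

```shell
#!/bin/sh
# Added example (not from the article or from Teleport): summarise failed
# logins from the Teleport audit log. Assumes the JSON-lines audit file that
# Teleport keeps under data_dir/log and the fields event, user, success and
# addr.remote on user.login events.

AUDIT_LOG=${AUDIT_LOG:-/var/lib/teleport/log/events.log}

# Print "<failures> <user> <distinct source addresses>" for every user with at
# least one failed user.login event, most failures first.
failed_logins_by_user() {
  awk '
    # Extract a string-valued field from one flat JSON line.
    function jstr(line, key,    re) {
      re = "\"" key "\":\"[^\"]*\""
      if (match(line, re))
        return substr(line, RSTART + length(key) + 4, RLENGTH - length(key) - 5)
      return ""
    }
    /"event":"user.login"/ && /"success":false/ {
      u = jstr($0, "user")
      a = jstr($0, "addr.remote"); sub(/:[0-9]+$/, "", a)   # drop the source port
      fails[u]++
      if (!((u, a) in seen)) { seen[u, a] = 1; sources[u]++ }
    }
    END { for (u in fails) print fails[u], u, sources[u] }
  ' "${1:-$AUDIT_LOG}" | sort -rn
}

# Print the users whose failure count reaches the threshold (default 5); a
# burst of failures against one account is the usual sign of password guessing.
flag_repeated_failures() {
  threshold=${2:-5}
  failed_logins_by_user "$1" | awk -v t="$threshold" '$1 >= t { print $2 }'
}
```

Run failed_logins_by_user on the live file for a daily glance, and wire flag_repeated_failures into a cron job or alerting hook if you have no SIEM yet. Once an SSO provider is integrated, failed local logins should be rare, so any user appearing in this output deserves a look.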

By following these steps, you have successfully deployed a secure and modern foundation for managing infrastructure access. The Teleport Access Plane is the first and most critical component in a system that brings zero-trust principles and operational efficiency to your entire organization.

Source: https://kifarunix.com/install-and-setup-teleport-access-plane-on-linux/
