access roles + alias to openssh host/ip

[dgiorgio]

It is not possible to define in the teleport, which users can access a host with OpenSSH.
Even if it is not possible to set the permissions via RBAC
There could be some way to limit that user X cannot access host Y.

Maybe some way to create aliases in Teleport.
ex:
alias_name=myserver-openssh
address=1.2.3.4
user=myuser
port=22

As soon as I ssh into host myserver-openssh, it automatically connects to host 1.2.3.4, and if I don't pass any user, it defaults to the user myuser.
With that, you could create "access roles", and which users can access.

[webvictim]

Have you looked into AuthorizedPrincipalsFile at all? From man sshd_config:

     AuthorizedPrincipalsFile
             Specifies a file that lists principal names that are accepted for certificate authentication.  When using certificates signed by a key listed in TrustedUserCAKeys, this file lists names, one of which must appear in the certificate for it to be ac‐
             cepted for authentication.  Names are listed one per line preceded by key options (as described in AUTHORIZED_KEYS FILE FORMAT in sshd(8)).  Empty lines and comments starting with ‘#’ are ignored.

             Arguments to AuthorizedPrincipalsFile accept the tokens described in the TOKENS section.  After expansion, AuthorizedPrincipalsFile is taken to be an absolute path or one relative to the user's home directory.  The default is none, i.e. not to use a
             principals file – in this case, the username of the user must appear in a certificate's principals list for it to be accepted.

             Note that AuthorizedPrincipalsFile is only used when authentication proceeds using a CA listed in TrustedUserCAKeys and is not consulted for certification authorities trusted via ~/.ssh/authorized_keys, though the principals= key option offers a sim‐
             ilar facility (see sshd(8) for details).

There's a good write-up on the bottom half of this page about how it works and what you can do with it: https://cottonlinux.com/ssh-certificates/

There's also a post from Facebook/Meta engineering which details how they use a similar method: https://engineering.fb.com/2016/09/12/security/scalable-and-secure-access-with-ssh/

[dgiorgio]

Interesting, I didn't know.
that way I can control access in OpenSSH.
But, I didn't understand how I'm going to use the Teleport certificates.
Will I have to generate a new certificate for each teleport user?

Imagine the following scenario.
2 locations, and 3 servers for each location.

location 1:

• server_app
• server_db
• server_apache

location 2:

• server_app
• server_db
• server_apache

each server has 4 users, for teleport users to access.

• root
• sudo_user
• common_user
• limited_user

and 3 users in the teleport:

• teleport_user1
• teleport_user2
• teleport_user3

the user teleport_user1, can access the common_user and limited_user users, from the servers that are in location1, but cannot log in any of the location2.

the user teleport_user2, can access the sudo_user, common_user and limited_user users, from the servers that are in location2, but cannot log in any of the location1.

the user teleport_user3, can access the root, sudo_user, common_user and limited_user users, from the servers that are in location1 and location2.

In sshd_config, I can create this configuration.

AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u

And these "principals"

/etc/ssh/auth_principals/root
/etc/ssh/auth_principals/sudo_user
/etc/ssh/auth_principals/common_user
/etc/ssh/auth_principals/limited_user

[webvictim]

I see the problem you're talking about. Using the Teleport ssh_service instead would let you easily set labels on each machine which could control RBAC at the Teleport level.

If you don't want to do that, I think one way to make this work otherwise would be to have different Teleport users for each location with different logins allowed for each. That way each server can have a full list of all the Teleport user/login combinations that it should allow.

teleport_user1 logins:

location1_common_user
location1_limited_user

teleport_user2 logins:

location2_sudo_user
location2_common_user
location2_limited_user

teleport_user3 logins:

location1_root_user
location1_sudo_user
location1_common_user
location1_limited_user
location2_root_user
location2_sudo_user
location2_common_user
location2_limited_user

You could also theoretically just allow each Teleport user to access a login with the same name i.e. teleport1 or teleport2 and then use AuthorizedPrincipalsFile to specify whether or not a given login is allowed to access that server or not.

[dgiorgio]

I see the problem you're talking about. Using the Teleport ssh_service instead would let you easily set labels on each machine which could control RBAC at the Teleport level.

If you don't want to do that, I think one way to make this work otherwise would be to have different Teleport users for each location with different logins allowed for each. That way each server can have a full list of all the Teleport user/login combinations that it should allow.

teleport_user1 logins:

location1_common_user
location1_limited_user

teleport_user2 logins:

location2_sudo_user
location2_common_user
location2_limited_user

teleport_user3 logins:

location1_root_user
location1_sudo_user
location1_common_user
location1_limited_user
location2_root_user
location2_sudo_user
location2_common_user
location2_limited_user

You could also theoretically just allow each Teleport user to access a login with the same name i.e. teleport1 or teleport2 and then use AuthorizedPrincipalsFile to specify whether or not a given login is allowed to access that server or not.

I would like to use Teleport ssh_service, but this server, is not possível to use, because all output are blocked.
Incoming ssh access is the only option.
Today, I sync some pub keys with these servers, and I saw that it's possível to use the teleport user's pub key as well.
/home/user/.tsh/keys/teleport.sample.com/user.pub

I believe that it's not possible, but is there some way to get the pub key from teleport users, by teleport server?