Added new OpenSSH break glass admin management operations guide #49804
Conversation
Signed-off-by: Alen Haric <[email protected]>
github-actions
bot
requested review from
mmcallister,
r0mant,
xinding33 and
zmb3
deusxanima
added
the
no-changelog
|
🤖 Vercel preview here: https://docs-5h5xxnof7-goteleport.vercel.app/docs |
docs/pages/admin-guides/management/operations/breakglass-access.mdx
Outdated
Show resolved
Hide resolved
| Run the following after logging into Teleport via `tsh login` as the impersonating user: | ||
|
|
||
| ```bash | ||
| tctl auth sign --ttl 24h --user=breakglass --out=/safe/path/breakglass --format openssh |
There was a problem hiding this comment.
This user certificate is (or, at least, I really hope is) issued by the user CA, which is the signer that signs all the user certs that are given out to users, but above we configured opensshd to trust the openssh CA, which signs certificates that are only ever in possession of the proxy - a regular user won't be able to obtain such a certificate.
There was a problem hiding this comment.
Interesting. From what I can see, it looks like the CA that's exported with the proxy via the https://proxy.example.com/webapi/auth/export?type=openssh endpoint, is of type "user" instead of OpenSSH according to the extension appended at the end:
e.g.:
cert-authority ssh-rsa <my_ca> clustername=alen.teleport.sh&type=user
I can confirm that passing type=user instead during the export produces a different CA, but if the former is not expected to work with user certs generated via tctl auth sign ... --format openssh, there may be another problem altogether as I can get it to work reliably right now (unless again I'm turned around on this and misunderstanding, which very likely could be the case)
|
Hi @deusxanima, would this PR address #3760? It's one of our oldest docs issues, so it'd be great to see it cleared! |
Partially, yes. Specifically it would cover the "If Teleport Auth cluster is offline" scenario in the original request. |
Signed-off-by: Alen Haric <[email protected]>
deusxanima
temporarily deployed
to
docs-amplify
GitHub Actions
Inactive
|
Amplify deployment status
|
Signed-off-by: Alen Haric <[email protected]>
deusxanima
temporarily deployed
to
docs-amplify
GitHub Actions
Inactive
Added guide with instructions on how to configure OpenSSH break glass access with Teleport CA signed certificates for out-of-band access if Teleport server resources or cluster servers become unavailable and/or unresponsive.