InfoGrab Docs

Deploying tbot on Linux (TPM)

How to install and configure `tbot`, the Machine & Workload Identity agent, on a Linux host so that it uses TPM 2.0 for authentication

This page explains how to deploy tbot, the Machine & Workload Identity agent, on a Linux host and authenticate it to a Teleport cluster using the secure identity of the host's built-in TPM 2.0 chip. The tpm join method requires a valid Teleport Enterprise license to be installed on the cluster's Auth Service.

How it works

The tpm join method is a secure way for Bots and Agents to authenticate with the Teleport Auth Service without using any shared secrets. Instead of a shared secret, the unique identity of the host's Trusted Platform Module (TPM) together with public key cryptography is used to authenticate the host. In environments where machines have no other form of identity available, e.g. on-premises, this is the most secure method for joining, and it avoids having to distribute a shared secret as the token join method requires.

A Trusted Platform Module (TPM) is a secure physical cryptoprocessor installed in a host. A TPM can store cryptographic material and perform a number of cryptographic operations without ever exposing that material to the operating system. Each TPM has a unique burned-in key pair known as the Endorsement Key (EK). This key does not change, even if the host operating system is reinstalled. Some TPMs also contain an X.509 certificate for this key pair, signed by the manufacturer's CA, known as the EK Certificate (EKCert). The TPM can use this certificate to prove to a third party that trusts the manufacturer's CA that the TPM is genuine and conforms to the TPM specification.

When using the tpm join method, you must
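The EKCert check described above, as an added Go example that is not part of this page or of the Teleport/tbot code base: a constructed manufacturer CA issues an EKCert, and a verifier that trusts that CA accepts it while rejecting a self-signed EKCert that never chained to a manufacturer. The tcg-kp-EKCertificate OID (2.23.133.8.1) is the real TCG extended key usage for EK certificates; the CA name, serial numbers and keys are constructed test data, and the proof that the TPM actually holds the EK private key (a TPM challenge) is assumed to follow this check and is not implemented here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

var oidEKCertificate = asn1.ObjectIdentifier{2, 23, 133, 8, 1} // tcg-kp-EKCertificate (TCG EK Credential Profile)
// VerifyEKCert is what a party that trusts a manufacturer's CA checks on an EKCert: a valid chain to that CA and the EK usage.
func VerifyEKCert(ekCert, manufacturerCA *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(manufacturerCA)
	if _, err := ekCert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err // not issued by the trusted manufacturer, so the TPM cannot be shown to be genuine
	}
	for _, oid := range ekCert.UnknownExtKeyUsage {
		if oid.Equal(oidEKCertificate) {
			return nil // chain and usage are right; a real join would now challenge the TPM to prove it holds the EK
		}
	}
	return errors.New("chains to the manufacturer CA but lacks the EK certificate usage")
}
// sign makes a P-256 key for tmpl and returns the signed, parsed certificate plus that key (self-signed if parent is nil).
func sign(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed test data, not a real TPM key
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// Demo: a constructed manufacturer CA verifies an EKCert it issued and a self-signed one (what a forger or software TPM could make).
func Demo() (genuine, selfSigned error) {
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example TPM Manufacturer CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	ek := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), // empty subject, as in real EKCerts
		UnknownExtKeyUsage: []asn1.ObjectIdentifier{oidEKCertificate}}
	mfr, mfrKey := sign(ca, nil, nil)
	genuineEK, _ := sign(ek, mfr, mfrKey)
	forgedEK, _ := sign(ek, nil, nil)
	return VerifyEKCert(genuineEK, mfr), VerifyEKCert(forgedEK, mfr)
}
```

Demo returns a nil error for the manufacturer-issued EKCert and a non-nil error for the self-signed one, which is exactly the distinction a verifier relies on when it has nothing but the manufacturer's CA to trust.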