이 페이지에서는 Linux 호스트에 머신 및 워크로드 아이덴티티의 에이전트인 tbot을 배포하고, 내장 TPM 2.0 칩의 보안 아이덴티티를 사용하여 Teleport 클러스터에 인증하는 방법을 설명합니다.

tpm 조인 방법에는 클러스터의 Auth Service에 유효한 Teleport Enterprise 라이선스가 설치되어 있어야 합니다.

작동 방식#

The tpm join method is a secure way for Bots and Agents to authenticate with the Teleport Auth Service without using any shared secrets. Instead of using a shared secret, the unique identity of the host's Trusted Platform Module (TPM) and public key cryptography is used to authenticate the host.

In environments where there is no other form of identity available to machines, e.g on-prem, this is the most secure method for joining. It avoids the need to distribute a shared secret as is needed for the token join method.

A Trusted Platform Module (TPM) is a secure, physical cryptoprocessor that is installed on a host. TPMs can store cryptographic material and perform a number of cryptographic operations, without exposing the cryptographic material to the operating system. Each TPM has a unique key pair burned-in known as the Endorsement Key (EK). This key does not change, even if the host operating system is reinstalled.

Some TPMs also contain an X.509 certificate for this key pair that is signed by the manufacturer's CA. This is known as the EK Certificate (EKCert). This certificate can be used by the TPM to prove to a third-party (who trusts the manufacturer's CA) that the TPM is genuine and abides by the TPM specification.

When using the tpm join method, you must first query the TPM's public key and then create a join token that explicitly allows this public key. To list information about the detected TPM, run the teleport tpm identify command.

If you have a large number of hosts, it may make sense to use automation tooling such as Ansible to query the TPMs across your fleet and then generate join tokens.

사전 조건#

• A running Teleport cluster. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

• The tctl and tsh clients.

  Installing `tctl` and `tsh` clients

  1. Determine the version of your Teleport cluster. The tctl and tsh clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at /v1/webapi/find and use a JSON query tool to obtain your cluster version. Replace with the web address of your Teleport Proxy Service:

     $ TELEPORT_DOMAIN=
     $ TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')"
     

  2. Follow the instructions for your platform to install tctl and tsh clients:

To check that you can connect to your Teleport cluster, sign in with tsh login, then verify that you can run tctl commands using your current credentials.

For example, run the following command, assigning to the domain name of the Teleport Proxy Service in your cluster and to your Teleport username:

$ tsh login --proxy= --user=
$ tctl status
# Cluster  (=teleport.url=)
# Version  (=teleport.version=)
# CA pin   (=presets.ca_pin=)

If you can connect to the cluster and run the tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

• TPM2.0이 설치된 tbot을 설치할 Linux 호스트.
• 해당 호스트에서 tbot을 실행할 Linux 사용자. 이 가이드에서는 teleport를 사용합니다.

1/5단계. tbot 설치#

이 단계는 Linux 호스트에서 완료합니다.

먼저 머신 및 워크로드 아이덴티티를 사용할 VM에 tbot을 설치해야 합니다.

플랫폼에 적합한 Teleport 패키지를 다운로드합니다:

To install a Teleport Agent on your Linux server:

The recommended installation method is the cluster install script. It will select the correct version, edition, and installation mode for your cluster.

1. Assign to your Teleport cluster hostname and port, but not the scheme (https://).

2. Run your cluster's install script:

   $ curl "https:///scripts/install.sh" | sudo bash
   

tbot에 TPM 장치 접근 권한 부여#

tbot을 실행할 사용자가 root가 아닌 경우 사용자가 TPM 장치에 접근할 수 있도록 Linux를 구성해야 합니다.

이를 해결하는 가장 간단한 방법은 배포판에 tss 그룹이 포함되어 있는지 확인하고 해당 그룹에 사용자를 할당하는 것입니다. 그것이 불가능하거나 다른 솔루션을 찾고 있다면 TPM2 소프트웨어 스택에서 제공하는 것과 유사한 udev 규칙을 생성하는 것을 권장합니다.

2/5단계. 봇 생성#

Next, you need to create a Bot. A Bot is a Teleport identity for a machine or group of machines. Like users, bots have a set of roles and traits which define what they can access.

Create bot.yaml:

kind: bot
version: v1
metadata:
  # name is a unique identifier for the Bot in the cluster.
  name: example
spec:
  # roles is a list of roles to grant to the Bot. Don't worry if you don't know
  # what roles you need to specify here, the Access Guides will walk you through
  # creating and assigning roles to the already created Bot.
  roles: []

Make sure you replace example with a unique, descriptive name for your Bot.

Use tctl to apply this file:

$ tctl create bot.yaml

3/5단계. tpm 조인 토큰 생성#

봇이 생성되었으므로 이제 토큰을 생성해야 합니다. 이 토큰은 tbot이 Teleport 클러스터에 봇으로 인증하는 데 사용됩니다.

TPM의 EKPub 해시 또는 EKCert 시리얼 확인#

먼저 tbot을 설치할 호스트의 TPM 특성을 확인해야 합니다. 이 특성은 조인 토큰의 허용 규칙 내에서 이 특정 호스트에 대한 접근을 허용하는 데 사용됩니다.

머신에서 tbot tpm identify를 실행합니다:

$ tbot tpm identify
TPM Information
EKPub Hash: 6c5aada1c5abee6d869369a0example2fd2beb41c850d3f0227f029c4fffc4ba
EKCert Detected: true
EKCert Serial: 5e:cd:5f:8e

EKPub Hash 이후의 긴 16진수 문자열을 가져와 에 할당합니다. 이것은 이 TPM을 고유하게 식별하며 조인 토큰에 사용됩니다.

제조사 CA 획득#

이전 단계에서 EKCert Detected가 false였다면 이 섹션을 무시할 수 있습니다.

이전 단계에서 EKCert Detected가 true였다면 제조사의 CA 인증서를 획득하는 것이 권장됩니다. 이를 통해 조인 과정에서 TPM이 합법적으로 제조되었음을 검증할 수 있습니다.

EKCert CA 획득 지침은 TPM마다 다릅니다. 자세한 정보는 TPM 문서를 참조하거나 공급업체에 문의하세요.

조인 토큰 생성#

bot-token.yaml 파일을 생성합니다:

kind: token
version: v2
metadata:
  # name identifies the token. Try to ensure that this is descriptive.
  name: my-bot-token
spec:
  # For MWI joining via TPM, roles will always be "Bot" and join_method will
  # always be "tpm".
  roles: [Bot]
  join_method: tpm

  # bot_name specifies the name of the bot that this token will grant access to
  # when it is used.
  bot_name: example

  # tpm specifies the TPM join method specific configuration for this token.
  tpm:
    # ekcert_allowed_cas is a list of CA certificates that will be used to
    # validate TPM EKCerts. These should be PEM wrapped.
    #
    # When specified, joining TPMs must present an EKCert signed by one of the
    # specified CAs. TPMs that do not present an EKCert will be not permitted to
    # join.
    ekcert_allowed_cas:
      - |
        -----BEGIN CERTIFICATE-----
        ... CA Certificate Data ...
        -----END CERTIFICATE-----
    # allow is a list of Rules, the presented TPM must match one allow rule to
    # be permitted to join using this token.
    allow:
        # description is a human-readable description of the rule. It has no
        # bearing on whether a TPM is allowed to join, but can be used to
        # associate a rule with a specific host (e.g the asset tag of the server
        # in which the TPM resides).
      - description: "example-server-100"
        # ek_public_hash is the SHA256 hash of the EKPub marshaled in PKIX format
        # and encoded in hexadecimal. This value will also be checked when a TPM
        # has submitted an EKCert, and the public key in the EKCert will be used
        # for this check.
        ek_public_hash:  name="ek-public-hash" />

TPM에 EKCert가 포함되어 있고 제조사의 CA를 획득한 경우 ekcert_allowed_cas 섹션을 PEM으로 래핑된 CA 인증서로 교체합니다. 그렇지 않으면 이 섹션을 제거합니다.

동일한 봇으로 인증할 여러 호스트가 있는 경우 allow 목록에 각 호스트에 대한 추가 규칙을 추가할 수 있습니다.

tctl을 사용하여 Teleport 클러스터에 적용합니다:

$ tctl create -f bot-token.yaml

4/5단계. tbot 구성#

/etc/tbot.yaml을 생성합니다:

version: v2
proxy_server: example.teleport.sh:443
onboarding:
  join_method: tpm
  token: my-bot-token
storage:
  type: directory
  path: /var/lib/teleport/bot
# services will be filled in during the completion of an access guide.
services: []

다음을 교체합니다:

• example.teleport.sh:443을 Teleport Proxy의 주소로 교체합니다.

스토리지 디렉터리 준비#

tbot 서비스는 내부 자격 증명과 같은 상태를 재시작 간에 저장할 방법이 필요합니다. 이것을 스토리지 목적지라고 합니다.

이 예시에서는 /var/lib/teleport/bot 디렉터리를 사용합니다.

이 디렉터리는 봇의 민감한 자격 증명을 저장하므로 보호하는 것이 중요합니다. 이를 위해 tbot을 실행할 Linux 사용자만 접근할 수 있도록 디렉터리를 구성합니다.

teleport를 tbot을 실행할 Linux 사용자로 교체하여 다음을 실행합니다:

# Make the bot directory and assign ownership to teleport user
$ sudo mkdir -p /var/lib/teleport/bot
$ sudo chown teleport:teleport /var/lib/teleport/bot

systemd 서비스 생성#

By default, tbot will run in daemon mode. However, this must then be configured as a service within the service manager on the Linux host. The service manager will start tbot on boot and ensure it is restarted if it fails.

If tbot was installed using the Teleport install script or teleport-update command, the tbot systemd service is automatically created for you.

After tbot.yaml is created, enable and start the service::

$ sudo systemctl enable tbot --now

Check the service has started successfully:

$ sudo systemctl status tbot

Service properties like User and Group may be configured using systemctl edit tbot.`

If tbot was installed manually, service configuration will need to be performed manually as well.

For this guide, systemd will be demonstrated but tbot should be compatible with all common alternatives.

Use tbot install systemd to generate a systemd service file:

$ sudo tbot install systemd \
   --write \
   --config /etc/tbot.yaml \
   --user teleport \
   --group teleport \
   --anonymous-telemetry

Ensure that you replace:

• teleport with the name of Linux user you wish to run tbot as.
• /etc/tbot.yaml with the path to the configuration file you have created.

You can omit --write to print the systemd service file to the console instead of writing it to disk.

--anonymous-telemetry enables the submission of anonymous usage telemetry. This helps us shape the future development of tbot. You can disable this by omitting this.

Next, enable the service so that it will start on boot and then start the service:

$ sudo systemctl daemon-reload
$ sudo systemctl enable tbot --now

Check the service has started successfully:

$ sudo systemctl status tbot

5/5단계. 서비스 구성#

You have now prepared the base configuration for tbot. At this point, it identifies itself to the Teleport cluster and renews its own credentials but does not output any credentials for other applications to use.

Follow one of the access guides to configure a service that meets your access needs.

다음 단계#

• 환경에 맞게 tbot을 계속 구성하려면 접근 가이드를 따릅니다.
• tpm 조인에 대해 자세히 알아보려면 TPM 조인 레퍼런스를 읽어보세요.
• 모든 사용 가능한 구성 옵션을 탐색하려면 구성 레퍼런스를 읽어보세요.
• TELEPORT_ANONYMOUS_TELEMETRY에 대한 자세한 정보.