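---
# By default, this file should be stored in /etc/teleport.yaml
# (this copy is the "master" node: it runs auth, node and proxy services).
#
# This section of the configuration file applies to all teleport
# services.
teleport:
  # nodename allows to assign an alternative name this node can be reached by.
  # By default it's equal to hostname.
  nodename: mritd.master

  # Data directory where Teleport keeps its data, like keys/users for
  # authentication (if using the default BoltDB back-end).
  # It holds the cluster CA private keys: make it readable only by the user
  # Teleport runs as (e.g. mode 0700) and back it up as a secret.
  data_dir: /data/teleport

  # One-time invitation token used to join a cluster. It is not used on
  # subsequent starts.
  # SECURITY: a join token is a credential. Do not commit a real value to
  # version control; fill in the placeholder at deploy time. It must also be
  # a different string from any "auth" role token in auth_service.tokens,
  # otherwise a host that can join as a node can join as an auth server.
  auth_token: "<NODE_JOIN_TOKEN>"

  # When running in multi-homed or NATed environments Teleport nodes need
  # to know which IP it will be reachable at by other nodes.
  # This is a public address, so every 0.0.0.0 listener below is Internet
  # facing unless a host firewall restricts it.
  advertise_ip: 92.223.67.84

  # List of auth servers in a cluster. You will have more than one auth server
  # if you configure teleport auth to run in HA configuration.
  # This node runs the auth service itself, so point at its local listener.
  # 0.0.0.0 is a bind wildcard, not a connect address; it only works as a
  # target because Linux maps it to loopback, and it must not be listed twice.
  auth_servers:
    - 127.0.0.1:3025

  # Teleport throttles all connections to avoid abuse. These settings allow
  # you to adjust the default limits.
  connection_limits:
    max_connections: 1000
    max_users: 250

  # Logging configuration. Possible output values are 'stdout', 'stderr' and
  # 'syslog'. Possible severity values are INFO, WARN and ERROR (default).
  log:
    output: stdout
    severity: INFO

  # Type of storage used for keys. You need to configure this to use etcd
  # backend if you want to run Teleport in HA configuration.
  storage:
    type: bolt

  # Cipher algorithms that the server supports. This section only needs to be
  # set if you want to override the defaults. Listing an algorithm here
  # *enables* it, so never add RC4 (arcfour256/arcfour128): it is broken and
  # OpenSSH has removed it. AEAD first, then CTR modes.
  ciphers:
    - aes128-gcm@openssh.com
    - aes256-ctr
    - aes192-ctr
    - aes128-ctr

  # Key exchange algorithms that the server supports. This section only needs
  # to be set if you want to override the defaults.
  # diffie-hellman-group1-sha1 (1024-bit modulus, Logjam) and
  # diffie-hellman-group14-sha1 (SHA-1) are deliberately left out.
  kex_algos:
    - curve25519-sha256@libssh.org
    - ecdh-sha2-nistp256
    - ecdh-sha2-nistp384
    - ecdh-sha2-nistp521

  # Message authentication code (MAC) algorithms that the server supports.
  # This section only needs to be set if you want to override the defaults.
  # hmac-sha1 and the truncated hmac-sha1-96 are deliberately left out;
  # prefer the encrypt-then-MAC variant.
  mac_algos:
    - hmac-sha2-256-etm@openssh.com
    - hmac-sha2-256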
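# This section configures the 'auth service':
auth_service:
  # Turns 'auth' role on. Default is 'yes'.
  enabled: true

  authentication:
    # Default authentication type. Possible values are 'local', 'oidc' and 'saml'.
    # Only local authentication (Teleport's own user DB) is supported in the open
    # source version.
    type: local
    # second_factor can be off, otp, or u2f. Keep a second factor on: with
    # local passwords and a public advertise_ip, the login endpoints are
    # reachable from the Internet.
    second_factor: otp
    # This section is used if second_factor is set to 'u2f'.
    # u2f:
    #   # app_id must point to the URL of the Teleport Web UI (proxy) accessible
    #   # by the end users
    #   app_id: https://localhost:3080
    #   # facets must list all proxy servers if there are more than one deployed
    #   facets:
    #     - https://localhost:3080

  # IP and the port to bind to. Other Teleport nodes will be connecting to
  # this port (AKA "Auth API" or "Cluster API") to validate client
  # certificates. 0.0.0.0 on a host with a public advertise_ip exposes the
  # Auth API to the Internet: restrict it with a host firewall, or bind to
  # the private interface the other cluster members actually use.
  listen_addr: 0.0.0.0:3025

  # Pre-defined tokens for adding new nodes to a cluster. Each token specifies
  # the role a new node will be allowed to assume. The more secure way to
  # add nodes is to use `tctl nodes add --ttl=<duration>` to generate
  # auto-expiring tokens.
  #
  # Static tokens never expire and sit in plain text in this file, so:
  #   - use a distinct token per role. A "proxy,node" token must never be the
  #     same string as the "auth" token, or any host that can enrol as a node
  #     can enrol as an auth server -- the cluster's certificate authority;
  #   - generate them with a CSPRNG (`pwgen -s 32` or `openssl rand -hex 32`),
  #     32+ bytes long;
  #   - fill them in at deploy time; do not commit real values.
  tokens:
    - "proxy,node:<NODE_JOIN_TOKEN>"
    - "auth:<AUTH_JOIN_TOKEN>"

  # Optional "cluster name" is needed when configuring trust between multiple
  # auth servers. A cluster name is used as part of a signature in certificates
  # generated by this CA. Trusted clusters refer to this cluster by this name.
  #
  # By default an automatically generated GUID is used.
  #
  # IMPORTANT: if you change cluster_name, it will invalidate all generated
  # certificates and keys (you may need to wipe the data_dir, /data/teleport).
  cluster_name: "mritd"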
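# This section configures the 'node service':
ssh_service:
  # Turns 'ssh' role on. Default is 'yes'.
  enabled: true

  # IP and the port for SSH service to bind to.
  listen_addr: 0.0.0.0:3022

  # See explanation of labels in "Labeling Nodes" section below.
  labels:
    role: master

  # List of the commands to periodically execute. Their output will be used as
  # node labels. See "Labeling Nodes" section below for more information.
  # These presumably run with the daemon's own privileges, so keep the list
  # short and vetted; `command` is an argv list, not a shell string.
  commands:
    # This command will add a label like 'arch=x86_64' to a node.
    - name: arch
      command: [uname, -p]
      period: 1h0m0s

  # Enables reading ~/.tsh/environment before creating a session. By default
  # set to false, can be set true here or as a command line flag. Leave it
  # off unless you rely on it: it lets users inject environment variables
  # into every session they open.
  permit_user_env: false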
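# This section configures the 'proxy service':
proxy_service:
  # Turns 'proxy' role on. Default is 'yes'.
  enabled: true

  # SSH forwarding/proxy address. Command line (CLI) clients always begin their
  # SSH sessions by connecting to this port.
  listen_addr: 0.0.0.0:3023

  # Reverse tunnel listening address. An auth server (CA) can establish an
  # outbound (from behind the firewall) connection to this address.
  # This will allow users of the outside CA to connect to behind-the-firewall
  # nodes.
  tunnel_listen_addr: 0.0.0.0:3024

  # The HTTPS listen address to serve the Web UI and also to authenticate the
  # command line (CLI) users via password plus the configured second factor.
  web_listen_addr: 0.0.0.0:3080

  # TLS certificate for the HTTPS connection. Configuring these properly is
  # critical for Teleport security. Left unset, Teleport falls back to a
  # self-signed certificate: browsers and `tsh login` cannot verify the proxy,
  # users learn to click through warnings, and on a public advertise_ip a
  # man-in-the-middle can harvest credentials. Install a CA-issued certificate
  # for the proxy's DNS name, keep the key file readable only by the Teleport
  # user, and uncomment:
  # https_key_file: /var/lib/teleport/webproxy_key.pem
  # https_cert_file: /var/lib/teleport/webproxy_cert.pem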
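---
# Second host (mritd.test1): by default, this file should be stored in
# /etc/teleport.yaml on that host. It runs its own auth service, i.e. it is a
# separate cluster ("nat") rather than a member of the master's cluster.
#
# This section of the configuration file applies to all teleport
# services.
teleport:
  # nodename allows to assign an alternative name this node can be reached by.
  # By default it's equal to hostname.
  nodename: mritd.test1

  # Data directory where Teleport keeps its data, like keys/users for
  # authentication (if using the default BoltDB back-end).
  # It holds this cluster's CA private keys: make it readable only by the
  # user Teleport runs as (e.g. mode 0700).
  data_dir: /data/teleport

  # One-time invitation token used to join a cluster. It is not used on
  # subsequent starts.
  # SECURITY: a join token is a credential. Do not commit a real value to
  # version control; fill in the placeholder at deploy time, and do not reuse
  # the same string for the "auth" role token in auth_service.tokens.
  auth_token: "<NODE_JOIN_TOKEN>"

  # When running in multi-homed or NATed environments Teleport nodes need
  # to know which IP it will be reachable at by other nodes.
  advertise_ip: 172.16.0.80

  # List of auth servers in a cluster. You will have more than one auth server
  # if you configure teleport auth to run in HA configuration.
  auth_servers:
    - 172.16.0.80:3025

  # Teleport throttles all connections to avoid abuse. These settings allow
  # you to adjust the default limits.
  connection_limits:
    max_connections: 1000
    max_users: 250

  # Logging configuration. Possible output values are 'stdout', 'stderr' and
  # 'syslog'. Possible severity values are INFO, WARN and ERROR (default).
  log:
    output: stdout
    severity: INFO

  # Type of storage used for keys. You need to configure this to use etcd
  # backend if you want to run Teleport in HA configuration.
  storage:
    type: bolt

  # Cipher algorithms that the server supports. This section only needs to be
  # set if you want to override the defaults. Listing an algorithm here
  # *enables* it, so never add RC4 (arcfour256/arcfour128): it is broken and
  # OpenSSH has removed it. AEAD first, then CTR modes.
  ciphers:
    - aes128-gcm@openssh.com
    - aes256-ctr
    - aes192-ctr
    - aes128-ctr

  # Key exchange algorithms that the server supports. This section only needs
  # to be set if you want to override the defaults.
  # diffie-hellman-group1-sha1 (1024-bit modulus, Logjam) and
  # diffie-hellman-group14-sha1 (SHA-1) are deliberately left out.
  kex_algos:
    - curve25519-sha256@libssh.org
    - ecdh-sha2-nistp256
    - ecdh-sha2-nistp384
    - ecdh-sha2-nistp521

  # Message authentication code (MAC) algorithms that the server supports.
  # This section only needs to be set if you want to override the defaults.
  # hmac-sha1 and the truncated hmac-sha1-96 are deliberately left out;
  # prefer the encrypt-then-MAC variant.
  mac_algos:
    - hmac-sha2-256-etm@openssh.com
    - hmac-sha2-256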
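# This section configures the 'auth service':
auth_service:
  # Turns 'auth' role on. Default is 'yes'.
  enabled: true

  authentication:
    # Default authentication type. Possible values are 'local', 'oidc' and 'saml'.
    # Only local authentication (Teleport's own user DB) is supported in the open
    # source version.
    type: local
    # second_factor can be off, otp, or u2f. Keep a second factor on for
    # password-based local accounts.
    second_factor: otp
    # This section is used if second_factor is set to 'u2f'.
    # u2f:
    #   # app_id must point to the URL of the Teleport Web UI (proxy) accessible
    #   # by the end users
    #   app_id: https://localhost:3080
    #   # facets must list all proxy servers if there are more than one deployed
    #   facets:
    #     - https://localhost:3080

  # IP and the port to bind to. Other Teleport nodes will be connecting to
  # this port (AKA "Auth API" or "Cluster API") to validate client
  # certificates. Bound to the private interface only, which is the right
  # default for the Auth API.
  listen_addr: 172.16.0.80:3025

  # Pre-defined tokens for adding new nodes to a cluster. Each token specifies
  # the role a new node will be allowed to assume. The more secure way to
  # add nodes is to use `tctl nodes add --ttl=<duration>` to generate
  # auto-expiring tokens.
  #
  # Static tokens never expire and sit in plain text in this file, so:
  #   - use a distinct token per role. A "proxy,node" token must never be the
  #     same string as the "auth" token, or any host that can enrol as a node
  #     can enrol as an auth server -- the cluster's certificate authority;
  #   - generate them with a CSPRNG (`pwgen -s 32` or `openssl rand -hex 32`),
  #     32+ bytes long;
  #   - fill them in at deploy time; do not commit real values, and do not
  #     share token values between this cluster and the master cluster.
  tokens:
    - "proxy,node:<NODE_JOIN_TOKEN>"
    - "auth:<AUTH_JOIN_TOKEN>"

  # Optional "cluster name" is needed when configuring trust between multiple
  # auth servers. A cluster name is used as part of a signature in certificates
  # generated by this CA.
  #
  # By default an automatically generated GUID is used.
  #
  # IMPORTANT: if you change cluster_name, it will invalidate all generated
  # certificates and keys (you may need to wipe the data_dir, /data/teleport).
  cluster_name: "nat"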
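# This section configures the 'node service':
ssh_service:
  # Turns 'ssh' role on. Default is 'yes'.
  enabled: true

  # IP and the port for SSH service to bind to.
  listen_addr: 172.16.0.80:3022

  # See explanation of labels in "Labeling Nodes" section below.
  # NOTE(review): this host is mritd.test1 but carries the same role=master
  # label as the master node's config; labels are how users and policies
  # select nodes, so confirm this is intended and not a copy-paste leftover.
  labels:
    role: master

  # List of the commands to periodically execute. Their output will be used as
  # node labels. See "Labeling Nodes" section below for more information.
  # These presumably run with the daemon's own privileges, so keep the list
  # short and vetted; `command` is an argv list, not a shell string.
  commands:
    # This command will add a label like 'arch=x86_64' to a node.
    - name: arch
      command: [uname, -p]
      period: 1h0m0s

  # Enables reading ~/.tsh/environment before creating a session. By default
  # set to false, can be set true here or as a command line flag. Leave it
  # off unless you rely on it: it lets users inject environment variables
  # into every session they open.
  permit_user_env: false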
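# This section configures the 'proxy service':
proxy_service:
  # Turns 'proxy' role on. Default is 'yes'.
  enabled: true

  # SSH forwarding/proxy address. Command line (CLI) clients always begin their
  # SSH sessions by connecting to this port.
  listen_addr: 172.16.0.80:3023

  # Reverse tunnel listening address. An auth server (CA) can establish an
  # outbound (from behind the firewall) connection to this address.
  # This will allow users of the outside CA to connect to behind-the-firewall
  # nodes.
  tunnel_listen_addr: 172.16.0.80:3024

  # The HTTPS listen address to serve the Web UI and also to authenticate the
  # command line (CLI) users via password plus the configured second factor.
  web_listen_addr: 172.16.0.80:3080

  # TLS certificate for the HTTPS connection. Configuring these properly is
  # critical for Teleport security. Left unset, Teleport falls back to a
  # self-signed certificate, so browsers and `tsh login` cannot verify this
  # proxy and users learn to click through warnings. Install a certificate
  # issued by a CA your clients trust (an internal CA is fine on a private
  # network), keep the key file readable only by the Teleport user, and
  # uncomment:
  # https_key_file: /var/lib/teleport/webproxy_key.pem
  # https_cert_file: /var/lib/teleport/webproxy_cert.pem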
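---
# cluster.yaml -- trusted_cluster resource. It is created on the leaf ("nat")
# cluster, e.g. `tctl create cluster.yaml`, and establishes a reverse tunnel
# to the main cluster's proxy.
kind: trusted_cluster
version: v2
metadata:
  # The trusted cluster name MUST match the 'cluster_name' setting of the
  # main cluster whose proxy is referenced below. Assuming the main cluster
  # is the 92.223.67.84 node, that is "mritd"; a placeholder such as
  # "local_cluster" does not match any configured cluster_name.
  name: mritd
spec:
  # This field allows to create tunnels that are disabled, but can be enabled later.
  enabled: true
  # The token expected by the "main" cluster. It is a credential: generate it
  # on the main cluster with a limited TTL (`tctl tokens add
  # --type=trusted_cluster`), fill it in at deploy time and keep the real
  # value out of version control.
  token: "<TRUSTED_CLUSTER_TOKEN>"
  # The address in 'host:port' form of the reverse tunnel listening port on the
  # "master" proxy server:
  tunnel_addr: 92.223.67.84:3024
  # The address in 'host:port' form of the web listening port on the
  # "master" proxy server. The leaf contacts this HTTPS endpoint when joining,
  # so the main proxy should present a verifiable certificate
  # (https_cert_file) rather than a self-signed fallback -- do not work
  # around a verification failure with an insecure flag.
  web_proxy_addr: 92.223.67.84:3080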