Is there any way to suspend an account in Teleport?

Hi! I’m new to using Teleport and I’m trying to understand how I can suspend a user account in Teleport.

I created a user using the command

sudo tctl users add gizmo

gizmo@ubuntu:~$ sudo tctl users ls
User    Allowed logins
gizmo   gizmo

After that I tried to log in to the Teleport UI; everything is fine there.

I tried to log in to the server over SSH; that works fine too. But now I want to suspend the user account. Here is what I did for that.

I exported the user’s config using the command

gizmo@ubuntu:~$ sudo tctl get users/gizmo
kind: user
id: 1565807912043809706
name: gizmo
time: 0001-01-01T00:00:00Z
name: f3aeb983-e1c1-4a4b-8ba0-c597e75a9780.ubuntu
expires: 0001-01-01T00:00:00Z
  - admin
    is_locked: false
    lock_expires: 0001-01-01T00:00:00Z
    locked_time: 0001-01-01T00:00:00Z
    kubernetes_groups: null
    - gizmo
version: v2

I changed the is_locked parameter in the config file to

is_locked: true

and applied the new config file using the command

sudo tctl create -f gizmo.yaml

After that, I tried to log in to the Teleport UI and to start an SSH terminal session; everything still works and the user is not locked.

Can anyone explain how I can suspend users and reactivate them when I need to?

There isn’t any functionality to disable a user within Teleport’s internal database at the moment - the only way to make this happen is to delete their user account. We’re adding support to disable users in Teleport’s internal database in an upcoming release.

The is_locked flag in this instance is used internally within Teleport to lock an account for a period of time after a number of failed logins.

OK, got it. But for now, while you are implementing that functionality, if I want to suspend an account I need to remove it.

If I start using Teleport Enterprise, I suppose I can configure Teleport to pass authorization through Google SSO. For example, in Google I would have a group of users who can get access to Teleport nodes, and when I want to suspend a user account I can remove their account from the G Suite group. Can that be a solution?

Or maybe I can try to log in many times to a Teleport node using the user’s account and Teleport will lock it automatically because of the large number of attempts? Then I could unlock it by applying a new YAML file for that user with the flag is_locked: false?

Yes, that’s the best way to do it. Grant a certain group access to nodes and if you don’t want someone to have access any more, just remove them from the group.

It’s worth noting that currently, any certificate a user is issued will be valid until its TTL has expired - even if they’re no longer part of the group that has access. We’re working on functionality to revoke active certificates (which will be coming out at the same time as the ability to lock/suspend users) but for now, the best remedy is to set a shorter TTL on certificates if you think there’s a possibility that you might need to suspend someone’s access at short notice.

This isn’t really a reliable solution and I wouldn’t recommend it.

Cool! That makes sense. I can configure the session duration using max_session_ttl and then remove the user from the group; they will be unable to connect once the session expires, and I don’t need to ask the user to register again.
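The workflow the thread settles on, written out as an added example (this is not code from the thread or from the Teleport project): a role whose max_session_ttl bounds how long a certificate stays valid, plus a "suspend" step that takes the role away and reports the moment after which no certificate issued earlier can still work. The role name node-access, the 30m TTL, the user name gizmo and the output file name are assumptions; with SSO the removal step would be "remove them from the group" instead of tctl users rm. The ttl_to_seconds helper parses the h/m/s duration form Teleport accepts for max_session_ttl and rejects anything else.

```shell
#!/bin/sh
# Added example, not Teleport's own tooling. Assumed names: role "node-access",
# TTL "30m", user "gizmo". Run with "apply" to create the role, "suspend <user>"
# to remove a local user; with no argument it only defines the functions.

ROLE_NAME="${ROLE_NAME:-node-access}"   # assumed role name
SESSION_TTL="${SESSION_TTL:-30m}"       # assumed max_session_ttl

# Convert a duration as Teleport accepts it in max_session_ttl ("30m",
# "1h30m", "8h", "90s") to seconds. Prints the number; returns 1 on bad input.
ttl_to_seconds() {
  rest="$1"; total=0
  [ -n "$rest" ] || return 1
  while [ -n "$rest" ]; do
    num="${rest%%[hms]*}"                              # digits before the next unit
    unit="${rest#"$num"}"; unit="${unit%"${unit#?}"}"  # that single unit character
    case "$num" in ''|*[!0-9]*) return 1 ;; esac       # no digits, or not digits
    case "$unit" in
      h) total=$((total + num * 3600)) ;;
      m) total=$((total + num * 60)) ;;
      s) total=$((total + num)) ;;
      *) return 1 ;;                                   # unknown or missing unit
    esac
    rest="${rest#"$num$unit"}"
  done
  echo "$total"
}

# Epoch second after which no certificate issued before the removal at $1
# (epoch seconds) can still be valid, given the role's max_session_ttl $2.
access_gone_at() {
  secs=$(ttl_to_seconds "$2") || return 1
  echo $(( $1 + secs ))
}

# Role with a short max_session_ttl: every user mapped to it (locally or from
# an SSO group) receives certificates that expire within SESSION_TTL.
write_role_yaml() {
  cat <<EOF
kind: role
version: v3
metadata:
  name: $ROLE_NAME
spec:
  options:
    max_session_ttl: $SESSION_TTL
  allow:
    logins: ['{{internal.logins}}']
    node_labels:
      '*': '*'
EOF
}

# "Suspend" as the thread describes it: no lock or revocation exists, so the
# user is removed and the caller is told until when an already issued
# certificate may still be accepted.
suspend_user() {
  user="$1"
  sudo tctl users rm "$user"
  now=$(date +%s)
  deadline=$(access_gone_at "$now" "$SESSION_TTL")
  echo "$user removed at $now; certificates issued earlier may work until $deadline"
}

case "${1:-}" in
  apply)   write_role_yaml > "$ROLE_NAME.yaml" && sudo tctl create -f "$ROLE_NAME.yaml" ;;
  suspend) suspend_user "$2" ;;
esac
```

Keep the role's TTL as short as the users can tolerate re-authenticating: after group removal, the only thing that ends access is the expiry printed by suspend_user, so the TTL is the upper bound on how long a removed user can keep working.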

