Does Teleport support other SSH servers?

Hi there,
I’m trying to find a way to log in to some of my network devices via Teleport for session recording purposes. I read the guide for OpenSSH, but for another SSH server, like Cisco devices, is there any way to implement Teleport? Like storing the password and SSHing from the Teleport proxy to the device using the password?

Thank you,
Tan

Hi! Teleport only supports certificate authentication - there’s no way to make it use a public key or password to authenticate, I’m afraid.

One solution you might try could be to enforce all SSH access to non-compatible devices to go via a particular bastion host in your infrastructure running the Teleport node service so that you can record the sessions there, and keep the password in a vault or similar which can only be accessed from that host.

Thank you for clarifying. I just wonder if there is any strict reason that makes public key or password unusable? (I mean in recording proxy mode only.) With it, I think, some small and mid-size companies with only servers and network devices could use Teleport for privileged account management purposes.

Teleport’s architecture specifically uses Certificate authentication. Certificates offer multiple benefits over static keys and passwords including expiration time, meta-data, SSH restrictions. Offering these other methods could create holes in the security architecture of the solution.

Teleport supports proxying and recording for servers that do not support certificates but do support the SSH protocol:

  • Turn on ssh-agent forwarding
  • Load public keys in your SSH agent
  • Set up Teleport in recording mode

# snippet from /etc/teleport.yaml
auth_service:
   # Session Recording must be set to Proxy to work with OpenSSH
   session_recording: "proxy"  # can also be "off" and "node" (default)
   # Not recommended for non-legacy systems. Proxy will be vulnerable to MITM attacks.
   proxy_checks_host_keys: false

# tsh or SSH will offer public key loaded in the agent and proxy will offer the agent
# to the target node
$ tsh -A alice@host
$ ssh -A alice@host -J proxy

IMPORTANT: We recommend setting up a separate cluster with these settings.
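
Added example, not part of the thread and not Teleport's own code: a small audit script that reads the `auth_service` block of a `teleport.yaml` and flags the two settings quoted above, recording-proxy mode and disabled host key checking. The sample config, the finding names and the line-based parser (which handles only simple scalar keys) are constructed for illustration.

```python
import re

# Constructed sample: the auth_service settings quoted in the thread.
SAMPLE = '''\
auth_service:
   # Session Recording must be set to Proxy to work with OpenSSH
   session_recording: "proxy"  # can also be "off" and "node" (default)
   proxy_checks_host_keys: false
ssh_service:
   enabled: true
'''

FALSY = {"false", "no"}  # spellings treated as "disabled" by this script


def auth_settings(text):
    """Return scalar key/value pairs nested under auth_service (flattened)."""
    settings, inside = {}, False
    for raw in text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw).rstrip()  # drop comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # top-level key: enter or leave the section
            inside = line.split(":")[0] == "auth_service"
            continue
        if inside:
            key, _, value = line.strip().partition(":")
            settings[key.strip()] = value.strip().strip("\"'").lower()
    return settings


def audit(text):
    """Return findings for the recording-proxy settings discussed in the thread."""
    s = auth_settings(text)
    findings = []
    mode = s.get("session_recording", "node")  # thread gives "node" as default
    if mode == "proxy":
        findings.append("recording-proxy: agent forwarding is required; "
                        "keep these settings on a separate cluster")
        if s.get("proxy_checks_host_keys") in FALSY:
            findings.append("host-keys-unchecked: proxy does not verify target "
                            "host keys and is exposed to MITM")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```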