Using Teleport's Certificate Authority with GitHub
Teleport supports exporting user SSH certificates with configurable key extensions. This allows the Teleport CA to be used in conjunction with GitHub's support for SSH Certificate Authorities. This way, users can access their organizations' repositories with short-lived, signed SSH certificates.
Prerequisites
-
A running Teleport cluster version 15.4.22 or above. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.
-
The
tctl
admin tool andtsh
client tool.On Teleport Enterprise, you must use the Enterprise version of
tctl
, which you can download from your Teleport account workspace. Otherwise, visit Installation for instructions on downloadingtctl
andtsh
for Teleport Community Edition.
- Access to GitHub Enterprise and permissions to modify GitHub's SSH Certificate Authorities.
- To check that you can connect to your Teleport cluster, sign in with
tsh login
, then verify that you can runtctl
commands using your current credentials.tctl
is supported on macOS and Linux machines. For example:If you can connect to the cluster and run the$ tsh login --proxy=teleport.example.com --user=email@example.com
$ tctl status
# Cluster teleport.example.com
# Version 15.4.22
# CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678tctl status
command, you can use your current credentials to run subsequenttctl
commands from your workstation. If you host your own Teleport cluster, you can also runtctl
commands on the computer that hosts the Teleport Auth Service for full permissions.
Step 1/3. Import the Teleport CA into GitHub
In order to export the Teleport CA, execute the following command, assigning proxy to the address of your Teleport Proxy Service:
$ curl 'https://proxy/webapi/auth/export?type=user' | sed 's/^cert-authority //g'
Next, follow the instructions in the guide below to import your Teleport CA into GitHub:
Managing your organization's SSH certificate authorities
The contents of the exported teleport.ca
file should by pasted into the "Key" field after clicking "New CA".
Step 2/3. Configure the GitHub key extension
Create or update a role to include the cert_extensions
option. The value of name
must be login@github.com
.
kind: role
version: v5
metadata:
name: developer
spec:
options:
cert_extensions:
- type: ssh
mode: extension
name: login@github.com # required to be `login@github.com`.
value: "{{ external.logins }}"
Assign the developer
role to your Teleport user by running the appropriate
commands for your authentication provider:
- Local User
- GitHub
- SAML
- OIDC
-
Retrieve your local user's roles as a comma-separated list:
$ ROLES=$(tsh status -f json | jq -r '.active.roles | join(",")')
-
Edit your local user to add the new role:
$ tctl users update $(tsh status -f json | jq -r '.active.username') \
--set-roles "${ROLES?},developer" -
Sign out of the Teleport cluster and sign in again to assume the new role.
-
Retrieve your
github
authentication connector:$ tctl get github/github --with-secrets > github.yaml
Note that the
--with-secrets
flag adds the value ofspec.signing_key_pair.private_key
to thegithub.yaml
file. Because this key contains a sensitive value, you should remove the github.yaml file immediately after updating the resource. -
Edit
github.yaml
, addingdeveloper
to theteams_to_roles
section.The team you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the team must include your user account and should be the smallest team possible within your organization.
Here is an example:
teams_to_roles:
- organization: octocats
team: admins
roles:
- access
+ - developer -
Apply your changes:
$ tctl create -f github.yaml
-
Sign out of the Teleport cluster and sign in again to assume the new role.
-
Retrieve your
saml
configuration resource:$ tctl get --with-secrets saml/mysaml > saml.yaml
Note that the
--with-secrets
flag adds the value ofspec.signing_key_pair.private_key
to thesaml.yaml
file. Because this key contains a sensitive value, you should remove the saml.yaml file immediately after updating the resource. -
Edit
saml.yaml
, addingdeveloper
to theattributes_to_roles
section.The attribute you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the group must include your user account and should be the smallest group possible within your organization.
Here is an example:
attributes_to_roles:
- name: "groups"
value: "my-group"
roles:
- access
+ - developer -
Apply your changes:
$ tctl create -f saml.yaml
-
Sign out of the Teleport cluster and sign in again to assume the new role.
-
Retrieve your
oidc
configuration resource:$ tctl get oidc/myoidc --with-secrets > oidc.yaml
Note that the
--with-secrets
flag adds the value ofspec.signing_key_pair.private_key
to theoidc.yaml
file. Because this key contains a sensitive value, you should remove the oidc.yaml file immediately after updating the resource. -
Edit
oidc.yaml
, addingdeveloper
to theclaims_to_roles
section.The claim you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the group must include your user account and should be the smallest group possible within your organization.
Here is an example:
claims_to_roles:
- name: "groups"
value: "my-group"
roles:
- access
+ - developer -
Apply your changes:
$ tctl create -f oidc.yaml
-
Sign out of the Teleport cluster and sign in again to assume the new role.
Step 3/3. Issue a user certificate
When you authenticated to Teleport to assume the developer
role we defined
earlier, Teleport added the certificate extensions you configured to your user
certificate. You can then refer to this path in your local SSH configuration.
For convenience, open a terminal and assign an environment variable to the location of your user certificate. Replace example.teleport.sh with the domain name of your Teleport cluster and myuser with the name of your Teleport user:
$ export TELEPORT_CERT=~/.tsh/keys/example.teleport.sh/myuser-ssh/example.teleport.sh-cert.pub
To test that authentication with this signed certificate is working correctly, SSH into github.com
with your organization's user:
$ ssh -i $TELEPORT_CERT org-<ID>@github.com
If authentication is successful, a "You've successfully authenticated" message should be displayed in the terminal.
This newly generated certificate may then be used when interacting with GitHub over SSH by adding the following to the ~/.ssh/config
file:
Host github.com
HostName github.com
IdentityFile path/to/cert.pub
When using SSH Certificate Authorities, you should retrieve your GitHub repository's SSH URL from the GitHub UI so the correct SSH user is used for authentication. For more information, see About SSH URLs with SSH certificates.