Skip to content
QCecuring Documentation

Teleport Integration

Teleport Integration

Section titled “Teleport Integration”

Integrate SSH-KLM with Gravitational Teleport for certificate-based SSH access.

Overview

Section titled “Overview”

Teleport provides certificate-based SSH access. SSH-KLM complements Teleport by:

  • Managing static keys on legacy systems
  • Discovering unauthorized keys
  • Providing key inventory across hybrid environments

Architecture

Section titled “Architecture”
┌─────────────────────────────────────────────────────────────┐
│                    SSH-KLM Platform                         │
│  ┌─────────────┐    ┌─────────────┐    ┌─────────────┐     │
│  │  Discovery  │    │  Inventory  │    │   Alerts    │     │
│  └─────────────┘    └─────────────┘    └─────────────┘     │
└──────────────────────────┬──────────────────────────────────┘
                           │ API
┌──────────────────────────▼──────────────────────────────────┐
│                   Teleport Cluster                          │
│  ┌─────────────┐    ┌─────────────┐    ┌─────────────┐     │
│  │   Auth      │    │   Proxy     │    │    Node     │     │
│  │   Server    │    │   Server    │    │   Agents    │     │
│  └─────────────┘    └─────────────┘    └─────────────┘     │
└─────────────────────────────────────────────────────────────┘

Configuration

Section titled “Configuration”

Step 1: Create Teleport Bot

Section titled “Step 1: Create Teleport Bot”
teleport-bot.yaml
kind: bot
version: v1
metadata:
  name: ssh-klm-bot
spec:
  roles:
    - ssh-klm-reader

Step 2: Configure SSH-KLM

Section titled “Step 2: Configure SSH-KLM”
integrations:
  teleport:
    enabled: true
    proxyAddr: "teleport.example.com:443"


    # Bot authentication
    identityFile: /etc/ssh-klm/teleport-identity


    # Sync settings
    syncInterval: 5m
    importNodes: true

Step 3: Import Teleport Nodes

Section titled “Step 3: Import Teleport Nodes”
// Import nodes from Teleport
await client.integrations.teleport.sync();


// List imported hosts
const hosts = await client.ssh.listHosts({
  source: 'teleport'
});

Key Discovery

Section titled “Key Discovery”

SSH-KLM can discover static keys on Teleport-managed nodes:

// Find static keys that should be removed
const staticKeys = await client.ssh.listKeys({
  hosts: { source: 'teleport' },
  type: 'static'  // Not certificate-based
});


// Alert on unauthorized static keys
staticKeys.forEach(key => {
  if (key.riskScore > 50) {
    console.log(`Unauthorized key on ${key.host}: ${key.fingerprint}`);
  }
});

Hybrid Management

Section titled “Hybrid Management”

For environments transitioning to Teleport:

// Configure hybrid policy
await client.ssh.createPolicy({
  name: 'Teleport Transition',
  rules: [
    {
      // New systems: certificate-only
      match: { label: 'teleport-managed: true' },
      action: 'alert-on-static-keys'
    },
    {
      // Legacy systems: manage static keys
      match: { label: 'teleport-managed: false' },
      action: 'rotate-static-keys'
    }
  ]
});
Section titled “Related Pages”