From 1bbd7650ff563b5391086270eeea0ca5efbda31f Mon Sep 17 00:00:00 2001 From: Marco Dinis Date: Fri, 24 Mar 2023 12:21:04 +0000 Subject: [PATCH 01/10] Docs: prefer `curl .../auth/export` instead of `tctl auth export` --- .../desktop-access/active-directory-manual.mdx | 6 ++---- docs/pages/desktop-access/getting-started.mdx | 6 ++---- docs/pages/desktop-access/troubleshooting.mdx | 10 ++-------- .../pages/management/guides/ssh-key-extensions.mdx | 10 ++-------- docs/pages/server-access/guides/openssh.mdx | 14 ++------------ .../server-access/guides/recording-proxy-mode.mdx | 3 +-- 6 files changed, 11 insertions(+), 38 deletions(-) diff --git a/docs/pages/desktop-access/active-directory-manual.mdx b/docs/pages/desktop-access/active-directory-manual.mdx index aeb50786be3c8..465540027054e 100644 --- a/docs/pages/desktop-access/active-directory-manual.mdx +++ b/docs/pages/desktop-access/active-directory-manual.mdx @@ -189,14 +189,12 @@ These steps will need to be repeated if Teleport's user certificate authority is -1. Get the Teleport user CA certificate by running: +Get the Teleport user CA certificate by running the following in the Windows machine where you can manage your group policy. ```code -$ tctl auth export --type=windows > user-ca.cer +$ curl https://teleport.example.com/webapi/auth/export?type=windows > user-ca.cer ``` -2. Transfer the `user-ca.cer` file to a Windows machine where you can manage your group policy. - Take note of the path to the `user-ca.cer` file, as you will need this in the next step. diff --git a/docs/pages/desktop-access/getting-started.mdx b/docs/pages/desktop-access/getting-started.mdx index b238be628060a..73e8f0e6b6a85 100644 --- a/docs/pages/desktop-access/getting-started.mdx +++ b/docs/pages/desktop-access/getting-started.mdx 
@@ -47,14 +47,12 @@ to your Windows system, and prepare it for passwordless access through Teleport. ### Import the Teleport root certificate -Use `tctl` to export the Teleport user certificate authority: +Export the Teleport user certificate authority by running the following from your Windows system: ```code -$ tctl auth export --type=windows > teleport.cer +curl 'https://teleport-proxy.example.com:443/webapi/auth/export?type=windows' > teleport.cer ``` -Copy this certificate to your Windows system, if you didn't run `tctl` from there. - ### Install the Teleport service for Windows From the Windows system, download the [Teleport Windows Auth diff --git a/docs/pages/desktop-access/troubleshooting.mdx b/docs/pages/desktop-access/troubleshooting.mdx index c572bf1b96127..455ac8cf634aa 100644 --- a/docs/pages/desktop-access/troubleshooting.mdx +++ b/docs/pages/desktop-access/troubleshooting.mdx @@ -61,20 +61,14 @@ new CA using the following command: ```code -# Log in to your cluster with tsh so you can use tctl from your local machine. -# You can also run tctl on your Auth Service host without running "tsh login" -# first. -$ tsh login --proxy=teleport.example.com --user=myuser -$ tctl auth export --type=windows >user-ca.cer +curl 'https://teleport.example.com/webapi/auth/export?type=windows' > user-ca.cer ``` ```code -# Log in to your Teleport cluster so you can use tctl remotely. -$ tsh login --proxy=mytenant.teleport.sh --user=myuser -$ tctl auth export --type=windows >user-ca.cer +curl 'https://mytenant.teleport.sh/webapi/auth/export?type=windows' > user-ca.cer ``` diff --git a/docs/pages/management/guides/ssh-key-extensions.mdx b/docs/pages/management/guides/ssh-key-extensions.mdx index 37bc899a7212e..3bebce285e8e8 100644 --- a/docs/pages/management/guides/ssh-key-extensions.mdx +++ b/docs/pages/management/guides/ssh-key-extensions.mdx 
@@ -18,20 +18,14 @@ In order to export the Teleport CA, execute the following command: ```code -# Log in to your cluster with tsh so you can use tctl from your local machine. -# You can also run tctl on your Auth Service host without running "tsh login" -# first. -$ tsh login --proxy=teleport.example.com --user=myuser -$ tctl auth export --type=user | sed 's/^cert-authority //g' +$ curl 'https://teleport.example.com/webapi/auth/export?type=user' | sed 's/^cert-authority //g' ``` ```code -# Log in to your Teleport cluster so you can use tctl remotely. -$ tsh login --proxy=mytenant.teleport.sh --user=myuser -$ tctl auth export --type=user | sed 's/^cert-authority //g' +$ curl 'https://mytenant.teleport.sh/webapi/auth/export?type=user' | sed 's/^cert-authority //g' ``` diff --git a/docs/pages/server-access/guides/openssh.mdx b/docs/pages/server-access/guides/openssh.mdx index ed76283e4517b..30bf2e9534837 100644 --- a/docs/pages/server-access/guides/openssh.mdx +++ b/docs/pages/server-access/guides/openssh.mdx @@ -38,20 +38,10 @@ certificates generated by the Teleport Auth Service. Start by exporting the Teleport CA public key. -On your local machine, print the Teleport certificate authority certificate to -stdout: - -```code -$ tctl auth export --type=user | sed "s/cert-authority\ //" -``` - -Copy the output. - On the host where you are running `sshd`, run the following commands. -Assign the output of the `tctl auth export` command to an environment variable: - ```code +$ curl 'https://teleport.example.com/webapi/auth/export?type=user' | sed "s/cert-authority\ //" $ export KEY="" ``` 
@@ -508,4 +498,4 @@ $ ssh -F ssh_config_teleport ${USER?}@node2.leafcluster.${CLUSTER} To revoke the current Teleport CA and generate a new one, run `tctl auth rotate`. Unless you've highly automated your infrastructure, we would suggest you proceed with caution as this will invalidate the user -and host CAs, meaning that the new CAs will need to be exported to every OpenSSH-based machine again using `tctl auth export` as above. +and host CAs, meaning that the new CAs will need to be exported to every OpenSSH-based machine again using `curl .../auth/export` as above. diff --git a/docs/pages/server-access/guides/recording-proxy-mode.mdx b/docs/pages/server-access/guides/recording-proxy-mode.mdx index b376ca3f6a5dd..18f018d55de4d 100644 --- a/docs/pages/server-access/guides/recording-proxy-mode.mdx +++ b/docs/pages/server-access/guides/recording-proxy-mode.mdx @@ -123,8 +123,7 @@ On your Teleport Node, export the Teleport Certificate Authority certificate into a file and update your SSH configuration to trust Teleport's CA: ```code -# tctl needs to be run on the Auth Server. -$ sudo tctl auth export --type=user | sed s/cert-authority\ // > teleport_user_ca.pub +$ curl 'https://teleport.example.com/webapi/auth/export?type=user' | sed s/cert-authority\ // > teleport_user_ca.pub $ sudo mv ./teleport_user_ca.pub /etc/ssh/teleport_user_ca.pub $ echo "TrustedUserCAKeys /etc/ssh/teleport_user_ca.pub" | sudo tee -a /etc/ssh/sshd_config ``` From eaad4b65c0fad321b3ec7703c1933d6fb92a4ba8 Mon Sep 17 00:00:00 2001 From: Marco Dinis Date: Fri, 24 Mar 2023 14:33:02 +0000 Subject: [PATCH 02/10] consistent usage of curl command --- docs/pages/desktop-access/active-directory-manual.mdx | 2 +- docs/pages/desktop-access/getting-started.mdx | 2 +- docs/pages/desktop-access/troubleshooting.mdx | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/docs/pages/desktop-access/active-directory-manual.mdx b/docs/pages/desktop-access/active-directory-manual.mdx index 465540027054e..715877a71593f 100644 --- a/docs/pages/desktop-access/active-directory-manual.mdx +++ b/docs/pages/desktop-access/active-directory-manual.mdx @@ -192,7 +192,7 @@ These steps will need to be repeated if Teleport's user certificate authority is Get the Teleport user CA certificate by running the following in the Windows machine where you can manage your group policy. ```code -$ curl https://teleport.example.com/webapi/auth/export?type=windows > user-ca.cer +$ curl 'https://teleport.example.com/webapi/auth/export?type=windows' > user-ca.cer ``` diff --git a/docs/pages/desktop-access/getting-started.mdx b/docs/pages/desktop-access/getting-started.mdx index 73e8f0e6b6a85..0257dfa4c6e1f 100644 --- a/docs/pages/desktop-access/getting-started.mdx +++ b/docs/pages/desktop-access/getting-started.mdx @@ -50,7 +50,7 @@ to your Windows system, and prepare it for passwordless access through Teleport. Export the Teleport user certificate authority by running the following from your Windows system: ```code -curl 'https://teleport-proxy.example.com:443/webapi/auth/export?type=windows' > teleport.cer +$ curl 'https://teleport-proxy.example.com:443/webapi/auth/export?type=windows' > teleport.cer ``` ### Install the Teleport service for Windows diff --git a/docs/pages/desktop-access/troubleshooting.mdx b/docs/pages/desktop-access/troubleshooting.mdx index 455ac8cf634aa..bcbf2ba11c1ee 100644 --- a/docs/pages/desktop-access/troubleshooting.mdx +++ b/docs/pages/desktop-access/troubleshooting.mdx 
@@ -61,14 +61,14 @@ new CA using the following command: ```code -curl 'https://teleport.example.com/webapi/auth/export?type=windows' > user-ca.cer +$ curl 'https://teleport.example.com/webapi/auth/export?type=windows' > user-ca.cer ``` ```code -curl 'https://mytenant.teleport.sh/webapi/auth/export?type=windows' > user-ca.cer +$ curl 'https://mytenant.teleport.sh/webapi/auth/export?type=windows' > user-ca.cer ``` From f194f4b306f8112ae774c0a714fe15b32e38811c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marco=20Andr=C3=A9=20Dinis?= Date: Tue, 28 Mar 2023 10:57:21 +0100 Subject: [PATCH 03/10] Update docs/pages/desktop-access/active-directory-manual.mdx Co-authored-by: Paul Gottschling --- docs/pages/desktop-access/active-directory-manual.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/pages/desktop-access/active-directory-manual.mdx b/docs/pages/desktop-access/active-directory-manual.mdx index 715877a71593f..168e30f971624 100644 --- a/docs/pages/desktop-access/active-directory-manual.mdx +++ b/docs/pages/desktop-access/active-directory-manual.mdx @@ -189,7 +189,7 @@ These steps will need to be repeated if Teleport's user certificate authority is -Get the Teleport user CA certificate by running the following in the Windows machine where you can manage your group policy. +Get the Teleport user CA certificate by running the following in the Windows machine where you can manage your group policy: ```code $ curl 'https://teleport.example.com/webapi/auth/export?type=windows' > user-ca.cer From b910493df5ef8063aaba7fc9849606211bf38b3d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marco=20Andr=C3=A9=20Dinis?= Date: Tue, 28 Mar 2023 10:57:30 +0100 Subject: [PATCH 04/10] Update docs/pages/server-access/guides/openssh.mdx Co-authored-by: Paul Gottschling --- docs/pages/server-access/guides/openssh.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/pages/server-access/guides/openssh.mdx b/docs/pages/server-access/guides/openssh.mdx index 30bf2e9534837..313196bad48a9 100644 --- a/docs/pages/server-access/guides/openssh.mdx +++ b/docs/pages/server-access/guides/openssh.mdx @@ -38,7 +38,7 @@ certificates generated by the Teleport Auth Service. Start by exporting the Teleport CA public key. -On the host where you are running `sshd`, run the following commands. +On the host where you are running `sshd`, run the following commands: ```code $ curl 'https://teleport.example.com/webapi/auth/export?type=user' | sed "s/cert-authority\ //" From 218d937d0d7b4d006bca9781c3d94ba2bef81752 Mon Sep 17 00:00:00 2001 From: Marco Dinis Date: Tue, 28 Mar 2023 11:12:00 +0100 Subject: [PATCH 05/10] add proxy Var instead of using ScopedBlock --- .../desktop-access/active-directory-manual.mdx | 2 +- docs/pages/desktop-access/troubleshooting.mdx | 13 +------------ docs/pages/management/guides/ssh-key-extensions.mdx | 13 +------------ docs/pages/server-access/guides/openssh.mdx | 3 +-- .../server-access/guides/recording-proxy-mode.mdx | 2 +- 5 files changed, 5 insertions(+), 28 deletions(-) diff --git a/docs/pages/desktop-access/active-directory-manual.mdx b/docs/pages/desktop-access/active-directory-manual.mdx index 168e30f971624..469d0e55b10e4 100644 --- a/docs/pages/desktop-access/active-directory-manual.mdx +++ b/docs/pages/desktop-access/active-directory-manual.mdx @@ -192,7 +192,7 @@ These steps will need to be repeated if Teleport's user certificate authority is Get the Teleport user CA certificate by running the following in the Windows machine where you can manage your group policy: ```code -$ curl 'https://teleport.example.com/webapi/auth/export?type=windows' > user-ca.cer +$ curl 'https:///webapi/auth/export?type=windows' > user-ca.cer ``` diff --git a/docs/pages/desktop-access/troubleshooting.mdx b/docs/pages/desktop-access/troubleshooting.mdx index bcbf2ba11c1ee..6e42d128bf6ba 100644 
--- a/docs/pages/desktop-access/troubleshooting.mdx +++ b/docs/pages/desktop-access/troubleshooting.mdx @@ -58,21 +58,10 @@ Policy](./active-directory-manual.mdx#create-another-gpo-and-import-the-teleport Teleport CA was rotated since the last import, you will have to fetch the new CA using the following command: - - -```code -$ curl 'https://teleport.example.com/webapi/auth/export?type=windows' > user-ca.cer -``` - - - - ```code -$ curl 'https://mytenant.teleport.sh/webapi/auth/export?type=windows' > user-ca.cer +$ curl 'https:///webapi/auth/export?type=windows' > user-ca.cer ``` - - If that doesn't help, log into the target host directly, open PowerShell and run `gpupdate.exe /force`. This forces a Group Policy sync and should pick up the new CA. diff --git a/docs/pages/management/guides/ssh-key-extensions.mdx b/docs/pages/management/guides/ssh-key-extensions.mdx index 3bebce285e8e8..bad10a18dd34b 100644 --- a/docs/pages/management/guides/ssh-key-extensions.mdx +++ b/docs/pages/management/guides/ssh-key-extensions.mdx @@ -15,21 +15,10 @@ Teleport supports exporting user SSH certificates with configurable key extensio In order to export the Teleport CA, execute the following command: - - -```code -$ curl 'https://teleport.example.com/webapi/auth/export?type=user' | sed 's/^cert-authority //g' -``` - - - - ```code -$ curl 'https://mytenant.teleport.sh/webapi/auth/export?type=user' | sed 's/^cert-authority //g' +$ curl 'https:///webapi/auth/export?type=user' | sed 's/^cert-authority //g' ``` - - Next, follow the instructions in the guide below to import your Teleport CA into GitHub: [Managing your organization's SSH certificate authorities](https://docs.github.com/en/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities) diff --git a/docs/pages/server-access/guides/openssh.mdx b/docs/pages/server-access/guides/openssh.mdx index 313196bad48a9..0047c081cd9bf 100644 
--- a/docs/pages/server-access/guides/openssh.mdx +++ b/docs/pages/server-access/guides/openssh.mdx @@ -41,8 +41,7 @@ Start by exporting the Teleport CA public key. On the host where you are running `sshd`, run the following commands: ```code -$ curl 'https://teleport.example.com/webapi/auth/export?type=user' | sed "s/cert-authority\ //" -$ export KEY="" +$ export KEY=$(curl 'https:///webapi/auth/export?type=user' | sed "s/cert-authority\ //") ``` Make the public key accessible to `sshd`: diff --git a/docs/pages/server-access/guides/recording-proxy-mode.mdx b/docs/pages/server-access/guides/recording-proxy-mode.mdx index 18f018d55de4d..9aeec6da30911 100644 --- a/docs/pages/server-access/guides/recording-proxy-mode.mdx +++ b/docs/pages/server-access/guides/recording-proxy-mode.mdx @@ -123,7 +123,7 @@ On your Teleport Node, export the Teleport Certificate Authority certificate into a file and update your SSH configuration to trust Teleport's CA: ```code -$ curl 'https://teleport.example.com/webapi/auth/export?type=user' | sed s/cert-authority\ // > teleport_user_ca.pub +$ curl 'https:///webapi/auth/export?type=user' | sed s/cert-authority\ // > teleport_user_ca.pub $ sudo mv ./teleport_user_ca.pub /etc/ssh/teleport_user_ca.pub $ echo "TrustedUserCAKeys /etc/ssh/teleport_user_ca.pub" | sudo tee -a /etc/ssh/sshd_config ``` From 25c3659f6eb7a23a8008e24c9269f4a3e909700d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marco=20Andr=C3=A9=20Dinis?= Date: Wed, 29 Mar 2023 09:20:01 +0100 Subject: [PATCH 06/10] Update docs/pages/desktop-access/active-directory-manual.mdx Co-authored-by: Paul Gottschling --- docs/pages/desktop-access/active-directory-manual.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/pages/desktop-access/active-directory-manual.mdx b/docs/pages/desktop-access/active-directory-manual.mdx index 469d0e55b10e4..ed61d54b6191d 100644 --- a/docs/pages/desktop-access/active-directory-manual.mdx 
+++ b/docs/pages/desktop-access/active-directory-manual.mdx @@ -189,7 +189,7 @@ These steps will need to be repeated if Teleport's user certificate authority is -Get the Teleport user CA certificate by running the following in the Windows machine where you can manage your group policy: +Get the Teleport user CA certificate by running the following in the Windows machine where you can manage your group policy, assigning to the address of your Teleport Proxy Service: ```code $ curl 'https:///webapi/auth/export?type=windows' > user-ca.cer From 053453ca2d339577b774d088888ee13eac29ac30 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marco=20Andr=C3=A9=20Dinis?= Date: Wed, 29 Mar 2023 09:20:09 +0100 Subject: [PATCH 07/10] Update docs/pages/management/guides/ssh-key-extensions.mdx Co-authored-by: Paul Gottschling --- docs/pages/management/guides/ssh-key-extensions.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/pages/management/guides/ssh-key-extensions.mdx b/docs/pages/management/guides/ssh-key-extensions.mdx index bad10a18dd34b..805af70e10ce4 100644 --- a/docs/pages/management/guides/ssh-key-extensions.mdx +++ b/docs/pages/management/guides/ssh-key-extensions.mdx @@ -13,7 +13,7 @@ Teleport supports exporting user SSH certificates with configurable key extensio ## Step 1/3. Import the Teleport CA into GitHub -In order to export the Teleport CA, execute the following command: +In order to export the Teleport CA, execute the following command, assigning to the address of your Teleport Proxy Service: ```code $ curl 'https:///webapi/auth/export?type=user' | sed 's/^cert-authority //g' From 9cb5d23f40e2d8f26893be928b37193f2bad01cd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marco=20Andr=C3=A9=20Dinis?= Date: Wed, 29 Mar 2023 09:20:18 +0100 Subject: [PATCH 08/10] Update docs/pages/desktop-access/troubleshooting.mdx Co-authored-by: Paul Gottschling --- docs/pages/desktop-access/troubleshooting.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/pages/desktop-access/troubleshooting.mdx b/docs/pages/desktop-access/troubleshooting.mdx index 6e42d128bf6ba..551b6e561b156 100644 --- a/docs/pages/desktop-access/troubleshooting.mdx +++ b/docs/pages/desktop-access/troubleshooting.mdx @@ -56,7 +56,7 @@ This means that the host does not trust the Teleport CA. First, make sure that you [import the Teleport CA into Group Policy](./active-directory-manual.mdx#create-another-gpo-and-import-the-teleport-ca). Note that if the Teleport CA was rotated since the last import, you will have to fetch the -new CA using the following command: +new CA using the following command, assigning to the address of your Teleport Proxy Service: ```code $ curl 'https:///webapi/auth/export?type=windows' > user-ca.cer From 87984f266832b9b85e66475b8249450244d7ccc3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marco=20Andr=C3=A9=20Dinis?= Date: Wed, 29 Mar 2023 09:20:28 +0100 Subject: [PATCH 09/10] Update docs/pages/server-access/guides/openssh.mdx Co-authored-by: Paul Gottschling --- docs/pages/server-access/guides/openssh.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/pages/server-access/guides/openssh.mdx b/docs/pages/server-access/guides/openssh.mdx index 0047c081cd9bf..1a1a30044e1f4 100644 --- a/docs/pages/server-access/guides/openssh.mdx +++ b/docs/pages/server-access/guides/openssh.mdx @@ -38,7 +38,7 @@ certificates generated by the Teleport Auth Service. Start by exporting the Teleport CA public key. -On the host where you are running `sshd`, run the following commands: +On the host where you are running `sshd`, run the following commands, assigning to the address of your Teleport Proxy Service: ```code $ export KEY=$(curl 'https:///webapi/auth/export?type=user' | sed "s/cert-authority\ //") From af4c98a2b5b636fffd76ed09b094ff8989d4bb63 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Marco=20Andr=C3=A9=20Dinis?= Date: Wed, 29 Mar 2023 09:20:37 +0100 Subject: [PATCH 10/10] Update docs/pages/server-access/guides/recording-proxy-mode.mdx Co-authored-by: Paul Gottschling --- docs/pages/server-access/guides/recording-proxy-mode.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/pages/server-access/guides/recording-proxy-mode.mdx b/docs/pages/server-access/guides/recording-proxy-mode.mdx index 9aeec6da30911..bfb464f0b0afe 100644 --- a/docs/pages/server-access/guides/recording-proxy-mode.mdx +++ b/docs/pages/server-access/guides/recording-proxy-mode.mdx @@ -120,7 +120,7 @@ auth_service: by the Teleport User CA. Start by exporting the Teleport CA public key. On your Teleport Node, export the Teleport Certificate Authority certificate -into a file and update your SSH configuration to trust Teleport's CA: +into a file and update your SSH configuration to trust Teleport's CA. Assign to the address of your Teleport Proxy Service: ```code $ curl 'https:///webapi/auth/export?type=user' | sed s/cert-authority\ // > teleport_user_ca.pub
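Review bot: in PATCH 01/10, first hunk of docs/pages/server-access/guides/openssh.mdx, the `curl ... | sed "s/cert-authority\ //"` line is followed by an unchanged `$ export KEY=""`, while the sentences "Copy the output." and "Assign the output of the `tctl auth export` command to an environment variable:" are both deleted. A reader following this revision prints the key and then sets `KEY` to an empty string with no hint that anything should be pasted. PATCH 05/10 fixes this with `export KEY=$(curl ...)`; fold that change into this commit so that every commit in the series leaves the guide usable.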
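Review bot: in PATCH 01/10, docs/pages/server-access/guides/recording-proxy-mode.mdx, the added `curl ... | sed s/cert-authority\ // > teleport_user_ca.pub` line has no failure handling, and the next two unchanged lines move the file to `/etc/ssh/teleport_user_ca.pub` and append `TrustedUserCAKeys` to `sshd_config` regardless of what was downloaded. Without `--fail`, curl writes an HTTP error body to stdout and exits 0, and the pipeline's status is that of `sed` in any case, so an error page or an empty file can end up as the trusted CA file. Suggest `curl --fail --silent --show-error` and a check such as `ssh-keygen -l -f teleport_user_ca.pub` before the `sudo mv`. The same applies to the `export KEY=$(curl ...)` form introduced for openssh.mdx in PATCH 05/10, where the command substitution also hides curl's exit status.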
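Review bot: in PATCH 01/10, the troubleshooting.mdx and ssh-key-extensions.mdx hunks delete the `$ tsh login --proxy=... --user=myuser` step, so the CA is now fetched with no credentials, and the docs do not say what the reader is relying on for its integrity. The downloaded file becomes a trust anchor (Group Policy import, `TrustedUserCAKeys`, the GitHub SSH CA), and with this change the only check on it is curl's TLS verification of the proxy. Suggest one sentence near the first use stating that the Proxy Service must present a certificate the host already trusts and that the command should not be run with `-k`/`--insecure`, plus a pointer to comparing the key fingerprint against one obtained from an authenticated session.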
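Review bot: PATCH 01/10 leaves three different spellings of the same substitution: `sed 's/^cert-authority //g'` in ssh-key-extensions.mdx, `sed "s/cert-authority\ //"` in openssh.mdx, and the unquoted `sed s/cert-authority\ //` in recording-proxy-mode.mdx. PATCH 02/10 is titled "consistent usage of curl command" but does not touch these. Suggest the anchored, single-quoted form `sed 's/^cert-authority //'` in all three files; the `g` flag is redundant once the pattern is anchored with `^`.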
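Review bot: in PATCH 02/10, the active-directory-manual.mdx and getting-started.mdx hunks wrap the URL in single quotes in a command that the surrounding text says to run on the Windows machine, and that quoting does not work in the shells found there. cmd.exe does not treat single quotes as quoting, so they are passed to curl as part of the URL. In Windows PowerShell 5.1 `curl` is an alias for `Invoke-WebRequest`, and redirecting its output with `>` does not write the response body to the file. Suggest naming the shell and using a form that works in both, for example `curl.exe -o user-ca.cer "https://..."` with double quotes and `-o` instead of shell redirection.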
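Review bot: PATCH 05/10 ("add proxy Var instead of using ScopedBlock") touches five files according to its diffstat, and docs/pages/desktop-access/getting-started.mdx is not one of them, so the series ends with that page out of step with the others. That page still carries the hard-coded `teleport-proxy.example.com:443` from PATCH 02/10 and does not get the "address of your Teleport Proxy Service" sentence that PATCH 06/10 through 10/10 add elsewhere. Suggest converting it in the same commit so all six pages use the same placeholder. It would also help to state whether the value should include the port, since getting-started.mdx shows `:443` and the other pages show a bare hostname.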