Gravitational Teleport is a powerful tool allowing organizations to secure access to SSH servers and Kubernetes clusters via a centralized authentication method. However, if you need to secure access to databases, Windows servers or internal web applications in addition to Linux servers/Kubernetes, there are other options to consider. This blog post looks at a few alternatives and discusses the pros and cons of each. For the impatient, I’ve put together a quick feature matrix that might answer your questions right away. For all the rest, read on.
|Feature||Teleport||Teleport Community Edition||Bastion Hosts||strongDM|
|Protects access to SSH servers||✔️||✔️||✔️||✔️|
|Protects access to databases||✔️||✔️|
|Protects access to K8s||✔️||✔️||✔️|
|Web SSH sessions||✔️||✔️|
|Audit log and session replay||✔️||✔️||✔️|
Gravitational Teleport provides privileged access management (PAM) for cloud-native infrastructure. Teleport is an access and authentication proxy for SSH and Kubernetes API access. It’s meant as a replacement for sshd and it works with existing OpenSSH clients and servers as-is. It allows administrators to set up access for users and groups to groups of servers, called clusters, and implements role-based access control (RBAC) to allow differing levels of access to different clusters. Individual server credentials are not available to users, reducing the administrative impact of rotating and removing credentials.
- Centralized access to servers and Kubernetes
- Granting user SSH access to the same usernames across a cluster of servers
- SSH access available via web UI on proxy server.
- Single sign-on (SSO) for SSH/Kubernetes and your organization identities via Github Auth, OpenID Connect or SAML with endpoints like Okta or Active Directory.
- Can use with an existing OpenSSH infrastructure
- Teleport uses SSH certificate-based access with automatic certificate expiration time
- Teleport software must be running on every server to be managed by Teleport access.
- Complex setup: in addition to the Teleport software on each server, a Teleport Proxy and TeleportAuth server must also be built and maintained for each cluster.
- CLI-only client scares off non-engineers
- User credentials are assigned across a full cluster rather than server-by-server.
- Backend configuration required to store audit logs (AWS S3 / DynamoDB, required by teleport to store session logs)
- Teleport agent audit logs are only accessible through the UI or backend storage
The open source Community Edition of Teleport is the same as the Enterprise edition, with the following exceptions:
- No RBAC
- No SSO integration
- No paid support available
Because Teleport CE is nearly identical to the Teleport Enterprise version, the same use cases apply.
- Open source code (https://github.com/gravitational/teleport)
- The same minuses as the other version of Teleport apply.
- Because it’s available free, only community support is available.
- The free version is missing important enterprise features (see above).
- Only uses local users or github for identity-based authentication
A bastion, or jump, host is simply a Linux/UNIX server that mediates access to sensitive servers/database access by requiring the user to first log into the bastion host then ‘jump’ to additional resources in the network controlled by the bastion. Organizations simply need to set up an additional server that is both accessible from external sources and is able to connect to internal resources.
- Mediate access to protected resources on a restricted network segment.
- Database clients and similar tools can work via bastion host by using port forwarding over the SSH connection.
- Free, or nearly so: the only requirement is the cost for the hardware (or virtual server) underlying the bastion host.
- Straightforward access for users who are familiar with SSH.
- Because all access to protected resources requires first logging in via command line to the bastion host, the user must have an account on the bastion and a certain level of technical acumen, especially if employing port forwarding for database access.
- The bastion host represents a single point of failure; if it is unavailable all resources behind it are inaccessible. Setting up multiple bastion hosts to mitigate against this possibility means another set of credentials to manage.
- In the case of problems, support is limited to whatever support may be available for the underlying OS running on the bastion host.
- Session logs and database/other protocol activity are not captured.
strongDM is a control plane to manage and monitor access to databases, servers, and Kubernetes. Their zero trust model means instead of distributing access across a combination of VPN, individual database credentials, and SSH keys, strongDM unifies user management in your existing SSO (Google, Onelogin, Duo, Okta, etc…) and keeps the underlying credentials hidden. Neither credentials nor keys are accessible by end users. Because strongDM deconstructs every protocol, it also logs all database queries, complete SSH and RDP sessions, and kubectl activity.
- Faster on-boarding- no need to provision database credentials, ssh keys, VPN passwords for each new hire.
- Secure off-boarding- suspend SSO access once to revoke all database, server access.
- Automatically adopt security best practices- least privilege, ephemeral permissions, audit trail.
- Comprehensive logs- log every permission change, database query, ssh & kubectl command.
- Easy deployment – self healing mesh network of proxies that auto-discovers available database, ssh nodes & kube clusters.
- No change to workflow- use any SQL client, CLI, or desktop BI tool.
- Standardize logs across any database type, Linux or Windows server, and Kubernetes.
- Graphical client for Windows and MacOS.
- See and replay all activity with session recordings
- Manage via a user-friendly web browser interface
- Credentials must be entrusted to a third party for long-term storage.
- Requires continual access to strongDM API for access to managed resources.