git: efc9e9c8f277 - main - security/teleport5: New port: Centralized access gateway using the SSH protocol

From: Daniel Engberg <diizzy_at_FreeBSD.org>
Date: Mon, 02 Jan 2023 08:28:25 UTC
The branch main has been updated by diizzy:

URL: https://cgit.FreeBSD.org/ports/commit/?id=efc9e9c8f277f200f794e7d6ec7a66a5aa7a0fb0

commit efc9e9c8f277f200f794e7d6ec7a66a5aa7a0fb0
Author:     Michael Reim <kraileth@elderlinux.org>
AuthorDate: 2023-01-02 08:06:14 +0000
Commit:     Daniel Engberg <diizzy@FreeBSD.org>
CommitDate: 2023-01-02 08:06:53 +0000

    security/teleport5: New port: Centralized access gateway using the SSH protocol
    
    This port's main purpose is to provide an upgrade path for users to
    Teleport 6 and newer versions. New installations are STRONGLY
    discouraged until we have version 7.X in tree.
    
    PR:             268604
---
 security/Makefile                                  |   1 +
 security/teleport5/Makefile                        |  77 +++++++++++++++
 security/teleport5/distinfo                        |   5 +
 .../teleport5/files/patch-lib_defaults_defaults.go |  11 +++
 .../teleport5/files/patch-lib_events_auditlog.go   |  11 +++
 security/teleport5/files/patch-lib_events_doc.go   | 110 +++++++++++++++++++++
 .../teleport5/files/patch-lib_services_server.go   |  11 +++
 .../patch-tool_teleport_common_teleport__test.go   |  20 ++++
 ...dor_github.com_kr_pty_ztypes__freebsd__arm64.go |  16 +++
 security/teleport5/files/patch-version.mk          |   8 ++
 security/teleport5/files/pkg-message.in            |  33 +++++++
 security/teleport5/files/teleport.in               |  55 +++++++++++
 security/teleport5/pkg-descr                       |  15 +++
 13 files changed, 373 insertions(+)

diff --git a/security/Makefile b/security/Makefile
index 46677816e8a9..edde728caeb9 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -1253,6 +1253,7 @@
     SUBDIR += tclsasl
     SUBDIR += tcpcrypt
     SUBDIR += teleport
+    SUBDIR += teleport5
     SUBDIR += testssl.sh
     SUBDIR += tfhe
     SUBDIR += tfsec
diff --git a/security/teleport5/Makefile b/security/teleport5/Makefile
new file mode 100644
index 000000000000..52d34fabe1c8
--- /dev/null
+++ b/security/teleport5/Makefile
@@ -0,0 +1,77 @@
+PORTNAME=	teleport
+DISTVERSIONPREFIX=	v
+DISTVERSION=	5.2.5
+CATEGORIES=	security
+PKGNAMESUFFIX=	5
+
+MAINTAINER=	kraileth@elderlinux.org
+COMMENT=	Centralized access gateway using the SSH protocol
+WWW=		https://goteleport.com/teleport
+
+LICENSE=	APACHE20
+
+NOT_FOR_ARCHS=	i386
+NOT_FOR_ARCHS_REASON=	Uses 64bit types
+
+BUILD_DEPENDS=	zip:archivers/zip
+
+# If you need the auth service to work, you need to compile this port with
+# Go 1.17 or older. In case tsh is what you're after, Go 1.19 is fine.
+USES=		compiler gmake go
+
+USE_GITHUB=		yes
+GH_ACCOUNT=		gravitational
+GH_TUPLE=		gravitational:webassets:8ace0cf:webassets/webassets
+GH_COMMIT_SHORT=	f8ba4afd9
+GH_TAG_COMMIT=		${DISTVERSIONPREFIX}${DISTVERSION}-0-g${GH_COMMIT_SHORT}
+
+USE_RC_SUBR=	teleport
+
+# Extra assets are stored in the binary and must not be inadvertently removed
+STRIP=
+NOPRECIOUSMAKEVARS=	YES
+
+SUB_FILES=	pkg-message
+
+PLIST_FILES=	bin/tctl \
+		bin/teleport \
+		bin/tsh \
+		"@sample etc/teleport.yaml.sample"
+
+GO_TELEPORT_SRC_DIR=	src/github.com/gravitational/teleport
+PRE_GOPATH_DIR=		${PORTNAME}-${DISTVERSION}${DISTVERSIONSUFFIX}
+
+post-patch:
+	@${MKDIR} ${WRKDIR}/${GO_TELEPORT_SRC_DIR}
+	@${REINPLACE_CMD} -e 's|%%GH_TAG_COMMIT%%|${GH_TAG_COMMIT}|' \
+		${WRKSRC}/version.mk
+	@${FIND} ${WRKSRC}/docs/pages -iname '*.mdx' | ${XARGS} \
+		${REINPLACE_CMD} -i '' -e 's|/var/lib|/var/db|g'
+	@${CP} -rpH ${WRKDIR}/${PRE_GOPATH_DIR}/vendor/* ${WRKDIR}/src/
+	@${CP} -rpH ${WRKDIR}/${PRE_GOPATH_DIR}/* ${WRKDIR}/${GO_TELEPORT_SRC_DIR}/
+
+do-build:
+	@cd ${WRKDIR}/${GO_TELEPORT_SRC_DIR} && \
+		${SETENV} ${MAKE_ENV} ${BUILD_ENV} ${GO_ENV} \
+		CGO_ENABLED=1 GOPATH=${WRKDIR} \
+		${GMAKE} full
+
+do-install:
+	${WRKDIR}/${GO_TELEPORT_SRC_DIR}/build/teleport configure > ${STAGEDIR}${PREFIX}/etc/teleport.yaml.sample
+	@${SED} -i '' \
+		-e "s|nodename: .*|nodename: |g" \
+		-e "s|cluster-join-token||g" \
+		${STAGEDIR}${PREFIX}/etc/teleport.yaml.sample
+	${INSTALL_PROGRAM} ${WRKDIR}/${GO_TELEPORT_SRC_DIR}/build/teleport ${STAGEDIR}${PREFIX}/bin
+	${INSTALL_PROGRAM} ${WRKDIR}/${GO_TELEPORT_SRC_DIR}/build/tsh ${STAGEDIR}${PREFIX}/bin
+	${INSTALL_PROGRAM} ${WRKDIR}/${GO_TELEPORT_SRC_DIR}/build/tctl ${STAGEDIR}${PREFIX}/bin
+
+.include <bsd.port.pre.mk>
+
+# golang assumes that if clang is in use, it is called "clang" and not "cc". If
+# it's called "cc", go fails.
+.if ${COMPILER_TYPE} == clang
+BUILD_ENV=	CC=clang
+.endif
+
+.include <bsd.port.post.mk>
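Review bot: The comment above `USES=		compiler gmake go` states that the auth service only works when the port is built with Go 1.17 or older, yet nothing in the Makefile pins or checks the Go version, so a default build yields a package whose auth role is silently non-functional — a real problem for a port whose stated purpose is an upgrade path for existing clusters. Either select the required toolchain through go.mk's version argument if this tree's go.mk supports one, or refuse the build in the section after `.include <bsd.port.pre.mk>` with an `IGNORE=` message keyed on whichever Go-version variable go.mk exposes, and repeat the caveat in pkg-message.in where users will actually see it. Separately, `BUILD_ENV=	CC=clang` after bsd.port.pre.mk is a plain assignment and would clobber any BUILD_ENV set earlier; `BUILD_ENV+=	CC=clang` is the safer form if that variable is ever set elsewhere.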
diff --git a/security/teleport5/distinfo b/security/teleport5/distinfo
new file mode 100644
index 000000000000..cd05976249ca
--- /dev/null
+++ b/security/teleport5/distinfo
@@ -0,0 +1,5 @@
+TIMESTAMP = 1670876102
+SHA256 (gravitational-teleport-v5.2.5_GH0.tar.gz) = 81b48678ead350ca40183ffef70c4afe0ffdcf1e895d04c0bc62eab180b41065
+SIZE (gravitational-teleport-v5.2.5_GH0.tar.gz) = 41856905
+SHA256 (gravitational-webassets-8ace0cf_GH0.tar.gz) = 87b4a3beff4259ff48d30a03cb2e5ac580dc964eac5218518ac89ede450d2220
+SIZE (gravitational-webassets-8ace0cf_GH0.tar.gz) = 4719723
diff --git a/security/teleport5/files/patch-lib_defaults_defaults.go b/security/teleport5/files/patch-lib_defaults_defaults.go
new file mode 100644
index 000000000000..a0ec9693613e
--- /dev/null
+++ b/security/teleport5/files/patch-lib_defaults_defaults.go
@@ -0,0 +1,11 @@
+--- lib/defaults/defaults.go.orig	2022-02-23 04:58:43 UTC
++++ lib/defaults/defaults.go
+@@ -466,7 +466,7 @@ var (
+ 
+ 	// DataDir is where all mutable data is stored (user keys, recorded sessions,
+ 	// registered SSH servers, etc):
+-	DataDir = "/var/lib/teleport"
++	DataDir = "/var/db/teleport"
+ 
+ 	// StartRoles is default roles teleport assumes when started via 'start' command
+ 	StartRoles = []string{RoleProxy, RoleNode, RoleAuthService}
diff --git a/security/teleport5/files/patch-lib_events_auditlog.go b/security/teleport5/files/patch-lib_events_auditlog.go
new file mode 100644
index 000000000000..ab0c4e04e7bf
--- /dev/null
+++ b/security/teleport5/files/patch-lib_events_auditlog.go
@@ -0,0 +1,11 @@
+--- lib/events/auditlog.go.orig	2022-02-23 04:58:43 UTC
++++ lib/events/auditlog.go
+@@ -45,7 +45,7 @@ import (
+ const (
+ 	// SessionLogsDir is a subdirectory inside the eventlog data dir
+ 	// where all session-specific logs and streams are stored, like
+-	// in /var/lib/teleport/logs/sessions
++	// in /var/db/teleport/logs/sessions
+ 	SessionLogsDir = "sessions"
+ 
+	// StreamingLogsDir is a subdirectory of sessions /var/lib/teleport/logs/streaming
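Review bot: The path rewrite is incomplete within this hunk: the SessionLogsDir comment is changed to `/var/db/teleport/logs/sessions`, but the StreamingLogsDir comment on the hunk's last context line still reads `/var/lib/teleport/logs/streaming`. Since these patches exist to make the in-tree documentation agree with the FreeBSD DataDir, extend the hunk with `-	// StreamingLogsDir is a subdirectory of sessions /var/lib/teleport/logs/streaming` and `+	// StreamingLogsDir is a subdirectory of sessions /var/db/teleport/logs/streaming`. The const block continues past the end of the hunk.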
diff --git a/security/teleport5/files/patch-lib_events_doc.go b/security/teleport5/files/patch-lib_events_doc.go
new file mode 100644
index 000000000000..570c0aba3879
--- /dev/null
+++ b/security/teleport5/files/patch-lib_events_doc.go
@@ -0,0 +1,110 @@
+--- lib/events/doc.go.orig	2022-02-23 04:58:43 UTC
++++ lib/events/doc.go
+@@ -85,7 +85,7 @@ Main Audit Log Format
+ 
+ The main log files are saved as:
+ 
+-	/var/lib/teleport/log/<auth-server-id>/<date>.log
++	/var/db/teleport/log/<auth-server-id>/<date>.log
+ 
+ The log file is rotated every 24 hours. The old files must be cleaned
+ up or archived by an external tool.
+@@ -111,7 +111,7 @@ Each session has its own session log stored as several
+ 
+ Index file contains a list of event files and chunks files associated with a session:
+ 
+-	/var/lib/teleport/log/sessions/<auth-server-id>/<session-id>.index
++	/var/db/teleport/log/sessions/<auth-server-id>/<session-id>.index
+ 
+ The format of the index file contains of two or more lines with pointers to other files:
+ 
+@@ -120,8 +120,8 @@ The format of the index file contains of two or more l
+ 
+ Files:
+ 
+-	/var/lib/teleport/log/<auth-server-id>/<session-id>-<first-event-in-file-index>.events
+-	/var/lib/teleport/log/<auth-server-id>/<session-id>-<first-chunk-in-file-offset>.chunks
++	/var/db/teleport/log/<auth-server-id>/<session-id>-<first-event-in-file-index>.events
++	/var/db/teleport/log/<auth-server-id>/<session-id>-<first-chunk-in-file-offset>.chunks
+ 
+ Where:
+ 	- .events   (same events as in the main log, but related to the session)
+@@ -135,7 +135,7 @@ Examples
+ In the simplest case, single auth server a1 log for a single session id s1
+ will consist of three files:
+ 
+-/var/lib/teleport/a1/s1.index
++/var/db/teleport/a1/s1.index
+ 
+ With contents:
+ 
+@@ -146,14 +146,14 @@ This means that all session events are located in s1-0
+ the first event with index 0 and all chunks are located in file s1-0.chunks file
+ with the byte offset from the start - 0.
+ 
+-File with session events /var/lib/teleport/a1/s1-0.events will contain:
++File with session events /var/db/teleport/a1/s1-0.events will contain:
+ 
+ {"ei":0,"event":"session.start", ...}
+ {"ei":1,"event":"resize",...}
+ {"ei":2,"ci":0, "event":"print","bytes":40,"offset":0}
+ {"ei":3,"event":"session.end", ...}
+ 
+-File with recorded session /var/lib/teleport/a1/s1-0.chunks will contain 40 bytes
++File with recorded session /var/db/teleport/a1/s1-0.chunks will contain 40 bytes
+ emitted by print event with chunk index 0
+ 
+ **Multiple Auth Servers**
+@@ -164,7 +164,7 @@ In high availability mode scenario, multiple auth serv
+ Any auth server can go down during session and clients will retry the delivery
+ to the other auth server.
+ 
+-Both auth servers have mounted /var/lib/teleport/log as a shared NFS folder.
++Both auth servers have mounted /var/db/teleport/log as a shared NFS folder.
+ 
+ To make sure that only one auth server writes to a file at a time,
+ each auth server writes to it's own file in a sub folder named
+@@ -176,37 +176,37 @@ and the second batch of event to the second server a2.
+ 
+ Server a1 will produce the following file:
+ 
+-/var/lib/teleport/a1/s1.index
++/var/db/teleport/a1/s1.index
+ 
+ With contents:
+ 
+ {"file_name":"s1-0.events","type":"events","index":0}
+ {"file_name":"s1-0.chunks","type":"chunks","offset":0}
+ 
+-Events file /var/lib/teleport/a1/s1-0.events will contain:
++Events file /var/db/teleport/a1/s1-0.events will contain:
+ 
+ {"ei":0,"event":"session.start", ...}
+ {"ei":1,"event":"resize",...}
+ {"ei":2,"ci":0, "event":"print","bytes":40,"offset":0}
+ 
+-Events file /var/lib/teleport/a1/s1-0.chunks will contain 40 bytes
++Events file /var/db/teleport/a1/s1-0.chunks will contain 40 bytes
+ emitted by print event with chunk index.
+ 
+ Server a2 will produce the following file:
+ 
+-/var/lib/teleport/a2/s1.index
++/var/db/teleport/a2/s1.index
+ 
+ With contents:
+ 
+ {"file_name":"s1-3.events","type":"events","index":3}
+ {"file_name":"s1-40.chunks","type":"chunks","offset":40}
+ 
+-Events file /var/lib/teleport/a2/s1-4.events will contain:
++Events file /var/db/teleport/a2/s1-4.events will contain:
+ 
+ {"ei":3,"ci":1, "event":"print","bytes":15,"ms":713,"offset":40}
+ {"ei":4,"event":"session.end", ...}
+ 
+-Events file /var/lib/teleport/a2/s1-40.chunks will contain 15 bytes emitted
++Events file /var/db/teleport/a2/s1-40.chunks will contain 15 bytes emitted
+ by print event with chunk index 1 and comes after delay of 713 milliseconds.
+ 
+ Offset 40 indicates that the first chunk stored in the file s1-40.chunks
diff --git a/security/teleport5/files/patch-lib_services_server.go b/security/teleport5/files/patch-lib_services_server.go
new file mode 100644
index 000000000000..a93f72ee384f
--- /dev/null
+++ b/security/teleport5/files/patch-lib_services_server.go
@@ -0,0 +1,11 @@
+--- lib/services/server.go.orig	2022-02-23 04:58:43 UTC
++++ lib/services/server.go
+@@ -578,7 +578,7 @@ type CommandLabelV1 struct {
+ 	// Period is a time between command runs
+ 	Period time.Duration `json:"period"`
+ 	// Command is a command to run
+-	Command []string `json:"command"` //["/usr/bin/hostname", "--long"]
++	Command []string `json:"command"` //["/bin/hostname", "--long"]
+ 	// Result captures standard output
+ 	Result string `json:"result"`
+ }
diff --git a/security/teleport5/files/patch-tool_teleport_common_teleport__test.go b/security/teleport5/files/patch-tool_teleport_common_teleport__test.go
new file mode 100644
index 000000000000..cccc072a243f
--- /dev/null
+++ b/security/teleport5/files/patch-tool_teleport_common_teleport__test.go
@@ -0,0 +1,20 @@
+--- tool/teleport/common/teleport_test.go.orig	2022-02-23 04:58:43 UTC
++++ tool/teleport/common/teleport_test.go
+@@ -62,7 +62,7 @@ func (s *MainTestSuite) SetUpSuite(c *check.C) {
+ 
+ 	// set imprtant defaults to test-mode (non-existing files&locations)
+ 	defaults.ConfigFilePath = "/tmp/teleport/etc/teleport.yaml"
+-	defaults.DataDir = "/tmp/teleport/var/lib/teleport"
++	defaults.DataDir = "/tmp/teleport/var/db/teleport"
+ }
+ 
+ func (s *MainTestSuite) TestDefault(c *check.C) {
+@@ -72,7 +72,7 @@ func (s *MainTestSuite) TestDefault(c *check.C) {
+ 	})
+ 	c.Assert(cmd, check.Equals, "start")
+ 	c.Assert(conf.Hostname, check.Equals, s.hostname)
+-	c.Assert(conf.DataDir, check.Equals, "/tmp/teleport/var/lib/teleport")
++	c.Assert(conf.DataDir, check.Equals, "/tmp/teleport/var/db/teleport")
+ 	c.Assert(conf.Auth.Enabled, check.Equals, true)
+ 	c.Assert(conf.SSH.Enabled, check.Equals, true)
+ 	c.Assert(conf.Proxy.Enabled, check.Equals, true)
diff --git a/security/teleport5/files/patch-vendor_github.com_kr_pty_ztypes__freebsd__arm64.go b/security/teleport5/files/patch-vendor_github.com_kr_pty_ztypes__freebsd__arm64.go
new file mode 100644
index 000000000000..3178f17f721b
--- /dev/null
+++ b/security/teleport5/files/patch-vendor_github.com_kr_pty_ztypes__freebsd__arm64.go
@@ -0,0 +1,16 @@
+--- vendor/github.com/kr/pty/ztypes_freebsd_arm64.go.orig	2022-10-14 07:07:07 UTC
++++ vendor/github.com/kr/pty/ztypes_freebsd_arm64.go
+@@ -0,0 +1,13 @@
++// Created by cgo -godefs - DO NOT EDIT
++// cgo -godefs types_freebsd.go
++
++package pty
++
++const (
++	_C_SPECNAMELEN = 0x3f
++)
++
++type fiodgnameArg struct {
++	Len       int32
++	Buf       *byte
++}
diff --git a/security/teleport5/files/patch-version.mk b/security/teleport5/files/patch-version.mk
new file mode 100644
index 000000000000..1457af7a19fc
--- /dev/null
+++ b/security/teleport5/files/patch-version.mk
@@ -0,0 +1,8 @@
+--- version.mk.orig	2022-02-23 04:58:43 UTC
++++ version.mk
+@@ -1,4 +1,4 @@
+-GITREF=`git describe --dirty --long --tags`
++GITREF=%%GH_TAG_COMMIT%%
+ 
+ # $(VERSION_GO) will be written to version.go
+ VERSION_GO="/* DO NOT EDIT THIS FILE. IT IS GENERATED BY 'make setver'*/\n\n\
diff --git a/security/teleport5/files/pkg-message.in b/security/teleport5/files/pkg-message.in
new file mode 100644
index 000000000000..6559d0153a15
--- /dev/null
+++ b/security/teleport5/files/pkg-message.in
@@ -0,0 +1,33 @@
+[
+{ type: install
+  message: <<EOM
+ATTENTION! This version of Teleport is very old and likely to contain unfixed
+ATTENTION! vulnerabilities. It's only provided to allow for a working upgrade
+ATTENTION! path from 4.4. Watch for an upgrade to teleport6 next.
+ATTENTION! New installations are STRONGLY discouraged (wait for version 7).
+
+Quick getting started guide:
+
+1. Read through the Quick Start Guide (see below).
+2. Start teleport: su -c 'sysrc teleport_enable=YES'
+3. If not just setting up a node: su -c 'sysrc teleport_roles=auth,proxy,node'
+4. Review and edit /usr/local/etc/teleport.yaml
+5. Start teleport: su -c 'service teleport start'
+6. Add yourself as a user on the auth server: su -c "tctl users add $USER"
+7. Create a password and 2FA code using the URL emitted during
+   the previous step.
+
+To add a new node to the cluster, on the auth server:
+
+   $ tctl nodes add --ttl=5m --roles=node,proxy
+
+See the docs for additional details:
+
+Quick start:	https://github.com/gravitational/teleport/blob/branch/5.0/docs/pages/quickstart.mdx
+Admin Manual:	https://github.com/gravitational/teleport/blob/branch/5.0/docs/pages/admin-guide.mdx
+User Manual:	https://github.com/gravitational/teleport/blob/branch/5.0/docs/pages/user-manual.mdx
+Architecture:	https://github.com/gravitational/teleport/blob/branch/5.0/docs/pages/architecture/overview.mdx
+FAQ:		https://github.com/gravitational/teleport/blob/branch/5.0/docs/pages/faq.mdx
+EOM
+}
+]
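Review bot: Step 2 of the quick-start list is labelled `Start teleport` but `sysrc teleport_enable=YES` only enables the service in rc.conf; the real start is step 5, so the duplicated label will mislead readers. Change the line to `2. Enable teleport: su -c 'sysrc teleport_enable=YES'`. The ATTENTION block is the right place for the other limitation this commit documents only in the port Makefile, namely that the auth service needs a Go 1.17 build — a sentence about that here would reach the users it affects.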
diff --git a/security/teleport5/files/teleport.in b/security/teleport5/files/teleport.in
new file mode 100644
index 000000000000..248b0d7dc441
--- /dev/null
+++ b/security/teleport5/files/teleport.in
@@ -0,0 +1,55 @@
+#!/bin/sh
+
+# PROVIDE: teleport
+# REQUIRE: NETWORKING SERVERS DAEMON
+# KEYWORD: shutdown
+#
+# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
+# to enable this service:
+#
+# teleport_enable (bool):       Set to NO by default.
+#                               Set it to YES to enable teleport.
+# teleport_config (str):        Configuration file.
+#                               Default is "${LOCALBASE}/etc/teleport.yaml"
+# teleport_dir (dir):           Set dir to run teleport in.
+#                               Default is "/var/db/teleport".
+# teleport_roles (dir):         Set roles to run teleport in.
+#                               Default is "node".
+#                               Can be any combination of
+#                               "node", "app", "proxy" and "auth", separated by commas
+
+. /etc/rc.subr
+
+name=teleport
+rcvar=teleport_enable
+
+load_rc_config $name
+
+: ${teleport_enable:="NO"}
+: ${teleport_config:="%%PREFIX%%/etc/teleport.yaml"}
+: ${teleport_args:="--config=${teleport_config}"}
+: ${teleport_dir:="/var/db/teleport"}
+: ${teleport_roles:="node"}
+
+pidfile=/var/run/teleport.pid
+required_files="${teleport_config}"
+procname="%%PREFIX%%/bin/teleport"
+command="/usr/sbin/daemon"
+
+DAEMON=$(daemon 2>&1 | grep -q syslog ; echo $?)
+if [ ${DAEMON} -eq 0 ]; then
+  DAEMON_SYSLOG_FLAGS="-S -T teleport -s info -m 3"
+else
+  DAEMON_SYSLOG_FLAGS=""
+fi
+
+command_args="${DAEMON_SYSLOG_FLAGS} -f -p ${pidfile} /usr/bin/env ${teleport_env} ${procname} start --roles=${teleport_roles} ${teleport_args}"
+
+start_precmd="teleport_prestart"
+
+teleport_prestart()
+{
+	mkdir -p ${teleport_dir}
+}
+
+run_rc_command "$1"
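Review bot: `teleport_prestart` creates the data directory with a bare `mkdir -p ${teleport_dir}`, so its mode depends on the caller's umask, while that directory (per the patched defaults.go comment, `/var/db/teleport` holds user keys and recorded sessions) should not be readable by other users; use `install -d -m 0700 "${teleport_dir}"` instead, which also quotes the expansion. Two documentation points in the header block: `teleport_env` is expanded in `command_args` but is neither described in the header nor given a default alongside the other `: ${...}` lines, and `teleport_roles` is typed `(dir)` where `(str)` is meant. The probe `DAEMON=$(daemon 2>&1 | grep -q syslog ; echo $?)` is opaque; a comment such as `# detect whether daemon(8) supports syslog logging (-S)` would help the next reader.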
diff --git a/security/teleport5/pkg-descr b/security/teleport5/pkg-descr
new file mode 100644
index 000000000000..4485b972f7a7
--- /dev/null
+++ b/security/teleport5/pkg-descr
@@ -0,0 +1,15 @@
+What is Teleport?
+=================
+Teleport is a gateway for managing access to clusters of *nix servers via
+SSH or the Kubernetes API. While it does also support connecting to
+servers running traditional OpenSSH, its own node deamon is intended to be
+used instead for additional functionality.
+
+With Teleport it is simple to adopt SSH best practices like using
+certificate-based access and enabling 2FA via TOTP (e.g. Google
+Authenticator), U2F or an SSO provider. Cluster nodes can be accessed via
+a CLI (tsh) or a Web UI which both allow for session sharing.
+
+Teleport provides centralized user management as well as full session
+recordings that can be played back for knowledge sharing or auditing
+purposes. It can also be used to protect Web applications like dashboards.