Ask HN: How did you replace Teleport?

28 points | by speedgoose 9 months ago ago

17 comments

  • gioazzi 9 months ago

    Purely for the SSH part if you’re uncomfortable using anything outside of OpenSSH itself for authentication you could consider certificates[^1]

    You’d still need something to sign the certificates based on some other identity of course (it can be done manually but kind of defeats the purpose) be it smallstep or something else

    [^1]: https://smallstep.com/blog/use-ssh-certificates/

    • speedgoose 9 months ago

      Thanks, I played today with step-ca OpenSSH certificates. I think it does thing better than Teleport in some ways. It's also lacking many features but it's a good alternative for me. I like that it's still vanilla OpenSSH and it doesn't go in the way of other authentications systems.

      I wish the step-ca documentation for OpenSSH certificates was a bit more centralised. I had to look at quite a few pages, blog posts, and shell scripts to understand what to do.

  • seungwoolee518 9 months ago

    If you need only SSH, you can try ContainerSSH[1] - it's pretty simple to setup & integrate using OPA for authorization.

    It supports to record each Session and save to various sources.

    [1]: https://github.com/ContainerSSH/ContainerSSH

  • cnkk 9 months ago

    Do you only need authentication? Give Tailscale SSH a look.

  • zxcvbn4038 9 months ago

    That is too bad, Teleport is how I learned a lot of the crypto APIs in Golang. It also provided me with a glimpse into part of openssh which was never very well thought out - signed keys.

    Since I was working in an environment where development teams tended to obtain root credentials from CI-CD pipelines and use them to change all the permissions on production servers or fill the storage with database dumps, I ditched teleport, ssh, and logins altogether! We followed the serverless model and there are no logins to any compute resource. The only way to bring data in is via unprivileged ci/cd pipelines or the application's API, the only way to get data out is via stderr or writing to a resource like S3. Nothing runs with privileges, there is no ssh, there are no admin-only access methods. Overnight that eliminated almost everything mysterious or unreproducible. No more permissions issues.

  • tlhodges 9 months ago

    I have also been priced out. Exact same situation you're in. We're crossing our fingers that something good comes quickly from Cloudflare's purchase of BastionZero. Otherwise, I've heard good things about StrongDM but don't know pricing and don't have first hand experience.

    • andriosr 9 months ago

      Fair point about StrongDM and Teleport pricing. Actually, even their enterprise features are free in Hoop. We took a different approach - core PAM stuff is all free and open source.

      We monetize on a new layer - packet manipulation, like AI data masking. So you get enterprise PAM features without the enterprise price tag.

      Might be worth a look as given the strategy these features should remain free. Could save you some serious cash. Repo's public if you wanna kick the tires: https://github.com/hoophq/hoop

  • sneakerblack 9 months ago

    Try JumpServer:

    https://github.com/jumpserver/jumpserver

    Its an open-source PAM solution

    We're not using it in-house (we're actually using teleport), and I haven't tried it, but I've heard many good things about it

  • cpach 9 months ago

    Why not use the AGPL version?

    (Announcement for those who haven’t seen it: https://goteleport.com/blog/teleport-community-license/)

    • speedgoose 9 months ago

      That's a good point.

      Compiling and distributing binaries for all users and systems doesn't sound trivial. Only taking care of the teleport `tsh` client between windows, mac, and linux, for arm64 and amd64, sounds like a lot of boring work. Add that some users will likely download the forbidden tsh binary, that may call home and bring some unexpected bills, à la Oracle or Mirantis, it's not very appealing.

      • clvx 9 months ago

        they ship a flake.nix and a devbox.json configuration. Unless stuff is missing, this should be portable to produce the required binaries for linux/mac you need. This seems to produce typescript and golang.

    • tmottabr 9 months ago

      Because the community edition is no longer AGPL and no longer being developed and the new license has this clause:

      Companies may use Teleport Community Edition on the condition they have less than 100 employees and less than $10MM in annual revenue (AR).

      Like op said in his post..

      • cpach 9 months ago

        This repo still has AGPL… and another license…

        Not sure if AGPL covers all areas of the codebase?

        https://github.com/gravitational/teleport

        • tmottabr 8 months ago

          yes, but new versions are no longer AGPL..

          You could fork the last AGPL version but you would miss on new developments and fixes made after the license was changed..

          Or you would have to work the re-develop everything from scratch..

  • andriosr 9 months ago

    Consider Hoop (https://hoop.dev) as an open source alternative. It's designed to be lightweight and developer-friendly.

    Key features that are free/open source: 1. SSH, K8s, database access 2. RBAC and just-in-time access 3. Session recording 4. IdP integration

    We monetize on advanced layer 7 features like AI data masking and firewall rules. But the core access management stuff stays free. Repo is public if you want to check it out:https://github.com/hoophq/hoop

    Good luck finding a solution that fits your needs.