diff --git a/docs/pages/admin-guides/access-controls/guides/headless.mdx b/docs/pages/admin-guides/access-controls/guides/headless.mdx index 38d5424c976cd..64571ac9777df 100644 --- a/docs/pages/admin-guides/access-controls/guides/headless.mdx +++ b/docs/pages/admin-guides/access-controls/guides/headless.mdx @@ -173,15 +173,11 @@ Teleport Connect can also be used to approve Headless WebAuthn logins. Teleport Connect will automatically detect the Headless WebAuthn login attempt and allow you to approve or cancel the request. -
![Headless Confirmation](../../../../img/headless/confirmation.png) -
You will be prompted to tap your MFA key to complete the approval process. -
![Headless WebAuthn Approval](../../../../img/headless/approval.png) -
## Troubleshooting diff --git a/docs/pages/admin-guides/deploy-a-cluster/helm-deployments/digitalocean.mdx b/docs/pages/admin-guides/deploy-a-cluster/helm-deployments/digitalocean.mdx index 8503dc760c106..3cbe508a8958b 100644 --- a/docs/pages/admin-guides/deploy-a-cluster/helm-deployments/digitalocean.mdx +++ b/docs/pages/admin-guides/deploy-a-cluster/helm-deployments/digitalocean.mdx @@ -21,15 +21,13 @@ cluster to Teleport. ## Step 1/4. Create a DigitalOcean Kubernetes cluster Create a new [DigitalOcean Kubernetes Cluster](https://cloud.digitalocean.com/kubernetes/clusters/) -
- ![Create DigitalOcean Kubernetes cluster](../../../../img/helm/digitalocean/create-k8s.png) -
+ +![Create DigitalOcean Kubernetes cluster](../../../../img/helm/digitalocean/create-k8s.png)
While the Kubernetes cluster is being provisioned, follow the "Getting Started" guide as shown below: -
- ![Set up DigitalOcean Kubernetes client](../../../../img/helm/digitalocean/setup-k8s.png) -
+ +![Set up DigitalOcean Kubernetes client](../../../../img/helm/digitalocean/setup-k8s.png) ## Step 2/4. Install Teleport @@ -116,9 +114,8 @@ teleport-cluster-auth ClusterIP 10.245.164.28 3025/TC ``` Once you get the value for the external IP (it may take a few minutes for this field to be populated), update your DNS record such that the clusterName's A record points to this IP address. For example `192.168.200.200` is the external IP in the above case. -
- ![Configure DNS](../../../../img/helm/digitalocean/fqdn.png) -
+ +![Configure DNS](../../../../img/helm/digitalocean/fqdn.png) ## Step 3/4. Create and set up Teleport user Now we create a Teleport user by executing the `tctl` command with `kubectl`. @@ -148,9 +145,8 @@ NOTE: Make sure tele.example.com:443 points at a Teleport proxy which users can Copy the link shown after executing the above command and open the link in a web browser to complete the user registration process (the link is `https://tele.example.com:443/web/invite/` in the above case). -
- ![Set up user](../../../../img/helm/digitalocean/setup-user.png) -
+ +![Set up user](../../../../img/helm/digitalocean/setup-user.png) After you complete the registration process by setting up a password and enrolling in multi-factor authentication, you will be logged in to Teleport Web UI. @@ -179,14 +175,12 @@ $ kubectl --namespace=teleport-cluster exec -i deployment/teleport-cluster-auth Now we will assign Teleport user **tadmin** with this role. The example below shows a process using Teleport Web UI: First, lets select user edit menu: -
- ![Edit user](../../../../img/helm/digitalocean/edit-user.png) -
+ +![Edit user](../../../../img/helm/digitalocean/edit-user.png) Second, update the **tadmin** user role to assign the **member** role: -
- ![Update role](../../../../img/helm/digitalocean/update-role.png) -
+ +![Update role](../../../../img/helm/digitalocean/update-role.png) We've updated the user **tadmin** to have the **member** role, which is allowed to access a Kubernetes cluster with privilege `system:master`. @@ -263,9 +257,8 @@ teleport-cluster-6cc679b6f6-7xr5h 1/1 Running 0 14h Voila! User **tadmin** was able to list the pods in their DigitalOcean Kubernetes cluster. Teleport keeps an audit log of access to a Kubernetes cluster. In the screenshot below, the Teleport audit log shows that the user **tadmin** has logged into the cluster. -
- ![View audit log](../../../../img/helm/digitalocean/view-activity.png) -
+ +![View audit log](../../../../img/helm/digitalocean/view-activity.png) ## Next steps diff --git a/docs/pages/admin-guides/deploy-a-cluster/helm-deployments/gcp.mdx b/docs/pages/admin-guides/deploy-a-cluster/helm-deployments/gcp.mdx index 5a4b44f4c499a..1d23b85f11cec 100644 --- a/docs/pages/admin-guides/deploy-a-cluster/helm-deployments/gcp.mdx +++ b/docs/pages/admin-guides/deploy-a-cluster/helm-deployments/gcp.mdx @@ -39,39 +39,27 @@ Go to the "Roles" section of Google Cloud IAM & Admin. 1. Click the "Create Role" button at the top. -
- ![Roles section](../../../../img/helm/gcp/1-roles@1.5x.png) -
+ ![Roles section](../../../../img/helm/gcp/1-roles@1.5x.png) 2. Fill in the details of a "Storage Bucket Creator" role (we suggest using the name `storage-bucket-creator-role`) -
- ![Create role](../../../../img/helm/gcp/2-createrole@1.5x.png) -
+ ![Create role](../../../../img/helm/gcp/2-createrole@1.5x.png) 3. Click the "Add Permissions" button. -
- ![Storage bucket creator role](../../../../img/helm/gcp/3-addpermissions@1.5x.png) -
+ ![Storage bucket creator role](../../../../img/helm/gcp/3-addpermissions@1.5x.png) 4. Use the "Filter" box to enter `storage.buckets.create` and select it in the list. -
- ![Filter the list](../../../../img/helm/gcp/4-storagebucketscreate@1.5x.png) -
+ ![Filter the list](../../../../img/helm/gcp/4-storagebucketscreate@1.5x.png) 5. Check the `storage.buckets.create` permission in the list and click the "Add" button to add it to the role. -
- ![Select storage.buckets.create](../../../../img/helm/gcp/5-select@1.5x.png) -
+ ![Select storage.buckets.create](../../../../img/helm/gcp/5-select@1.5x.png) 6. Once all these settings are entered successfully, click the "Create" button. -
- ![Create role](../../../../img/helm/gcp/6-createrole@1.5x.png) -
+ ![Create role](../../../../img/helm/gcp/6-createrole@1.5x.png) ### Create an IAM role granting Cloud DNS permissions @@ -79,41 +67,34 @@ Go to the "Roles" section of Google Cloud IAM & Admin. 1. Click the "Create Role" button at the top. -
- ![Roles section](../../../../img/helm/gcp/1-roles@1.5x.png) -
+ ![Roles section](../../../../img/helm/gcp/1-roles@1.5x.png) 2. Fill in the details of a "DNS Updater" role (we suggest using the name `dns-updater-role`) -
- ![Create role](../../../../img/helm/gcp/13-dns-createrole@1.5x.png) -
+ ![Create role](../../../../img/helm/gcp/13-dns-createrole@1.5x.png) 3. Click the "Add Permissions" button. -
- ![DNS updater role](../../../../img/helm/gcp/3-addpermissions@1.5x.png) -
- -4. Use the "Filter" box to find each of the following permissions in the list and add it. -You can type things like `dns.resourceRecordSets.*` to quickly filter the list. - -```console -dns.resourceRecordSets.create -dns.resourceRecordSets.delete -dns.resourceRecordSets.list -dns.resourceRecordSets.update -dns.changes.create -dns.changes.get -dns.changes.list -dns.managedZones.list -``` + ![DNS updater role](../../../../img/helm/gcp/3-addpermissions@1.5x.png) + +4. Use the "Filter" box to find each of the following permissions in the list + and add it. You can type things like `dns.resourceRecordSets.*` to quickly + filter the list. + + ```console + dns.resourceRecordSets.create + dns.resourceRecordSets.delete + dns.resourceRecordSets.list + dns.resourceRecordSets.update + dns.changes.create + dns.changes.get + dns.changes.list + dns.managedZones.list + ``` 5. Once all these settings are entered successfully, click the "Create" button. -
- ![Add DNS permissions](../../../../img/helm/gcp/14-dns-permissions-create@1.5x.png) -
+ ![Add DNS permissions](../../../../img/helm/gcp/14-dns-permissions-create@1.5x.png) ### Create a service account for the Teleport Helm chart @@ -127,15 +108,11 @@ Go to the "Service Accounts" section of Google Cloud IAM & Admin. 1. Click the "Create Service Account" button at the top. -
- ![Create service account](../../../../img/helm/gcp/7-serviceaccounts@1.5x.png) -
+ ![Create service account](../../../../img/helm/gcp/7-serviceaccounts@1.5x.png) 2. Enter details for the service account (we recommend using the name `teleport-helm`) and click the "Create" button. -
- ![Enter service account details](../../../../img/helm/gcp/8-createserviceaccount@1.5x.png) -
+ ![Enter service account details](../../../../img/helm/gcp/8-createserviceaccount@1.5x.png) 3. In the "Grant this service account access to project" section, add these four roles: @@ -146,9 +123,7 @@ Go to the "Service Accounts" section of Google Cloud IAM & Admin. | Cloud Datastore Owner | Grants permissions to create Cloud Datastore collections | | Storage Object Admin | Allows read/write/delete of Google Cloud storage objects | -
- ![Add roles](../../../../img/helm/gcp/9-addroles@1.5x.png) -
+![Add roles](../../../../img/helm/gcp/9-addroles@1.5x.png) 4. Click the "continue" button to save these settings, then click the "create" button to create the service account. @@ -158,22 +133,16 @@ Go back to the "Service Accounts" view in Google Cloud IAM & Admin. 1. Click on the `teleport-helm` service account that you just created. -
- ![Click on the service account](../../../../img/helm/gcp/10-serviceaccountdetails@1.5x.png) -
+ ![Click on the service account](../../../../img/helm/gcp/10-serviceaccountdetails@1.5x.png) 2. Click the "Keys" tab at the top and click "Add Key". Choose "JSON" and click "Create". -
- ![Create JSON key](../../../../img/helm/gcp/11-createkey.png) -
+ ![Create JSON key](../../../../img/helm/gcp/11-createkey.png) 3. The JSON private key will be downloaded to your computer. Take note of the filename (`bens-demos-24150b1a0a7f.json` in this example) as you will need it shortly. -
- ![Private key saved](../../../../img/helm/gcp/12-privatekey@1.5x.png) -
+ ![Private key saved](../../../../img/helm/gcp/12-privatekey@1.5x.png) #### Create the Kubernetes secret containing the JSON private key for the service account diff --git a/docs/pages/admin-guides/deploy-a-cluster/linux-demo.mdx b/docs/pages/admin-guides/deploy-a-cluster/linux-demo.mdx index c60cc47127990..5f547335f8bb1 100644 --- a/docs/pages/admin-guides/deploy-a-cluster/linux-demo.mdx +++ b/docs/pages/admin-guides/deploy-a-cluster/linux-demo.mdx @@ -15,10 +15,8 @@ You can also get started right away with a production-ready Teleport cluster by signing up for a [free trial of Teleport Enterprise Cloud](https://goteleport.com/signup/). -
![Architecture of the setup you will complete in this guide](../../../img/linux-server-diagram.png) -
We will run the following Teleport services: diff --git a/docs/pages/admin-guides/management/export-audit-events/fluentd.mdx b/docs/pages/admin-guides/management/export-audit-events/fluentd.mdx index 4cc6f653ffd24..feff73c5b13f6 100644 --- a/docs/pages/admin-guides/management/export-audit-events/fluentd.mdx +++ b/docs/pages/admin-guides/management/export-audit-events/fluentd.mdx @@ -14,9 +14,7 @@ This guide also serves as an explanation for the Teleport Event Handler plugin, using Fluentd as the target service. We'll create a local Docker container as a destination for the Event Handler: -
![The Teleport Fluentd plugin](../../../../img/enterprise/plugins/fluentd-diagram.png) -
You can follow the instructions below for a local proof-of-concept demo, or use any of the additional installation instructions to configure the Teleport Event Handler diff --git a/docs/pages/admin-guides/management/guides/ec2-tags.mdx b/docs/pages/admin-guides/management/guides/ec2-tags.mdx index ae9fcc317f411..32c80cbf0a38b 100644 --- a/docs/pages/admin-guides/management/guides/ec2-tags.mdx +++ b/docs/pages/admin-guides/management/guides/ec2-tags.mdx @@ -50,22 +50,17 @@ To launch a new instance with instance metadata tags enabled: 1. Ensure that `Metadata accessible` is not disabled. 1. Enable `Allow tags in metadata`. -
![Advanced Options](../../../../img/aws/launch-instance-advanced-options.png) -
To modify an existing instance to enable instance metadata tags: 1. From the instance summary, go to `Actions > Instance Settings > Allow tags in instance metadata`. -1. Enable `Allow`. -
![Instance Settings](../../../../img/aws/instance-settings.png) -
-
+1. Enable `Allow`. + ![Allow Tags](../../../../img/aws/allow-tags.png) -
### AWS CLI diff --git a/docs/pages/admin-guides/teleport-policy/integrations/entra-id.mdx b/docs/pages/admin-guides/teleport-policy/integrations/entra-id.mdx index bbd20a20676d0..23eae60779908 100644 --- a/docs/pages/admin-guides/teleport-policy/integrations/entra-id.mdx +++ b/docs/pages/admin-guides/teleport-policy/integrations/entra-id.mdx @@ -110,24 +110,18 @@ navigate to the "Access Management" tab, and choose "Enroll New Integration", th In the onboarding wizard, choose a Teleport user that will be assigned as the default owner of Access Lists that are created for your Entra groups, and click "Next". -
![First step of the Entra ID integration onboarding](../../../../img/access-graph/entra-id/integration-wizard-step-1.png) -
### Grant permissions in Azure and finish onboarding The wizard will now provide you with a script that will set up the necessary permissions in Azure. -
![Second step of the Entra ID integration onboarding](../../../../img/access-graph/entra-id/integration-wizard-step-2.png) -
Open Azure Cloud Shell by navigating to shell.azure.com, or by clicking the Cloud Shell icon in the Azure Portal. -
![Location of the Cloud Shell button in the Azure Portal](../../../../img/access-graph/entra-id/azure-cloud-shell-button.png) -
Make sure to use the Bash version of Cloud Shell. Once a Cloud Shell instance opens, paste the generated command. @@ -141,9 +135,7 @@ it prints out the data required to finish the integration onboarding. Back in the Teleport Web UI, fill out the required data and click "Finish". -
![Second step of the Entra ID integration onboarding with required fields filled in](../../../../img/access-graph/entra-id/integration-wizard-step-2-filled.png) -
diff --git a/docs/pages/admin-guides/teleport-policy/policy-connections.mdx b/docs/pages/admin-guides/teleport-policy/policy-connections.mdx index 890381551a760..ef3142c1a9e94 100644 --- a/docs/pages/admin-guides/teleport-policy/policy-connections.mdx +++ b/docs/pages/admin-guides/teleport-policy/policy-connections.mdx @@ -83,9 +83,7 @@ When you inspect a particular user's access, the Teleport Access Graph will auto To see more details about a specific database object, simply select it. -
![Details of an individual database object](../../../img/access-graph/dac/db-object-details.png) -
In the graph, database objects are connected by multiple edges: diff --git a/docs/pages/connect-your-client/gui-clients.mdx b/docs/pages/connect-your-client/gui-clients.mdx index 1b57e45c31434..efaf9cf27332b 100644 --- a/docs/pages/connect-your-client/gui-clients.mdx +++ b/docs/pages/connect-your-client/gui-clients.mdx @@ -578,9 +578,7 @@ Test and create the connection. The new connection should appear on the list. -
![SQL Developer (VS Code) Connected (basic)](../../img/database-access/guides/oracle/sql-developer-vscode-connected-basic@2x.png) -
@@ -607,9 +605,7 @@ Test and create the connection. The new connection should appear on the list. -
![SQL Developer (VS Code) Connected (JDBC)](../../img/database-access/guides/oracle/sql-developer-vscode-connected-jdbc@2x.png) -
diff --git a/docs/pages/connect-your-client/putty-winscp.mdx b/docs/pages/connect-your-client/putty-winscp.mdx index c39f7403a2b4e..c5621639181ab 100644 --- a/docs/pages/connect-your-client/putty-winscp.mdx +++ b/docs/pages/connect-your-client/putty-winscp.mdx @@ -131,15 +131,11 @@ If you don't provide a login to this command, your local Windows username is use 1. Start PuTTY to see the saved sessions available for your cluster. -
![Main PuTTY window](../../img/connect-your-client/putty-window.png) -
2. Double-click a session to connect to the host through Teleport. -
![PuTTY console](../../img/connect-your-client/putty-console.png) -
After you connect to the host, Teleport generates an audit log entry for the session's start, and appears in the list of "Active Sessions" within Teleport. @@ -192,24 +188,18 @@ transfer files to and from it. If you don't see the Site Manager "Login" dialog appear with a list of sessions to connect to when WinSCP starts, click the **Tabs** menu, choose **Sites**, then **Site Manager...** to show it. -
![WinSCP Site Manager window](../../img/connect-your-client/winscp-1.png) -
2. Click the **Tools** button at the bottom left, and choose **Import Sites**. -
![Click 'Tools', then choose 'Import Sites...'](../../img/connect-your-client/winscp-2.png) -
3. Check the box next to any saved PuTTY sessions that you wish to import into WinSCP for use, then click the "OK" button. If you don't see sessions matching the hosts that you want to connect to, close this box and run `tsh puttyconfig @` from a terminal [as described above](#summary) to add the sessions, then repeat this step. -
![Choose PuTTY sessions to import and click OK](../../img/connect-your-client/winscp-3.png) -
4. To tell WinSCP it should trust and load saved Host CAs from PuTTY, click **Tools** again at the bottom left, then choose **Preferences...** @@ -218,23 +208,17 @@ then choose **Preferences...** You can skip steps 4 and 5 if you've completed the process as this user on this PC before. -
![Click 'Tools', then choose 'Preferences...'](../../img/connect-your-client/winscp-4.png) -
5. Click the **Security** section at the left, then check the **Load authorities from PuTTY** checkbox under the *Trusted host certification authorities* section and click **OK** to exit. -
![Click 'Security', Check 'Load authorities from PuTTY' then click OK](../../img/connect-your-client/winscp-5.png) -
6. Choose the host to connect to from the list at the left-hand side and click **Login**. You can also start the session by double clicking on its name if you like. -
![Choose the host from the list and click Login](../../img/connect-your-client/winscp-6.png) -
Uploading or downloading files using WinSCP through Teleport will generate audit events. diff --git a/docs/pages/enroll-resources/auto-discovery/servers/azure-discovery.mdx b/docs/pages/enroll-resources/auto-discovery/servers/azure-discovery.mdx index 39bdc1590a814..d609f394866f4 100644 --- a/docs/pages/enroll-resources/auto-discovery/servers/azure-discovery.mdx +++ b/docs/pages/enroll-resources/auto-discovery/servers/azure-discovery.mdx @@ -182,15 +182,11 @@ you want to further limit the `assignableScopes`, you can use a resource group Now go to the [Subscriptions](https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBlade) page and select a subscription. Click on *Access control (IAM)* in the subscription and select *Add > Add custom role*: -
![IAM custom role](../../../../img/azure/add-custom-role@2x.png) -
In the custom role creation page, click the *JSON* tab and click *Edit*, then paste the JSON example and replace the subscription in `assignableScopes` with your own subscription id: -
![Create JSON role](../../../../img/server-access/guides/azure/vm-create-role-from-json@2x.png) -
### Create a role assignment for the Teleport Discovery Service principal diff --git a/docs/pages/enroll-resources/database-access/enroll-azure-databases/azure-postgres-mysql.mdx b/docs/pages/enroll-resources/database-access/enroll-azure-databases/azure-postgres-mysql.mdx index 8c5f57c92c970..427a3712fc406 100644 --- a/docs/pages/enroll-resources/database-access/enroll-azure-databases/azure-postgres-mysql.mdx +++ b/docs/pages/enroll-resources/database-access/enroll-azure-databases/azure-postgres-mysql.mdx @@ -94,15 +94,11 @@ more information. Go to the [Subscriptions](https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBlade) page and select a subscription. Click on *Access control (IAM)* in the subscription and select *Add > Add custom role*: -
![IAM custom role](../../../../img/azure/add-custom-role@2x.png) -
In the custom role creation page, click the *JSON* tab and click *Edit*, then paste the JSON example and replace the subscription in "assignableScopes" with your own subscription id: -
![Create JSON role](../../../../img/database-access/guides/azure/create-role-from-json@2x.png) -
### Create a role assignment for the Teleport Database Service principal diff --git a/docs/pages/enroll-resources/database-access/enroll-azure-databases/azure-redis.mdx b/docs/pages/enroll-resources/database-access/enroll-azure-databases/azure-redis.mdx index 215081951eda4..f6c93bc18edf2 100644 --- a/docs/pages/enroll-resources/database-access/enroll-azure-databases/azure-redis.mdx +++ b/docs/pages/enroll-resources/database-access/enroll-azure-databases/azure-redis.mdx @@ -139,15 +139,11 @@ you want to further limit the `assignableScopes`, you can use a resource group Now go to the [Subscriptions](https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBlade) page and select a subscription. Click on *Access control (IAM)* in the subscription and select *Add > Add custom role*: -
![IAM custom role](../../../../img/azure/add-custom-role@2x.png) -
In the custom role creation page, click the *JSON* tab and click *Edit*, then paste the JSON example and replace the subscription in `assignableScopes` with your own subscription id: -
![Create JSON role](../../../../img/database-access/guides/azure/redis-create-role-from-json.png) -
### Create a role assignment for the Teleport Database Service principal diff --git a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/sql-server-ad-pkinit.mdx b/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/sql-server-ad-pkinit.mdx index 5d012041eb06c..9eb3e74b31bc9 100644 --- a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/sql-server-ad-pkinit.mdx +++ b/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/sql-server-ad-pkinit.mdx @@ -119,9 +119,7 @@ You will need to repeat these steps if you rotate Teleport's database certificat 1. Click through the wizard, selecting your CA file (`db-ca.cer`). -
![Import Teleport CA](../../../../img/desktop-access/ca.png) -
### Enable smart card service @@ -136,9 +134,7 @@ Teleport performs certificate-based authentication by emulating a smart card. 1. Double click on `Smart Card`, select `Define this policy setting` and switch to `Automatic` then click `OK`. -
![Enable Smartcard](../../../../img/desktop-access/smartcard.png) -
You will be modifying GPOs, and sometimes GPO modifications can take some time diff --git a/docs/pages/enroll-resources/desktop-access/active-directory.mdx b/docs/pages/enroll-resources/desktop-access/active-directory.mdx index 67c2eb555f640..a944a4a88d7e9 100644 --- a/docs/pages/enroll-resources/desktop-access/active-directory.mdx +++ b/docs/pages/enroll-resources/desktop-access/active-directory.mdx @@ -205,9 +205,7 @@ logins. 1. Verify the **Teleport Service Account** is selected, then click **OK** in all the dialogs. -
![Deny interactive login](../../../img/desktop-access/deny-interactive-login.png) -
1. Repeat these steps for **Deny log on through Remote Desktop Services**. @@ -273,9 +271,7 @@ To configure the group policy object: should apply this GPO to the automatically-created OU with the NetBIOS domain name containing `Computers` and `Users` nested one level inside the domain root. -
![AWS Managed AD OU Location](../../../img/desktop-access/aws-managed-ad.png) -
1. Open **Group Policy Management** and expand Forest, Domains, your domain, and Group Policy Objects to locate the GPO you just created. @@ -289,9 +285,7 @@ To configure the group policy object: 1. Use the wizard to select and import the Teleport certificate. -
![Import Teleport CA](../../../img/desktop-access/ca.png) -
If you are using HSM-backed keys, you should repeat this step for each CA certificate. @@ -367,9 +361,7 @@ To add smart card authentication to your group policy object: 1. Select **Automatic**, then click **OK**. -
![Enable Smartcard](../../../img/desktop-access/smartcard.png) -
1. To ensure your GPO update takes effect immediately on this host, open PowerShell and run the following command (optional): @@ -401,9 +393,7 @@ Next you need to configure policies that allow remote connections to domain comp [NLA](#network-level-authentication-nla) section.
-
![Disable Require](../../../img/desktop-access/disable.png) -
1. Right-click **Always prompt for password upon connection**, select **Edit**, select **Disabled**, then click **OK**. @@ -423,9 +413,7 @@ Next you need to configure policies that allow remote connections to domain comp - Select **User Mode (TCP-in)**, then click **Next**. - Select **Allow the connection**, then click **Finish**. -
![Open the Firewall](../../../img/desktop-access/firewall.png) -
1. To ensure your GPO update takes effect immediately on this host, open PowerShell and run the following command (optional): @@ -447,23 +435,17 @@ the performance of remote desktop connections. 1. Right-click **Configure RemoteFX**, select **Edit**, select **Enabled**, then click **OK**. -
![Enable RemoteFX](../../../img/desktop-access/enable-remotefx-step-1.png) -
1. Now left-click **Remote Session Environment** (**`Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment`** in the left pane) and from the items in the right pane, right-click **Enable RemoteFX encoding for RemoteFX clients designed for Windows Server 2008 R2 SP1**, select **Edit**, select **Enabled**, then click **OK**. -
![Enable RemoteFX](../../../img/desktop-access/enable-remotefx-step-2.png) -
1. Again left-click **Remote Session Environment** in the left pane, and from the items in the right pane, right-click **Limit maximum color depth**, select **Edit**, select **Enabled**, then click **OK**. -
![Enable RemoteFX](../../../img/desktop-access/enable-remotefx-step-3.png) -
1. Open PowerShell and run the following command to update your Teleport group policy object: @@ -543,9 +525,7 @@ To update the Teleport group policy object to use the new certificate template: 1. Right-click **Server authentication certificate template**, select **Edit**, select **Enabled**, then set the Certificate Template Name to **RemoteDesktopAccess**. -
![RDP Certificate Template](../../../img/desktop-access/rdp-certificate-template.png) -
1. Expand Computer Configuration, Policies, and Windows Settings to select **Public Key Policies**. diff --git a/docs/pages/enroll-resources/machine-id/access-guides/databases.mdx b/docs/pages/enroll-resources/machine-id/access-guides/databases.mdx index 5b37e06c3e190..b271136245ae0 100644 --- a/docs/pages/enroll-resources/machine-id/access-guides/databases.mdx +++ b/docs/pages/enroll-resources/machine-id/access-guides/databases.mdx @@ -9,9 +9,7 @@ can be used to grant machines secure, short-lived access to these databases. In this guide, you will configure `tbot` to produce credentials that can be used to access a database configured in Teleport. -
![Accessing Teleport-protected databases with Machine ID](../../../../img/machine-id/machine-id-database-access.svg) -
## Prerequisites diff --git a/docs/pages/enroll-resources/machine-id/deployment/jenkins.mdx b/docs/pages/enroll-resources/machine-id/deployment/jenkins.mdx index 35513e335dc11..aec6c8d70cb31 100644 --- a/docs/pages/enroll-resources/machine-id/deployment/jenkins.mdx +++ b/docs/pages/enroll-resources/machine-id/deployment/jenkins.mdx @@ -52,9 +52,7 @@ scope for server access, reduce the blast radius if one pipeline is compromised, and allow you to remotely audit and lock pipelines if you detect malicious behavior. -
![Jenkins Deployments](../../../../img/machine-id/jenkins.png) -
## Step 1/2 Configure and start Machine ID diff --git a/docs/pages/enroll-resources/server-access/getting-started.mdx b/docs/pages/enroll-resources/server-access/getting-started.mdx index 4e3d96d64bb09..d11df2afbb62a 100644 --- a/docs/pages/enroll-resources/server-access/getting-started.mdx +++ b/docs/pages/enroll-resources/server-access/getting-started.mdx @@ -26,13 +26,7 @@ per the instructions in this guide. Do not run the SSH Service as a Kubernetes pod, as there is no guarantee that the SSH Service pod is running on a server that a user intends to access. -
![Teleport Bastion](../../../img/server-access/getting-started-diagram.png) -
## Prerequisites @@ -145,13 +139,7 @@ Principle of Least Privilege. You should now be able to view your server in the Teleport Web UI after logging in as `myuser`: -
- ![Both servers in the Web UI](../../../img/server-access/teleport_ui.png) -
+![Both servers in the Web UI](../../../img/server-access/teleport_ui.png) ## Step 3/4. SSH into the server diff --git a/docs/pages/enroll-resources/server-access/guides/recording-proxy-mode.mdx b/docs/pages/enroll-resources/server-access/guides/recording-proxy-mode.mdx index d4ed075aa9d53..73901441c230a 100644 --- a/docs/pages/enroll-resources/server-access/guides/recording-proxy-mode.mdx +++ b/docs/pages/enroll-resources/server-access/guides/recording-proxy-mode.mdx @@ -7,13 +7,7 @@ Teleport Recording Proxy Mode was added to allow Teleport users to enable session recording for servers running `sshd`, which is helpful when gradually transitioning large server fleets to Teleport. -
- ![Teleport OpenSSH Recording Proxy](../../../../img/server-access/openssh-proxy.png) -
+![Teleport OpenSSH Recording Proxy](../../../../img/server-access/openssh-proxy.png) diff --git a/docs/pages/enroll-resources/server-access/guides/ssh-pam.mdx b/docs/pages/enroll-resources/server-access/guides/ssh-pam.mdx index 1c636728949f2..587a1debebf22 100644 --- a/docs/pages/enroll-resources/server-access/guides/ssh-pam.mdx +++ b/docs/pages/enroll-resources/server-access/guides/ssh-pam.mdx @@ -170,13 +170,7 @@ $ cat /etc/motd # WARNING: All activity on this node is being recorded by Teleport ``` -
- ![Teleport SSH with updated MOTD](../../../../img/motd/teleport-with-updated-MOTD.png) -
+![Teleport SSH with updated MOTD](../../../../img/motd/teleport-with-updated-MOTD.png) ## Create local Unix users on login diff --git a/docs/pages/enroll-resources/server-access/guides/vscode.mdx b/docs/pages/enroll-resources/server-access/guides/vscode.mdx index 80227d5236f58..a352b689bb787 100644 --- a/docs/pages/enroll-resources/server-access/guides/vscode.mdx +++ b/docs/pages/enroll-resources/server-access/guides/vscode.mdx @@ -91,17 +91,13 @@ When you see this error, re-run `tsh login` to refresh your local certificate. Install the [Remote - SSH extension][remote-ssh] in your local VS Code instance. A new "Window Indicator" (icon with two arrows) should appear in the bottom left of your VS Code window. -
![Window Indicator in bottom left corner of VS Code](../../../../img/vscode/window-indicator.png) -
Prior to connecting with a host, set the `Remote.SSH: Use Local Server` setting to false in the extension setting. You can search for `@ext:ms-vscode-remote.remote-ssh ` to find the plugin-specific settings. -
![Remote SSH Extension VS Code Settings](../../../../img/vscode/settings.png) -
To connect, click on the icon with two arrows and select "Connect to Host...". Select "+ Add New SSH Host..." @@ -112,9 +108,7 @@ For each host you wish to remotely develop on, add an entry like the following: alice@node000.foo.example.com ``` -
![Input box to add new Node](../../../../img/vscode/add-host.png) -
When prompted to choose which SSH Configuration file to update select the one we generated during Step 1. @@ -126,24 +120,18 @@ Start a Remote Development session by either: 1. Clicking "Connect" on the notification that opens after adding a new host. -
![Notification of "Host added" that has connect button](../../../../img/vscode/host-added-notification.png) -
2. Clicking on the Window Indicator again and selecting "Connect to Host". You should see the host you just added and any others in your Configuration file in the drop down. -
![Connecting to a Teleport host in VS Code](../../../../img/vscode/select-host-to-connect.png) -
On first connect, you'll be prompted to configure the remote OS. Select the proper platform and VS Code will install its server-side component. When it completes, you should be left with a working editor: -
![VS Code connected to a Teleport Node](../../../../img/vscode/connected-editor.png) -
The Window Indicator in the bottom left highlights the currently connected remote host. diff --git a/docs/pages/includes/database-access/attach-iam-policies.mdx b/docs/pages/includes/database-access/attach-iam-policies.mdx index df5fc4bb2af3a..b3c0d02eab23e 100644 --- a/docs/pages/includes/database-access/attach-iam-policies.mdx +++ b/docs/pages/includes/database-access/attach-iam-policies.mdx @@ -6,6 +6,4 @@ in the AWS Management Console, attach the created policy in the "Permissions policies" section, and set the created boundary policy in the "Permissions boundary" section. -
![IAM user](../../../img/database-access/iam@2x.png) -
diff --git a/docs/pages/includes/database-access/azure-assign-service-principal.mdx b/docs/pages/includes/database-access/azure-assign-service-principal.mdx index 8cdce90ed5c4e..602b840591085 100644 --- a/docs/pages/includes/database-access/azure-assign-service-principal.mdx +++ b/docs/pages/includes/database-access/azure-assign-service-principal.mdx @@ -5,9 +5,7 @@ Navigate to the resource scope where you want to make the role assignment. Click select *Add > Add role assignment*. Choose the custom role you created as the role and the Teleport service principal as a member. -
![Assign role](../../../img/database-access/guides/azure/create-role-assignment@2x.png) -
The role assignment should be at a high enough scope to allow the Teleport Database Service to discover diff --git a/docs/pages/includes/server-access/azure-assign-service-principal.mdx b/docs/pages/includes/server-access/azure-assign-service-principal.mdx index d4149625858ce..f3eccbc532128 100644 --- a/docs/pages/includes/server-access/azure-assign-service-principal.mdx +++ b/docs/pages/includes/server-access/azure-assign-service-principal.mdx @@ -5,9 +5,7 @@ Navigate to the resource scope where you want to make the role assignment. Click select *Add > Add role assignment*. Choose the custom role you created as the role and the Teleport service principal as a member. -
![Assign role](../../../img/server-access/guides/azure/create-role-assignment@2x.png) -
The role assignment should be at a high enough scope to allow the Teleport Discovery Service to discover diff --git a/docs/pages/reference/architecture/authentication.mdx b/docs/pages/reference/architecture/authentication.mdx index 2268f37b51682..c69898fb63077 100644 --- a/docs/pages/reference/architecture/authentication.mdx +++ b/docs/pages/reference/architecture/authentication.mdx @@ -48,15 +48,8 @@ without invalidating the certificates, so any system can validate the certificat X.509 certificates are the same certificates you use when accessing websites with a browser. They bind identity to the public key with a certificate authority's signature. -
- ![x.509 certs](../../../img/architecture/x509-cert@2x.svg) -
- Teleport uses x.509 certificates for Kubernetes clusters, databases, web services and its own internal components, such as the Proxy Service and Auth Service, to establish mutually authenticated TLS connections (mTLS). @@ -66,15 +59,8 @@ Service, to establish mutually authenticated TLS connections (mTLS). OpenSSH certificates are similar to X.509 (web) certificates and also bind identity of the user or a server to the public key with a certificate authority's signature. -
- ![SSH certs](../../../img/architecture/ssh-cert@2x.svg) -
- OpenSSH certificate contain metadata used to authenticate users and hosts: - List of principals (identities) this certificate belongs to. @@ -88,15 +74,8 @@ Expiry is a feature of certificates that makes time work in favor of security. SSH and X.509 certificates include an optional expiry date that is verified by servers in addition to a signature. -
- ![Short lived certs](../../../img/architecture/ssh-cert-short-lived@1.5x.svg) -
- In the diagram above, Alice gets a short lived SSH certificate, but the same rules apply to X.509 certificates issued by Teleport and used for Kubernetes, Databases, Web Apps and Desktops. @@ -115,14 +94,7 @@ To issue a certificate to a user, Teleport opens login screen, issues a cert and We recommend using SSO with GitHub, Okta or any other identity provider and get a cert. -
- ![SSO exchange for short-lived certs](../../../img/architecture/idp-sso-traits@1.5x.svg) -
### Short-lived Certs for Services @@ -130,14 +102,7 @@ Deployment automation services, such as Jenkins, can use Teleport's Machine ID service to receive and renew certificates. Teleport Machine ID's bot runs alongside services and rotates SSH and X.509 certificates. -
- ![Certificates for services](../../../img/architecture/certs-machine-id@1.8x.svg) -
### Internal certificates diff --git a/docs/pages/reference/architecture/authorization.mdx b/docs/pages/reference/architecture/authorization.mdx index f7b86ec2f9a7a..563b7a04f550b 100644 --- a/docs/pages/reference/architecture/authorization.mdx +++ b/docs/pages/reference/architecture/authorization.mdx @@ -68,14 +68,7 @@ Non-interactive users have to use Teleport's machine ID product to receive and r Teleport Machine ID's bot runs alongside services and rotates SSH and X.509 certificates on behalf of non-interactive users: -
- ![Certificates for services](../../../img/architecture/certs-machine-id@1.8x.svg) -
#### External non-interactive users diff --git a/docs/pages/reference/architecture/tls-routing.mdx b/docs/pages/reference/architecture/tls-routing.mdx index d05baeef68615..7ccb0cbc31ff2 100644 --- a/docs/pages/reference/architecture/tls-routing.mdx +++ b/docs/pages/reference/architecture/tls-routing.mdx @@ -55,9 +55,7 @@ these clients can connect to it. ### Diagram -
- ![TLS routing](../../../img/architecture/tls-routing.png) -
+![TLS routing](../../../img/architecture/tls-routing.png) Let's take a look at how each protocol Teleport supports implements TLS routing.
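Review bot: in the ssh-pam.mdx hunk (`@@ -170,13 +170,7 @@`) the removed wrapper lines appear here only as bare `-` markers, so the patch as rendered does not record which component is being stripped from around the MOTD screenshot; the PR description should name it so the change is reviewable from the diff. The screenshot itself survives as `+![Teleport SSH with updated MOTD](../../../../img/motd/teleport-with-updated-MOTD.png)`, so this hunk changes only the wrapper, not the page content.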
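Review bot: the authentication.mdx hunk `@@ -48,15 +48,8 @@` deletes the figure outright instead of unwrapping it: fifteen lines become eight with no `+` line, so `![x.509 certs](../../../img/architecture/x509-cert@2x.svg)` disappears from the page, whereas the ssh-pam.mdx and tls-routing.mdx hunks re-add their image unwrapped. The same thing happens in the SSH certs hunk (`@@ -66,15 +59,8 @@`, `ssh-cert@2x.svg`) and the SSO hunk (`@@ -115,14 +94,7 @@`, `idp-sso-traits@1.5x.svg`). If the intent is only to drop the wrapper, each of these needs a `+![...](...)` line like the other files; if the diagrams are meant to go, the commit message should say so.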
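Review bot: in the authentication.mdx hunk `@@ -88,15 +74,8 @@`, removing `![Short lived certs](../../../img/architecture/ssh-cert-short-lived@1.5x.svg)` with no replacement leaves the following context line, `In the diagram above, Alice gets a short lived SSH certificate`, referring to a diagram that is no longer on the page. Either restore the image as `+![Short lived certs](../../../img/architecture/ssh-cert-short-lived@1.5x.svg)` or reword that sentence in the same change.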
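Review bot: both Machine ID hunks, `@@ -130,14 +102,7 @@` in authentication.mdx and `@@ -68,14 +68,7 @@` in authorization.mdx, drop `![Certificates for services](../../../img/architecture/certs-machine-id@1.8x.svg)` without adding a replacement line (fourteen lines become seven, nothing added). In authorization.mdx the preceding context sentence ends with a colon that introduces the figure (`... on behalf of non-interactive users:`), so the paragraph now ends on a colon with nothing after it. Re-add the image unwrapped or end that sentence with a period.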