HACKER Q&A
📣 speedgoose

How did you replace Teleport?


Teleport is good software if you can't configure your SSH servers with Kerberos, or can't figure out Kubernetes' millions of authentication and authorisation solutions.

Unfortunately, the Teleport open-source version has been discontinued and the free version doesn't allow companies above 100 employees or with more than 10 million dollars of revenue per year. Fair enough, everyone should live well.

But Teleport Enterprise is very expensive and I have been priced out. I don't know if I can share the price behind the "contact sales" but if you wonder about the price, you probably are too poor. In my case, it's quite a few orders of magnitude more than the time Teleport saves me.

So, I have been looking for a replacement that is open-source and likely to stay open-source for a while. I can pay for it, but I don't have a "contact us" budget.

For HTTPS, I never used Teleport and will stay with oauth2-proxy. For SSH, I found warpgate and sshportal, which may work but look a bit experimental. For Kubernetes, it's a mess but perhaps kubelogin could do.

If you replaced Teleport, how did you do it?


  👤 gioazzi Accepted Answer ✓
Purely for the SSH part, if you’re uncomfortable using anything outside of OpenSSH itself for authentication, you could consider certificates[^1].

You’d still need something to sign the certificates based on some other identity, of course (it can be done manually but that kind of defeats the purpose), be it smallstep or something else.

[^1]: https://smallstep.com/blog/use-ssh-certificates/
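The certificate approach this answer describes, as an added example that is not part of the original post or of smallstep: a small Python inspector for OpenSSH user certificates in the PROTOCOL.certkeys wire format, the programmatic counterpart of reading `ssh-keygen -L` output, for auditing what a signing service issues (principals bounded, lifetime short). It builds a constructed, unsigned sample certificate; it does not verify the CA signature, which sshd does against TrustedUserCAKeys, and MAX_LIFETIME is an assumed policy value.

```python
import base64
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
MAX_LIFETIME = 8 * 3600  # assumed policy: a user certificate may live at most 8 hours

def _s(b):  # SSH "string": uint32 big-endian length prefix followed by the bytes
    return struct.pack(">I", len(b)) + b

def build_cert_line(pubkey, key_id, principals, valid_after, valid_before):
    """Constructed sample in the PROTOCOL.certkeys layout; nonce, options, extensions, CA key and signature are empty."""
    body = (_s(CERT_TYPE) + _s(b"") + _s(pubkey) + struct.pack(">QI", 1, 1)  # serial, type 1 = user
            + _s(key_id.encode()) + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before) + _s(b"") * 5)
    return CERT_TYPE.decode() + " " + base64.b64encode(body).decode()

def parse_cert_line(line):
    # Decode serial, type, key id, principals and validity window from a *-cert.pub line
    kind, b64 = line.split()[:2]
    buf, pos = base64.b64decode(b64), [0]
    def take(fmt):  # fixed-size field
        (v,) = struct.unpack_from(fmt, buf, pos[0])
        pos[0] += struct.calcsize(fmt)
        return v
    def string():  # length-prefixed field
        n = take(">I")
        v, pos[0] = buf[pos[0]:pos[0] + n], pos[0] + n
        return v
    if string() != kind.encode():
        raise ValueError("certificate type mismatch")
    string(); string()  # nonce and the certified public key, not needed for this check
    cert = {"serial": take(">Q"), "type": take(">I"), "key_id": string().decode()}
    packed, cert["principals"] = string(), []
    while packed:  # principals are a packed list of strings; an empty list means "any account"
        (n,) = struct.unpack_from(">I", packed)
        cert["principals"].append(packed[4:4 + n].decode())
        packed = packed[4 + n:]
    cert["valid_after"], cert["valid_before"] = take(">Q"), take(">Q")
    return cert

def check_cert(cert, principal, now):
    # None if the certificate is acceptable for `principal` at Unix time `now`, else the reason
    if cert["type"] != 1:
        return "not a user certificate"
    if principal not in cert["principals"]:  # an empty list would mean "any account", also rejected
        return "principal not listed or list empty"
    if not cert["valid_after"] <= now < cert["valid_before"]:
        return "outside validity window"
    if cert["valid_before"] - cert["valid_after"] > MAX_LIFETIME:
        return "lifetime exceeds policy"
    return None
```

The same parser works on a real `id_ed25519-cert.pub` line; only the empty-field shortcuts belong to the constructed sample.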


👤 seungwoolee518
If you need only SSH, you can try ContainerSSH[1] - it's pretty simple to set up & integrate using OPA for authorization.

It supports recording each session and saving it to various sources.

[1]: https://github.com/ContainerSSH/ContainerSSH


👤 cnkk
Do you only need authentication? Give Tailscale SSH a look.

👤 zxcvbn4038
That is too bad, Teleport is how I learned a lot of the crypto APIs in Golang. It also provided me with a glimpse into part of openssh which was never very well thought out - signed keys.

Since I was working in an environment where development teams tended to obtain root credentials from CI/CD pipelines and use them to change all the permissions on production servers or fill the storage with database dumps, I ditched Teleport, ssh, and logins altogether! We followed the serverless model and there are no logins to any compute resource. The only way to bring data in is via unprivileged CI/CD pipelines or the application's API; the only way to get data out is via stderr or writing to a resource like S3. Nothing runs with privileges, there is no ssh, there are no admin-only access methods. Overnight that eliminated almost everything mysterious or unreproducible. No more permissions issues.


👤 tlhodges
I have also been priced out. Exact same situation you're in. We're crossing our fingers that something good comes quickly from Cloudflare's purchase of BastionZero. Otherwise, I've heard good things about StrongDM but don't know pricing and don't have first-hand experience.

👤 sneakerblack
Try JumpServer:

https://github.com/jumpserver/jumpserver

It's an open-source PAM solution.

We're not using it in-house (we're actually using Teleport), and I haven't tried it, but I've heard many good things about it.


👤 cpach
Why not use the AGPL version?

(Announcement for those who haven’t seen it: https://goteleport.com/blog/teleport-community-license/)


👤 andriosr
Consider Hoop (https://hoop.dev) as an open source alternative. It's designed to be lightweight and developer-friendly.

Key features that are free/open source:

1. SSH, K8s, database access
2. RBAC and just-in-time access
3. Session recording
4. IdP integration

We monetize on advanced layer 7 features like AI data masking and firewall rules. But the core access management stuff stays free. Repo is public if you want to check it out: https://github.com/hoophq/hoop

Good luck finding a solution that fits your needs.