
nawasara/teleport
=================

Teleport SSO admin dashboard for Nawasara — list nodes/users/roles via Go sidecar, browser-based SSH terminal with Keycloak identity propagation.

v0.1.1 · MIT · PHP ^8.1

[Source](https://github.com/nawasara/teleport) · [Packagist](https://packagist.org/packages/nawasara/teleport)

Nawasara Teleport
=================


Teleport SSH SSO admin dashboard for the Nawasara superapp framework — list nodes/users/roles, launch browser-based SSH terminals with auto-login impersonation from Keycloak, and audit every access for forensic accountability.

Features
--------


- **Node inventory** — list all SSH nodes registered in the Teleport cluster with online/offline status, hostname, address, labels, and version
- **User & role browser** — list Teleport users with their roles + traits, list roles with full RBAC YAML expanded into a detail modal
- **Browser SSH terminal** — click \[Connect\] on any node, terminal opens in a new tab with `xterm.js`, auto-login as the admin's Keycloak identity (no password, no key, no separate Teleport credential)
- **Reconnect button** — when the WebSocket drops (network blip, shell exit, idle timeout), an in-place reconnect mints a fresh cert and rewires the WebSocket without leaving the page
- **SSH session audit log** — every launch + reconnect attempt logged to `nawasara_teleport_sessions` with reason, IP, user agent, ticket UUID, and (on close) duration in seconds
- **Sessions viewer page** — `/nawasara-teleport/sessions` with status filter, node filter, actor filter, search, time-window, hero stats (total/issued/failed/avg duration), and CSV export
- **Cross-package audit** — `nawasara/audit` impersonation log shows Teleport sessions alongside webmail/cPanel launch-as events for unified review

Architecture
------------


This package is the **Laravel half** of a two-tier system. The other half is [`nawasara/teleport-bridge`](https://github.com/nawasara/teleport-bridge) — a Go sidecar that wraps the Teleport API and bridges WebSocket ↔ SSH session.

```
Browser           Laravel (this package)         Sidecar (Go)            Teleport
   │                      │                          │                       │
   │  [Connect] click     │                          │                       │
   ├─────────────────────▶│  POST /api/connect       │                       │
   │                      ├─────────────────────────▶│  GenerateUserCerts    │
   │                      │                          ├──────────────────────▶│
   │                      │                          │◀──────────────────────│
   │                      │◀─ {ticket_id, ws_url}    │                       │
   │  open new tab + ws   │                          │                       │
   ├──────────────────────┼─────────────────────────▶│  ALPN dial proxy:443  │
   │                      │                          ├──────────────────────▶│
   │  ◀═══════════════════╪══════════════════════════╪═══ SSH session ═══════│

```

Installation
------------


```
composer require nawasara/teleport
php artisan migrate
php artisan db:seed --class="Nawasara\Teleport\Database\Seeders\PermissionSeeder" --force
```

The package is auto-discovered by Laravel.

Sidecar setup
-------------


This package will not function unless the Go sidecar is reachable. Set up the sidecar first:

1. Clone `nawasara/teleport-bridge` and follow its [setup guide](https://github.com/nawasara/teleport-bridge#setup-guide)
2. The sidecar needs:
    - `BRIDGE_SECRET` — shared HMAC secret (also stored in Vault on the Laravel side)
    - `TELEPORT_PROXY` — your Teleport proxy hostname:port (e.g. `teleport.example.com:443`)
    - `identity.pem` — Teleport identity file generated via `tsh login` for a dedicated bot user
3. Verify the sidecar is reachable: `curl http://127.0.0.1:9181/api/health` should return `200` with `cluster_name`

Storing credentials in Vault
----------------------------


1. Open Nawasara → `/nawasara-vault`
2. Choose the **Teleport** group
3. Fill in:
    - **Bridge URL** — sidecar HTTP endpoint, e.g. `http://127.0.0.1:9181`
    - **Bridge Secret** — same HMAC secret set in `BRIDGE_SECRET` on the sidecar
    - **Proxy Address** — Teleport proxy hostname:port, used for display only
4. Save and click **Test Connection** — should return `Connected to cluster: `

The package picks up credentials from Vault automatically.

Verification
------------


Open **Teleport → Nodes** in the sidebar. Your registered SSH nodes should appear with their online status. Click \[Connect\] on any node to launch a browser SSH terminal.

If something fails:

- Check the sidecar is running: `curl http://127.0.0.1:9181/api/health`
- Check the identity file is valid: on the sidecar host, run the `check-identity-ttl.sh` script bundled with the bridge
- Check Vault credentials match the sidecar `.env`
- Check the admin user has the `teleport.ssh.connect` permission

Permissions
-----------


| Permission | Description |
| --- | --- |
| `teleport.node.view` | List Teleport nodes |
| `teleport.user.view` | List Teleport users |
| `teleport.role.view` | List Teleport roles |
| `teleport.ssh.connect` | Launch browser SSH terminal (impersonate as Keycloak username) |
| `teleport.session.view` | View SSH session audit log (read-only — meant for compliance reviewers) |

All permissions auto-assigned to the `developer` role by the seeder.

`teleport.session.view` is intentionally separate from `teleport.ssh.connect` — auditors can read who accessed what without gaining the capability to launch new SSH sessions.

Routes
------


| Method | URL | Permission | Purpose |
| --- | --- | --- | --- |
| GET | `/nawasara-teleport/nodes` | `teleport.node.view` | Node inventory + Connect launcher |
| GET | `/nawasara-teleport/users` | `teleport.user.view` | Teleport user listing |
| GET | `/nawasara-teleport/roles` | `teleport.role.view` | Teleport role listing |
| GET | `/nawasara-teleport/sessions` | `teleport.session.view` | SSH session audit log |
| GET | `/nawasara-teleport/terminal/{ticket}` | `teleport.ssh.connect` | Fullscreen terminal page (xterm.js + ws) |
| POST | `/nawasara-teleport/terminal/{ticket}/reissue` | `teleport.ssh.connect` | Mint fresh ticket for in-place reconnect |
| POST | `/api/internal/teleport/session-closed` | HMAC bearer (sidecar only) | Webhook receiver for ws-close enrichment (duration\_seconds) |

How auto-login works
--------------------


1. Admin logs in to Nawasara via Keycloak SSO (handled by `nawasara/core`)
2. Admin clicks \[Connect\] on a node — Livewire opens a confirmation modal asking for an access reason
3. On submit, Laravel calls the sidecar `/api/connect` with the admin's Keycloak username + target node + OS login
4. Sidecar mints an ed25519 ephemeral keypair, signs an SSH cert via Teleport `GenerateUserCerts` API with the username field set to the Keycloak identity, issues a single-use UUID v7 ticket
5. Browser opens a new tab with the ticket in the URL; backend serves a standalone xterm.js page; JS opens a WebSocket to the sidecar
6. Sidecar dials Teleport proxy via TLS routing (ALPN protocol `teleport-proxy-ssh`), runs the `proxy:host:0@cluster` subsystem, stacks a second SSH client over the pipe, and bridges bytes between WS and the SSH session

The audit row is written before the cert is minted (so failed launches still appear), and updated on `ws.onclose` with `duration_seconds` and `ended_reason` via a webhook from sidecar to Laravel.
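The single-use ticket from step 4 travels in a URL, so it should be redeemable exactly once and only for a short time. The Go sketch below is an added example, not code from `nawasara/teleport-bridge`: the type and function names, the in-memory store, and the 30-second TTL are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"sync"
	"time"
)

type Ticket struct { // illustrative fields, not the bridge's own type
	User, Node, Login string
	Expires           time.Time
}
type TicketStore struct{ m sync.Map }

// newUUIDv7 lays out an RFC 9562 v7 UUID: 48-bit Unix-ms time, then random bits.
func newUUIDv7(now time.Time) string {
	var b [16]byte
	binary.BigEndian.PutUint64(b[:8], uint64(now.UnixMilli())<<16)
	if _, err := rand.Read(b[6:]); err != nil {
		panic(err) // no entropy: never hand out a guessable ticket
	}
	b[6], b[8] = b[6]&0x0f|0x70, b[8]&0x3f|0x80 // version 7, RFC variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[:4], b[4:6], b[6:8], b[8:10], b[10:])
}

// Issue stores a ticket valid for ttl (assumed short; the page gives no value).
func (s *TicketStore) Issue(user, node, login string, now time.Time, ttl time.Duration) string {
	id := newUUIDv7(now)
	s.m.Store(id, Ticket{user, node, login, now.Add(ttl)})
	return id
}

// Redeem removes the ticket atomically, so only one WebSocket upgrade can win.
func (s *TicketStore) Redeem(id string, now time.Time) (Ticket, error) {
	v, ok := s.m.LoadAndDelete(id)
	if !ok || now.After(v.(Ticket).Expires) {
		return Ticket{}, errors.New("ticket unknown, already used, or expired")
	}
	return v.(Ticket), nil
}

func main() {
	var s TicketStore
	id := s.Issue("alice", "web-1", "deploy", time.Now(), 30*time.Second)
	fmt.Println(s.Redeem(id, time.Now())) // first use succeeds
	fmt.Println(s.Redeem(id, time.Now())) // replay is rejected
}
```

Because a v7 UUID embeds its creation time, the ticket's unpredictability rests on the random bits alone, which is why the sketch refuses to issue one when the system random source fails.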

Author
------


**Pringgo J. Saputro**

License
-------


MIT

