author | V3n3RiX <venerix@redcorelinux.org> | 2018-10-22 11:09:47 +0100 |
committer | V3n3RiX <venerix@redcorelinux.org> | 2018-10-22 11:09:47 +0100 |
commit | 64e107b9b6058580ff0432107eb37cefb0b2a7d8 (patch) | |
tree | 9a44e603e2ae365e2b1fe35ac37f73e830cdee1d /sys-cluster/teleport | |
parent | 957235cf19a691360c720f7913672adda4258ed0 (diff) |
gentoo resync : 22.10.2018
Diffstat (limited to 'sys-cluster/teleport')
-rw-r--r-- | sys-cluster/teleport/Manifest | 11 | ||||
-rw-r--r-- | sys-cluster/teleport/files/teleport-2.yaml | 130 | ||||
-rw-r--r-- | sys-cluster/teleport/files/teleport.yaml | 218 | ||||
-rw-r--r-- | sys-cluster/teleport/teleport-2.6.7.ebuild | 2 | ||||
-rw-r--r-- | sys-cluster/teleport/teleport-2.7.1.ebuild | 2 | ||||
-rw-r--r-- | sys-cluster/teleport/teleport-3.0.0.ebuild | 49 | ||||
-rw-r--r-- | sys-cluster/teleport/teleport-3.0.1.ebuild | 49 |
7 files changed, 402 insertions, 59 deletions
diff --git a/sys-cluster/teleport/Manifest b/sys-cluster/teleport/Manifest
index b659b5f45921..c56b4171e0e4 100644
--- a/sys-cluster/teleport/Manifest
+++ b/sys-cluster/teleport/Manifest
@@ -1,11 +1,16 @@
+AUX teleport-2.yaml 4823 BLAKE2B ed9fc1cf1d70872fb7e0798707f4bc6b121a0ac417a5062451937240abd9f51999a8990bdf6714abd9517118aa9dc87c2bfbf4f8b8e9e309a080cc5e04f10d68 SHA512 1430a78b89fd758e967acf76c3166b9c50017d6df2f4e6e23b6e683c39e5a1e5cb13012dc218482f38abaca14d45b7df7ba0a55d1598f13dd2c46732d12f1b45
 AUX teleport.conf.d 442 BLAKE2B 089128fa5d277f5b7cda5d054a079c4cfd7990b503df2ac6818c83f79ea73b7ded2abf7eed2a66cd32394483e5494502355837e03883085db8afd92e537bfb47 SHA512 e50e3d0030e467afcfaf42c8f56ba1c0397e3dc6a445981b3f1533d7a0a9e550aabdc8bff394a5b01e44d3445b1981e2e955ea38b079386f675df8a37d7d20de
 AUX teleport.init.d 940 BLAKE2B a3b5fd197e6d8e173903aac6e9db4a684a986ab7d52227d40128ec16457990e78bc8345153b3c87558d3073b6acc7337050f4d21aa9f41acde8334aae8fc1c3e SHA512 9dd26daa519e9fef30b25ef5af505b8b35d8566eaa02f0ec47a6f7805227e94eb25ffb8fd007b73e7c3a91f9e783d47391c55dd8d659d683770aa9d5a02df923
 AUX teleport.service 310 BLAKE2B 410a8ca2e1273a0b9ef1ad93f4ff21f71ecedc979e52eb4f7e1b807b5434fba2b88bd1e0a5544ac68489d6e0db641cda4d76e606bed9cc96527156088b9b088b SHA512 72a43cce5f16bbed63e3b25917d3a4d63641b735acf63975c13c3cd2624c7971f40dc697d1da0d9b94b54e675e051d0a4e863696f7ebcea14f1c4b86e9e1218b
 AUX teleport.service.conf 90 BLAKE2B 7f12f281d73ac6573c882a7910e400f901ff6392e0c576e4b7076972f4ced046f709c8898766aaf38cc38fbfcf450b526d3045ff859eed2a48e19dbd92ec3131 SHA512 d17faa0deaf3c864e5159d3567e542e36d09c6ea0ac91c663d3ae9729d1bccf7d2139f1f48fec132eccc473e023ffdaed0b8f2ee75db5dedc6ff36f637f68e1c
-AUX teleport.yaml 4823 BLAKE2B ed9fc1cf1d70872fb7e0798707f4bc6b121a0ac417a5062451937240abd9f51999a8990bdf6714abd9517118aa9dc87c2bfbf4f8b8e9e309a080cc5e04f10d68 SHA512 1430a78b89fd758e967acf76c3166b9c50017d6df2f4e6e23b6e683c39e5a1e5cb13012dc218482f38abaca14d45b7df7ba0a55d1598f13dd2c46732d12f1b45
+AUX teleport.yaml 9564 BLAKE2B e797480ebddc081a5fdbc10b5b2490aac675412638dee2f8790b289cbb061506c890156fb1a4807e28f14303e661864e5fc7922d01557815399adb13f2682930 SHA512 427e219fa6b787d0bf3a4e72f1573b50e52863d75444ca1d1da76812acb427bda3a537590856a39aad40a03415237b2a1f4893ed11e11039b287f7f5b97d2fa2
 DIST teleport-2.6.7.tar.gz 16655508 BLAKE2B a020ab999b7503cb7aec54ed81532baf9d08b98000f2c659f63859d89f7f2b5fb311c41d6fcafb7d9bf72ea1c97eecfc6ac621b7c90d74f5afe2717edb8b0402 SHA512 45002dcf7b99108ca6fffae94d6608188eb9b0bea05cd14068618bfb11c496cad5546e261f349fee70f2acb574e7fc44093683dd991001e01406da6982c5c4c3
 DIST teleport-2.7.1.tar.gz 18222601 BLAKE2B 86852a1c7f0b083d8fc46bb2e51e287f0d54ca8bd1a6306e21ad325b6f1487682f853eb313a1f6f6fc4dc4d25d93e909ed65dad6d00eb37f878904d6df30f98c SHA512 703056eb99aa91062c8d9cfa7852e3573c8968ce9dea0ff5b076d5225caf8d67b965948a47785cdc7e4341993ef3ed005677859d37653f7d22c05cb2db51efd7
-EBUILD teleport-2.6.7.ebuild 1249 BLAKE2B 01c6f8a1581bc6fd38569b67721f4e5a24447cd9c6ccf625bba939605663f5bb643e343d6c46da1091bc872d64d049e639a4be55a5a375c20ddb59d609c9e119 SHA512 c921673cf7955253255dd41b7f53954acce2a9b53b55b88c7385bf65d087b084159152966d172151f5567a67c3794c50fc5756f871ffd1b0e5c3253553ac2cc8
-EBUILD teleport-2.7.1.ebuild 1249 BLAKE2B 01c6f8a1581bc6fd38569b67721f4e5a24447cd9c6ccf625bba939605663f5bb643e343d6c46da1091bc872d64d049e639a4be55a5a375c20ddb59d609c9e119 SHA512 c921673cf7955253255dd41b7f53954acce2a9b53b55b88c7385bf65d087b084159152966d172151f5567a67c3794c50fc5756f871ffd1b0e5c3253553ac2cc8
+DIST teleport-3.0.0.tar.gz 22365657 BLAKE2B a9cfec07ec73970b1050c51819ef4820be95fcd94dce0ffbb62deca38af28a944929c83a9ed2b443a93eb21f55d0cac024b66acf81c5d6939ba8e6b6ba40438a SHA512 8cba0b7471bebe9cdac07b44f17c99b7b323061f310ef0e61a3ebe1c4ea2ca2b1c853177528c4725a83366406e8b1a5aba23ecdd5fba7290bd6cab74ada3340d
+DIST teleport-3.0.1.tar.gz 22365638 BLAKE2B 200d7612a56520607f7c157a4e1ff095f8621c2495cef520ce4db7b75f61346e7e5588ca8c9a9b9aa30b87d692c05d488343c3c7b1d30a46e90cacef42ed4172 SHA512 9a477ad174f0d7b0179cb4063731ebf0bd7cf31af22fb6db350b12839bfcdc9c8b68847bc33639546bf6b9026ee62ceb3197176f81a36d67f6b070f2eb4d65e1
+EBUILD teleport-2.6.7.ebuild 1251 BLAKE2B e03ca3a59d482d100c78a22197c205515c59ebfb0acee6286b3e6612a7bf6a71ae598d37bf935abc99a9b369de15e77ee1929d762e101d1a1a446aece769165c SHA512 da7ed88a169950fea543619e277d75d4c0a5d44d63552f43d9290deb748cbbd7b8094afeb386a088b887173332863c6a4f47ba117320d758809b7562b30d4037
+EBUILD teleport-2.7.1.ebuild 1251 BLAKE2B e03ca3a59d482d100c78a22197c205515c59ebfb0acee6286b3e6612a7bf6a71ae598d37bf935abc99a9b369de15e77ee1929d762e101d1a1a446aece769165c SHA512 da7ed88a169950fea543619e277d75d4c0a5d44d63552f43d9290deb748cbbd7b8094afeb386a088b887173332863c6a4f47ba117320d758809b7562b30d4037
+EBUILD teleport-3.0.0.ebuild 1249 BLAKE2B 01c6f8a1581bc6fd38569b67721f4e5a24447cd9c6ccf625bba939605663f5bb643e343d6c46da1091bc872d64d049e639a4be55a5a375c20ddb59d609c9e119 SHA512 c921673cf7955253255dd41b7f53954acce2a9b53b55b88c7385bf65d087b084159152966d172151f5567a67c3794c50fc5756f871ffd1b0e5c3253553ac2cc8
+EBUILD teleport-3.0.1.ebuild 1249 BLAKE2B 01c6f8a1581bc6fd38569b67721f4e5a24447cd9c6ccf625bba939605663f5bb643e343d6c46da1091bc872d64d049e639a4be55a5a375c20ddb59d609c9e119 SHA512 c921673cf7955253255dd41b7f53954acce2a9b53b55b88c7385bf65d087b084159152966d172151f5567a67c3794c50fc5756f871ffd1b0e5c3253553ac2cc8
 EBUILD teleport-9999.ebuild 1237 BLAKE2B 8b5f4312a98799074029bbb3ccc66105ba7534434b4a553905e467114fccfb2ae0636c71fe2d6556dff2c5fa2667fe9f8e36a36df74e7bf21fa4c3ff7da85a1e SHA512 e526b41dc228bbf1143ea15e879360e94e4ad6dd10764f4d31a07eb682605247ba4d653ed3d91f0e0dc076c015c796d9a24a2ff6bccbd91c73510385ca9d3030
 MISC metadata.xml 630 BLAKE2B ad22bb63ecf79ddd45b62fe0dcadd6d0d7fd475938b18ec868b56b0f4afe7ee5d3e0908eb0b13249a7c7b5031a3296bec406fea6fb487069a087c9e29dcf0ef2 SHA512 2aa911f2a91bfdea340b38715d69cbe59bcd460d34ac6d1d641f2badf2ba72f4e02cdd2f8a2ca387c9a9d19ea2c22e2be80ab4bb582d9395c1517b818f343c74
diff --git a/sys-cluster/teleport/files/teleport-2.yaml b/sys-cluster/teleport/files/teleport-2.yaml
new file mode 100644
index 000000000000..384dea937c97
--- /dev/null
+++ b/sys-cluster/teleport/files/teleport-2.yaml
@@ -0,0 +1,130 @@
+# By default, this file should be stored in /etc/teleport.yaml
+## IMPORTANT ##
+#When editing YAML configuration, please pay attention to how your editor handles white space. YAML requires consistent handling of tab characters
+# This section of the configuration file applies to all teleport
+# services.
+teleport:
+ # nodename allows to assign an alternative name this node can be reached by.
+ # by default it's equal to hostname
+ # nodename: graviton
+
+ # Data directory where Teleport keeps its data, like keys/users for
+ # authentication (if using the default BoltDB back-end)
+ data_dir: /var/lib/teleport
+
+ # one-time invitation token used to join a cluster. it is not used on
+ # subsequent starts
+ auth_token: xxxx-token-xxxx
+
+ # when running in multi-homed or NATed environments Teleport nodes need
+ # to know which IP it will be reachable at by other nodes
+ # public_addr: 10.1.0.5
+
+ # list of auth servers in a cluster. you will have more than one auth server
+ # if you configure teleport auth to run in HA configuration
+ auth_servers:
+ - localhost:3025
+
+ # Teleport throttles all connections to avoid abuse. These settings allow
+ # you to adjust the default limits
+ connection_limits:
+ max_connections: 1000
+ max_users: 250
+
+ # Logging configuration. Possible output values are 'stdout', 'stderr' and
+ # 'syslog'. Possible severity values are INFO, WARN and ERROR (default).
+ log:
+ output: stderr
+ severity: ERROR
+
+ # Type of storage used for keys. You need to configure this to use etcd
+ # backend if you want to run Teleport in HA configuration.
+ storage:
+ type: bolt
+
+# This section configures the 'auth service':
+auth_service:
+ enabled: yes
+
+ # defines the types and second factors the auth server supports
+ authentication:
+ # second_factor can be off, otp, or u2f
+ second_factor: otp
+
+ # this section is only used if using u2f
+ u2f:
+ # app_id should point to the Web UI.
+ app_id: https://localhost:3080
+
+ # facets should list all proxy servers.
+ facets:
+ - https://localhost
+ - https://localhost:3080
+
+ # IP and the port to bind to. Other Teleport nodes will be connecting to
+ # this port (AKA "Auth API" or "Cluster API") to validate client
+ # certificates
+ listen_addr: 0.0.0.0:3025
+
+ # Pre-defined tokens for adding new nodes to a cluster. Each token specifies
+ # the role a new node will be allowed to assume. The more secure way to
+ # add nodes is to use `ttl node add --ttl` command to generate auto-expiring
+ # tokens.
+ #
+ # We recommend to use tools like `pwgen` to generate sufficiently random
+ # tokens of 32+ byte length.
+ tokens:
+ - "proxy,node:xxxxx"
+ - "auth:yyyy"
+
+ # Optional "cluster name" is needed when configuring trust between multiple
+ # auth servers. A cluster name is used as part of a signature in certificates
+ # generated by this CA.
+ #
+ # By default an automatically generated GUID is used.
+ #
+ # IMPORTANT: if you change cluster_name, it will invalidate all generated
+ # certificates and keys (may need to wipe out /var/lib/teleport directory)
+ cluster_name: "main"
+
+# This section configures the 'node service':
+ssh_service:
+ enabled: yes
+ # IP and the port for SSH service to bind to.
+ listen_addr: 0.0.0.0:3022
+ # See explanation of labels in "Labeling Nodes" section below
+ labels:
+ role: master
+ type: postgres
+ # List (YAML array) of commands to periodically execute and use
+ # their output as labels.
+ # See explanation of how this works in "Labeling Nodes" section below
+ commands:
+ - name: hostname
+ command: [/usr/bin/hostname]
+ period: 1m0s
+ - name: arch
+ command: [/usr/bin/uname, -p]
+ period: 1h0m0s
+
+# This section configures the 'proxy servie'
+proxy_service:
+ enabled: yes
+ # SSH forwarding/proxy address. Command line (CLI) clients always begin their
+ # SSH sessions by connecting to this port
+ listen_addr: 0.0.0.0:3023
+
+ # Reverse tunnel listening address.
An auth server (CA) can establish an + # outbound (from behind the firewall) connection to this address. + # This will allow users of the outside CA to connect to behind-the-firewall + # nodes. + tunnel_listen_addr: 0.0.0.0:3024 + + # The HTTPS listen address to serve the Web UI and also to authenticate the + # command line (CLI) users via password+HOTP + web_listen_addr: 0.0.0.0:3080 + + # TLS certificate for the HTTPS connection. Configuring these properly is + # critical for Teleport security. + https_key_file: /etc/teleport/teleport.key + https_cert_file: /etc/teleport/teleport.crt diff --git a/sys-cluster/teleport/files/teleport.yaml b/sys-cluster/teleport/files/teleport.yaml index 384dea937c97..0ab548c1a46b 100644 --- a/sys-cluster/teleport/files/teleport.yaml +++ b/sys-cluster/teleport/files/teleport.yaml @@ -1,6 +1,5 @@ # By default, this file should be stored in /etc/teleport.yaml -## IMPORTANT ## -#When editing YAML configuration, please pay attention to how your editor handles white space. YAML requires consistent handling of tab characters + # This section of the configuration file applies to all teleport # services. teleport: 
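Review bot: The file the 2.x ebuilds now install as the live /etc/teleport/teleport.yaml still ships `auth_token: xxxx-token-xxxx` and an uncommented `tokens:` list (`"proxy,node:xxxxx"`, `"auth:yyyy"`) under auth_service, so a freshly installed auth server accepts publicly known static join tokens until an administrator edits the file. The teleport.yaml rewrite in this same commit comments both settings out; teleport-2.yaml should be brought in line, `# auth_token: xxxx-token-xxxx` and `# tokens:` with its two entries commented, so that joining requires a token the admin generated, as the comment above the list already recommends. The same static placeholders are inherited by the 2.6.7 and 2.7.1 ebuild installs further down. This hunk starts on the previous line of the diff and ends here.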
@@ -8,21 +7,23 @@ teleport: # by default it's equal to hostname # nodename: graviton - # Data directory where Teleport keeps its data, like keys/users for - # authentication (if using the default BoltDB back-end) + # Data directory where Teleport daemon keeps its data. + # See "Filesystem Layout" section above for more details. data_dir: /var/lib/teleport - # one-time invitation token used to join a cluster. it is not used on + # Invitation token used to join a cluster. it is not used on # subsequent starts - auth_token: xxxx-token-xxxx + # auth_token: xxxx-token-xxxx - # when running in multi-homed or NATed environments Teleport nodes need + # When running in multi-homed or NATed environments Teleport nodes need # to know which IP it will be reachable at by other nodes - # public_addr: 10.1.0.5 + # + # This value can be specified as FQDN e.g. host.example.com + # advertise_ip: 10.1.0.5 # list of auth servers in a cluster. you will have more than one auth server # if you configure teleport auth to run in HA configuration - auth_servers: + auth_servers: - localhost:3025 # Teleport throttles all connections to avoid abuse. These settings allow 
@@ -31,100 +32,209 @@ teleport: max_connections: 1000 max_users: 250 - # Logging configuration. Possible output values are 'stdout', 'stderr' and + # Logging configuration. Possible output values are 'stdout', 'stderr' and # 'syslog'. Possible severity values are INFO, WARN and ERROR (default). log: output: stderr severity: ERROR - # Type of storage used for keys. You need to configure this to use etcd - # backend if you want to run Teleport in HA configuration. + # Type of storage used for keys. You need to configure this to use etcd or + # a DynamoDB backend if you want to run Teleport in HA configuration. storage: - type: bolt + # By default teleport uses the `data_dir` directory on a local filesystem + type: dir + + # Array of locations where the audit log events will be stored. by + # default they are stored in `/var/lib/teleport/log` + # audit_events_uri: [file:///var/lib/teleport/log, dynamo://events_table_name] + + # Use this setting to configure teleport to store the recorded sessions in + # an AWS S3 bucket. see "Using Amazon S3" chapter for more information. + # audit_sessions_uri: s3://name-of-s3-bucket + + # Cipher algorithms that the server supports. This section only needs to be + # set if you want to override the defaults. + ciphers: + - aes128-ctr + - aes192-ctr + - aes256-ctr + - aes128-gcm@openssh.com + + # Key exchange algorithms that the server supports. This section only needs + # to be set if you want to override the defaults. + kex_algos: + - curve25519-sha256@libssh.org + - ecdh-sha2-nistp256 + - ecdh-sha2-nistp384 + - ecdh-sha2-nistp521 + - diffie-hellman-group14-sha1 + - diffie-hellman-group1-sha1 + + # Message authentication code (MAC) algorithms that the server supports. + # This section only needs to be set if you want to override the defaults. + mac_algos: + - hmac-sha2-256-etm@openssh.com + - hmac-sha2-256 + - hmac-sha1 + - hmac-sha1-96 + + # List of the supported ciphersuites. 
If this section is not specified, + # only the default ciphersuites are enabled. + ciphersuites: + - tls-rsa-with-aes-128-cbc-sha # default + - tls-rsa-with-aes-256-cbc-sha # default + - tls-rsa-with-aes-128-cbc-sha256 + - tls-rsa-with-aes-128-gcm-sha256 + - tls-rsa-with-aes-256-gcm-sha384 + - tls-ecdhe-ecdsa-with-aes-128-cbc-sha + - tls-ecdhe-ecdsa-with-aes-256-cbc-sha + - tls-ecdhe-rsa-with-aes-128-cbc-sha + - tls-ecdhe-rsa-with-aes-256-cbc-sha + - tls-ecdhe-ecdsa-with-aes-128-cbc-sha256 + - tls-ecdhe-rsa-with-aes-128-cbc-sha256 + - tls-ecdhe-rsa-with-aes-128-gcm-sha256 + - tls-ecdhe-ecdsa-with-aes-128-gcm-sha256 + - tls-ecdhe-rsa-with-aes-256-gcm-sha384 + - tls-ecdhe-ecdsa-with-aes-256-gcm-sha384 + - tls-ecdhe-rsa-with-chacha20-poly1305 + - tls-ecdhe-ecdsa-with-chacha20-poly1305 + # This section configures the 'auth service': auth_service: + # Turns 'auth' role on. Default is 'yes' enabled: yes - # defines the types and second factors the auth server supports + # A cluster name is used as part of a signature in certificates + # generated by this CA. + # + # We strongly recommend to explicitly set it to something meaningful as it + # becomes important when configuring trust between multiple clusters. + # + # By default an automatically generated name is used (not recommended) + # + # IMPORTANT: if you change cluster_name, it will invalidate all generated + # certificates and keys (may need to wipe out /var/lib/teleport directory) + cluster_name: "main" + authentication: + # default authentication type. possible values are 'local', 'oidc' and 'saml' + # only local authentication (Teleport's own user DB) is supported in the open + # source version + type: local # second_factor can be off, otp, or u2f second_factor: otp - - # this section is only used if using u2f + # this section is used if second_factor is set to 'u2f' u2f: - # app_id should point to the Web UI. 
+ # app_id must point to the URL of the Teleport Web UI (proxy) accessible + # by the end users app_id: https://localhost:3080 - - # facets should list all proxy servers. + # facets must list all proxy servers if there are more than one deployed facets: - - https://localhost - https://localhost:3080 # IP and the port to bind to. Other Teleport nodes will be connecting to - # this port (AKA "Auth API" or "Cluster API") to validate client - # certificates + # this port (AKA "Auth API" or "Cluster API") to validate client + # certificates listen_addr: 0.0.0.0:3025 + # The optional DNS name the auth server if locataed behind a load balancer. + # (see public_addr section below) + # public_addr: auth.example.com:3025 + # Pre-defined tokens for adding new nodes to a cluster. Each token specifies - # the role a new node will be allowed to assume. The more secure way to - # add nodes is to use `ttl node add --ttl` command to generate auto-expiring - # tokens. + # the role a new node will be allowed to assume. The more secure way to + # add nodes is to use `ttl node add --ttl` command to generate auto-expiring + # tokens. # # We recommend to use tools like `pwgen` to generate sufficiently random # tokens of 32+ byte length. - tokens: - - "proxy,node:xxxxx" - - "auth:yyyy" + # tokens: + # - "proxy,node:xxxxx" + # - "auth:yyyy" - # Optional "cluster name" is needed when configuring trust between multiple - # auth servers. A cluster name is used as part of a signature in certificates - # generated by this CA. - # - # By default an automatically generated GUID is used. - # - # IMPORTANT: if you change cluster_name, it will invalidate all generated - # certificates and keys (may need to wipe out /var/lib/teleport directory) - cluster_name: "main" + # Optional setting for configuring session recording. Possible values are: + # "node" : sessions will be recorded on the node level (the default) + # "proxy" : recording on the proxy level, see "recording proxy mode" section. 
+ # "off" : session recording is turned off + session_recording: "node" + + # This setting determines if a Teleport proxy performs strict host key checks. + # Only applicable if session_recording=proxy, see "recording proxy mode" for details. + proxy_checks_host_keys: yes + + # Determines if SSH sessions to cluster nodes are forcefully terminated + # after no activity from a client (idle client). + # Examples: "30m", "1h" or "1h30m" + client_idle_timeout: never + + # Determines if the clients will be forcefully disconnected when their + # certificates expire in the middle of an active SSH session. (default is 'no') + disconnect_expired_cert: no + + # If the auth service is deployed outside Kubernetes, but Kubernetes integration + # is required, you have to specify a valid kubeconfig credentials: + # kubeconfig_file: /path/to/kubeconfig # This section configures the 'node service': ssh_service: + # Turns 'ssh' role on. Default is 'yes' enabled: yes - # IP and the port for SSH service to bind to. + + # IP and the port for SSH service to bind to. listen_addr: 0.0.0.0:3022 + + # The optional public address the SSH service. This is useful if administrators + # want to allow users to connect to nodes directly, bypassing a Teleport proxy + # (see public_addr section below) + # public_addr: node.example.com:3022 + # See explanation of labels in "Labeling Nodes" section below labels: role: master - type: postgres - # List (YAML array) of commands to periodically execute and use - # their output as labels. - # See explanation of how this works in "Labeling Nodes" section below + + # List of the commands to periodically execute. Their output will be used as node labels. + # See "Labeling Nodes" section below for more information. 
commands: - - name: hostname - command: [/usr/bin/hostname] - period: 1m0s - - name: arch - command: [/usr/bin/uname, -p] + - name: arch # this command will add a label like 'arch=x86_64' to a node + command: [uname, -p] period: 1h0m0s + # enables reading ~/.tsh/environment before creating a session. by default + # set to false, can be set true here or as a command line flag. + permit_user_env: false + + # configures PAM integration. see below for more details. + pam: + enabled: no + service_name: teleport + # This section configures the 'proxy servie' proxy_service: + # Turns 'proxy' role on. Default is 'yes' enabled: yes + # SSH forwarding/proxy address. Command line (CLI) clients always begin their # SSH sessions by connecting to this port listen_addr: 0.0.0.0:3023 - # Reverse tunnel listening address. An auth server (CA) can establish an - # outbound (from behind the firewall) connection to this address. - # This will allow users of the outside CA to connect to behind-the-firewall + # Reverse tunnel listening address. An auth server (CA) can establish an + # outbound (from behind the firewall) connection to this address. + # This will allow users of the outside CA to connect to behind-the-firewall # nodes. tunnel_listen_addr: 0.0.0.0:3024 - # The HTTPS listen address to serve the Web UI and also to authenticate the + # The HTTPS listen address to serve the Web UI and also to authenticate the # command line (CLI) users via password+HOTP web_listen_addr: 0.0.0.0:3080 - # TLS certificate for the HTTPS connection. Configuring these properly is + # The DNS name the proxy server is accessible by cluster users. Defaults to + # the proxy's hostname if not specified. If running multiple proxies behind + # a load balancer, this name must point to the load balancer + # (see public_addr section below) + # public_addr: proxy.example.com:3080 + + # TLS certificate for the HTTPS connection. Configuring these properly is # critical for Teleport security. 
- https_key_file: /etc/teleport/teleport.key - https_cert_file: /etc/teleport/teleport.crt + https_key_file: /var/lib/teleport/webproxy_key.pem + https_cert_file: /var/lib/teleport/webproxy_cert.pem diff --git a/sys-cluster/teleport/teleport-2.6.7.ebuild b/sys-cluster/teleport/teleport-2.6.7.ebuild index 4a7a27e42a48..e7bfb7ce0408 100644 --- a/sys-cluster/teleport/teleport-2.6.7.ebuild +++ b/sys-cluster/teleport/teleport-2.6.7.ebuild @@ -35,7 +35,7 @@ src_install() { dobin src/${EGO_PN%/*}/build/{tsh,tctl,teleport} insinto /etc/${PN} - newins "${FILESDIR}"/${PN}.yaml ${PN}.yaml + newins "${FILESDIR}"/${PN}-2.yaml ${PN}.yaml newinitd "${FILESDIR}"/${PN}.init.d ${PN} newconfd "${FILESDIR}"/${PN}.conf.d ${PN} diff --git a/sys-cluster/teleport/teleport-2.7.1.ebuild b/sys-cluster/teleport/teleport-2.7.1.ebuild index 4a7a27e42a48..e7bfb7ce0408 100644 --- a/sys-cluster/teleport/teleport-2.7.1.ebuild +++ b/sys-cluster/teleport/teleport-2.7.1.ebuild @@ -35,7 +35,7 @@ src_install() { dobin src/${EGO_PN%/*}/build/{tsh,tctl,teleport} insinto /etc/${PN} - newins "${FILESDIR}"/${PN}.yaml ${PN}.yaml + newins "${FILESDIR}"/${PN}-2.yaml ${PN}.yaml newinitd "${FILESDIR}"/${PN}.init.d ${PN} newconfd "${FILESDIR}"/${PN}.conf.d ${PN} diff --git a/sys-cluster/teleport/teleport-3.0.0.ebuild b/sys-cluster/teleport/teleport-3.0.0.ebuild new file mode 100644 index 000000000000..4a7a27e42a48 --- /dev/null +++ b/sys-cluster/teleport/teleport-3.0.0.ebuild 
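Review bot: The new `ciphers`, `kex_algos`, `mac_algos` and `ciphersuites` lists are shipped uncommented although their own comments say they only need to be set to override the defaults, so the packaged config pins Teleport's SSH and TLS algorithm selection and explicitly enables legacy entries (`diffie-hellman-group1-sha1`, `hmac-sha1-96`, the CBC TLS suites) that would otherwise follow upstream defaults and any later tightening of them. Commenting the four lists out, or at least dropping the group1 and sha1-96 entries, keeps the installed file to what the package actually needs. Separately, the arch label command goes from `command: [/usr/bin/uname, -p]` to `command: [uname, -p]`, which makes a command run periodically by the node daemon depend on the daemon's PATH; keeping the absolute path avoids that. The hunk also points `https_key_file`/`https_cert_file` into `/var/lib/teleport`, which the ebuilds create but do not populate; if Teleport does not generate those files itself (not visible here), a comment saying the admin must provide them would save a confusing first start.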
@@ -0,0 +1,49 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+inherit golang-build systemd
+
+DESCRIPTION="Modern SSH server for teams managing distributed infrastructure"
+HOMEPAGE="https://gravitational.com/teleport"
+
+EGO_PN="github.com/gravitational/${PN}/..."
+
+if [[ ${PV} == "9999" ]] ; then
+ inherit git-r3 golang-vcs
+ EGIT_REPO_URI="https://github.com/gravitational/${PN}.git"
+else
+ inherit golang-vcs-snapshot
+ SRC_URI="https://github.com/gravitational/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+ KEYWORDS="~amd64 ~arm"
+fi
+
+IUSE="pam"
+LICENSE="Apache-2.0"
+RESTRICT="test strip"
+SLOT="0"
+
+DEPEND="app-arch/zip"
+RDEPEND="pam? ( sys-libs/pam )"
+
+src_compile() {
+ BUILDFLAGS="" GOPATH="${S}" emake -j1 -C src/${EGO_PN%/*} full
+}
+
+src_install() {
+ keepdir /var/lib/${PN} /etc/${PN}
+ dobin src/${EGO_PN%/*}/build/{tsh,tctl,teleport}
+
+ insinto /etc/${PN}
+ newins "${FILESDIR}"/${PN}.yaml ${PN}.yaml
+
+ newinitd "${FILESDIR}"/${PN}.init.d ${PN}
+ newconfd "${FILESDIR}"/${PN}.conf.d ${PN}
+
+ systemd_newunit "${FILESDIR}"/${PN}.service ${PN}.service
+ systemd_install_serviced "${FILESDIR}"/${PN}.service.conf ${PN}.service
+}
+
+src_test() {
+ BUILDFLAGS="" GOPATH="${S}" emake -C src/${EGO_PN%/*} test
+}
diff --git a/sys-cluster/teleport/teleport-3.0.1.ebuild b/sys-cluster/teleport/teleport-3.0.1.ebuild
new file mode 100644
index 000000000000..4a7a27e42a48
--- /dev/null
+++ b/sys-cluster/teleport/teleport-3.0.1.ebuild
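Review bot: Nothing in `src_compile` consults the `pam` USE flag — `BUILDFLAGS="" GOPATH="${S}" emake -j1 -C src/${EGO_PN%/*} full` runs the same either way — so `IUSE="pam"` only toggles the `sys-libs/pam` runtime dependency; if upstream's Makefile autodetects PAM headers at build time (not visible here), a USE=-pam build on a host that has pam installed would link it without the RDEPEND, and a USE=pam build without the headers would silently lack PAM. Driving the build from the flag (a `usex pam` on the relevant make variable or build tag, whose upstream name needs checking) and listing `sys-libs/pam` under DEPEND as well as RDEPEND would make the result deterministic. `keepdir /var/lib/${PN}` leaves the data directory at the default mode although the shipped config stores the cluster CA material and, in the 3.x teleport.yaml, the web proxy TLS key there; `fperms 0700 /var/lib/${PN}` after the keepdir would narrow it. `src_test` is dead code under `RESTRICT="test strip"` and can be dropped or the restriction explained in a comment. teleport-3.0.1.ebuild in the next hunk is byte-identical (same blob 4a7a27e42a48 as the pre-change 2.x ebuild) and carries the same points.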
@@ -0,0 +1,49 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+inherit golang-build systemd
+
+DESCRIPTION="Modern SSH server for teams managing distributed infrastructure"
+HOMEPAGE="https://gravitational.com/teleport"
+
+EGO_PN="github.com/gravitational/${PN}/..."
+
+if [[ ${PV} == "9999" ]] ; then
+ inherit git-r3 golang-vcs
+ EGIT_REPO_URI="https://github.com/gravitational/${PN}.git"
+else
+ inherit golang-vcs-snapshot
+ SRC_URI="https://github.com/gravitational/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+ KEYWORDS="~amd64 ~arm"
+fi
+
+IUSE="pam"
+LICENSE="Apache-2.0"
+RESTRICT="test strip"
+SLOT="0"
+
+DEPEND="app-arch/zip"
+RDEPEND="pam? ( sys-libs/pam )"
+
+src_compile() {
+ BUILDFLAGS="" GOPATH="${S}" emake -j1 -C src/${EGO_PN%/*} full
+}
+
+src_install() {
+ keepdir /var/lib/${PN} /etc/${PN}
+ dobin src/${EGO_PN%/*}/build/{tsh,tctl,teleport}
+
+ insinto /etc/${PN}
+ newins "${FILESDIR}"/${PN}.yaml ${PN}.yaml
+
+ newinitd "${FILESDIR}"/${PN}.init.d ${PN}
+ newconfd "${FILESDIR}"/${PN}.conf.d ${PN}
+
+ systemd_newunit "${FILESDIR}"/${PN}.service ${PN}.service
+ systemd_install_serviced "${FILESDIR}"/${PN}.service.conf ${PN}.service
+}
+
+src_test() {
+ BUILDFLAGS="" GOPATH="${S}" emake -C src/${EGO_PN%/*} test
+}