---
obj: application
website: https://goteleport.com
repo: https://github.com/gravitational/teleport
---
# Teleport
Teleport provides connectivity, authentication, access controls and audit for infrastructure.

It includes an identity-aware access proxy, a CA that issues short-lived certificates, a unified access control system and a tunneling system to access resources behind the firewall.

Teleport understands the [SSH](../network/SSH.md), HTTPS, RDP, Kubernetes API, MySQL, [MongoDB](development/MongoDB.md) and PostgreSQL wire protocols, plus many others. It can integrate with Single Sign-On providers and enables you to apply access policies using infrastructure-as-code and GitOps tools.

## Setup
You need a [domain](../../internet/Domain.md) pointing at your teleport proxy instance.

Docker-Compose:
```yml
version: '3'
services:
  teleport:
    image: public.ecr.aws/gravitational/teleport:14
    restart: unless-stopped
    hostname: <yourdomain.com>
    ports:
      - "3080:3080"  # Web UI
      - "3022:3022"  # SSH
      - "8443:8443"  # HTTPS
    volumes:
      - ./config/teleport.yaml:/etc/teleport/teleport.yaml
      - ./data:/var/lib/teleport
```

teleport.yaml:
```yml
version: v3
teleport:
  nodename: <yourdomain.com>
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
    format:
      output: text
  ca_pin: ""
  diag_addr: ""
auth_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3025
  proxy_listener_mode: multiplex
  authentication:
    type: local
    second_factor: true
    webauthn:
      rp_id: <yourdomain.com>
    connector_name: passwordless
ssh_service:
  enabled: "no"
proxy_service:
  enabled: "yes"
  public_addr: <yourdomain.com>:443
  https_keypairs: []
  https_keypairs_reload_interval: 0s
  acme: {}
```

## [SSH](../network/SSH.md) Agent Setup
1. Install teleport on your host:
    ```shell
    curl https://goteleport.com/static/install.sh | bash -s 14.2.0
    ```
2. On your teleport proxy, create a join token:
    ```shell
    tctl tokens add --type=node --format=text > token.file
    ```
3. Join the server to the cluster:
    ```shell
    sudo teleport node configure \
      --output=file:///etc/teleport.yaml \
      --token=/path/to/token.file \
      --proxy=tele.example.com:443
    ```
4. Enable the Teleport service (systemd unit):
    ```ini
    [Unit]
    Description=Teleport Service
    After=network.target

    [Service]
    Type=simple
    Restart=on-failure
    EnvironmentFile=-/etc/default/teleport
    ExecStart=/usr/local/bin/teleport start --config /etc/teleport.yaml --pid-file=/run/teleport.pid
    ExecReload=/bin/kill -HUP $MAINPID
    PIDFile=/run/teleport.pid
    LimitNOFILE=524288

    [Install]
    WantedBy=multi-user.target
    ```
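
A hardened pass through steps 2 to 4, as an added example that is not part of the original page or Teleport's own tooling: the token gets a short `--ttl`, the token file must be owner-only before it is used, and the token is revoked once the node has joined. The function names and the `teleport.service` unit name are assumptions; the `tctl` and `teleport` flags are the ones used above.

```shell
# Added example; function names are hypothetical.

# Auth/proxy host: write a short-lived node token to a file only the owner can read.
make_join_token() {
  local out="$1" ttl="${2:-5m}"
  rm -f "$out"    # a pre-existing file would keep its old, possibly wider, mode
  ( umask 077 && tctl tokens add --type=node --ttl="$ttl" --format=text > "$out" ) || return 1
  [ -s "$out" ] || { echo "empty token file: $out" >&2; return 1; }
}

# Node: refuse a token file that is missing, a symlink, empty,
# or accessible to group/other.
check_token_file() {
  local f="$1" perms
  if [ -L "$f" ] || [ ! -f "$f" ]; then echo "not a regular file: $f" >&2; return 1; fi
  [ -s "$f" ] || { echo "empty token file: $f" >&2; return 1; }
  perms=$(ls -ld "$f" | cut -c5-10)    # group and other permission bits
  [ "$perms" = "------" ] || { echo "token file is group/world accessible: $f" >&2; return 1; }
}

# Node: steps 3 and 4, run only if the token file passes the check.
join_node() {
  local token_file="$1" proxy="$2"
  check_token_file "$token_file" || return 1
  sudo teleport node configure --output=file:///etc/teleport.yaml \
    --token="$token_file" --proxy="$proxy" || return 1
  # Assumes the unit file from step 4 is installed as teleport.service.
  sudo systemctl enable --now teleport
}

# Auth/proxy host: revoke the token once the node appears in `tctl nodes ls`,
# so a leaked copy cannot enroll another host before the TTL runs out.
revoke_join_token() {
  local token_file="$1"
  tctl tokens rm "$(cat "$token_file")" && rm -f "$token_file"
}
```

Typical use: `make_join_token token.file 5m` on the proxy, copy the file to the node over a trusted channel, `join_node /path/to/token.file tele.example.com:443` on the node, then `revoke_join_token token.file` back on the proxy.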


## `tctl`
Admin tool for the Teleport Access Platform
Usage: `tctl [<flags>] <command> [<args> ...]`

### Commands
#### users add
Generate a user invitation token.
Usage: `tctl users add --roles=ROLES [<flags>] <account>`

##### Options
| Option   | Description                                 |
| -------- | ------------------------------------------- |
| `--logins` | List of allowed SSH logins for the new user |

#### users update
Update user account.
Usage: `tctl users update [<flags>] <account>`

##### Options
| Option         | Description                                                      |
| -------------- | ---------------------------------------------------------------- |
| `--set-roles`  | List of roles for the user to assume, replaces current roles     |
| `--set-logins` | List of allowed SSH logins for the user, replaces current logins |

#### users ls
Lists all user accounts.
Usage: `tctl users ls`

#### users rm
Deletes user accounts.
Usage: `tctl users rm <logins>`

#### users reset
Reset user password and generate a new token.
Usage: `tctl users reset <account>`

#### nodes add
Generate a node invitation token.
Usage: `tctl nodes add [<flags>]`

##### Options
| Option    | Description                                              |
| --------- | -------------------------------------------------------- |
| `--roles` | Comma-separated list of roles for the new node to assume |
| `--ttl`   | Time to live for a generated token                       |

#### nodes ls
List all active SSH nodes within the cluster.
Usage: `tctl nodes ls [<flags>] [<labels>]`

#### tokens add
Create an invitation token.
Usage: `tctl tokens add --type=TYPE [<flags>]`

##### Options
| Option     | Description                                                  |
| ---------- | ------------------------------------------------------------ |
| `--type`   | Type(s) of token to add, e.g. `--type=node,app,db,proxy,etc` |
| `--labels` | Set token labels, e.g. `env=prod,region=us-west`             |
| `--ttl`    | Set expiration time for token, default is 30 minutes         |
| `--format` | Output format, 'text', 'json', or 'yaml'                     |

#### tokens rm
Delete/revoke an invitation token.
Usage: `tctl tokens rm [<token>]`

#### tokens ls
List node and user invitation tokens.
Usage: `tctl tokens ls`

#### status
Report cluster status.
Usage: `tctl status`

## `tsh`
Teleport Command Line client for interacting with your infrastructure.
Usage: `tsh [options...] <command> [<args> ...]`

### Options
| Option    | Description                                   |
| --------- | --------------------------------------------- |
| `--proxy` | Teleport proxy address                        |
| `--user`  | Teleport user, defaults to current local user |
 
### Commands
#### ssh
Run shell or execute a command on a remote SSH node.
Usage: `tsh ssh [<flags>] <[user@]host> [<command>...]`

#### scp
Transfer files to a remote SSH node.
Usage: `tsh scp [<flags>] <from, to>...`

#### ls
List remote SSH nodes.
Usage: `tsh ls [<flags>] [<labels>]`

#### login
Log in to a cluster and retrieve the session certificate.
Usage: `tsh login [<flags>] [<cluster>]`

#### logout
Delete a cluster certificate.
Usage: `tsh logout`

#### status
Display the list of proxy servers and retrieved certificates.
Usage: `tsh status`

#### config
Print [SSH](../network/SSH.md) config details.
This allows you to use the regular `ssh` command to connect to Teleport servers.
```shell
tsh config >> ~/.ssh/config
```