---
obj: application
website: https://goteleport.com
repo: https://github.com/gravitational/teleport
---

# Teleport

Teleport provides connectivity, authentication, access controls and audit for infrastructure. It includes an identity-aware access proxy, a CA that issues short-lived certificates, a unified access control system and a tunneling system to reach resources behind the firewall.

Teleport understands the [SSH](../network/SSH.md), HTTPS, RDP, Kubernetes API, MySQL, [MongoDB](../development/MongoDB.md) and PostgreSQL wire protocols, plus many others. It can integrate with Single Sign-On providers and lets you apply access policies using infrastructure-as-code and GitOps tools.

## Setup

You need a [domain](../../internet/Domain.md) pointing at your teleport proxy instance. The proxy terminates TLS for the web UI and, in multiplex mode (set below), carries SSH, Kubernetes and database traffic over that same port.

Docker-Compose:

```yml
version: '3'
services:
  teleport:
    image: public.ecr.aws/gravitational/teleport:14
    restart: unless-stopped
    hostname:
    ports:
      - "3080:3080" # Web UI; with proxy_listener_mode: multiplex all proxy traffic uses this port
      - "3022:3022" # SSH (ssh_service port; unused while ssh_service is disabled below)
      - "8443:8443" # HTTPS
    volumes:
      - ./config/teleport.yaml:/etc/teleport/teleport.yaml
      - ./data:/var/lib/teleport
```

`./data` is the auth server's data directory and holds the cluster CA private keys; keep it on a restricted, backed-up path and do not commit it anywhere.

teleport.yaml:

```yml
version: v3
teleport:
  nodename:
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
    format:
      output: text
  ca_pin: ""
  diag_addr: ""
auth_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3025
  proxy_listener_mode: multiplex
  authentication:
    type: local
    second_factor: "on" # one of off, otp, webauthn, on, optional; "on" enforces MFA and is needed for passwordless
    webauthn:
      rp_id:
    connector_name: passwordless
ssh_service:
  enabled: "no"
proxy_service:
  enabled: "yes"
  public_addr: :443
  https_keypairs: []
  https_keypairs_reload_interval: 0s
  acme: {}
```

`second_factor` is a string setting; the boolean `true` is not an accepted value. `rp_id` must be the domain the web UI is served from, otherwise WebAuthn registration fails.

## [SSH](../network/SSH.md) Agent Setup

1. Install teleport on your host:

```shell
curl https://goteleport.com/static/install.sh | bash -s 14.2.0
```

The version is pinned, but piping a downloaded script into `bash` still executes whatever the server returns. On managed hosts prefer a package from your distribution or from Teleport's own package repositories.

2. On your teleport proxy, create a join token. The token expires after 30 minutes by default and is a bearer credential: anyone holding `token.file` can enrol a node until then, so keep it mode 0600 and delete it after use.

```shell
tctl tokens add --type=node --format=text > token.file
```

3. Generate the node configuration. This only writes `/etc/teleport.yaml`; the node joins the cluster when the service starts and presents the token. Add `--ca-pin` with the pin printed by `tctl status` on the auth server so the node refuses a proxy whose CA does not match.

```shell
sudo teleport node configure \
  --output=file:///etc/teleport.yaml \
  --token=/path/to/token.file \
  --proxy=tele.example.com:443
```

4. Enable the Teleport service. Install the unit as `/etc/systemd/system/teleport.service`, then enable and start it with `systemctl enable --now teleport`.

```ini
[Unit]
Description=Teleport Service
After=network.target

[Service]
Type=simple
Restart=on-failure
EnvironmentFile=-/etc/default/teleport
ExecStart=/usr/local/bin/teleport start --config /etc/teleport.yaml --pid-file=/run/teleport.pid
ExecReload=/bin/kill -HUP $MAINPID
PIDFile=/run/teleport.pid
LimitNOFILE=524288

[Install]
WantedBy=multi-user.target
```

## `tctl`

Admin tool for the Teleport Access Platform.

Usage: `tctl [<flags>] <command> [<args> ...]`

### Commands

#### users add

Generate a user invitation token.

Usage: `tctl users add --roles=ROLES [<flags>] <account>`

##### Options

| Option     | Description                                 |
| ---------- | ------------------------------------------- |
| `--logins` | List of allowed SSH logins for the new user |

#### users update

Update a user account.

Usage: `tctl users update [<flags>] <account>`

##### Options

| Option         | Description                                                      |
| -------------- | ---------------------------------------------------------------- |
| `--set-roles`  | List of roles for the user to assume, replaces current roles     |
| `--set-logins` | List of allowed SSH logins for the user, replaces current logins |

#### users ls

List all user accounts.

Usage: `tctl users ls`

#### users rm

Delete user accounts.

Usage: `tctl users rm <account>...`

#### users reset

Reset a user's password and generate a new invitation token.

Usage: `tctl users reset <account>`

#### nodes add

Generate a node invitation token.

Usage: `tctl nodes add [<flags>]`

##### Options

| Option    | Description                                              |
| --------- | -------------------------------------------------------- |
| `--roles` | Comma-separated list of roles for the new node to assume |
| `--ttl`   | Time to live for the generated token                     |

#### nodes ls

List all active SSH nodes within the cluster.

Usage: `tctl nodes ls [<flags>] [<labels>]`

#### tokens add

Create an invitation token.

Usage: `tctl tokens add --type=TYPE [<flags>]`

##### Options

| Option     | Description                                                  |
| ---------- | ------------------------------------------------------------ |
| `--type`   | Type(s) of token to add, e.g. `--type=node,app,db,proxy,etc` |
| `--labels` | Set token labels, e.g. `env=prod,region=us-west`             |
| `--ttl`    | Set expiration time for the token, default is 30 minutes     |
| `--format` | Output format: `text`, `json` or `yaml`                      |

#### tokens rm

Delete/revoke an invitation token.

Usage: `tctl tokens rm [<token>]`

#### tokens ls

List node and user invitation tokens.

Usage: `tctl tokens ls`

#### status

Report cluster status, including the cluster CA pin.

Usage: `tctl status`

## `tsh`

Teleport command-line client for interacting with your infrastructure.

Usage: `tsh [options...] <command> [<args> ...]`

### Options

| Option    | Description                                   |
| --------- | --------------------------------------------- |
| `--proxy` | Teleport proxy address                        |
| `--user`  | Teleport user, defaults to current local user |

### Commands

#### ssh

Run a shell or execute a command on a remote SSH node.

Usage: `tsh ssh [<flags>] <[user@]host> [<command>...]`

#### scp

Transfer files to or from a remote SSH node.

Usage: `tsh scp [<flags>] <from, dest>...`

#### ls

List remote SSH nodes.

Usage: `tsh ls [<flags>] [<labels>]`

#### login

Log in to a cluster and retrieve the session certificate.

Usage: `tsh login [<flags>] [<cluster>]`

#### logout

Delete the cluster certificate.

Usage: `tsh logout`

#### status

Display the list of proxy servers and retrieved certificates.

Usage: `tsh status`

#### config

Print [SSH](../network/SSH.md) config details for the clusters you are logged into. This allows you to use the regular `ssh` command to connect to Teleport nodes. Run `tsh login` first; appending with `>>` on every login duplicates the entries, so append once or regenerate the block.

```shell
tsh config >> ~/.ssh/config
```
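The node-join procedure from the SSH Agent Setup section above, put together as one script with the checks a practitioner would want before handing a bearer token to a host. This is an added example, not tooling from the Teleport project. It assumes the operator passes the proxy address, the path to a token minted with `tctl tokens add --type=node`, and the CA pin printed by `tctl status`; that the systemd unit from step 4 is installed as `teleport.service`; and that `teleport node configure` is given `--ca-pin` in addition to the flags the page shows. The 15-minute TTL in the comments is a choice, not a default.

```shell
#!/bin/sh
# join-node.sh: wrap the "SSH Agent Setup" steps for enrolling a host as a
# Teleport SSH node. Added example, not part of the Teleport project.
#
# Assumed operator input (none of these values are Teleport defaults):
#   $1  proxy address, e.g. tele.example.com:443
#   $2  path to the join token file minted on the auth server with
#       tctl tokens add --type=node --ttl=15m --format=text > token.file
#   $3  cluster CA pin as printed by "tctl status", e.g. sha256:<64 hex>
#
# Assumes the systemd unit from step 4 is installed as teleport.service.
set -eu

# Accept only host:port so the proxy port is explicit (IPv6 literals are
# not handled by this simple pattern).
check_proxy_addr() {
    expr "$1" : '[A-Za-z0-9.-]\{1,\}:[0-9]\{1,5\}$' >/dev/null || {
        echo "proxy address '$1' must be host:port" >&2
        return 1
    }
}

# The token is a bearer credential: anyone who reads it can enrol a node
# until it expires, so refuse a token file readable by group or others.
check_token_file() {
    [ -s "$1" ] || { echo "token file '$1' is missing or empty" >&2; return 1; }
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        -rw-------|-r--------) return 0 ;;
        *) echo "token file '$1' has mode $mode, want 0600" >&2; return 1 ;;
    esac
}

# Accept only the sha256:<64 hex> form that tctl status prints, so a typo
# is caught here rather than by a failed join.
check_ca_pin() {
    expr "$1" : 'sha256:[0-9a-f]\{64\}$' >/dev/null || {
        echo "CA pin '$1' is not of the form sha256:<64 hex chars>" >&2
        return 1
    }
}

join_node() {
    proxy="$1"
    token_file="$2"
    ca_pin="$3"
    check_proxy_addr "$proxy"
    check_token_file "$token_file"
    check_ca_pin "$ca_pin"

    # Writes /etc/teleport.yaml only; the node actually joins on first start.
    # --ca-pin makes the node reject a proxy whose CA does not match.
    teleport node configure \
        --output=file:///etc/teleport.yaml \
        --token="$token_file" \
        --ca-pin="$ca_pin" \
        --proxy="$proxy"

    # Start the node; it presents the token once and from then on uses the
    # short-lived host certificate the auth server issues.
    systemctl enable --now teleport

    # The token has served its purpose; do not leave it on disk.
    rm -f "$token_file"
}

# Run only when called with all three arguments, so the file can also be
# sourced for its check functions without side effects.
if [ "$#" -eq 3 ]; then
    join_node "$1" "$2" "$3"
fi
```

Run it on the new host as `sudo sh join-node.sh tele.example.com:443 /root/token.file 'sha256:...'`. The checks run before anything is written, so a world-readable token or a mistyped pin stops the join instead of producing a half-configured node.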