Introduction to Teleport Team
Teleport Team helps small organizations provide secure access to their infrastructure, with minimal configuration and cluster management.
With Teleport Team, the Teleport Auth Service and Teleport Proxy Service are managed for you as cloud-based services. These services provide you with immediate access to a scalable and fault tolerant certificate authority and reverse proxy that you don't need to manage or maintain. You can focus on enrolling the resources you want to protect and configuring secure role-based access for private and public networks across the globe.
After you start a free trial of Teleport Team, you can set up role-based access control (RBAC), enable single sign-on with GitHub or the Teleport identity provider, and prevent unauthorized use of organization resources.
For a detailed comparison of Teleport's editions, including how Teleport Team compares to Teleport Enterprise Cloud and Teleport Enterprise, see Choose an Edition.
This guide explains how to register a local server with a Teleport Team account. After you register the server, you can access it through the Teleport Web UI in a browser or using the terminal. You can also record your sessions, so you can review them later.
A Teleport Team account. You can sign up for a free trial at the following page:
After you sign up, you receive an email invitation to activate your account. Use this account to authenticate your identity when you access the Teleport Team cluster.
Docker installed on your workstation.
This guide illustrates how to register a server with Teleport Team using a Docker container and the Teleport SSH Service. Docker is only required for the local demo environment used in this guide. You can find installation instructions for Docker on Docker's website. If you want to register servers in Teleport Team without using Docker, see the getting started guide for server access.
The tsh client tool is only required to access the server from a terminal. For installation instructions, see Installation Guide. If you don't install the tsh client tool, you can access the server in Teleport Team using the Web UI through your browser.
To spin up a new server using Docker:
Open a terminal shell on your workstation.
Start a Docker container on your workstation to prepare a server that you want to enroll as a resource in your Teleport Team cluster:

    docker run --interactive --tty ubuntu:22.10 /bin/bash
This command starts a new shell session in the
Run the following command to install curl and telnet from the package management repository:

    apt update && apt install -y curl telnet

The script that installs Teleport in this guide requires both curl and telnet to be installed.
Keep the new shell open in your terminal.
To install the Teleport SSH Service on your server:
Open a browser and go to the address for your Teleport Team cluster. For example, if your Teleport Team account is
Sign in with the account credentials you used to activate your Teleport Team account.
The first time you sign in, you are prompted to add your first resource:
Click Add my first resource to open Enroll New Resource.
Type server in the search box to filter the list of resources.
Click Ubuntu 14.04+ to register the server in the Docker container.
After you select Ubuntu 14.04+ as the resource type, the script to install and configure the Teleport service is displayed. For example:
The Teleport installation script uses sudo, which is not installed on your Docker container. Before copying the command to run the installation script, you need to alias sudo in the container terminal shell session.
In the terminal with the container shell session, alias sudo by running the following command:

    alias sudo=""
Copy the command to run the installation script from the Teleport Web UI and paste it into the container shell session.
Leave the script running in the shell. After Teleport is installed on the server, you'll see a message in the Web UI that your new Teleport instance was successfully detected:
To continue, click Next.
Confirm that you want to authenticate as the root user and click Next:
Click Test Connection to verify access to the server.
To start a session on the server you just added to Teleport Team:
Click Start Session to start an interactive session.
You should see a terminal prompt in a new browser window. Your Teleport Team account routes your SSH connection through the Teleport Proxy Service, which connects to your container through a reverse tunnel. Reverse tunnels allow Teleport to manage access to resources like Kubernetes clusters and remote desktops, even if these resources are running on private networks.
If you get an error connecting to your container, interrupt the teleport process in the container shell with Ctrl-C, then run teleport start to restart the process.
Execute some commands in your terminal.
Run the exit command to end the remote interactive session and close the browser tab.
In the last step of Enroll New Resource, click Finish.
Click Browse existing resources to see your new server listed in the Teleport Web UI.
As Teleport Team proxies SSH connections to registered servers, it records the commands that users execute during their sessions so operators can play them back later to investigate issues.
To play back a session in the Teleport Web UI:
Set the dropdown menu on the upper left of the screen to Management.
Under Activity, click Session Recordings.
You will see the recording for your interactive session from the previous step listed. For example:
Click Play to see a full recording of your session.
To access the server using commands in a terminal:
Open a new terminal window.
Sign in to your Teleport Team cluster by running the tsh login command with the URL of your cluster and the name of your Teleport user:

    tsh login --proxy=mytenant.teleport.sh --user=username

When prompted, authenticate using your password, authenticator app, or hardware key. The command displays information about your Teleport Team cluster and account. For example:

    > Profile URL: https://mytenant.teleport.sh:443
      Logged in as: [email protected]
      Cluster: mytenant.teleport.sh
      Roles: access, auditor, editor
      Logins: root
      Kubernetes: enabled
      Valid until: 2023-07-08 01:35:20 -0700 PDT [valid for 12h0m0s]
      Extensions: login-ip, permit-agent-forwarding, permit-port-forwarding, permit-pty, private-key-policy

List the servers your Teleport user can access:

    tsh ls

You should see the name of the container you just registered. For example:

    Node Name Address  Labels
    --------- -------- ------------------
    node-name ⟵ Tunnel hostname=node-name

Access your server as the root user:

    tsh ssh root@node-name
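The profile printed at sign-in lists what the issued certificate allows: roles, host logins, and SSH extensions. The following script is an added example, not part of the original guide or of Teleport itself; it parses that output and reports the grants an operator would normally narrow after the demo (root login, the editor role, and the forwarding extensions). The function names, finding labels, and sample text are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: review what a Teleport login certificate grants.
# SAMPLE_PROFILE is constructed from the example output in this guide;
# "username" stands in for the real user name.
SAMPLE_PROFILE='> Profile URL:  https://mytenant.teleport.sh:443
  Logged in as: username
  Cluster:      mytenant.teleport.sh
  Roles:        access, auditor, editor
  Logins:       root
  Kubernetes:   enabled
  Valid until:  2023-07-08 01:35:20 -0700 PDT [valid for 12h0m0s]
  Extensions:   login-ip, permit-agent-forwarding, permit-port-forwarding, permit-pty, private-key-policy'

# profile_field NAME: print the value of the "NAME: value" line read from stdin.
profile_field() {
  sed -n "s/^[> ]*$1:[[:space:]]*//p" | head -n 1
}

# has_item LIST ITEM: succeed when ITEM is an entry of the comma-separated LIST.
has_item() {
  printf '%s\n' "$1" | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qxF -- "$2"
}

# audit_profile: read profile text on stdin and print one finding per line.
audit_profile() {
  profile=$(cat)
  logins=$(printf '%s\n' "$profile" | profile_field Logins)
  roles=$(printf '%s\n' "$profile" | profile_field Roles)
  exts=$(printf '%s\n' "$profile" | profile_field Extensions)
  # root as an allowed login gives every session full control of the host.
  if has_item "$logins" root; then echo "login:root"; fi
  # editor is the preset role that can change cluster configuration.
  if has_item "$roles" editor; then echo "role:editor"; fi
  # Forwarding extensions let a session relay agent keys or TCP traffic.
  for ext in permit-agent-forwarding permit-port-forwarding; do
    if has_item "$exts" "$ext"; then echo "extension:$ext"; fi
  done
  return 0
}

# Run against the sample; on a workstation use: tsh status | audit_profile
printf '%s\n' "$SAMPLE_PROFILE" | audit_profile
```

An empty result means none of the four grants is present in the profile.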
This guide introduced how you can use Teleport Team to protect your infrastructure by demonstrating how to register a server with your Teleport Team cluster.
You can provide secure access to more of your infrastructure through Teleport Team by deploying one or more Teleport agents and configuring role-based access control for users. Agents proxy traffic to all of your infrastructure resources—including servers, databases, Kubernetes clusters, cloud provider APIs, and Windows desktops. Role-based access control ensures that only authorized users are allowed access to those resources.
To learn more about deploying agents, see Deploy Teleport Agents with Terraform.
You can deploy a limited number of agents and protect a limited number of resources during the free trial. After you finish the free trial, charges for Teleport Team are based on the number of active users, protected resources, and authorizations performed. Check the pricing page for detailed billing information.