Securing Infrastructure Access at Scale in Large Enterprises
Dec 12
Virtual
Register Now
Teleport logoTry For Free
Fork me on GitHub

Teleport

Teleport FAQ

This page includes answers to frequently asked questions about setting up, managing, and using Teleport. If you are new to Teleport, read our Getting Started Guide.

Can I use Teleport in production today?

Teleport has been deployed on server clusters with thousands of hosts at Fortune 500 companies. It has been through several security audits from nationally recognized technology security companies, so we are comfortable with the stability of Teleport from a security perspective.

Can I connect to nodes behind a firewall?

Yes, Teleport supports reverse SSH tunnels out of the box. To configure behind-firewall clusters, see Configure Trusted Clusters.

How is Teleport's Community Edition different from Enterprise?

Teleport provides two editions:

  • Teleport Enterprise
  • Teleport Community Edition

Here is a detailed breakdown of the differences between Teleport's editions.

Access Controls

Community EditionEnterpriseCloud
Dual Authorization
Hardware Key Support
Moderated Sessions
Role-Based Access Control
Single Sign-OnGitHubGitHub, Google Workspace, OIDC, SAML, TeleportGitHub, Google Workspace, OIDC, SAML, Teleport

Audit logging and session recording

Community EditionEnterpriseCloud
Enhanced Session Recording
Recording Proxy Mode
Session Recording with Playback
Structured Audit Logs

Compliance

Community EditionEnterpriseCloud
FedRAMP Control
FIPS-compliant binaries available for FedRAMP High
IP-Based Restrictions
PCI DSS FeaturesLimited
SOC 2 FeaturesLimited

Identity

Available as an add-on to Teleport Enterprise

Community EditionEnterpriseCloud
Access Monitoring & Response
Access Lists & Access Reviews
Device Trust
Endpoint Management: Jamf
JIT Access RequestsLimited
Session & Identity Locks

Infrastructure access

Community EditionEnterpriseCloud
Agentless Integration with OpenSSH Servers
Application Access
Database Access
Desktop Access
Kubernetes Access
Machine ID
Server Access

Licensing and usage management

Community EditionEnterpriseCloud
Annual or multi-year contracts, volume discounts
Anonymized Usage TrackingOpt-in
LicenseCommercialCommercialCommercial

Operations

Community EditionEnterpriseCloud
Auth Service and Proxy Service ManagementSelf-hostedSelf-hostedFully managed
Backend supportAny S3-compatible storage for session records, many managed backends for custom audit log storage.Any S3-compatible storage for session records, many managed backends for custom audit log storageAll data is stored in DynamoDB and S3 with server-side encryption.
Data storage locationCan store data anywhere in the world, on most managed cloud backendsCan store data anywhere in the world, on most managed cloud backendsData is stored in Teleport's AWS infrastructure with audit logs/sessions optionally in customer AWS accounts. Proxy Service instances are deployed across the world for low-latency access.
Hardware Security Module support for encryption at rest
Proxy Service domain nameCustomCustomA subdomain of teleport.sh
Version supportAll supported releases available to install and download.All supported releases available to install and download.Deploys last stable release with 2-3 week lag for stability.

Support

Community EditionEnterpriseCloud
SupportCommunity24x7 support with premium SLAs and account managers24x7 support with premium SLAs and account managers

Should we use Teleport Enterprise or Teleport Community Edition for connecting resources to our Teleport cluster?

Teleport Enterprise and Enterprise Cloud customers should use the Enterprise release of the teleport binary for agents. Running the Community Edition binary could result in incompatibility to these cluster editions for certain features.

To verify you have a Teleport Enterprise release installed run the teleport version command and Enterprise will be in the output.

teleport version

Teleport Enterprise v16.4.7 go1.22

Teleport Community Edition clusters should use the Teleport Community Edition releases. The teleport version command will only include Teleport in its output for those releases.

teleport version

Teleport v16.4.7 go1.22

See the Installation guide for details on installing to specific platforms with Enterprise or Teleport Community Edition releases.

Can individual agents create reverse tunnels to the Proxy Service without creating a new cluster?

Yes. When running a Teleport agent, use the --auth-server flag to point to the Proxy Service address (this would be public_addr and web_listen_addr in your file configuration). For more information, see Adding Nodes to the Cluster.

Can Nodes use a single port for reverse tunnels?

Yes, Teleport supports tunnel multiplexing on a single port. Set the tunnel_listen_addr to use the same port as the web_listen_addr address setting in the proxy_service configuration. Teleport will automatically use multiplexing with that configuration.

Can Teleport be deployed in agentless mode?

Yes. All Teleport services support agentless mode, where the service proxies traffic to an upstream infrastructure resource not available on localhost.

With Teleport in agentless mode, you can easily control access to SSH servers, Kubernetes clusters, desktops, databases, and internal applications without running any additional software on your servers. Agentless mode supports session recordings and audit logs for deep understanding into user behavior.

For capabilities such as kernel-level logging and user provisioning, we recommend Teleport as a drop in replacement for OpenSSH. Since Teleport replaces the OpenSSH agent while preserving OpenSSH's functionality, you get more functionality without a net addition of an agent on your system.

Can I use OpenSSH with a Teleport cluster?

Yes, this question comes up often and is related to the previous one. Take a look at Using OpenSSH Guide.

Can I copy files from one Teleport node to another?

Yes, Teleport supports Headless WebAuthn authentication, which allows you to perform operations like tsh ssh or tsh scp from remote systems where you are not logged in to Teleport or may not have access to a browser.

tsh is very slow on Windows, what to do?

If your host machine is joined to an Active Directory domain, you might find user lookups take a lot longer than you expect. The number of Active Directory accounts that must be scanned to perform a user lookup can cause tsh to hang waiting to get information about the current user. To fix this issue, you can use environment variables to set default account information for your Teleport user. If you are experiencing long lookup times on Windows, do the following:

  • Either set the TELEPORT_USER environment variable or set the --user flag to the name of your Teleport user.
  • Either set the TELEPORT_LOGIN environment variable or set the --login flag to the name of current host user. This setting can be overridden if you open a new SSH session on a machine as a different user.
  • Set the TELEPORT_HOME environment variable to be the home directory of your current host user + \.tsh. For example, if your home directory is C:\Users\Me, you'd set TELEPORT_HOME to C:\Users\Me\.tsh.

You can set these environment variables globally in Windows so that you don't have to set them every time you run tsh.

Which version of Teleport is supported?

Teleport releases a new major version approximately every 4 months, and provides security-critical support for the current and two previous major versions. With our typical release cadence, we usually support each major version for 12 months.

Supported versions

Here are the major versions of Teleport and their support windows:

ReleaseRelease DateEOLMinimum tsh version
v16.0June 14, 2024June 2025v15.0.0
v15.0January 29, 2024January 2025v14.0.0
v14.0September 20, 2023October 2024v13.0.0

Version compatibility

Teleport uses Semantic Versioning. Version numbers include a major version, minor version, and patch version, separated by dots. When running multiple teleport binaries within a cluster, the following rules apply:

  • Patch and minor versions are always compatible, for example, any 8.0.1 component will work with any 8.0.3 component and any 8.1.0 component will work with any 8.3.0 component.
  • Servers support clients that are one major version behind, but do not support clients that are on a newer major version. For example, an 8.x.x Proxy Service instance is compatible with 7.x.x agents and 7.x.x tsh, but we don't guarantee that a 9.x.x agent will work with an 8.x.x Proxy Service instance. This also means you must not attempt to upgrade from 6.x.x straight to 8.x.x. You must upgrade to 7.x.x first.
  • Proxy Service instances and agents do not support Auth Service instances that are on an older major version, and will fail to connect to older Auth Service instances by default. You can override version checks by passing --skip-version-check when starting agents and Proxy Service instances.

Does the Web UI support copy and paste?

Yes. You can copy and paste using a mouse.

What TCP ports does Teleport use?

Please refer to our Networking guide.

Does Teleport support authentication via OIDC, SAML, or Active Directory?

Teleport offers this feature for the Enterprise (Cloud) and Enterprise (Self-Hosted) versions of Teleport.

Why do changes to a user's role set only take effect on the log next login?

A Teleport user's assigned roles are embedded in the client certificate they receive upon logging on. This certificate remains valid and can be used until its expiry, even if the user's role set has changed.

To get a new certificate with the new role set, the user will need to log out and log back in.

Revocation of Teleport access should be done with Teleport's session and identity locks, not by removing roles.

Does Teleport support provisioning users via SCIM?

Teleport supports SCIM provisioning for Okta via the hosted Okta integration, available in the Enterprise (Cloud) and Enterprise (Self-Hosted) versions of Teleport.

Refer to the hosted Okta integration guide for details on setting up and configuring SCIM support.

Why do I see an alert that some agents are out of date?

Teleport monitors the inventory of all cluster components and compares their Teleport versions with the latest release on our GitHub page. If a component is not on the latest release, Teleport will create a cluster alert encouraging users to upgrade.

This check is performed against all cluster components, including the Proxy Service and Auth Service, as well as agents running other Teleport Services.

What is the minimum TLS version that Teleport requires?

Teleport requires a minimum of TLS version 1.2.

This means that when applications and clients establish or accept TLS connections with Teleport processes, they must use TLS 1.2 or a higher protocol version. Teleport enforces this requirement in all operations that involve TLS connections.

Can I suppress warnings about available upgrades?

Yes. The tctl alerts ack command can be used to acknowledge an alert and temporarily prevent it from being displayed to users. To acknowledge an alert, you need its ID. You can get a listing of all alerts and their IDs with the tctl alerts list command.

For detailed information on this family of commands, see the CLI Reference.

Does Teleport send any data back to the cloud?

The open source edition of Teleport does not send any information to our company, and can be used on servers without internet access.

The commercial editions of Teleport can optionally be configured to send anonymized information, depending on the license purchased. This information contains the following:

  • Teleport license identifier;
  • anonymized cluster name and Teleport auth server host ID;
  • for each Teleport user, the anonymized user name and a per-protocol count of interactions - Teleport logins, SSH and Kubernetes exec sessions, Application access web sessions and TCP connections, SSH port forwards, Kubernetes API requests, SFTP actions.

The anonymization is done by passing names and IDs through HMAC-SHA-256, with a HMAC key that's randomly generated when the Teleport cluster is initialized for the first time and is never shared with us; this makes it infeasible for anyone without access to the cluster to deanonymize the data we store.

The code that aggregates and anonymizes this data can be found in our repository on GitHub.

For more details, see the Usage Reporting and Billing guide.

Reach out to [email protected] if you have questions about the commercial editions of Teleport.

Teleport Connect

When you first start the app, Teleport Connect asks for permission to collect and send telemetry data. This includes tracking events such as:

  • Logging in to a cluster
  • Starting an SSH, database, application, or Kubernetes session
  • File transfer during an SSH session
  • Creating an Access Request
  • Reviewing an Access Request
  • Assuming an Access Request

On login, we also collect some device-related data:

  • Operating system and its version
  • App version
  • Processor architecture

Additionally, we ask for a job role (the answer is optional).

The full list of events and collected data is defined as protocol buffer messages in the Teleport source. We do not track the details of those events but merely that the given event took place. Each event includes the cluster name and user name anonymized with HMAC using the cluster's internal random UUID as the key. It is infeasible to associate this back to a specific cluster or user without access to the cluster's internal datastore.

If you no longer want to send usage data, see disabling telemetry.