Can I use Teleport in production today?
Teleport has been deployed on server clusters with thousands of hosts at Fortune 500 companies. It has been through several security audits from nationally recognized technology security companies, so we are comfortable with the stability of Teleport from a security perspective.
Can Teleport be deployed in agentless mode?
Yes.
With Teleport in agentless mode, you can easily control access to SSH servers, Kubernetes clusters, desktops, databases, and internal applications without running any additional software on your servers. Agentless mode supports session recordings and audit logs for deep understanding into user behavior.
For capabilities such as kernel-level logging and user provisioning, we recommend Teleport as a drop in replacement for OpenSSH. Since Teleport replaces the OpenSSH agent while preserving OpenSSH's functionality, you get more functionality without a net addition of an agent on your system.
Here are details about running each of Teleport's resource services in agentless mode. All resource services except for the Node/SSH Service act as proxies for client traffic:
| Service | Supports agent mode | Supports agentless mode | Notes |
|---|---|---|---|
| Application Service | ✔ | ✔ | Proxies HTTP requests to a user-configured list of applications, which can run on the same host as the teleport daemon or at a remote endpoint. |
| Database Service | ✔ | ✔ | Proxies database-specific protocol traffic to a user-configured list of databases, which can run on the same host as the teleport daemon or at a remote endpoint. |
| Kubernetes Service | ✖ | ✔ | Proxies client traffic to the API server of a registered Kubernetes cluster. |
| Node/SSH Service | ✔ | ✔ | You can configure OpenSSH clients and servers to trust Teleport's CA. See our OpenSSH guide. For full functionality, you can run the Node Service, which implements SSH, on each server in your infrastructure. |
| Windows Desktop Service | ✖ | ✔ | Proxies RDP traffic from client browsers to remote Windows servers. |
Can I use OpenSSH with a Teleport cluster?
Yes, this question comes up often and is related to the previous one. Take a look at Using OpenSSH Guide.
Can I connect to Nodes behind a firewall?
Yes, Teleport supports reverse SSH tunnels out of the box. To configure behind-firewall clusters refer to our Trusted Clusters guide.
Can individual agents create reverse tunnels to the Proxy Service without creating a new cluster?
Yes. When running a Teleport agent, use the --auth-server flag to point to the
Proxy Service address (this would be public_addr and web_listen_addr in your
file configuration). For more information, see
Adding Nodes to the Cluster.
Can Nodes use a single port for reverse tunnels?
Yes, Teleport supports tunnel multiplexing on a single port. Set the
tunnel_listen_addr to use the same port as the web_listen_addr address
setting in the proxy_service configuration. Teleport will automatically use
multiplexing with that configuration.
I'm getting ssh: subsystem request failed while I try to copy files, what to do?
Make sure that all Teleport components are at least at version 10.3.0. Older versions
don't support the SFTP protocol, and it's enabled by default in tsh v11.0.0 and OpenSSH v9.0.
How is Open Source different from Enterprise?
Teleport provides three editions:
- Open Source
- Enterprise
- Cloud
Here is a detailed breakdown of the differences between Teleport's editions.
Access controls
| Open Source | Enterprise | Cloud | |
|---|---|---|---|
| Access Requests | Limited | ✔ | ✔ |
| Single Sign-On | GitHub | GitHub, Google Workspace, OIDC, SAML | GitHub, Google Workspace, OIDC, SAML |
| Role-Based Access Control | ✔ | ✔ | ✔ |
| Moderated Sessions | ✖ | ✔ | ✔ |
| Device Trust | ✖ | ✔ | ✔ |
Infrastructure access
| Open Source | Enterprise | Cloud | |
|---|---|---|---|
| Application Access | ✔ | ✔ | ✔ |
| Server Access | ✔ | ✔ | ✔ |
| Database Access | ✔ | ✔ | ✔ |
| Desktop Access - Active Directory | ✔ | ✔ | ✔ |
| Passwordless Windows Access for Local Users | ✖ | ✔ | ✔ |
| Kubernetes Access | ✔ | ✔ | ✔ |
| Machine ID | ✔ | ✔ | ✔ |
| Agentless integration with OpenSSH servers | ✔ | ✔ | ✔ |
Session recording
| Open Source | Enterprise | Cloud | |
|---|---|---|---|
| Recording Proxy Mode | ✔ | ✔ | ✖ |
| Enhanced Session Recording | ✔ | ✔ | ✔ |
Compliance
| Open Source | Enterprise | Cloud | |
|---|---|---|---|
| FedRAMP Control | ✖ | ✔ | ✖ |
| PCI DSS Features | Limited | ✔ | ✔ |
| SOC 2 Features | Limited | ✔ | ✔ |
| FIPS-compliant binaries available for FedRAMP High | ✖ | ✔ | ✖ |
| IP-Based Restrictions | ✖ | ✔ | ✔ |
Operations
| Open Source | Enterprise | Cloud | |
|---|---|---|---|
| Auth and Proxy Service management | Self-hosted | Self-hosted | Fully managed |
| Proxy Service domain name | Custom | Custom | A subdomain of teleport.sh |
| Version support | All supported releases available to install and download. | All supported releases available to install and download. | Deploys last stable release with 2-3 week lag for stability. |
| Backend support | Any S3-compatible storage for session records, many managed backends for custom audit log storage. | Any S3-compatible storage for session records, many managed backends for custom audit log storage | All data is stored in DynamoDB and S3 with server-side encryption |
| Data storage location | Can store data anywhere in the world, on most managed cloud backends | Can store data anywhere in the world, on most managed cloud backends | Data is stored in us-west-2, with Proxy Service instances deployed across the world for low-latency access |
| Hardware Security Module support for encryption at rest | ✖ | ✔ | ✖ |
Support
| Open Source | Enterprise | Cloud | |
|---|---|---|---|
| Support | Best-effort, community | 24x7 support with premium SLAs and account managers | 24x7 support with premium SLAs and account managers |
Licensing and usage management
| Open Source | Enterprise | Cloud | |
|---|---|---|---|
| Annual or multi-year contracts, volume discounts | ✖ | ✔ | ✔ |
| License | Apache 2 | Commercial | Commercial |
| Usage tracking | ✖ | ✖ | Enables you to track the number of users per protocol. |
Which version of Teleport is supported?
Teleport provides security-critical support for the current and two previous releases. With our typical release cadence, this means a release is usually supported for 9 months.
Supported versions
Here are the major versions of Teleport and their support windows:
| Release | Release Date | EOL | Minimum tsh version |
|---|---|---|---|
| v12.0 | Feb 6, 2023 | November 2023 | v11.x.x |
| v11.0 | October 24, 2022 | July 2023 | v10.x.x |
| v10.0 | July 8, 2022 | April 2023 | v9.x.x |
See our Upgrading guide for more information.
Version compatibility
When running multiple teleport binaries within a cluster, the following rules
apply:
- Patch and minor versions are always compatible, for example, any 8.0.1 component will work with any 8.0.3 component and any 8.1.0 component will work with any 8.3.0 component.
- Servers support clients that are 1 major version behind, but do not support
clients that are on a newer major version. For example, an 8.x.x Proxy Service
is compatible with 7.x.x resource services and 7.x.x
tsh, but we don't guarantee that a 9.x.x resource service will work with an 8.x.x Proxy Service. This also means you must not attempt to upgrade from 6.x.x straight to 8.x.x. You must upgrade to 7.x.x first. - Proxy Services and resource services do not support Auth Services that are on
an older major version, and will fail to connect to older Auth Services by
default. This behavior can be overridden by passing
--skip-version-checkwhen starting Proxy Services and resource services.
Does the Web UI support copy and paste?
Yes. You can copy and paste using a mouse.
What TCP ports does Teleport use?
Please refer to our Networking guide.
Does Teleport support authentication via OAuth, SAML, or Active Directory?
Teleport offers this feature for the Enterprise versions of Teleport.
Does Teleport send any data back to the cloud?
The open source and Enterprise editions of Teleport do not send any information to our company, and can be used on servers without internet access.
The commercial editions of Teleport can optionally be configured to send anonymized information, depending on the license purchased. This information contains the following:
- Anonymized user ID: SHA256 hash of a username with a randomly generated prefix.
- Anonymized server ID: SHA256 hash of a server IP with a randomly generated prefix.
This allows Teleport Cloud and Teleport Enterprise to print a warning if users are exceeding the usage limits of their license. The reporting library code is on GitHub.
Reach out to [email protected] if you have questions about the commercial
editions of Teleport.
Teleport Connect
When you first start the app, Teleport Connect asks for permission to collect and send telemetry data. This includes tracking events such as:
- Logging in to a cluster
- Starting an SSH, database, or Kubernetes session
- File transfer during an SSH session
- Creating an Access Request
- Reviewing an Access Request
- Assuming an Access Request
On login, we also collect some device-related data:
- Operating system and its version
- App version
- Processor architecture
Additionally, we ask for a job role (answer is optional).
The full list of events and collected data is defined as protocol buffer messages in the Teleport source. We do not track the details of those events but merely that the given event took place. Each event includes the cluster name and user name anonymized with HMAC using the cluster's internal random UUID as the key. It is infeasible to associate this back to a specific cluster or user without access to the cluster's internal datastore.
If you no longer want to send usage data, see disabling telemetry.