Teleport

FAQ

Community FAQ

Can I use Teleport in production today?

Teleport has been deployed on server clusters with thousands of nodes at Fortune 500 companies. It has been through several security audits from nationally recognized technology security companies, so we are comfortable with the stability of Teleport from a security perspective.

Can Teleport be deployed in agentless mode?

Yes. Teleport can be deployed with a tiny footprint as an authentication gateway/proxy, and you can keep your existing SSH servers on the nodes. However, some innovative Teleport features, such as cluster introspection, will not be available unless the Teleport SSH daemon is present on all cluster nodes.

Can I use OpenSSH with a Teleport cluster?

Yes, this question comes up often and is related to the previous one. Take a look at the Using OpenSSH Guide.

Can I connect to nodes behind a firewall?

Yes, Teleport supports reverse SSH tunnels out of the box. To configure behind-firewall clusters, refer to the Trusted Clusters section of the Admin Manual.

Can individual nodes create reverse tunnels to a proxy server without creating a new cluster?

This was a popular customer request that was added in 4.0. Once you've upgraded your Teleport cluster, change the node config option --auth-server to point to the web proxy address (this would be public_addr and web_listen_addr in file configuration), as described in Adding a node located behind NAT - Teleport Node Tunneling.

Can nodes use a single port for reverse tunnels?

Yes, Teleport supports tunnel multiplexing on a single port. Set the tunnel_listen_addr to use the same port as the web_listen_addr address setting in the proxy_service configuration. Teleport will automatically use multiplexing with that configuration.

How is Open Source different from Enterprise?

Teleport provides three offerings:

  • Open Source - Apache 2 License, self-hosted.
  • Enterprise - self-hosted or cloud, commercial license.

Capability/Offering | Open Source | Enterprise
License | Apache 2 | Commercial
Role-Based Access Control | |
Cloud-hosted | |
Self-hosted | |
Single Sign-On | Github only | Github, Google, OIDC, SAML
Access Requests | Limited | Dual authorization, mandatory requests
FedRamp Control | | Compiled with FIPS-certified crypto libraries, FedRamp control features
PCI DSS Features | Limited |
SOC2 Features | Limited |
Annual or Multi-Year contracts, Volume Discounts | |
Support | Best-effort, community | 24x7 support with premium SLAs & account managers

Which version of Teleport is supported?

Teleport provides security-critical support for the current and two previous releases. With our typical release cadence, this means a release is usually supported for 9 months.

Release | Long Term Support | Release Date | Min tsh version
6.2 | No | May 21st, 2021 | 3.0.0
6.1 | No | April 9th, 2021 | 3.0.0
6 | Yes | March 4th, 2021 | 3.0.0
5.0 | Yes | November 24th, 2020 | 3.0.0
4.4 | Yes | October 20th, 2020 | 3.0.0
4.3 (EOL) | Yes | July 8th, 2020 | 3.0.0
4.2 (EOL) | Yes | December 19th, 2019 | 3.0.0
4.1 (EOL) | Yes | October 1st, 2019 | 3.0.0
4.0 (EOL) | Yes | June 18th, 2019 | 3.0.0

How should I upgrade my cluster?

Please follow our guidelines for upgrading. We recommend upgrading the Auth Server first and the proxy after it.

Does Web UI support copy and paste?

Yes. You can copy and paste using a mouse. If you prefer a keyboard, Teleport employs tmux-like "prefix" mode. To enter prefix mode, use the Ctrl+A keyboard shortcut.

While in prefix mode, you can press Ctrl+V to paste, or enter text selection mode by pressing [. When in text selection mode:

  • Move around using the keys h, j, k, and l.
  • Select text by toggling space.
  • And, copy it via Ctrl+C.

What TCP ports does Teleport use?

Please refer to the Ports section of the Admin Manual.

Does Teleport support authentication via OAuth, SAML, or Active Directory?

Gravitational offers this feature for the Enterprise versions of Teleport.

Does Teleport send any data back to the cloud?

The Open-Source Edition of Teleport does not send any information to Gravitational and can be used on servers without internet access. The commercial versions of Teleport may or may not be configured to send anonymized information to Gravitational, depending on the license purchased. This information contains the following:

  • Anonymized user ID: SHA256 hash of a username with a randomly generated prefix.
  • Anonymized server ID: SHA256 hash of a server IP with a randomly generated prefix.

This allows Teleport Pro to print a warning if users are exceeding the usage limits of their license. The reporting library code is on GitHub.
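The anonymization scheme described above, sketched as an added example (this is not code from Teleport or its reporting library). The type and function names, the 32-byte prefix length and the prefix-then-value layout are assumptions; the page only states "SHA256 hash with a randomly generated prefix".

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Anonymizer (hypothetical name) hashes identifiers behind a random
// per-installation prefix. Prefix size and layout are assumptions.
type Anonymizer struct{ prefix []byte }

// NewAnonymizer draws a fresh 32-byte prefix from the OS CSPRNG.
func NewAnonymizer() (*Anonymizer, error) {
	p := make([]byte, 32)
	if _, err := rand.Read(p); err != nil {
		return nil, fmt.Errorf("reading random prefix: %w", err)
	}
	return &Anonymizer{prefix: p}, nil
}

// ID returns hex(SHA256(prefix || value)) for a username or server IP.
func (a *Anonymizer) ID(value string) string {
	sum := sha256.Sum256(append(append([]byte{}, a.prefix...), value...))
	return hex.EncodeToString(sum[:])
}

// CountUnique is what a receiver can do with such IDs: count distinct
// users or servers against a license limit without learning who they are.
func CountUnique(ids []string) int {
	seen := make(map[string]struct{}, len(ids))
	for _, id := range ids {
		seen[id] = struct{}{}
	}
	return len(seen)
}

func main() {
	a, err := NewAnonymizer()
	if err != nil {
		panic(err)
	}
	// Constructed sample: three logins by two users on one cluster.
	ids := []string{a.ID("alice"), a.ID("bob"), a.ID("alice")}
	bare := sha256.Sum256([]byte("alice"))
	fmt.Println("distinct users:", CountUnique(ids))
	fmt.Println("equals unprefixed hash:", ids[0] == hex.EncodeToString(bare[:]))
}
```

Usernames and server IPs are low-entropy values, so the IDs are only as anonymous as the prefix is secret. When reviewing a deployment, confirm the prefix stays on the installation and is not transmitted alongside the hashes.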

Reach out to [email protected] if you have questions about the commercial edition of Teleport.
