Teleport FAQ

Can I use Teleport in production today?

Teleport has been deployed on server clusters with thousands of hosts at Fortune 500 companies. It has been through several security audits from nationally recognized technology security companies, so we are comfortable with the stability of Teleport from a security perspective.

Can Teleport be deployed in agentless mode?

Yes.

With Teleport in agentless mode, you can control access to SSH servers, Kubernetes clusters, desktops, databases, and internal applications without running any additional software on your servers. Agentless mode supports session recordings and audit logs, so you still get visibility into user behavior.

For capabilities such as kernel-level logging and user provisioning, we recommend Teleport as a drop-in replacement for OpenSSH. Since the Teleport SSH Service replaces the OpenSSH server daemon while preserving OpenSSH's functionality, you get more functionality without a net addition of an agent on your system.

Here are details about running each of Teleport's resource services in agentless mode. All resource services except for the Node/SSH Service act as proxies for client traffic:

| Service | Notes |
| --- | --- |
| Application Service | Proxies HTTP requests to a user-configured list of applications, which can run on the same host as the teleport daemon or at a remote endpoint. |
| Database Service | Proxies database-specific protocol traffic to a user-configured list of databases, which can run on the same host as the teleport daemon or at a remote endpoint. |
| Kubernetes Service | Proxies client traffic to the API server of a registered Kubernetes cluster. |
| Node/SSH Service | You can configure OpenSSH clients and servers to trust Teleport's CA (see our OpenSSH guide). For full functionality, you can run the Node Service, which implements SSH, on each server in your infrastructure. |
| Windows Desktop Service | Proxies RDP traffic from client browsers to remote Windows servers. |

Can I use OpenSSH with a Teleport cluster?

Yes. This question comes up often and is related to the previous one; take a look at the Using OpenSSH guide.

Can I connect to Nodes behind a firewall?

Yes, Teleport supports reverse SSH tunnels out of the box. To configure behind-firewall clusters, refer to our Trusted Clusters guide.

Can individual agents create reverse tunnels to the Proxy Service without creating a new cluster?

Yes. When running a Teleport agent, use the --auth-server flag to point to the Proxy Service address (the address given by public_addr and web_listen_addr in the proxy_service section of your configuration file). The agent then dials out to the Proxy Service and keeps a reverse tunnel open, so no inbound port needs to be exposed on the agent's host. For more information, see Adding Nodes to the Cluster.

Can Nodes use a single port for reverse tunnels?

Yes, Teleport supports tunnel multiplexing on a single port. Set tunnel_listen_addr to the same port as web_listen_addr in the proxy_service configuration. With that configuration Teleport automatically multiplexes reverse tunnels and web traffic over the one listener, so agents behind a firewall only need outbound access to a single port.
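As an added illustration of the two answers above (this is a constructed example, not a configuration file from the Teleport documentation), the following shows a Proxy Service that multiplexes web and reverse-tunnel traffic on port 443, and an agent behind a firewall that joins through that single address. It assumes the v3 configuration file format, in which teleport.proxy_server is the file equivalent of the --auth-server flag when pointing at a Proxy Service; the hostname, the data directory, and the join token are placeholders.

```yaml
# --- Proxy Service host: /etc/teleport.yaml (constructed example) ---
version: v3
teleport:
  nodename: proxy-1
  data_dir: /var/lib/teleport
auth_service:
  enabled: yes
proxy_service:
  enabled: yes
  # Address agents and clients use to reach the proxy; the port matches web_listen_addr.
  # teleport.example.com is a placeholder hostname.
  public_addr: teleport.example.com:443
  web_listen_addr: 0.0.0.0:443
  # Same port as web_listen_addr: Teleport multiplexes reverse tunnels over the web
  # listener, so this is the only inbound port the proxy host needs to expose.
  tunnel_listen_addr: 0.0.0.0:443
ssh_service:
  enabled: no

---
# --- Agent host behind a firewall: /etc/teleport.yaml (constructed example) ---
version: v3
teleport:
  nodename: app-server-1
  data_dir: /var/lib/teleport
  # Points at the Proxy Service's public_addr. The agent opens an outbound
  # connection and keeps a reverse tunnel over it; no inbound port is required.
  # Equivalent one-off start, using the flag named in the FAQ:
  #   teleport start --roles=node --auth-server=teleport.example.com:443 --token=<join token>
  proxy_server: teleport.example.com:443
  join_params:
    method: token
    token_name: REPLACE_WITH_JOIN_TOKEN   # placeholder; obtain a token from your Auth Service
auth_service:
  enabled: no
proxy_service:
  enabled: no
ssh_service:
  enabled: yes
```

The join token is short-lived and should be generated per enrollment rather than reused across hosts; once the agent has joined, its host certificate, not the token, is what authenticates the reverse tunnel.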

How is Open Source different from Enterprise?

Teleport provides three editions:

  • Open Source
  • Enterprise
  • Cloud

Here is a detailed breakdown of the differences between Teleport's editions.

Access controls

| Feature | Open Source | Enterprise | Cloud |
| --- | --- | --- | --- |
| Access Requests | Limited | | |
| Single Sign-On | GitHub | GitHub, Google Workspace, OIDC, SAML | GitHub, Google Workspace, OIDC, SAML |
| Role-Based Access Control | | | |
| Moderated Sessions | | | |

Infrastructure access

| Feature | Open Source | Enterprise | Cloud |
| --- | --- | --- | --- |
| Application Access | | | |
| Server Access | | | |
| Database Access | | | |
| Desktop Access | | | |
| Kubernetes Access | | | |
| Machine ID | | | |
| Agentless integration with OpenSSH servers | | | |

Session recording

| Feature | Open Source | Enterprise | Cloud |
| --- | --- | --- | --- |
| Recording Proxy Mode | | | |
| Enhanced Session Recording | | | |

Compliance

| Feature | Open Source | Enterprise | Cloud |
| --- | --- | --- | --- |
| FedRAMP Control | | | |
| PCI DSS Features | Limited | | |
| SOC 2 Features | Limited | | |
| FIPS-compliant binaries available for FedRAMP High | | | |

Operations

| Feature | Open Source | Enterprise | Cloud |
| --- | --- | --- | --- |
| Auth and Proxy Service management | Self-hosted | Self-hosted | Fully managed |
| Proxy Service domain name | Custom | Custom | A subdomain of teleport.sh |
| Version support | All supported releases available to install and download. | All supported releases available to install and download. | Deploys last stable release with 2-3 week lag for stability. |
| Backend support | Any S3-compatible storage for session records, many managed backends for custom audit log storage. | Any S3-compatible storage for session records, many managed backends for custom audit log storage. | All data is stored in DynamoDB and S3 with server-side encryption. |
| Data storage location | Can store data anywhere in the world, on most managed cloud backends. | Can store data anywhere in the world, on most managed cloud backends. | Data is stored in us-west-2, with Proxy Service instances deployed across the world for low-latency access. |
| Hardware Security Module support for encryption at rest | | | |

Support

| Feature | Open Source | Enterprise | Cloud |
| --- | --- | --- | --- |
| Support | Best-effort, community | 24x7 support with premium SLAs and account managers | 24x7 support with premium SLAs and account managers |

Licensing and usage management

| Feature | Open Source | Enterprise | Cloud |
| --- | --- | --- | --- |
| Annual or multi-year contracts, volume discounts | | | |
| License | Apache 2 | Commercial | Commercial |
| Usage tracking (enables you to track the number of users per protocol) | | | |

Which version of Teleport is supported?

Teleport provides security-critical support for the current and two previous releases. With our typical release cadence, this means a release is usually supported for 9 months.

See our Upgrading guide for more information.

Does the Web UI support copy and paste?

Yes. You can copy and paste using a mouse. If you prefer a keyboard, Teleport employs a tmux-like "prefix" mode. To enter prefix mode, use the Ctrl+A keyboard shortcut.

While in prefix mode, you can press Ctrl+V to paste, or enter text selection mode by pressing [. When in text selection mode:

  • Move around using the keys h, j, k, and l.
  • Toggle selection of text with the space bar.
  • Copy the selection with Ctrl+C.

What TCP ports does Teleport use?

Please refer to our Networking guide.

Does Teleport support authentication via OAuth, SAML, or Active Directory?

Teleport offers this feature in the Enterprise editions of Teleport.

Does Teleport send any data back to the cloud?

The open source and Enterprise editions of Teleport do not send any information to our company, and can be used on servers without internet access.

The commercial editions of Teleport can optionally be configured to send anonymized usage information, depending on the license purchased. This information consists of the following:

  • Anonymized user ID: SHA256 hash of a username with a randomly generated prefix.
  • Anonymized server ID: SHA256 hash of a server IP with a randomly generated prefix.

This allows Teleport Cloud and Teleport Enterprise to print a warning if users are exceeding the usage limits of their license. The reporting library code is on GitHub.

Reach out to [email protected] if you have questions about the commercial editions of Teleport.