Teleport FAQ

Can I use Teleport in production today?

Teleport has been deployed on server clusters with thousands of hosts at Fortune 500 companies. It has been through several security audits from nationally recognized technology security companies, so we are comfortable with the stability of Teleport from a security perspective.

Can Teleport be deployed in agentless mode?

Yes.

With Teleport in agentless mode, you can control access to SSH servers, Kubernetes clusters, desktops, databases, and internal applications without running any additional software on your servers. Agentless mode supports session recordings and audit logs for deep insight into user behavior.

For capabilities such as kernel-level logging and user provisioning, we recommend Teleport as a drop-in replacement for OpenSSH. Since Teleport's SSH service replaces the OpenSSH daemon (sshd) while preserving its functionality, you get more functionality without a net addition of an agent on your system.

Here are details about running each of Teleport's resource services in agentless mode. All resource services except for the Node/SSH Service act as proxies for client traffic:

Service | Notes
Application Service | Proxies HTTP requests to a user-configured list of applications, which can run on the same host as the teleport daemon or at a remote endpoint.
Database Service | Proxies database-specific protocol traffic to a user-configured list of databases, which can run on the same host as the teleport daemon or at a remote endpoint.
Kubernetes Service | Proxies client traffic to the API server of a registered Kubernetes cluster.
Node/SSH Service | You can configure OpenSSH clients and servers to trust Teleport's CA. See our OpenSSH guide. For full functionality, you can run the Node Service, which implements SSH, on each server in your infrastructure.
Windows Desktop Service | Proxies RDP traffic from client browsers to remote Windows servers.

Can I use OpenSSH with a Teleport cluster?

Yes. This question comes up often and is related to the previous one. Take a look at the Using OpenSSH guide.

Can I connect to Nodes behind a firewall?

Yes, Teleport supports reverse SSH tunnels out of the box. To configure behind-firewall clusters refer to our Trusted Clusters guide.

Can individual agents create reverse tunnels to the Proxy Service without creating a new cluster?

Yes. When running a Teleport agent, use the --auth-server flag to point to the Proxy Service address (this would be public_addr and web_listen_addr in your file configuration). For more information, see Adding Nodes to the Cluster.

Can Nodes use a single port for reverse tunnels?

Yes, Teleport supports tunnel multiplexing on a single port. Set the tunnel_listen_addr to use the same port as the web_listen_addr address setting in the proxy_service configuration. Teleport will automatically use multiplexing with that configuration.
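A proxy_service section for the single-port setup just described, as an added example that is not from the original page; the hostname teleport.example.com is a placeholder:

```yaml
# teleport.yaml, proxy_service section only (placeholder hostname)
proxy_service:
  enabled: yes
  # The web listener and the reverse-tunnel listener share port 443, so
  # Teleport multiplexes tunnel and web traffic on that one port.
  web_listen_addr: 0.0.0.0:443
  tunnel_listen_addr: 0.0.0.0:443
  # Address that clients and agents use to reach the Proxy Service
  public_addr: teleport.example.com:443
  tunnel_public_addr: teleport.example.com:443
```

With this configuration, agents join through the same endpoint (for example `--auth-server=teleport.example.com:443`), so only port 443 needs to be reachable from the outside.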

I'm getting "ssh: subsystem request failed" when I try to copy files. What should I do?

Make sure that all Teleport components are at least at version 10.3.0. Older versions don't support the SFTP protocol, which tsh v11.0.0 and OpenSSH v9.0 use by default for file copies.

How is Open Source different from Enterprise?

Teleport provides three editions:

  • Open Source
  • Enterprise
  • Cloud

Here is a detailed breakdown of the differences between Teleport's editions.

Access controls

Feature | Open Source | Enterprise | Cloud
Access Requests | Limited
Single Sign-On | GitHub | GitHub, Google Workspace, OIDC, SAML | GitHub, Google Workspace, OIDC, SAML
Role-Based Access Control
Moderated Sessions
Device Trust

Infrastructure access

Feature | Open Source | Enterprise | Cloud
Application Access
Server Access
Database Access
Desktop Access - Active Directory
Passwordless Windows Access for Local Users
Kubernetes Access
Machine ID
Agentless integration with OpenSSH servers

Session recording

Feature | Open Source | Enterprise | Cloud
Recording Proxy Mode
Enhanced Session Recording

Compliance

Feature | Open Source | Enterprise | Cloud
FedRAMP Control
PCI DSS Features | Limited
SOC 2 Features | Limited
FIPS-compliant binaries available for FedRAMP High
IP-Based Restrictions

Operations

Feature | Open Source | Enterprise | Cloud
Auth and Proxy Service management | Self-hosted | Self-hosted | Fully managed
Proxy Service domain name | Custom | Custom | A subdomain of teleport.sh
Version support | All supported releases available to install and download. | All supported releases available to install and download. | Deploys last stable release with 2-3 week lag for stability.
Backend support | Any S3-compatible storage for session records, many managed backends for custom audit log storage. | Any S3-compatible storage for session records, many managed backends for custom audit log storage. | All data is stored in DynamoDB and S3 with server-side encryption.
Data storage location | Can store data anywhere in the world, on most managed cloud backends. | Can store data anywhere in the world, on most managed cloud backends. | Data is stored in us-west-2, with Proxy Service instances deployed across the world for low-latency access.
Hardware Security Module support for encryption at rest

Support

Feature | Open Source | Enterprise | Cloud
Support | Best-effort, community | 24x7 support with premium SLAs and account managers | 24x7 support with premium SLAs and account managers

Licensing and usage management

Feature | Open Source | Enterprise | Cloud
Annual or multi-year contracts, volume discounts
License | Apache 2 | Commercial | Commercial
Usage tracking | Enables you to track the number of users per protocol.

Which version of Teleport is supported?

Teleport provides security-critical support for the current and two previous releases. With our typical release cadence, this means a release is usually supported for 9 months.

Supported versions

Here are the major versions of Teleport and their support windows:

Release | Release Date | EOL | Minimum tsh version
v12.0 | February 6, 2023 | November 2023 | v11.x.x
v11.0 | October 24, 2022 | July 2023 | v10.x.x
v10.0 | July 8, 2022 | April 2023 | v9.x.x

See our Upgrading guide for more information.

Version compatibility

When running multiple teleport binaries within a cluster, the following rules apply:

  • Patch and minor versions are always compatible, for example, any 8.0.1 component will work with any 8.0.3 component and any 8.1.0 component will work with any 8.3.0 component.
  • Servers support clients that are 1 major version behind, but do not support clients that are on a newer major version. For example, an 8.x.x Proxy Service is compatible with 7.x.x resource services and 7.x.x tsh, but we don't guarantee that a 9.x.x resource service will work with an 8.x.x Proxy Service. This also means you must not attempt to upgrade from 6.x.x straight to 8.x.x. You must upgrade to 7.x.x first.
  • Proxy Services and resource services do not support Auth Services that are on an older major version, and will fail to connect to older Auth Services by default. This behavior can be overridden by passing --skip-version-check when starting Proxy Services and resource services.
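The three rules above encoded as a small compatibility checker, added here for illustration (this is not Teleport's own code); it assumes dotted version strings such as "8.0.1" and decides purely on the major number, since patch and minor versions are always compatible.

```python
"""Worked example of the Teleport version compatibility rules (not Teleport's code)."""
from __future__ import annotations


def major(version: str) -> int:
    """Major component of a version string: "8.1.0" -> 8, "v11.x.x" -> 11."""
    return int(version.lstrip("v").split(".", 1)[0])


def server_supports_client(server: str, client: str) -> bool:
    """A server supports clients on its own major or one major behind, never newer."""
    return major(server) - 1 <= major(client) <= major(server)


def auth_connection(component: str, auth: str, skip_version_check: bool = False) -> str:
    """Outcome when a Proxy or resource service on `component` connects to an Auth Service on `auth`.

    "refused":     the component refuses an Auth Service on an older major (default behaviour).
    "supported":   the Auth Service supports a client on the component's major.
    "unsupported": --skip-version-check let the attempt through, but the pairing is
                   outside the support matrix (Auth Service older, or too far ahead).
    """
    if major(auth) < major(component) and not skip_version_check:
        return "refused"
    if server_supports_client(auth, component):
        return "supported"
    return "unsupported"


def upgrade_path(current: str, target: str) -> list[int]:
    """Majors an upgrade must pass through one at a time (6.x.x -> 8.x.x needs 7.x.x first)."""
    if major(target) < major(current):
        raise ValueError("downgrades are not covered by these rules")
    return list(range(major(current) + 1, major(target) + 1))


if __name__ == "__main__":
    print(server_supports_client("8.2.0", "7.5.1"))  # True: client one major behind
    print(server_supports_client("8.0.0", "9.0.0"))  # False: client is newer than the server
    print(auth_connection("8.0.0", "7.0.0"))         # refused
    print(upgrade_path("6.0.0", "8.0.0"))            # [7, 8]
```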

Does the Web UI support copy and paste?

Yes. You can copy and paste using a mouse.

What TCP ports does Teleport use?

Please refer to our Networking guide.

Does Teleport support authentication via OAuth, SAML, or Active Directory?

Teleport offers this feature for the Enterprise versions of Teleport.

Does Teleport send any data back to the cloud?

The open source and Enterprise editions of Teleport do not send any information to our company, and can be used on servers without internet access.

The commercial editions of Teleport can optionally be configured to send anonymized information, depending on the license purchased. This information contains the following:

  • Anonymized user ID: SHA256 hash of a username with a randomly generated prefix.
  • Anonymized server ID: SHA256 hash of a server IP with a randomly generated prefix.

This allows Teleport Cloud and Teleport Enterprise to print a warning if users are exceeding the usage limits of their license. The reporting library code is on GitHub.

Reach out to [email protected] if you have questions about the commercial editions of Teleport.

Teleport Connect

When you first start the app, Teleport Connect asks for permission to collect and send telemetry data. This includes tracking events such as:

  • Logging in to a cluster
  • Starting an SSH, database, or Kubernetes session
  • File transfer during an SSH session
  • Creating an Access Request
  • Reviewing an Access Request
  • Assuming an Access Request

On login, we also collect some device-related data:

  • Operating system and its version
  • App version
  • Processor architecture

Additionally, we ask for a job role (answer is optional).

The full list of events and collected data is defined as protocol buffer messages in the Teleport source. We do not track the details of those events but merely that the given event took place. Each event includes the cluster name and user name anonymized with HMAC using the cluster's internal random UUID as the key. It is infeasible to associate this back to a specific cluster or user without access to the cluster's internal datastore.
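The two anonymization schemes the FAQ describes (a SHA256 over a random prefix plus the name, and an HMAC keyed by the cluster's internal random UUID), as an added example that is not Teleport's code; the cluster keys, user names and events below are constructed sample data, and it also shows why the mapping cannot be reversed without the cluster's key.

```python
"""Telemetry identifier anonymization, as described in the FAQ (illustrative, not Teleport's code)."""
import hashlib
import hmac
import uuid

# Constructed sample cluster keys; in Teleport the key is the cluster's own random UUID.
CLUSTER_KEY_A = uuid.UUID("11111111-2222-3333-4444-555555555555").bytes
CLUSTER_KEY_B = uuid.UUID("66666666-7777-8888-9999-aaaaaaaaaaaa").bytes

# Constructed sample events, as the reporter would see them before anonymization.
EVENTS = [
    {"user": "alice", "event": "session.start"},
    {"user": "bob", "event": "session.start"},
    {"user": "alice", "event": "access_request.create"},
]


def anonymize_with_prefix(name: str, prefix: bytes) -> str:
    """SHA256 over a random prefix and the name; the prefix acts as a salt."""
    return hashlib.sha256(prefix + name.encode("utf-8")).hexdigest()


def anonymize_hmac(name: str, cluster_key: bytes) -> str:
    """HMAC-SHA256 of the name under the cluster's secret key, hex-encoded."""
    return hmac.new(cluster_key, name.encode("utf-8"), hashlib.sha256).hexdigest()


def distinct_users(events: list, cluster_key: bytes) -> int:
    """Count distinct users from anonymized IDs alone, as a license usage check would."""
    return len({anonymize_hmac(e["user"], cluster_key) for e in events})


def reidentify(anon_id: str, candidates: list, cluster_key: bytes):
    """Map an anonymized ID back to a name: only works with the right cluster key in hand."""
    for name in candidates:
        if hmac.compare_digest(anonymize_hmac(name, cluster_key), anon_id):
            return name
    return None
```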

If you no longer want to send usage data, see disabling telemetry.