Teleport has been deployed on server clusters with thousands of hosts at Fortune 500 companies. It has been through several security audits from nationally recognized technology security companies, so we are comfortable with the stability of Teleport from a security perspective.
With Teleport in agentless mode, you can easily control access to SSH servers, Kubernetes clusters, desktops, databases, and internal applications without running any additional software on your servers. Agentless mode supports session recordings and audit logs for deep understanding into user behavior.
For capabilities such as kernel-level logging and user provisioning, we recommend Teleport as a drop-in replacement for OpenSSH. Since Teleport replaces the OpenSSH agent while preserving OpenSSH's functionality, you get more functionality without a net addition of an agent on your system.
Here are details about running each of Teleport's resource services in agentless mode. All resource services except for the Node/SSH Service act as proxies for client traffic:
| Service | Supports agent mode | Supports agentless mode | Notes |
|---|---|---|---|
| Application Service | ✔ | ✔ | Proxies HTTP requests to a user-configured list of applications, which can run on the same host as the |
| Database Service | ✔ | ✔ | Proxies database-specific protocol traffic to a user-configured list of databases, which can run on the same host as the |
| Kubernetes Service | ✖ | ✔ | Proxies client traffic to the API server of a registered Kubernetes cluster. |
| Node/SSH Service | ✔ | ✔ | You can configure OpenSSH clients and servers to trust Teleport's CA. See our OpenSSH guide. For full functionality, you can run the Node Service, which implements SSH, on each server in your infrastructure. |
| Windows Desktop Service | ✖ | ✔ | Proxies RDP traffic from client browsers to remote Windows servers. |
Yes, this question comes up often and is related to the previous one. Take a look at the Using OpenSSH guide.
Yes, Teleport supports reverse SSH tunnels out of the box. To configure behind-firewall clusters refer to our Trusted Clusters guide.
Yes. When running a Teleport agent, use the `--auth-server` flag to point to the Proxy Service address (this would be `web_listen_addr` in your file configuration). For more information, see Adding Nodes to the Cluster.
Yes, Teleport supports tunnel multiplexing on a single port. Set the `tunnel_listen_addr` to use the same port as the setting in the `proxy_service` configuration. Teleport will automatically use multiplexing with that configuration.
Teleport provides three editions:
- Open Source
Here is a detailed breakdown of the differences between Teleport's editions.
| Feature | Open Source | Enterprise | Cloud |
|---|---|---|---|
| Single Sign-On | GitHub | GitHub, Google Workspace, OIDC, SAML | GitHub, Google Workspace, OIDC, SAML |
| Role-Based Access Control | ✔ | ✔ | ✔ |
| Agentless integration with OpenSSH servers | ✔ | ✔ | ✔ |
| Recording Proxy Mode | ✔ | ✔ | ✖ |
| Enhanced Session Recording | ✔ | ✔ | ✖ |
| PCI DSS Features | Limited | ✔ | ✔ |
| SOC 2 Features | Limited | ✔ | ✔ |
| FIPS-compliant binaries available for FedRAMP High | ✖ | ✔ | ✖ |
| Auth and Proxy Service management | Self-hosted | Self-hosted | Fully managed |
| Proxy Service domain name | Custom | Custom | A subdomain of |
| Version support | All supported releases available to install and download. | All supported releases available to install and download. | Deploys last stable release with 2-3 week lag for stability. |
| Backend support | Any S3-compatible storage for session records, many managed backends for custom audit log storage. | Any S3-compatible storage for session records, many managed backends for custom audit log storage. | All data is stored in DynamoDB and S3 with server-side encryption. |
| Data storage location | Can store data anywhere in the world, on most managed cloud backends. | Can store data anywhere in the world, on most managed cloud backends. | Data is stored in |
| Hardware Security Module support for encryption at rest | ✖ | ✔ | ✖ |
| Support | Best-effort, community | 24x7 support with premium SLAs and account managers | 24x7 support with premium SLAs and account managers |
| Annual or multi-year contracts, volume discounts | ✖ | ✔ | ✔ |
| Usage tracking | ✖ | ✖ | Enables you to track the number of users per protocol. |
Teleport provides security-critical support for the current and two previous releases. With our typical release cadence, this means a release is usually supported for 9 months.
See our Upgrading guide for more information.
Yes. You can copy and paste using a mouse. If you prefer a keyboard, Teleport employs a tmux-like "prefix" mode. To enter prefix mode, use the A keyboard shortcut. While in prefix mode, you can press V to paste, or enter text selection mode by pressing [. When in text selection mode:
- Move around using the keys
- Select text by toggling
- And, copy it via
Please refer to our Networking guide.
Teleport offers this feature for the Enterprise versions of Teleport.
The open source and Enterprise editions of Teleport do not send any information to our company, and can be used on servers without internet access.
The commercial editions of Teleport can optionally be configured to send anonymized information, depending on the license purchased. This information contains the following:
- Anonymized user ID: SHA256 hash of a username with a randomly generated prefix.
- Anonymized server ID: SHA256 hash of a server IP with a randomly generated prefix.
This allows Teleport Cloud and Teleport Enterprise to print a warning if users are exceeding the usage limits of their license. The reporting library code is on GitHub.
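As an added illustration of the anonymization scheme described above (this is example code, not Teleport's reporting library), assuming the random prefix is prepended as raw bytes to the username or server IP before hashing; the function names and sample data are constructed for this example.

```python
import hashlib
import secrets

# Assumption for this example: prefix || value is what gets hashed. The page
# only says "SHA256 hash ... with a randomly generated prefix"; the exact byte
# layout is not specified there.


def new_prefix(nbytes: int = 32) -> bytes:
    """Generate the random per-installation prefix (kept by the installation)."""
    return secrets.token_bytes(nbytes)


def anonymize(prefix: bytes, value: str) -> str:
    """Hex SHA256 of prefix || value, where value is a username or a server IP."""
    return hashlib.sha256(prefix + value.encode("utf-8")).hexdigest()


def build_report(prefix: bytes, usernames, server_ips) -> dict:
    """Map identities to anonymized IDs: the distinct counts survive, names do not."""
    return {
        "users": sorted({anonymize(prefix, u) for u in usernames}),
        "servers": sorted({anonymize(prefix, ip) for ip in server_ips}),
    }


def is_unprefixed_hash(value: str, anon_id: str) -> bool:
    """True if anon_id is merely sha256(value), i.e. reversible from a list of
    candidate usernames or IPs. A prefixed scheme should never return True."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest() == anon_id


if __name__ == "__main__":
    # Constructed sample data, not taken from any real cluster.
    users = ["alice", "bob", "alice"]
    servers = ["10.0.0.5", "10.0.0.6"]
    prefix = new_prefix()
    report = build_report(prefix, users, servers)
    print(len(report["users"]), "distinct users,",
          len(report["servers"]), "distinct servers")
```

The random prefix is what keeps IDs stable within one installation (so usage counts are accurate) while making them unlinkable across installations and not recoverable by hashing a dictionary of likely usernames or IP addresses.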
Reach out to [email protected] if you have questions about the commercial editions of Teleport.