Teleport has been deployed on server clusters with thousands of nodes at Fortune 500 companies. It has been through several security audits from nationally recognized technology security companies, so we are comfortable with the stability of Teleport from a security perspective.
Yes. Teleport can be deployed with a tiny footprint as an authentication gateway/proxy and you can keep your existing SSH servers on the nodes. But some innovative Teleport features, such as cluster introspection, will not be available unless the Teleport SSH daemon is present on all cluster nodes.
Yes, Teleport supports reverse SSH tunnels out of the box. To configure behind-firewall clusters, refer to the Trusted Clusters section of the Admin Manual.
This has been a long-standing request of Teleport and it has been fixed with Teleport 4.0. Once you've upgraded your Teleport Cluster, change the node config --auth-server to point to the web proxy address (this would be in file configuration), as defined in Adding a node located behind NAT - Teleport Node Tunneling.
Yes, Teleport supports tunnel multiplexing on a single port. Set the tunnel_listen_addr to use the same port as the web_listen_addr address setting in the proxy_service configuration. Teleport will automatically use multiplexing with that configuration.
Teleport provides three offerings:
- Open Source - Apache 2 License, self-hosted.
- Enterprise - self-hosted or cloud, commercial license.
- Pro - cloud only, commercial license.
|Role-Based Access Control||✔||✔||✔|
|Single Sign-On||GitHub only||GitHub, Google, OIDC, SAML||GitHub, Google, OIDC, SAML|
|Access Requests||Limited||✔ Dual authorization, mandatory requests||✔ Dual authorization, mandatory requests|
|FedRAMP Control||✖||✖||Compiled with FIPS-certified crypto libraries, FedRAMP control features|
|PCI DSS Features||Limited||Limited||✔|
|Annual or Multi-Year contracts, Volume Discounts||✖||✖||✔|
|Support||Best-effort, community||8x5||24x7 support with premium SLAs & account managers|
We recommend setting up Teleport with a High Availability configuration. Below is our recommended hardware for the Proxy and Auth server. If you plan to connect more than 10,000 nodes, please get in touch and we can help architect the best solution for you.
| Scenario | Max Recommended Count | Proxy | Auth server |
| --- | --- | --- | --- |
| Teleport nodes connected to auth server | 10,000 | 2x 2-4 vCPUs/8GB RAM | 2x 4-8 vCPUs/16GB RAM |
| Teleport nodes connected to proxy server (IoT) | 2,000* | 2x 2-4 vCPUs/8GB RAM | 2x 4-8 vCPUs/16+GB RAM |
Teleport provides security-critical support for the current and two previous releases. With our typical release cadence, this means a release is usually supported for 9 months.
| Release | Long Term Support | Release Date | Min tsh version |
| --- | --- | --- | --- |
| 6.2 | No | May 21st, 2021 | 3.0.0 |
| 6.1 | No | April 9th, 2021 | 3.0.0 |
| 6 | Yes | March 4th, 2021 | 3.0.0 |
| 5.0 | Yes | November 24th, 2020 | 3.0.0 |
| 4.4 | Yes | October 20th, 2020 | 3.0.0 |
| 4.3 (EOL) | Yes | July 8th, 2020 | 3.0.0 |
| 4.2 (EOL) | Yes | December 19th, 2019 | 3.0.0 |
| 4.1 (EOL) | Yes | October 1st, 2019 | 3.0.0 |
| 4.0 (EOL) | Yes | June 18th, 2019 | 3.0.0 |
How should I upgrade my cluster?
Please follow our standard guidelines for upgrading. We recommend upgrading the Auth Server first and the proxy thereafter.
Yes. You can copy and paste using a mouse. If you prefer a keyboard, Teleport employs tmux-like "prefix" mode. To enter prefix mode, use the A keyboard shortcut. While in prefix mode, you can press V to paste, or enter text selection mode by pressing [. When in text selection mode:
- Move around using the keys
- Select text by toggling
- And, copy it via
Please refer to the Ports section of the Admin Manual.
Gravitational offers this feature for the Enterprise versions of Teleport.
The Teleport Enterprise offering gives users the following additional features:
- Role-based access control, also known as RBAC.
- Single sign-on (SSO) authentication via SAML and OpenID with providers like Okta, Active Directory, Auth0, etc.
- Premium support.
We also offer implementation services, to help you integrate Teleport with your existing systems and processes.
You can read more in the Teleport Enterprise section of the docs.
The Open-Source Edition of Teleport does not send any information to Gravitational and can be used on servers without internet access. The commercial versions of Teleport may or may not be configured to send anonymized information to Gravitational, depending on the license purchased. This information contains the following:
- Anonymized user ID: SHA256 hash of a username with a randomly generated prefix.
- Anonymized server ID: SHA256 hash of a server IP with a randomly generated prefix.
This allows Teleport Pro to print a warning if users are exceeding the usage limits of their license. The reporting library code is on GitHub.
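The anonymization described above, as an added Go example that is not taken from Teleport's reporting library: identifiers are hashed under a random prefix, which still lets the receiver count distinct users against a license limit. The type and function names, the 16-byte prefix length, the prefix-then-value layout and the hex encoding are all assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Anonymizer hashes identifiers under a random prefix that stays on the cluster.
// Without the prefix, low-entropy inputs (usernames, IPv4 addresses) could be recovered by hashing candidates.
type Anonymizer struct{ prefix []byte }

// NewAnonymizer draws a fresh random prefix (16 bytes is an assumption).
func NewAnonymizer() (*Anonymizer, error) {
	p := make([]byte, 16)
	if _, err := rand.Read(p); err != nil {
		return nil, err
	}
	return &Anonymizer{prefix: p}, nil
}

// Anonymize returns hex(SHA256(prefix || value)); the layout is an assumption.
func (a *Anonymizer) Anonymize(value string) string {
	h := sha256.New()
	h.Write(a.prefix)
	h.Write([]byte(value))
	return hex.EncodeToString(h.Sum(nil))
}

// CountDistinct is all a license check needs: how many unique IDs were seen.
func CountDistinct(ids []string) int {
	seen := make(map[string]struct{})
	for _, id := range ids {
		seen[id] = struct{}{}
	}
	return len(seen)
}

func main() {
	a, err := NewAnonymizer()
	if err != nil {
		panic(err)
	}
	var ids []string
	for _, u := range []string{"alice", "bob", "alice"} { // constructed sample logins
		ids = append(ids, a.Anonymize(u))
	}
	fmt.Println("distinct users:", CountDistinct(ids))
}
```

The same prefix yields stable IDs, so repeat logins count once; a different prefix yields unrelated IDs, so reports from two clusters cannot be joined on user.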
Reach out to [email protected] if you have questions about the commercial edition of Teleport.