Teleport

Installation

OpenSource
Enterprise
Cloud

Improve

Installing Teleport: Overview

Length: 03:04

First time trying Teleport?

If you are new to Teleport, we recommend following our getting started guides.

Operating system support

Teleport is officially supported on the platforms listed below. It is worth noting that the open-source community has been successful in building and running Teleport on UNIX variants other than Linux [1].

Operating System	`teleport` Daemon	`tctl` Admin Tool	`tsh` User Client	Web UI (via the browser)	`tbot` Daemon
Linux v2.6.23+ (RHEL/CentOS 7+, Ubuntu 14.04+, and Debian 8+) [2]	yes	yes	yes	yes	yes
macOS v10.13+ (High Sierra)	yes	yes	yes	yes	yes
Windows 10+ (rev. 1607) [3]	no	no	yes	yes	no

[1] Teleport is written in Go and it's possible to build it on any OS supported by the Golang toolchain.

[2] Enhanced Session Recording requires Linux kernel v5.8+.

[3] Teleport server does not run on Windows yet, but tsh (the Teleport client) supports most features on Windows 10 and later.

Linux

All installations include teleport, tsh, tctl, and tbot.

When running Teleport in production, we recommend that you follow the practices below to avoid security incidents. These practices may differ from the examples used in this guide, which are intended for demo environments:

Avoid using sudo in production environments unless it's necessary.
Create new, non-root, users and use test instances for experimenting with Teleport.
Run Teleport's services as a non-root user unless required. Only the SSH Service requires root access. Note that you will need root permissions (or the CAP_NET_BIND_SERVICE capability) to make Teleport listen on a port numbered < 1024 (e.g. 443).
Follow the "Principle of Least Privilege" (PoLP). Don't give users permissive roles when giving them more restrictive roles will do instead. For example, assign users the built-in access,editor roles.
When joining a Teleport resource service (e.g., the Database Service or Application Service) to a cluster, save the invitation token to a file. Otherwise, the token will be visible when examining the teleport command that started the agent, e.g., via the history command on a compromised system.

Download Teleport's PGP public key
sudo curl https://apt.releases.teleport.dev/gpg \  -o /usr/share/keyrings/teleport-archive-keyring.asc
Source variables about OS version
source /etc/os-release
Add the Teleport APT repository for v10. You'll need to update this
file for each major release of Teleport.
Note: if using a fork of Debian or Ubuntu you may need to use '$ID_LIKE'
and the codename your distro was forked from instead of '$ID' and '$VERSION_CODENAME'.
Supported versions are listed here: https://github.com/gravitational/teleport/blob/master/build.assets/tooling/cmd/build-os-package-repos/runners.go#L42-L67
echo "deb [signed-by=/usr/share/keyrings/teleport-archive-keyring.asc] \  https://apt.releases.teleport.dev/${ID?} ${VERSION_CODENAME?} stable/v10" \| sudo tee /etc/apt/sources.list.d/teleport.list > /dev/null
sudo apt-get update
sudo apt-get install teleport

Source variables about OS version
source /etc/os-release
Add the Teleport YUM repository for v10. You'll need to update this
file for each major release of Teleport.
Note: if using a fork of RHEL/CentOS or Amazon Linux you may need to use '$ID_LIKE'
and the codename your distro was forked from instead of '$ID'
Supported versions are listed here: https://github.com/gravitational/teleport/blob/master/build.assets/tooling/cmd/build-os-package-repos/runners.go#L133-L153
sudo yum-config-manager --add-repo $(rpm --eval "https://yum.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/stable/v10/teleport.repo")
sudo yum install teleport

curl https://get.gravitational.com/teleport-v10.2.6-linux-amd64-bin.tar.gz.sha256
<checksum> <filename>
curl -O https://get.gravitational.com/teleport-v10.2.6-linux-amd64-bin.tar.gz
shasum -a 256 teleport-v10.2.6-linux-amd64-bin.tar.gz
Verify that the checksums match
tar -xzf teleport-v10.2.6-linux-amd64-bin.tar.gz
cd teleport
sudo ./install

curl https://get.gravitational.com/teleport-v10.2.6-linux-arm-bin.tar.gz.sha256
<checksum> <filename>
curl -O https://get.gravitational.com/teleport-v10.2.6-linux-arm-bin.tar.gz
shasum -a 256 teleport-v10.2.6-linux-arm-bin.tar.gz
Verify that the checksums match
tar -xzf teleport-v10.2.6-linux-arm-bin.tar.gz
cd teleport
sudo ./install

curl https://get.gravitational.com/teleport-v10.2.6-linux-arm64-bin.tar.gz.sha256
<checksum> <filename>
curl -O https://get.gravitational.com/teleport-v10.2.6-linux-arm64-bin.tar.gz
shasum -a 256 teleport-v10.2.6-linux-arm64-bin.tar.gz
Verify that the checksums match
tar -xzf teleport-v10.2.6-linux-arm64-bin.tar.gz
cd teleport
sudo ./install

Using this APT repo may result in breaking upgrades upon "apt upgrade" as all major versions will be
published under the same component. We recommend following the instructions in the
"Debian/Ubuntu (DEB)" tab instead.
Download Teleport's PGP public key
sudo curl https://deb.releases.teleport.dev/teleport-pubkey.asc \  -o /usr/share/keyrings/teleport-archive-keyring.asc
Add the Teleport APT repository
echo "deb [signed-by=/usr/share/keyrings/teleport-archive-keyring.asc] https://deb.releases.teleport.dev/ stable main" \| sudo tee /etc/apt/sources.list.d/teleport.list > /dev/null
sudo apt-get update
sudo apt-get install teleport

sudo yum-config-manager --add-repo https://rpm.releases.teleport.dev/teleport.repo
sudo yum install teleport
Optional:  Using DNF on newer distributions
$ sudo dnf config-manager --add-repo https://rpm.releases.teleport.dev/teleport.repo
$ sudo dnf install teleport

If you've previously installed Teleport via the APT repo at https://deb.releases.teleport.dev/, you can upgrade by re-running the "Debian/Ubuntu (DEB)" install instructions above.

We will also continue to maintain the legacy APT repo at https://deb.releases.teleport.dev/ for the foreseeable future.

Check the Downloads page for the most up-to-date information.

Docker

We provide pre-built Docker images for every version of Teleport.

These images are hosted on Amazon ECR Public. All tags under public.ecr.aws/gravitational/teleport are Teleport Open Source images.

Quay Docker Images

Docker images will continue to be published to quay.io until Teleport 10 is EOL.

The table below gives an idea of how our image naming scheme works. We offer images that point to a static version of Teleport as well as images that are automatically rebuilt every night. These nightly images point to the latest version of Teleport from the three most recent release branches. They are stable, and we recommend their use to keep your Teleport installation up to date.

Image name	Teleport version	Image automatically updated?	Image base
`public.ecr.aws/gravitational/teleport:10.2.6`	The latest version of Teleport Open Source	Yes	Ubuntu 20.04
`public.ecr.aws/gravitational/teleport:10.2.6`	The version specified in the image's tag (i.e. 10.2.6)	No	Ubuntu 20.04

For testing, we always recommend that you use the latest released version of Teleport, which is currently public.ecr.aws/gravitational/teleport:10.2.6.

For instructions on running containers with these images, see Getting started with Teleport using Docker.

We provide pre-built Docker images for every version of Teleport.

This table gives an idea of how our image naming scheme works. We offer images which point to a static version of Teleport Enterprise, as well as images which are automatically rebuilt every night.

Nightly images point to the latest version of Teleport Enterprise from the three most recent release branches. They are stable, and we recommend their use to easily keep your Teleport Enterprise installation up to date.

Image name	Open Source or Enterprise?	Teleport version	Image automatically updated?	Image base
`public.ecr.aws/gravitational/teleport-ent:10.2.6`	Enterprise	The latest version of Teleport Enterprise 10.0	Yes	Ubuntu 20.04
`public.ecr.aws/gravitational/teleport-ent:10.2.6-fips`	Enterprise FIPS	The latest version of Teleport Enterprise 10.0 FIPS	Yes	Ubuntu 20.04
`public.ecr.aws/gravitational/teleport-ent:10.2.6`	Enterprise	The version specified in the image's tag (i.e. 10.2.6)	No	Ubuntu 20.04
`public.ecr.aws/gravitational/teleport-ent:10.2.6-fips`	Enterprise FIPS	The version specified in the image's tag (i.e. 10.2.6)	No	Ubuntu 20.04

Quay Docker Images

Docker images will continue to be published to quay.io until Teleport 10 is EOL.

For testing, we always recommend that you use the latest release version of Teleport Enterprise, which is currently public.ecr.aws/gravitational/teleport-ent:10.2.6.

For instructions on running containers with these images, see Teleport Enterprise using Docker.

Helm

We host our own Helm chart repository, which you can add with the following command:

helm repo add teleport https://charts.releases.teleport.dev

There are two charts available to install. Please see our guide for using each chart.

Chart	Included Services	Values Reference
`teleport-cluster`	Auth Service Proxy Service Other Teleport services if using a custom configuration	Reference
`teleport-kube-agent`	Kubernetes Service Application Service Database Service	Reference

macOS

You can download one of the following .pkg installers for macOS:

Link	Binaries
`teleport-10.2.6.pkg`	`teleport` `tctl` `tsh` `tbot`
`tsh-10.2.6.pkg`	`tsh`

You can also fetch an installer via the command line:

curl -O https://get.gravitational.com/teleport-10.2.6.pkg
Installs on Macintosh HD
sudo installer -pkg teleport-10.2.6.pkg -target /
Password:
installer: Package name is teleport-10.2.6
installer: Upgrading at base path /
installer: The upgrade was successful.
which teleport
/usr/local/bin/teleport

The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security. We recommend the use of our official Teleport packages.

Run the following command:

brew install teleport

If you choose to use Homebrew, you must verify that the versions of tsh and tctl you run on your local machine are compatible with the versions you run on your infrastructure. Homebrew usually ships the latest release of Teleport, which may be incompatible with older versions. See our compatibility policy for details.

tsh login --proxy=teleport.example.com --user=myuser

Get the version of your Teleport cluster:

tctl status
tctl status
Cluster  teleport.example.com
Version  10.2.6                                                                   
Host CA  never updated                                                           
User CA  never updated                                                           
Jwt CA   never updated                                                           
CA pin   sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678

Get your local tsh version:

tsh version
Teleport v10.2.6 git:v10.2.6 go1.18

Get your local tctl version:

tctl version
Teleport v10.2.6 git:v10.2.6 go1.18

Windows (tsh client only)

Starting with Teleport v7.2.0, most tsh features are supported for Windows 10 1607+. The tsh ssh command can be run under cmd.exe, PowerShell, and Windows Terminal.

To install tsh on Windows, run the following commands in PowerShell:

Get the expected checksum for the Windows tsh package
$Resp = Invoke-WebRequest https://get.gravitational.com/teleport-v10.2.6-windows-amd64-bin.zip.sha256
PowerShell will return the binary representation of the response content
by default, so you need to convert it to a string
[System.Text.Encoding]::UTF8.getstring($Resp.Content)
<checksum> <filename>
curl -O teleport-v10.2.6-windows-amd64-bin.zip https://get.gravitational.com/teleport-v10.2.6-windows-amd64-bin.zip
certUtil -hashfile teleport-v10.2.6-windows-amd64-bin.zip SHA256
SHA256 hash of teleport-v10.2.6-windows-amd64-bin.zip:
<checksum>
CertUtil: -hashfile command completed successfully.

After you have verified that the checksums match, you can extract the archive. The executable will be available at teleport-v10.2.6-windows-amd64-bin\teleport\tsh.exe.

Expand-Archive teleport-v10.2.6-windows-amd64-bin.zip
cd teleport-v10.2.6-windows-amd64-bin\teleport
.\tsh.exe version
Teleport v10.2.6 git:v10.2.6 go1.18

Make sure to move tsh.exe into your PATH.

Building from source

Teleport is written in Go, and currently requires go v1.18 or newer. Detailed instructions for building from source are available in the README.

Checksums

If you want to verify the integrity of a Teleport binary, SHA256 checksums are available for all downloads on our downloads page.

If you download Teleport via an automated system, you can programmatically obtain the checksum by adding .sha256 to the download link. This is the method shown in the installation examples.

export version=v10.2.6
'darwin' 'linux' or 'windows'
export os=linux
'386' 'arm' on linux or 'amd64' for all distros
export arch=amd64
curl https://get.gravitational.com/teleport-$version-$os-$arch-bin.tar.gz.sha256
<checksum> <filename>

Next steps

Now that you know how to install Teleport, you can enable access to all of your infrastructure. Get started with:

Have a suggestion or can’t find something?

IMPROVE THE DOCS