Meet us at KubeCon + CloudNativeCon: Paris, France - March 19
Book Demo
Teleport logoTry For Free
Fork me on GitHub

Teleport

Installation

  • Available for:
  • OpenSource
  • Enterprise
  • Cloud
Installing Teleport Tooling: An Overview

Installing Teleport Tooling: An Overview

Length: 03:48

This guide shows you how to install Teleport binaries on your platform, including:

  • teleport
  • tsh
  • tctl
  • tbot

If you are new to Teleport, we recommend following our getting started guide.

For best results, Teleport clients (tsh, tctl, tbot) should be the same major version as the cluster they are connecting to. Teleport servers are compatible with clients that are on the same major version or one major version older. Teleport servers do not support clients that are on a newer major version.

See our Upgrading guide for more information.

Operating system support

Teleport is officially supported on the platforms listed below. It is worth noting that the open-source community has been successful in building and running Teleport on UNIX variants other than Linux [1].

Operating Systemteleport Daemontctl Admin Tooltsh and Teleport Connect User Clients [2]Web UI (via the browser)tbot Daemon
Linux v2.6.23+ (RHEL/CentOS 7+, Amazon Linux 2+, Amazon Linux 2023+, Ubuntu 16.04+, Debian 9+, SLES 12 SP 5+, and SLES 15 SP 5+) [3]yesyesyesyesyes
macOS v10.13+ (High Sierra)yesyesyesyesyes
Windows 10+ (rev. 1607) [4]nonoyesyesno

[1] Teleport is written in Go and many of these system requirements are due to the requirements of the Go toolchain.

[2] tsh is a Command Line Client (CLI) and Teleport Connect is a Graphical User Interface (GUI) desktop client. See Using Teleport Connect for usage and installation.

[3] Enhanced Session Recording requires Linux kernel v5.8+.

[4] Teleport server does not run on Windows yet, but tsh and Teleport Connect (the Teleport desktop clients) supports most features on Windows 10 and later.

Linux

This section shows you how to install Teleport binaries on a single Linux server.

Teleport maintains DEB and RPM package repositories for different operating systems, platforms, and Teleport versions. A server that installs Teleport from a DEB or RPM package must have systemd installed. You can also download TAR archives containing Teleport binaries. All installations include teleport, tsh, tctl, and tbot.

If you are starting out with Teleport, we recommend beginning with a Teleport Cloud account. From there, the only Teleport components you need to deploy yourself are Teleport agents. You can deploy agents by:

  • Following the instructions in the Teleport Web UI at /web/discover, where you can select a resource to enroll in your Teleport cluster and retrieve an installation script to run on Linux hosts.
  • Using the example Terraform module for deploying agents in Deploy Agents with Terraform.
  • Running the one-line installation script on each Linux server where you want to install a Teleport agent.

If you are running a self-hosted Teleport Enterprise cluster, read our guidance in Deploying a High-Availability Teleport Cluster, which provides full requirements and Terraform modules for deploying Teleport Enterprise on your infrastructure.

Self-hosted Teleport Enterprise clusters require a license file. Read Teleport Enterprise License File for how to manage this.

One-line installation script

You can run a one-line command to install Teleport binaries on a Linux server. The command takes the Teleport version and edition to install, then uses information about the operating system where it runs to choose a package manager and install Teleport.

First, assign environment variables based on your edition:

TELEPORT_EDITION="oss"
TELEPORT_VERSION="15.1.8"

The following commands show you how to determine the Teleport version to install by querying your Teleport Cloud account. This way, the Teleport installation has the same major version as the service that manages automatic updates:

TELEPORT_EDITION="cloud"
TELEPORT_DOMAIN=example.teleport.sh
TELEPORT_VERSION="$(curl https://$TELEPORT_DOMAIN/v1/webapi/automaticupgrades/channel/default/version | sed 's/v//')
TELEPORT_EDITION="enterprise"
TELEPORT_VERSION="15.1.8"

Download and run the installation script on the server where you want to install Teleport:

curl https://goteleport.com/static/install.sh | bash -s ${TELEPORT_VERSION?} ${TELEPORT_EDITION?}

Package repositories

The one-line installation script automatically detects a package manager on the local system and uses it to install Teleport from an upstream repository.

If your system does not support the one-line installation script, read the instructions in this section for instructions on working with Teleport package repositories.

  1. Assign the following environment variables in the terminal where you will run Teleport installation commands, indicating the package and version to install:

    export TELEPORT_PKG=teleport
    export TELEPORT_VERSION=v15

    Teleport Cloud installations must include the automatic agent updater. The following commands show you how to determine the Teleport version to install by querying your Teleport Cloud account. This way, the Teleport installation has the same major version as the service that conducts automatic updates:

    export TELEPORT_PKG="teleport-ent teleport-ent-updater"
    export TELEPORT_DOMAIN=example.teleport.com
    export TELEPORT_VERSION="$(curl https://$TELEPORT_DOMAIN/v1/webapi/automaticupgrades/channel/default/version | sed 's/v//')
    export TELEPORT_PKG=teleport-ent
    export TELEPORT_VERSION=v15

    For FedRAMP/FIPS-compliant installations, install the teleport-ent-fips package instead:

    export TELEPORT_PKG=teleport-ent-fips
  2. Teleport maintains DEB and RPM package repositories for different Linux distributions based on variables defined in /etc/os-release on Linux systems. Source this file to define the variables:

    source /etc/os-release

    The Teleport DEB and RPM repositories don't expose packages for all distribution variants. When installing Teleport using RPM repositories, you may need to replace the ID variable set in /etc/os-release with ID_LIKE to install packages of the closest supported distribution.

    Currently supported distributions (and ID values) are:

    DistributionVersionID value in /etc/os-release
    Amazon Linux2 and 2023amzn
    CentOS>= 7centos
    Debian>= 9debian
    RHEL>= 7rhel
    SLES>= 12 SP5, >= 15 SP5sles
    Ubuntu>= 16.04ubuntu

    Note that Enhanced Session Recording requires Linux kernel version 5.8+. This means that it requires more recent OS versions than other Teleport features:

    DistributionVersion
    Amazon Linux2 (post 11/2021), 2023
    CentOS/RHEL9+
    Debian11, or 10 with backports
    Ubuntu20.042+
  3. Follow the instructions for your package manager:

    Download the Teleport PGP public key

    sudo curl https://apt.releases.teleport.dev/gpg \-o /usr/share/keyrings/teleport-archive-keyring.asc

    Add the Teleport APT repository. You'll need to update this file for each

    major release of Teleport.

    echo "deb [signed-by=/usr/share/keyrings/teleport-archive-keyring.asc] \https://apt.releases.teleport.dev/${ID?} ${VERSION_CODENAME?} \stable/${TELEPORT_VERSION?}" \| sudo tee /etc/apt/sources.list.d/teleport.list > /dev/null

    sudo apt-get update
    sudo apt-get install ${TELEPORT_PKG?}

    Add the Teleport YUM repository. You'll need to update this file for each

    major release of Teleport.

    First, get the major version from $VERSION_ID so this fetches the correct

    package version.

    VERSION_ID=$(echo $VERSION_ID | grep -Eo "^[0-9]+")
    sudo yum install -y yum-utils
    sudo yum-config-manager --add-repo "$(rpm --eval "https://yum.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/stable/${TELEPORT_VERSION?}/teleport.repo")"
    sudo yum install ${TELEPORT_PKG?}

    Tip: Add /usr/local/bin to path used by sudo (so 'sudo tctl users add' will work as per the docs)

    echo "Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin" > /etc/sudoers.d/secure_path

    Add the Teleport Zypper repository. You'll need to update this file for each

    major release of Teleport.

    First, get the OS major version from $VERSION_ID so this fetches the correct

    package version.

    VERSION_ID=$(echo $VERSION_ID | grep -Eo "^[0-9]+")

    Use zypper to add the teleport RPM repo

    sudo zypper addrepo --refresh --repo $(rpm --eval "https://zypper.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/stable/${TELEPORT_VERSION?}/teleport-zypper.repo")
    sudo yum install ${TELEPORT_PKG?}

    Tip: Add /usr/local/bin to path used by sudo (so 'sudo tctl users add' will work as per the docs)

    echo "Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin" > /etc/sudoers.d/secure_path

    Add the Teleport YUM repository for v15. You'll need to update this

    file for each major release of Teleport.

    First, get the major version from $VERSION_ID so this fetches the correct

    package version.

    VERSION_ID=$(echo $VERSION_ID | grep -Eo "^[0-9]+")

    Install dnf config-manager

    sudo yum install -y yum-utils

    Use the dnf config manager plugin to add the teleport RPM repo

    sudo dnf config-manager --add-repo "$(rpm --eval "https://yum.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/stable/${TELEPORT_VERSION?}/teleport.repo")"

    Install teleport

    sudo dnf install ${TELEPORT_PKG}

    Tip: Add /usr/local/bin to path used by sudo (so 'sudo tctl users add' will work as per the docs)

    echo "Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin" > /etc/sudoers.d/secure_path

TAR archives (self-hosted only)

For self-hosted deployments, Teleport maintains TAR archives for Linux-compatible binaries at https://cdn.teleport.dev. This section explains the Teleport TAR archives and how to use them.

It is not possible to install the automatic agent updater using TAR archives. Teleport Cloud customers must use the one-line installation script or manually install Teleport from a package repository in order to install the updater.

  1. In your terminal, assign environment variables that you will use to download your intended archive.

    For Teleport Community Edition, the Teleport package is called teleport:

    TELEPORT_PKG=teleport

    For self-hosted Teleport Enterprise deployments, the package is called teleport-ent:

    TELEPORT_PKG=teleport-ent
  2. Specify your system Teleport version and system architecture by assigning an environment variable:

    TELEPORT_VERSION=15.1.8
    SYSTEM_ARCH=""

    The following architecture values are available:

    • amd64
    • arm64
    • arm
    • 386
  3. Run the following commands to download the Teleport archive, unpack it, and install binaries:

    curl https://get.gravitational.com/${TELEPORT_PKG?}-v15.1.8-linux-${SYSTEM_ARCH?}-bin.tar.gz.sha256

    <checksum> <filename>

    curl -O https://cdn.teleport.dev/${TELEPORT_PKG?}-v15.1.8-linux-${SYSTEM_ARCH?}-bin.tar.gz
    shasum -a 256 ${TELEPORT_PKG?}-v15.1.8-linux-${SYSTEM_ARCH?}-bin.tar.gz

    Verify that the checksums match

    tar -xvf ${TELEPORT_PKG?}-v15.1.8-linux-${SYSTEM_ARCH?}-bin.tar.gz
    cd ${TELEPORT_PKG?}
    sudo ./install

    For FedRAMP/FIPS-compliant installations of Teleport Enterprise, package URLs are slightly different:

    curl https://get.gravitational.com/teleport-ent-v15.1.8-linux-${SYSTEM_ARCH?}-fips-bin.tar.gz.sha256

    <checksum> <filename>

    curl -O https://cdn.teleport.dev/teleport-ent-v15.1.8-linux-${SYSTEM_ARCH?}-fips-bin.tar.gz
    shasum -a 256 teleport-ent-v15.1.8-linux-${SYSTEM_ARCH?}-fips-bin.tar.gz

    Verify that the checksums match

    tar -xvf teleport-ent-v15.1.8-linux-${SYSTEM_ARCH?}-fips-bin.tar.gz
    cd teleport-ent
    sudo ./install

From your browser

For Teleport Community Edition, check the Downloads page for the most up-to-date information.

For Teleport Enterprise Cloud, check the Cloud Downloads page for the most up-to-date information on obtaining Teleport binaries compatible with Teleport Cloud.

Docker

Images

We provide a pre-built Docker image for every version of Teleport. This section describes the available Docker images.

These images are hosted on Amazon ECR Public.

Image suffixes

For each of the image names listed in this section, you can specify attributes of the image by appending a suffix to the repository name or tag.

Images with the -distroless suffix within the repository name include only the teleport binary and its runtime dependencies, with no shell or utility applications. An example is public.ecr.aws/gravitational/teleport-distroless for Teleport Community Edition.

Images with the *-distroless-debug suffix within the repository name include a Busybox shell and tool suite in addition to Teleport, and are intended for troubleshooting deployments only. They are not intended for production use. An example is public.ecr.aws/gravitational/teleport-distroless-debug.

*-distroless and *-distroless-debug images support multiple architectures natively, and do not require (or support) image suffixes. You can specify an architecture using the --platform flag of docker pull to pull the arm, arm64 or amd64 version of an image.

Version tags

Images point to a static version of Teleport. Use the image's tag to specify either:

  • The major, minor, and patch version (e.g., 15.1.8 for the latest version of Teleport Community Edition).
  • The major version only, which implies the latest minor and patch numbers for that major version. For example, 15 implies 15.1.8.
Image nameTroubleshooting Tools?Image base
public.ecr.aws/gravitational/teleport-distroless:15.1.8NoDistroless Debian 12
public.ecr.aws/gravitational/teleport-distroless-debug:15.1.8YesDistroless Debian 12

For testing, we always recommend that you use the latest release version of Teleport, which is currently public.ecr.aws/gravitational/teleport-distroless:15.1.8.

Image nameIncludes troubleshooting toolsImage base
public.ecr.aws/gravitational/teleport-ent-distroless:15.1.8NoDistroless Debian 12
public.ecr.aws/gravitational/teleport-ent-distroless-debug:15.1.8YesDistroless Debian 12

We also provide the following images for FIPS builds of Teleport Enterprise:

Image nameIncludes troubleshooting toolsImage base
public.ecr.aws/gravitational/teleport-ent-fips-distroless:15.1.8NoDistroless Debian 12
public.ecr.aws/gravitational/teleport-ent-fips-distroless-debug:15.1.8YesDistroless Debian 12

For testing, we always recommend that you use the latest release version of Teleport Enterprise, which is currently public.ecr.aws/gravitational/teleport-ent-distroless:15.1.8.

Image nameIncludes troubleshooting toolsImage base
public.ecr.aws/gravitational/teleport-ent-distroless:15.1.1NoDistroless Debian 12
public.ecr.aws/gravitational/teleport-ent-distroless-debug:15.1.1YesDistroless Debian 12

For testing, we always recommend that you use the latest Cloud release version of Teleport Enterprise, which is currently public.ecr.aws/gravitational/teleport-ent-distroless:15.1.1.

Interacting with distroless images

Since version 15, Teleport images are based on Google's Distroless images. Those images don't contain any shell.

To execute Teleport commands on containers based on these images, run commands similar to the following:

in docker

docker run -i my-container tctl status

in Kubernetes

kubectl exec -i my-pod -- tctl status

sending local files via stdin

kubectl exec -i my-pod -- tctl create -f < my-local-file.yaml

retrieving output via stdout and tar

kubectl exec -i my-pod -- tctl auth sign --user admin --format tls --ttl 10m --tar -o admin| tar xv -C local
ls -l local
total 24-rw------- 1 trent staff 1318 Jul 24 15:52 admin.cas-rw------- 1 trent staff 1895 Jul 24 15:52 admin.crt-rw------- 1 trent staff 1679 Jul 24 15:52 admin.key

Alternatively, you can use the debug variant of the image, which contains busybox and a minimal shell invocable via busybox sh:

docker run -it --entrypoint="" public.ecr.aws/gravitational/teleport-distroless -debug:public.ecr.aws/gravitational/teleport-distroless:15.1.8 busybox sh

Machine ID (tbot)

We also provide a slimmed down distroless image that only contains the tbot binary for use with Teleport Machine ID. The latest release can be found at public.ecr.aws/gravitational/tbot-distroless:15.1.8 and the version tagging follows the same pattern as the main teleport-distroless image.

Whilst the teleport-distroless image also includes tbot, using the tbot specific image should be preferred for Machine ID deployments. This image is smaller, improving pull times, and has a smaller attack surface. In addition, the image is customized in order to improve the experience of running tbot in a container environment.

To learn more, read the Deploying Machine ID on Kubernetes guide.

FIPS Support

This image includes the non-FIPS version of the tbot binary. If you require FIPS support, you should continue to use the public.ecr.aws/gravitational/teleport-ent-fips-distroless image.

Running Teleport on Docker

When running a container from one of the images listed above, consider the container equivalent to running the teleport binary. The Teleport container requires access to a file system and network ports.

Configuration

Teleport processes read their configuration from a local file path, which is /etc/teleport.yaml by default. Make sure this file path is mounted to your Teleport container.

Data directory

All Teleport processes read from and write to a data directory, which by default is /var/lib/teleport. Make sure the data directory is mounted to your Teleport container.

License file

If your Teleport Enterprise container runs the Auth Service, you will need to give it access to a license file at the path named in the configuration, which is /var/lib/teleport/license.pem by default. Make sure a license exists at this location in the Teleport container's data directory.

Other file paths

Depending on the configuration settings you assign on your Teleport container, you will need to make sure that any file paths you name are mounted on the container.

For example, if you are running the Teleport Proxy Service on a container, you need to mount the directory containing TLS credentials to your Teleport container, then assign the following fields in the container's configuration file to the appropriate paths:

proxy_service:
  https_keypairs:
  - key_file: /my/path/key.pem
    cert_file: /my/path/cert.pem

See the Teleport Configuration Reference for whether a field you would like to assign requires a file path.

Ports

A single Teleport process can run multiple services, each of which listens on a specific set of ports depending on your configuration. See our Networking Reference for the ports on your Teleport container to expose.

Extracting certificates from distroless images

Extracting certificates created with tctl auth sign from a container running a distroless image can be tricky due to the absence of a shell and other OS tools.

Where possible you should log into the Teleport cluster using tsh and use tctl auth sign locally to generate certificates. This way the action will be logged against your Teleport user and be subject to all of the usual Teleport RBAC policies in your cluster.

If this is not possible, use tctl auth sign --tar to collect all the files generated by tctl auth sign into a tar archive, which is streamed directly to stdout. The resulting certificates are never stored on the container filesystem. You can either pipe this output directly to tar, or redirect it to a local file for later use.

For example:

docker exec ${TELEPORT_CONTAINER} \ tctl auth sign --user alice --format tls -o alice.local --tar | tar xv
x alice.local.crtx alice.local.keyx alice.local.cas

Example of running a Teleport container

In this example, we will show you how to run the Teleport Auth Service and Proxy Service on a local Docker container using Teleport Community Edition.

Since this container uses a self-signed certificate, we do not recommend using this configuration to protect any infrastructure outside your workstation. You can, however, join other local Docker containers to it using the token method.

First, create directories in your home directory to mount to the container. The Teleport container will write its configuration and data to these directories:

mkdir -p ~/teleport/config ~/teleport/data

Run teleport configure from the Teleport container to generate a configuration file. This sets the container's name to localhost so your browser can trust the Proxy Service's self-signed TLS certificate:

docker run --hostname localhost --rm \ --entrypoint=/usr/local/bin/teleport \ public.ecr.aws/gravitational/teleport-distroless:15.1.8 configure --roles=proxy,auth > ~/teleport/config/teleport.yaml

Start Teleport on your container:

docker run --hostname localhost --name teleport \ -v ~/teleport/config:/etc/teleport \ -v ~/teleport/data:/var/lib/teleport \ -p 3025:3025 -p 3080:3080 \ public.ecr.aws/gravitational/teleport-distroless:15.1.8

From there, open another terminal and make sure your Teleport container's web API is functioning as intended:

curl --insecure https://localhost:3080/webapi/ping

You should see JSON output similar to the following:

{
  "auth": {
    "type": "local",
    "second_factor": "otp",
    "preferred_local_mfa": "otp",
    "local": {
      "name": ""
    },
    "private_key_policy": "none",
    "device_trust_disabled": true,
    "has_motd": false
  },
  "proxy": {
    "kube": {
      "enabled": true,
      "listen_addr": "0.0.0.0:3080"
    },
    "ssh": {
      "listen_addr": "0.0.0.0:3080",
      "tunnel_listen_addr": "0.0.0.0:3080",
      "web_listen_addr": "0.0.0.0:3080"
    },
    "db": {
      "postgres_listen_addr": "0.0.0.0:3080",
      "mysql_listen_addr": "0.0.0.0:3080"
    },
    "tls_routing_enabled": true
  },
  "server_version": "12.1.5",
  "min_client_version": "11.0.0",
  "cluster_name": "localhost",
  "automatic_upgrades": false
}

We are using the --insecure flag to trust Teleport's self-signed certificate. In production, you will want to provision TLS credentials to the Proxy Service from a trusted CA, e.g., Let's Encrypt.

Upgrading Teleport on Docker

To upgrade a Teleport container running on Docker:

  1. Leave the container's data directory in place.
  2. Stop the container.
  3. Run a new container with an image based on a newer Teleport version, mounting the data directory as you did while running the container initially. As long as the data directory contains the same content as before the upgrade, the Teleport container does not need to re-join the cluster.

Amazon EC2

We provide pre-built amd64 and arm64 Amazon Linux 2023 based EC2 AMIs with Teleport pre-installed.

These images are primarily intended for deploying a Teleport cluster using our reference Terraform code.

See the AWS Single-Instance Deployment and the Running Teleport Enterprise in High Availability mode on AWS using Terraform guide for detailed usage examples.

In order to use these AMIs outside of the reference Terraform, you can configure the Teleport installation by setting configuration variables in the /etc/teleport.d/conf file on the EC2 instance. See the Starter Cluster Configuration Template for a list of the available configuration options.

The image names all include the build timestamp (shown as $TIMESTAMP in the table below), and are tagged for easier searching.

Image nameEditionArchitectureFIPS supportAMI Tags
teleport-oss-15.1.8-x86_64-$TIMESTAMPOSSamd64NoTeleportVersion: 15.1.8, TeleportEdition: oss, TeleportFipsEnabled: false
teleport-oss-15.1.8-arm64-$TIMESTAMPOSSarm64NoTeleportVersion: 15.1.8, TeleportEdition: oss, TeleportFipsEnabled: false
teleport-ent-15.1.8-x86_64-$TIMESTAMPEnterpriseamd64NoTeleportVersion: 15.1.8, TeleportEdition: ent, TeleportFipsEnabled: false
teleport-ent-15.1.8-arm64-$TIMESTAMPEnterprisearm64NoTeleportVersion: 15.1.8, TeleportEdition: ent, TeleportFipsEnabled: false
teleport-ent-15.1.8-x86_64-fips-$TIMESTAMPEnterpriseamd64YesTeleportVersion: 15.1.8, TeleportEdition: ent, TeleportFipsEnabled: true
teleport-ent-15.1.8-arm64-fips-$TIMESTAMPEnterprisearm64YesTeleportVersion: 15.1.8, TeleportEdition: ent, TeleportFipsEnabled: true

These AMIs are owned by AWS account ID 146628656107.

All images are based on Amazon Linux 2023 and have been hardened using the Amazon EC2 ImageBuilder STIG hardening component.

Teleport AMIs are automatically published to all non-opt-in AWS regions.

Helm

Set up the Teleport Helm repository.

Allow Helm to install charts that are hosted in the Teleport Helm repository:

helm repo add teleport https://charts.releases.teleport.dev

Update the cache of charts from the remote repository so you can upgrade to all available releases:

helm repo update

There are two charts available to install. Please see our guide for using each chart.

ChartIncluded ServicesValues Reference
teleport-clusterAuth Service
Proxy Service
Other Teleport services if using a custom configuration
Reference
teleport-kube-agentKubernetes Service
Application Service
Database Service
Reference

macOS

Teleport Edition

You can download one of the following .pkg installers for macOS:

LinkBinaries
teleport-15.1.8.pkgteleport
tctl
tsh
tbot
tsh-15.1.8.pkgtsh

You can also fetch an installer via the command line:

curl -O https://cdn.teleport.dev/teleport-15.1.8.pkg

Installs on Macintosh HD

sudo installer -pkg teleport-15.1.8.pkg -target /

Password:

installer: Package name is teleport-15.1.8

installer: Upgrading at base path /

installer: The upgrade was successful.

which teleport

/usr/local/bin/teleport

The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security.

Warnings

We recommend the use of our official Teleport packages. Binaries provided by Homebrew are not signed by Teleport, so features that require signed and notarized binaries (TouchID, Device Trust) are not available in Homebrew builds.

The tctl release available on Homebrew is the open source edition, and cannot manage configuration resources unique to Teleport Enterprise and Teleport Enterprise Cloud (e.g., OIDC and SAML connectors). For Teleport Enterprise and Enterprise Cloud, we recommend installing the official Teleport Enterprise edition of tctl.

Installing Teleport with Homebrew

To install Teleport with Homebrew, run the following command:

brew install teleport

If you choose to use Homebrew, you must verify that the versions of tsh and tctl you run on your local machine are compatible with the versions you run on your infrastructure. Homebrew usually ships the latest release of Teleport, which may be incompatible with older versions. See our compatibility policy for details.

To verify versions, log in to your cluster and compare the output of tctl status against tsh version and tctl version.

You can download one of the following .pkg installers for macOS:

LinkBinaries
teleport-ent-15.1.8.pkgteleport
tctl
tsh
tbot
tsh-15.1.8.pkgtsh

You can also fetch an installer from the command line:

curl -O https://cdn.teleport.dev/teleport-ent-15.1.8.pkg

Install on Macintosh HD

sudo installer -pkg teleport-ent-15.1.8.pkg -target /
Password:installer: Package name is teleport-ent-15.1.8installer: Upgrading at base path /installer: The upgrade was successful.
which teleport
/usr/local/bin/teleport

You can download one of the following .pkg installers for macOS:

LinkBinaries
teleport-ent-15.1.1.pkgteleport
tctl
tsh
tbot
tsh-15.1.1.pkgtsh

You can also fetch an installer from the command line:

curl -O https://cdn.teleport.dev/teleport-ent-15.1.1.pkg

Install on Macintosh HD

sudo installer -pkg teleport-ent-15.1.1.pkg -target /
Password:installer: Package name is teleport-ent-15.1.1installer: Upgrading at base path /installer: The upgrade was successful.
which teleport
/usr/local/bin/teleport

Windows (tsh client only)

Most tsh features are supported for Windows 10 1607+. The tsh ssh command can be run under cmd.exe, PowerShell, and Windows Terminal.

To install tsh on Windows, run the following commands in PowerShell (these commands will not work in cmd.exe):

Teleport Edition

Set the TLS level to TLS 1.2 (required on Windows Server 2016 and lower)

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Get the expected checksum for the Windows tsh package

$Resp = Invoke-WebRequest https://cdn.teleport.dev/teleport-v15.1.8-windows-amd64-bin.zip.sha256

PowerShell will return the binary representation of the response content

by default, so you need to convert it to a string

[System.Text.Encoding]::UTF8.getstring($Resp.Content)

<checksum> <filename>

Invoke-WebRequest -OutFile teleport-v15.1.8-windows-amd64-bin.zip -Uri https://cdn.teleport.dev/teleport-v15.1.8-windows-amd64-bin.zip
certUtil -hashfile teleport-v15.1.8-windows-amd64-bin.zip SHA256

SHA256 hash of teleport-v15.1.8-windows-amd64-bin.zip:

<checksum>

CertUtil: -hashfile command completed successfully.

After you have verified that the checksums match, you can extract the archive. The executable will be available at teleport-v15.1.8-windows-amd64-bin\tsh.exe.

Expand-Archive teleport-v15.1.8-windows-amd64-bin.zip
cd teleport-v15.1.8-windows-amd64-bin
.\tsh.exe version
Teleport v15.1.8 git:v15.1.8 go1.21

Make sure to move tsh.exe into your PATH.

Set the TLS level to TLS 1.2 (required on Windows Server 2016 and lower)

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Get the expected checksum for the Windows tsh package

$Resp = Invoke-WebRequest https://cdn.teleport.dev/teleport-v15.1.8-windows-amd64-bin.zip.sha256

PowerShell will return the binary representation of the response content

by default, so you need to convert it to a string

[System.Text.Encoding]::UTF8.getstring($Resp.Content)

<checksum> <filename>

Invoke-WebRequest -OutFile teleport-v15.1.8-windows-amd64-bin.zip -Uri https://cdn.teleport.dev/teleport-v15.1.8-windows-amd64-bin.zip
certUtil -hashfile teleport-v15.1.8-windows-amd64-bin.zip SHA256

SHA256 hash of teleport-v15.1.8-windows-amd64-bin.zip:

<checksum>

CertUtil: -hashfile command completed successfully.

After you have verified that the checksums match, you can extract the archive. The executable will be available at teleport-v15.1.8-windows-amd64-bin\tsh.exe.

Expand-Archive teleport-v15.1.8-windows-amd64-bin.zip
cd teleport-v15.1.8-windows-amd64-bin
.\tsh.exe version
Teleport v15.1.8 git:v15.1.8 go1.21

Make sure to move tsh.exe into your PATH.

Set the TLS level to TLS 1.2 (required on Windows Server 2016 and lower)

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Get the expected checksum for the Windows tsh package

$Resp = Invoke-WebRequest https://cdn.teleport.dev/teleport-v15.1.1-windows-amd64-bin.zip.sha256

PowerShell will return the binary representation of the response content

by default, so you need to convert it to a string

[System.Text.Encoding]::UTF8.getstring($Resp.Content)

<checksum> <filename>

Invoke-WebRequest -OutFile teleport-v15.1.1-windows-amd64-bin.zip -Uri https://cdn.teleport.dev/teleport-v15.1.1-windows-amd64-bin.zip
certUtil -hashfile teleport-v15.1.1-windows-amd64-bin.zip SHA256

SHA256 hash of teleport-v15.1.1-windows-amd64-bin.zip:

<checksum>

CertUtil: -hashfile command completed successfully.

After you have verified that the checksums match, you can extract the archive. The executable will be available at teleport-v15.1.1-windows-amd64-bin\tsh.exe.

Expand-Archive teleport-v15.1.1-windows-amd64-bin.zip
cd teleport-v15.1.1-windows-amd64-bin
.\tsh.exe version
Teleport v15.1.1 git:v15.1.1 go1.21

Make sure to move tsh.exe into your PATH.

Building from source

Teleport is written in Go, and currently requires go v1.21 or newer. Detailed instructions for building from source are available in the README.

Checksums

If you want to verify the integrity of a Teleport binary, SHA256 checksums are available for all downloads on our downloads page.

If you download Teleport via an automated system, you can programmatically obtain the checksum by adding .sha256 to the download link. This is the method shown in the installation examples.

export version=v15.1.8

'darwin' 'linux' or 'windows'

export os=linux

'386' 'arm' on linux or 'amd64' for all distros

export arch=amd64
curl https://cdn.teleport.dev/teleport-$version-$os-$arch-bin.tar.gz.sha256

<checksum> <filename>

Uninstalling Teleport

If you wish to uninstall Teleport at any time, see our documentation on Uninstalling Teleport.

Next steps

Now that you know how to install Teleport, you can enable access to all of your infrastructure. Get started with: