Teleport CLI Reference
Teleport is made up of four CLI tools.
- teleport: Supports the Teleport Access Platform by starting and configuring various Teleport services.
- tsh: Allows end users to authenticate to Teleport and access resources in a cluster.
- tctl: Used to configure the Teleport Auth Service.
- tbot: Supports Machine ID, which provides short-lived credentials to service accounts (e.g., a CI/CD server).
When running Teleport in production, you should adhere to the following best practices to avoid security incidents:
- Avoid using `sudo` in production environments unless it's necessary.
- Create new, non-root users and use test instances for experimenting with Teleport.
- Run Teleport's services as a non-root user unless required. Only the SSH Service requires root access. Note that you will need root permissions (or the `CAP_NET_BIND_SERVICE` capability) to make Teleport listen on a privileged (low-numbered) port.
- Follow the principle of least privilege. Don't give users permissive roles when a more restrictive role will do. For example, don't assign users the built-in `access` and `editor` roles, which give them permissions to access and edit all cluster resources. Instead, define roles with the minimum required permissions for each user and configure access requests to provide temporary elevated permissions.
- When you enroll Teleport resources—for example, new databases or applications—you should save the invitation token to a file. If you enter the token directly on the command line, a malicious user could view it by running the `history` command on a compromised system.
You should note that these practices aren't necessarily reflected in the examples used in documentation. Examples in the documentation are primarily intended for demonstration and for development environments.
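The following shell snippet is an added example, not code from the Teleport documentation or project. It reads the invitation token from standard input (you paste it at the prompt and press Ctrl-D) and writes it to a file created with mode 0600, so the value never appears in an argument list or in shell history. The file path, hostnames and the token value in the comments and tests are constructed placeholders; the `teleport start` invocation in the comment relies on the `--token` flag accepting either a token value or a path to a file containing one.

```shell
#!/bin/sh
# Added example (not Teleport's own code): keep the join token out of argv
# and shell history by writing it to a 0600 file and handing Teleport the path.
#
# Usage (interactive): save_token_file /var/lib/teleport/join-token
#                      <paste the token printed by `tctl tokens add --type=node --ttl=1h`, then Ctrl-D>
# Then (paths/hosts are placeholders):
#   teleport start --roles=node --token=/var/lib/teleport/join-token --auth-server=auth.example.com:3025
save_token_file() {
  dest="$1"
  old_umask=$(umask)
  umask 077                  # the file is created readable/writable by this user only
  tr -d '\n' > "$dest"       # the token arrives on stdin, never as an argument
  status=$?
  umask "$old_umask"
  [ "$status" -eq 0 ] || return 1
  token_file_mode_ok "$dest"
}

# Returns 0 when the file's mode is exactly rw for the owner and nothing for
# group/others (0600); refuses anything more permissive.
token_file_mode_ok() {
  case "$(ls -ld "$1")" in
    -rw-------*) return 0 ;;
    *) echo "refusing to use $1: expected mode 0600" >&2; return 1 ;;
  esac
}
```

The mode check matters on hosts where the file was created earlier with a looser umask: Teleport will happily read a world-readable token file, so verify the permissions rather than assuming the umask did its job.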
Teleport's CLI tools can provide completion hints for bash and zsh.
For example, typing `tsh` and pressing Tab will show all available subcommands, and typing `tsh --` and pressing Tab will show all available flags.
To enable completion, add an additional statement to your shell configuration file.
For bash:

```bash
eval "$(tsh --completion-script-bash)"
```

For zsh:

```zsh
# enable completion feature
autoload -Uz compinit
compinit
eval "$(tsh --completion-script-zsh)"
```
Reload your shell to see the changes.
You can repeat the same process for the other Teleport CLI tools.
Backing up production instances, environments, and/or settings before making permanent modifications is encouraged as a best practice. Doing so allows you to roll back to an existing state if needed.
`tsh` and `tctl` allow you to filter servers, applications, databases, desktops, and Kubernetes clusters using the `--search` and `--query` flags. The `--search` flag performs a simple fuzzy search on resource fields. For example, `--search=mac` searches for resources with a field containing `mac`. The `--query` flag allows you to perform more sophisticated searches using a predicate language.
In both cases, you can further refine the results by appending a list of comma-separated labels to the command. For example:

```bash
tsh ls --search=foo,bar labelKey1=labelValue1,labelKey2=labelValue2
```
| Description | Command |
|---|---|
| List all nodes | `tsh ls` |
| List nodes using label arguments | `tsh ls env=staging,os=mac` |
| List nodes using search keywords | `tsh ls --search=staging,mac` |
| List nodes using the predicate language. This query searches for nodes with labels with key `env` equal to `staging` and key `os` equal to `mac`. | `tsh ls --query='labels["env"] == "staging" && equals(labels["os"], "mac")'` |