| Option | Type | Description |
|---|---|---|
| `cert_extensions` | `[]object` | CertExtensions specifies the key/values |
| `cert_format` | string | CertificateFormat defines the format of the user certificate to allow compatibility with older versions of OpenSSH. |
| `client_idle_timeout` | string | ClientIdleTimeout sets the disconnect-clients-on-idle-timeout behavior: if set to 0, idle clients are not disconnected; otherwise it is the idle duration after which they are. |
| `create_db_user` | boolean | CreateDatabaseUser enables automatic database user creation. |
| `create_db_user_mode` | string or integer | CreateDatabaseUserMode allows users to be automatically created on a database when not set to off. 0 is "unspecified", 1 is "off", 2 is "keep", 3 is "best_effort_drop". Can be either the string or the integer representation of each option. |
| `create_desktop_user` | boolean | CreateDesktopUser allows users to be automatically created on a Windows desktop. |
| `create_host_user` | boolean | Deprecated: use CreateHostUserMode instead. |
| `create_host_user_default_shell` | string | CreateHostUserDefaultShell is used to configure the default shell for newly provisioned host users. |
| `create_host_user_mode` | string or integer | CreateHostUserMode allows users to be automatically created on a host when not set to off. 0 is "unspecified"; 1 is "off"; 2 is "drop" (removed for v15 and above); 3 is "keep"; 4 is "insecure-drop". Can be either the string or the integer representation of each option. |
| `desktop_clipboard` | boolean | DesktopClipboard indicates whether clipboard sharing is allowed between the user's workstation and the remote desktop. It defaults to true unless explicitly set to false. |
| `desktop_directory_sharing` | boolean | DesktopDirectorySharing indicates whether directory sharing is allowed between the user's workstation and the remote desktop. It defaults to false unless explicitly set to true. |
| `device_trust_mode` | string | DeviceTrustMode is the device authorization mode used for the resources associated with the role. See DeviceTrust.Mode. |
| `disconnect_expired_cert` | boolean | DisconnectExpiredCert disconnects clients whose certificates have expired. |
| `enhanced_recording` | `[]string` | BPF defines what events to record for the BPF-based session recorder. |
| `forward_agent` | boolean | ForwardAgent enables SSH agent forwarding. |
| `idp` | object | IDP is a set of options related to accessing IdPs within Teleport. Requires Teleport Enterprise. |
| `lock` | string | Lock specifies the locking mode (strict |
| `max_connections` | integer | MaxConnections defines the maximum number of concurrent connections a user may hold. |
| `max_kubernetes_connections` | integer | MaxKubernetesConnections defines the maximum number of concurrent Kubernetes sessions a user may hold. |
| `max_session_ttl` | string | MaxSessionTTL defines how long an SSH session can last. |
| `max_sessions` | integer | MaxSessions defines the maximum number of concurrent sessions per connection. |
| `mfa_verification_interval` | string | MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. It is used to ensure that users are periodically prompted to verify their identity, preventing prolonged sessions without re-authentication when using `tsh proxy *` derivatives. It is only effective if the session requires MFA. If not set, defaults to `max_session_ttl`. |
| `permit_x11_forwarding` | boolean | PermitX11Forwarding authorizes use of X11 forwarding. |
| `pin_source_ip` | boolean | PinSourceIP forces the same client IP for certificate generation and usage. |
| `port_forwarding` | boolean | PortForwarding defines whether the certificate will carry "permit-port-forwarding". PortForwarding is "yes" if not set, which is why this is a pointer. |
| `record_session` | object | RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false. |
| `request_access` | string | RequestAccess defines the request strategy (optional |
| `request_prompt` | string | RequestPrompt is an optional message which tells users what they ought to request. |
| `require_session_mfa` | string or integer | RequireMFAType is the type of MFA requirement enforced for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN". Can be either the string or the integer representation of each option. |
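The following role resource is an added example, not taken from the page or from Teleport's own documentation. It shows how the options above fit together in a `spec.options` block of a role; the resource wrapper (`kind`, `version`, `metadata`, `spec`), the role name, and every value chosen are assumptions, while the option names and the enumerated string values (`SESSION`, `strict`, `keep`, `best_effort_drop`) come from the table. Options that are permissive when left unset, such as `port_forwarding` and `desktop_clipboard`, are set explicitly so the role's intent is visible in the resource rather than relying on defaults.

```yaml
# Added example (not from the page): a Teleport role whose spec.options
# block uses options from the table above. Wrapper fields and all values
# are assumptions; option names come from the table.
kind: role
version: v7
metadata:
  name: hardened-engineer            # assumed role name
spec:
  options:
    # Session lifetime and re-authentication
    max_session_ttl: 8h
    client_idle_timeout: 30m         # 0 would mean "never disconnect idle clients"
    disconnect_expired_cert: true
    require_session_mfa: SESSION     # string form; the integer 1 is equivalent
    mfa_verification_interval: 1h    # only effective because MFA is required above

    # Concurrency limits
    max_connections: 5
    max_kubernetes_connections: 5
    max_sessions: 10

    # Certificate-embedded SSH permissions
    forward_agent: false
    port_forwarding: false           # explicit: unset means "yes"
    permit_x11_forwarding: false
    pin_source_ip: true

    # Locking and access requests
    lock: strict
    request_prompt: "State the ticket number and the reason for access."

    # Automatic user provisioning
    create_host_user_mode: keep      # string form; the integer 3 is equivalent
    create_db_user_mode: best_effort_drop
    create_desktop_user: false

    # Desktop access
    desktop_clipboard: false         # explicit: unset means "true"
    desktop_directory_sharing: false
```

Applied with `tctl create -f` against a cluster, the enumerated options accept either the string or the integer representation listed in the table, so `require_session_mfa: 1` and `create_host_user_mode: 3` would produce the same role; the string form is used here because it survives a later reader without a lookup.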