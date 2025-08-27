Version: 17.x

Ansible uses the OpenSSH client by default. Teleport supports SSH protocol and works as SSH jumphost.

In this guide we will configure OpenSSH client to work with Teleport Proxy and run a sample ansible playbook.

A running Teleport cluster. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

The tctl and tsh clients. Installing tctl and tsh clients Determine the version of your Teleport cluster. The tctl and tsh clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at /v1/webapi/find and use a JSON query tool to obtain your cluster version: TELEPORT_DOMAIN= example.teleport.com:443 TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')" Follow the instructions for your platform to install tctl and tsh clients: Mac Windows - Powershell Linux Download the signed macOS .pkg installer for Teleport, which includes the tctl and tsh clients: curl -O https://cdn.teleport.dev/teleport-${TELEPORT_VERSION?}.pkg In Finder double-click the pkg file to begin installation. danger Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security. curl.exe -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-windows-amd64-bin.zip All of the Teleport binaries in Linux installations include the tctl and tsh clients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our installation page. curl -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz tar -xzf teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz cd teleport sudo ./install



ssh openssh tool

openssh tool ansible >= 2.9.6

>= 2.9.6 Optional tool jq to process JSON output.

to process output. To check that you can connect to your Teleport cluster, sign in with tsh login , then verify that you can run tctl commands using your current credentials. For example, run the following command, assigning teleport.example.com to the domain name of the Teleport Proxy Service in your cluster and [email protected] teleport.example.com --user= [email protected] tsh login --proxy=--user= tctl status tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

Log into Teleport with tsh :

tsh login --proxy= teleport.example.com

Generate openssh configuration using tsh config shortcut:

tsh config > ssh.cfg

tip You can edit matching patterns used in ssh.cfg if something is not working out of the box.

Create a folder ansible where we will collect all generated files:

mkdir -p ansible cp ssh.cfg ansible/ cd ansible

Create a file ansible.cfg :

[defaults] host_key_checking = True inventory=./hosts remote_tmp=/tmp [ssh_connection] scp_if_ssh = True ssh_args = -F ./ssh.cfg

You can create an inventory file hosts manually or use a script below to generate it from your environment. Set your cluster name (e.g. teleport.example.com or in the form mytenant.teleport.sh for Teleport Enterprise Cloud) and this script will generate the host names to match the openssh configuration:

tsh ls --format=json | jq '.[].spec.hostname + ". teleport.example.com "' > hosts

Finally, let's create a simple ansible playbook playbook.yaml .

The playbook below runs hostname on all hosts. Make sure to set the remote_user parameter to a valid SSH username that works with the target host and is allowed by Teleport:

- hosts: all remote_user: ubuntu tasks: - name: "hostname" command: "hostname"

From the folder ansible , run the ansible playbook:

ansible-playbook playbook.yaml



You are all set. You are now using short-lived SSH certificates and Teleport can now record all ansible commands in the audit log.

In cases where Ansible cannot connect, you may see an error like this:

example.host | UNREACHABLE! => { "changed": false, "msg": "Failed to connect to the host via ssh: ssh: Could not resolve hostname example.host: Name or service not known", "unreachable": true }

You can examine and tweak patterns matching the inventory hosts in ssh.cfg .

Try the SSH connection using ssh.cfg with verbose mode to inspect the error:

If ssh works, try running the playbook with verbose mode on:

ansible-playbook -vvvv playbook.yaml

If your hostnames contain uppercase characters (like MYHOSTNAME ), please note that Teleport's internal hostname matching is case sensitive by default, which can also lead to seeing this error.

If this is the case, you can work around this by enabling case-insensitive routing at the cluster level.