# tsh CLI reference `tsh` is a CLI client used by Teleport users. It allows users to interact with current and past sessions on the cluster, copy files to and from nodes, and list information about the cluster. ## tsh environment variables Environment variables configure your tsh client and can help you avoid using flags repetitively. | Environment Variable | Description | Example Value | | -------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------- | | TELEPORT\_AUTH | Any defined [authentication connector](https://goteleport.com/docs/ver/17.x/reference/access-controls/authentication.md), including `passwordless` and `local` (i.e., no authentication connector) | okta | | TELEPORT\_CLUSTER | Name of a Teleport root or leaf cluster | cluster.example.com | | TELEPORT\_LOGIN | Login name to be used by default on the remote host | root | | TELEPORT\_LOGIN\_BIND\_ADDR | Address in the form of host:port to bind to for login command webhook | host:port | | TELEPORT\_LOGIN\_BROWSER | Set to `none` to stop the system default browser from opening for SSO logins. If the value is not `none`, `tsh` will open the system default browser. | none | | TELEPORT\_PROXY | Address of the Teleport proxy server | cluster.example.com:3080 | | TELEPORT\_HEADLESS | Use headless authentication | true, false, 1, 0 | | TELEPORT\_HOME | Home location for tsh configuration and data | /directory | | TELEPORT\_USER | A Teleport user name | alice | | TELEPORT\_ADD\_KEYS\_TO\_AGENT | Specifies if the user certificate should be stored on the running SSH agent | yes, no, auto, only | | TELEPORT\_USE\_LOCAL\_SSH\_AGENT | Disable or enable local SSH agent integration | true, false | | TELEPORT\_GLOBAL\_TSH\_CONFIG | Override location of global `tsh` config file from default `/etc/tsh.yaml` | /opt/teleport/tsh.yaml | | TELEPORT\_MFA\_MODE | Preferred mode for MFA and Passwordless assertions | auto, cross-platform, platform, otp, sso | | TELEPORT\_IDENTITY\_FILE | File path to identity file | /opt/identity | ## tsh global flags | Name | Default Value(s) | Allowed Value(s) | Description | | ---------------------- | ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `-l, --login` | none | an identity name | The login identity that the Teleport user will use | | `--proxy` | none | `host:https_port[,ssh_proxy_port]` | Teleport Proxy Service address | | `--user` | `$USER` | none | The Teleport username | | `--ttl` | `720` (12 hours) | integer | Number of minutes a certificate issued for the `tsh` user will be valid for | | `-i, --identity` | none | **string** filepath | Identity file | | `--cert-format` | `standard` | `standard` or `oldssh` | SSH certificate format. `oldssh` supports older versions of OpenSSH servers that do not allow for custom metadata, which is how Teleport encodes a user's roles in their SSH certificate. | | `--insecure` | none | none | Do not verify the server's certificate and host name. Use only in test environments. | | `--auth` | `local` | Any defined [authentication connector](https://goteleport.com/docs/ver/17.x/reference/access-controls/authentication.md), including `passwordless` and `local` (i.e., no authentication connector) | Specify the type of authentication connector to use. | | `--mfa-mode` | auto | `auto`, `cross-platform`, `platform`, `otp`, or `sso` | Preferred mode for MFA and Passwordless assertions. | | `--skip-version-check` | none | none | Skip version checking between server and client. | | `-d, --debug` | none | none | Verbose logging to stdout | | `-J, --jumphost` | none | A jump host | SSH jumphost | | `--headless` | none | none | Use Headless Authentication | | `--mlock` | `auto` | `auto`, `off`, `best_effort`, `strict` | Lock process memory to protect client secrets stored in memory from being swapped to disk. | ## tsh apps ls List all available applications: ``` $ tsh apps ls ``` ## tsh clusters ``` $ tsh clusters [] ``` ### Flags | Name | Default Value(s) | Allowed Value(s) | Description | | ------------- | ---------------- | ---------------- | -------------------- | | `-q, --quiet` | none | none | no headers in output | ### Global flags These flags are available for all commands `--login`, `--proxy`, `--user`, `--ttl`, `--identity`, `--cert-format`, `--insecure`, `--auth`, `--skip-version-check`, `--debug`, `--jumphost`. Run `tsh help ` or see the [Global Flags section](#tsh-global-flags). ### Examples ``` $ tsh clusters Cluster Name Status ------------ ------ staging online production offline $ tsh clusters --quiet staging online production offline ``` ## tsh config Print OpenSSH configuration details to allow using an SSH client with credentials managed by Teleport to connect to hosts in your cluster. ``` $ tsh config ``` ### Flags | Name | Default Value(s) | Allowed Value(s) | Description | | -------------- | ---------------- | ---------------- | ---------------------------------------------------------------------------- | | `-l, --login` | none | Linux username | Default Linux username to use. Will translate to SSH config's `User` option. | | `-p`, `--port` | 3022 | port | Default SSH port to use. Will translate to SSH config's `Port` option. | ### Examples ``` Print OpenSSH config file to console $ tsh config Append Teleport configuration to ssh config $ tsh config >> ~/.ssh/config ``` ## tsh device enroll Enroll the current device as a trusted device. Requires a device enrollment token created via `tctl devices enroll`. ``` $ tsh device enroll --token=TOKEN ``` ### Flags | Name | Default Value(s) | Allowed Value(s) | Description | | --------- | ---------------- | ---------------- | ----------------------- | | `--token` | none | String | Device enrollment token | ### Examples ``` $ tsh device enroll --token=AAAAAAAAAAAAAAAAAAAAAAAA-this-is-an-example Device "C00AA0AAAA0A"/macOS enrolled ``` ## tsh gcloud Proxy `gcloud` CLI commands through the Teleport Application Service. `gcloud` is a tool for interacting with Google Cloud. A user must already be authenticated to a Google Cloud application in Teleport before they can execute `tsh gcloud` commands. ``` $ tsh gcloud [--app] [] ``` ### Arguments `command`: A `gcloud` command to run, including arguments and flags. ### Flags | Name | Default Value(s) | Allowed Value(s) | Description | | ------- | -------------------------------------------- | ------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | | `--app` | Currently logged in Google Cloud application | The name of a Google Cloud application as listed via `tsh apps ls`. | The Google Cloud application to run the command against, if logged in to multiple Google Cloud applications. | ### Global flags These flags are available for all commands `--login, --proxy, --user, --ttl, --identity, --cert-format, --insecure, --auth, --skip-version-check, --debug, --jumphost`. Run `tsh help ` or see the [Global Flags section](#tsh-global-flags). ### Examples ``` $ tsh gcloud compute instances list ``` ## tsh gsutil Proxy `gsutil` CLI commands through the Teleport Application Service. `gsutil` is a tool for interacting with Google Cloud Storage. A user must already be authenticated to a Google Cloud application in Teleport before they can execute `tsh gsutil` commands. ``` $ tsh gsutil [--app] [] ``` ### Arguments `command`: A `gsutil` command to run, including arguments and flags. ### Flags | Name | Default Value(s) | Allowed Value(s) | Description | | ------- | -------------------------------------------- | ------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | | `--app` | Currently logged in Google Cloud application | The name of a Google Cloud application as listed via `tsh apps ls`. | The Google Cloud application to run the command against, if logged in to multiple Google Cloud applications. | ### Global flags These flags are available for all commands `--login, --proxy, --user, --ttl, --identity, --cert-format, --insecure, --auth, --skip-version-check, --debug, --jumphost`. Run `tsh help ` or see the [Global Flags section](#tsh-global-flags). ### Examples ``` $ tsh gsutil ls ``` ## tsh help Prints help: ``` $ tsh help ``` ## tsh join Joins an active session: ``` $ tsh join [] ``` ### Arguments `` - `session-id` The UUID of an active Teleport Session obtained by `teleport status` within the session. ### Flags | Name | Default Value(s) | Allowed Value(s) | Description | | ----------- | ---------------- | ---------------- | ------------------------------ | | `--cluster` | none | a cluster\_name | Specify the cluster to connect | ### Global flags These flags are available for all commands `--login, --proxy, --user, --ttl, --identity, --cert-format, --insecure, --auth, --skip-version-check, --debug, --jumphost`. Run `tsh help ` or see the [Global Flags section](#tsh-global-flags). ### Examples ``` join session using teleport user joe as ec2-user $ tsh --user=joe --login=ec2-user join ``` ## tsh kube login Log into a Kubernetes cluster. Discover connected clusters by using [`tsh kube ls`](#tsh-kube-ls). ``` $ tsh kube login ``` ``` tsh kube login to k8s cluster (gke_bens-demos_us-central1-c_gks-demo) $ tsh kube login gke_bens-demos_us-central1-c_gks-demo Logged into kubernetes cluster "gke_bens-demos_us-central1-c_gks-demo". Try 'kubectl version' to test the connection. On login, kubeconfig is pointed at the first cluster (alphabetically) $ kubectl config current-context aws-gke_bens-demos_us-central1-c_gks-demo But all clusters are populated as contexts $ kubectl config get-contexts CURRENT NAME CLUSTER AUTHINFO NAMESPACE * aws-gke_bens-demos_us-central1-c_gks-demo aws aws-gke_bens-demos_us-central1-c_gks-demo aws-microk8s aws aws-microk8s ``` ### Flags | Name | Default Value(s) | Allowed Value(s) | Description | | ------------------------ | ---------------- | ---------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `--all` | false | Boolean | Whether to generate a kubeconfig for every Kubernetes cluster the current Teleport user has access to. If this is false, `tsh` will only generate a kubeconfig for the cluster specified in the `tsh kube login` command. | | `--as` | none | string | The Kubernetes user that the current Teleport user will log in as when they authenticate to the specified Kubernetes cluster.

This uses [Kubernetes impersonation](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation), so the Teleport user's Kubernetes user must have permissions to impersonate the target user. | | `--as-groups` | none | string | A Kubernetes group that the current Teleport user will log in as when they authenticate to the specified Kubernetes cluster.

This uses [Kubernetes impersonation](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation), so the Teleport user's Kubernetes user must have permissions to impersonate the target group.

You can include this flag multiple times to enable impersonation of multiple Kubernetes groups. | | `--cluster` | none | string | Name of the Teleport cluster to log into in order to connect to the given Kubernetes cluster. | | `-n`, `--kube-namespace` | none | string | The name of the Kubernetes namespace to configure as the default within the cluster the user is logging into. | ## tsh kube ls List Kubernetes clusters: ``` $ tsh kube ls ``` ### Examples ``` $ tsh kube ls Kube Cluster Name Selected ------------------------------------- -------- gke_bens-demos_us-central1-c_gks-demo * microk8s ``` ## tsh login Logs in to the cluster. When `tsh` logs in, the auto-expiring key is stored in `~/.tsh` and is valid for 12 hours by default unless you specify another interval via `--ttl` flag (capped by the server-side configuration). ``` $ tsh login [] [] ``` ### Arguments - `` - the name of the cluster, see [Trusted Cluster](https://goteleport.com/docs/ver/17.x/zero-trust-access/management/admin/trustedclusters.md) for more information. ### Flags | Name | Default Value(s) | Allowed Value(s) | Description | | -------------------------- | ---------------- | --------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `--bind-addr` | none | host:port | Address in the form of host:port to bind to for login command webhook | | `--callback` | none | host:port | Override the base URL (host:port) of the link shown when opening a browser for cluster logins. Must be used with --bind-addr. | | `-o, --out` | none | filepath | Identity output filepath | | `--format` | `file` | `file`, `openssh` or `kubernetes` | Identity format: file, openssh (for OpenSSH compatibility) or kubernetes (for kubeconfig) | | `--browser` | none | `none` | Set to 'none' to suppress opening system default browser for `tsh login` commands | | `--request-roles` | none | | Request one or more extra roles | | `--request-reason` | none | | Reason for requesting additional roles | | `--request-nowait` | none | | Finish without waiting for request resolution | | `--request-id` | none | | Login with the roles requested in the given request | | `--no-use-local-ssh-agent` | | | Do not load generated SSH certificates into the local ssh-agent (specified via `$SSH_AUTH_SOCK`). Useful when using `gpg-agent` or Yubikeys. You can also set the `TELEPORT_USE_LOCAL_SSH_AGENT` environment variable to `false` (default `true`) | ### Global flags These flags are available for all commands `--login, --proxy, --user, --ttl, --identity, --cert-format, --insecure, --auth, --skip-version-check, --debug, --jumphost`. Run `tsh help ` or see the [Global Flags section](#tsh-global-flags). ### Examples *The proxy endpoint can take a https and ssh port in this format `host:https_port[,ssh_proxy_port]`* ``` Try both ports 443 and 3080 for https $ tsh --proxy=proxy.example.com login Use ports 8080 and 8023 for https and SSH proxy: $ tsh --proxy=proxy.example.com:8080,8023 login Use port 8080 and 3023 (default) for SSH proxy: $ tsh --proxy=proxy.example.com:8080 login Use port 23 as custom SSH port, keep HTTPS proxy port as default $ tsh --proxy=work.example.com:,23 login Login and select cluster "two": $ tsh --proxy=proxy.example.com login two Select cluster "two" using existing credentials and proxy: $ tsh login two Login to the cluster with a very short-lived certificate $ tsh --ttl=1 login Login using the local Teleport 'admin' user: $ tsh --proxy=proxy.example.com --auth=local --user=admin login Login using GitHub as an SSO provider, assuming the GitHub connector is called "github" $ tsh --proxy=proxy.example.com --auth=github login Suppress the opening of the system default browser for external provider logins $ tsh --proxy=proxy.example.com --browser=none Login to cluster and output a local kubeconfig $ tsh login --proxy=proxy.example.com --format=kubernetes -o kubeconfig Request access to a cluster. $ tsh login --proxy=proxy.example.com --request-reason="I need to run a debug script on production" ``` ## tsh logout Deletes the client's cluster certificate: ``` $ tsh logout ``` ## tsh ls List cluster nodes: ``` $ tsh ls [] [