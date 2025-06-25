Deploying Machine ID on Linux
This page explains how to deploy Machine ID on a Linux host.
How it works
The process in which
tbot initially authenticates with the Teleport cluster is
known as joining. A join method is a specific technique for the bot to prove its
identity.
On platforms where there is no form of identity available to the machine, the
only available join method is
token. The
token join method is special as
it is the only join method that relies on a shared secret. In order to mitigate
the risks associated with this, the
token join method is single use and it
is not possible to use the same token multiple times.
Prerequisites
-
A running Teleport cluster version 17.0.0-dev or above. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.
-
The
tctland
tshclients.
Details
Installing
tctland
tshclients
- Mac
- Windows - Powershell
- Linux
Download the signed macOS .pkg installer for Teleport, which includes the
tctland
tshclients:curl -O https://cdn.teleport.dev/teleport-17.0.0-dev.pkg
In Finder double-click the
pkgfile to begin installation.danger
Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security.curl.exe -O https://cdn.teleport.dev/teleport-v17.0.0-dev-windows-amd64-bin.zip
Unzip the archive and move the `tctl` and `tsh` clients to your %PATH%
NOTE: Do not place the `tctl` and `tsh` clients in the System32 directory, as this can cause issues when using WinSCP.
Use %SystemRoot% (C:\Windows) or %USERPROFILE% (C:\Users\<username>) instead.
All of the Teleport binaries in Linux installations include the
tctland
tshclients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our installation page.curl -O https://cdn.teleport.dev/teleport-v17.0.0-dev-linux-amd64-bin.tar.gztar -xzf teleport-v17.0.0-dev-linux-amd64-bin.tar.gzcd teleportsudo ./install
Teleport binaries have been copied to /usr/local/bin
The
tctland
tshclients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at
/v1/webapi/pingand use a JSON query tool to obtain your cluster version:curl https://example.teleport.sh/v1/webapi/ping | jq -r '.server_version'17.0.0-dev
- To check that you can connect to your Teleport cluster, sign in with
tsh login, then verify that you can run
tctlcommands using your current credentials. For example, run the following command, assigning teleport.example.com to the domain name of the Teleport Proxy Service in your cluster and [email protected] to your Teleport username:If you can connect to the cluster and run thetsh login --proxy=teleport.example.com --user=[email protected]tctl status
Cluster teleport.example.com
Version 17.0.0-dev
CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678
tctl statuscommand, you can use your current credentials to run subsequent
tctlcommands from your workstation. If you host your own Teleport cluster, you can also run
tctlcommands on the computer that hosts the Teleport Auth Service for full permissions.
- A Linux host that you wish to install Machine ID onto.
- A Linux user on that host that you wish Machine ID to run as. In the guide,
we will use
teleportfor this.
Step 1/4. Install
tbot
This step is completed on the Linux host.
First,
tbot needs to be installed on the VM that you wish to use Machine ID
on.
Download the appropriate Teleport package for your platform:
To install a Teleport Agent on your Linux server:
The easiest installation method, for Teleport versions 17.3 and above, is the cluster install script. It will use the best version, edition, and installation mode for your cluster.
-
Assign teleport.example.com:443 to your Teleport cluster hostname and port, but not the scheme (https://).
-
Run your cluster's install script:curl "https://teleport.example.com:443/scripts/install.sh" | sudo bash
On older Teleport versions:
-
Assign edition to one of the following, depending on your Teleport edition:
Edition Value Teleport Enterprise Cloud
cloud
Teleport Enterprise (Self-Hosted)
enterprise
Teleport Community Edition
oss
-
Get the version of Teleport to install. If you have automatic agent updates enabled in your cluster, query the latest Teleport version that is compatible with the updater:TELEPORT_DOMAIN=example.teleport.com:443TELEPORT_VERSION="$(curl https://$TELEPORT_DOMAIN/v1/webapi/automaticupgrades/channel/default/version | sed 's/v//')"
Otherwise, get the version of your Teleport cluster:TELEPORT_DOMAIN=example.teleport.com:443TELEPORT_VERSION="$(curl https://$TELEPORT_DOMAIN/v1/webapi/ping | jq -r '.server_version')"
-
Install Teleport on your Linux server:curl https://cdn.teleport.dev/install.sh | bash -s ${TELEPORT_VERSION} edition
The installation script detects the package manager on your Linux server and uses it to install Teleport binaries. To customize your installation, learn about the Teleport package repositories in the installation guide.
Step 2/4. Create a bot user
This step is completed on your local machine.
Create the bot:
tctl bots add example
A join token will be included in the results of
tctl bots add, record this
value as it will be needed when configuring
tbot.
Step 3/4. Configure
tbot
This step is completed on the Linux host.
Create
/etc/tbot.yaml:
version: v2
proxy_server: example.teleport.sh:443
onboarding:
join_method: token
token: abcd123-insecure-do-not-use-this
storage:
type: directory
path: /var/lib/teleport/bot
# outputs will be filled in during the completion of an access guide.
outputs: []
Replace:
example.teleport.sh:443with the address of your Teleport Proxy or Auth Service. Prefer using the address of a Teleport Proxy.
abcd123-insecure-do-not-use-thiswith the token that was returned by
tctl bots addin the previous step.
The first time that
tbot runs, this token will be exchanged for a certificate
that the bot uses for authentication. At this point, the token is invalidated.
This means you may remove the token from the configuration file after the first
run has completed, but there is no tangible security benefit to doing so.
Prepare the storage directory
When using the
token join method,
tbot must be able to persist its state
across restarts. The destination used to persist this state is known as the
bot's "storage destination". In this guide, the directory
/var/lib/teleport/bot will be used.
As this directory will store the bots sensitive credentials, it is important
to protect it. To do this, you will configure the directory to only be
accessible to the Linux user which
tbot will run as.
Execute the following, replacing
teleport with the Linux user that you will
run
tbot as:
Make the bot directory and assign ownership to teleport usersudo mkdir -p /var/lib/teleport/botsudo chown teleport:teleport /var/lib/teleport/bot
Create a systemd service
By default,
tbot will run in daemon mode. However, this must then be
configured as a service within the service manager on the Linux host. The
service manager will start
tbot on boot and ensure it is restarted if it
fails. For this guide, systemd will be demonstrated but
tbot should be
compatible with all common alternatives.
Use
tbot install systemd to generate a systemd service file:
sudo tbot install systemd \ --write \ --config /etc/tbot.yaml \ --user teleport \ --group teleport \ --anonymous-telemetry
Ensure that you replace:
teleportwith the name of Linux user you wish to run
tbotas.
/etc/tbot.yamlwith the path to the configuration file you have created.
You can omit
--write to print the systemd service file to the console instead
of writing it to disk.
--anonymous-telemetry enables the submission of anonymous usage telemetry.
This helps us shape the future development of
tbot. You can disable this by
omitting this.
Next, enable the service so that it will start on boot and then start the service:
sudo systemctl daemon-reloadsudo systemctl enable tbotsudo systemctl start tbot
Check the service has started successfully:
sudo systemctl status tbot
Step 4/4. Configure outputs
You have now prepared the base configuration for
tbot. At this point, it
identifies itself to the Teleport cluster and renews its own credentials but
does not output any credentials for other applications to use.
Follow one of the access guides to configure an output that meets your access needs.
Next steps
- Follow the access guides to finish configuring
tbotfor your environment.
- Read the configuration reference to explore all the available configuration options.
- More information about
TELEPORT_ANONYMOUS_TELEMETRY.