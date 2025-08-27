Version: 19.x (unreleased)

Proxy Git Commands with Teleport for GitHub

Teleport can proxy Git commands and use short-lived SSH certificates to authenticate GitHub organizations.

In this guide, you will:

Create a GitHub OAuth application.

Configure SSH certificate authorities for your GitHub organizations.

Create Teleport resources for the GitHub integration.

Run Git commands through Teleport.

GitHub enables organizations to configure a list of SSH Certificate Authorities (CAs) for authentication. This feature allows access to the organization's repositories using short-lived SSH certificates signed by an approved CA, such as a Teleport CA. Optionally, organizations can enforce stricter security by requiring these signed SSH certificates for access, effectively disabling the use of personal SSH keys and access tokens.

Teleport users can configure their Git repositories to proxy through Teleport. After setup, Git commands automatically route through Teleport, which impersonates their GitHub identities using short-lived SSH certificates signed by Teleport's CA for authentication with GitHub. Each Git command proxied through Teleport is also logged in Teleport's audit events.

To retrieve a user's GitHub identity, tsh initiates the GitHub OAuth flow by opening a browser window for the user to log in with their GitHub credentials.

Note that Teleport proxies Git commands through SSH but the users should continue to access GitHub through their browsers.

A running Teleport Enterprise (v17.2 or higher) cluster. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

The tctl and tsh clients. Installing tctl and tsh clients Determine the version of your Teleport cluster. The tctl and tsh clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at /v1/webapi/find and use a JSON query tool to obtain your cluster version. Replace teleport.example.com:443 with the web address of your Teleport Proxy Service: TELEPORT_DOMAIN= teleport.example.com:443 TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')" Follow the instructions for your platform to install tctl and tsh clients: Mac Windows - Powershell Linux Download the signed macOS .pkg installer for Teleport, which includes the tctl and tsh clients: curl -O https://cdn.teleport.dev/teleport-${TELEPORT_VERSION?}.pkg In Finder double-click the pkg file to begin installation. danger Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security. curl.exe -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-windows-amd64-bin.zip All of the Teleport binaries in Linux installations include the tctl and tsh clients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our installation page. curl -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz tar -xzf teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz cd teleport sudo ./install



Access to GitHub Enterprise Cloud and permissions to modify GitHub's SSH certificate authorities and configure OAuth applications. GitHub Enterprise compatibility GitHub integration requires a GitHub Enterprise plan and is currently supported for GitHub Enterprise Cloud . Support for GitHub Enterprise Server (self-hosted) is not available as of the current release.

To check that you can connect to your Teleport cluster, sign in with tsh login , then verify that you can run tctl commands using your current credentials. For example, run the following command, assigning teleport.example.com to the domain name of the Teleport Proxy Service in your cluster and [email protected] teleport.example.com --user= [email protected] tsh login --proxy=--user= tctl status tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

, then verify that you can run commands using your current credentials. For example, run the following command, assigning to the domain name of the Teleport Proxy Service in your cluster and command, you can use your current credentials to run subsequent commands from your workstation. If you host your own Teleport cluster, you can also run commands on the computer that hosts the Teleport Auth Service for full permissions. Git locally installed

The GitHub integration requires a GitHub OAuth application to obtain users' GitHub identities. You can skip this step if the Teleport users use GitHub SSO to sign in Teleport.

Go to "OAuth Apps" under "Developer Settings" of your organization's settings. Click on "New OAuth App".

Fill in the details. Use the following for "Authentication callback URL". Replace teleport-proxy-address with the host and HTTPS port of your Teleport Proxy Service:

https:// teleport-proxy-address /v1/webapi/github/

Once the OAuth application is created, create a client secret and remember the client ID and the secret for the next step:

Now create a yaml file that represents the Github integration. Replace my-github-org with the organization name, and replace

oauth-app-client-id

and oauth-app-client-secret with values from the previous step.

kind: integration sub_kind: github version: v1 metadata: name: github- my-github-org spec: github: organization: my-github-org credentials: id_secret: id: oauth-app-client-id secret: oauth-app-client-secret

To create the resource with tctl , run:

tctl create github_integration.yaml

Once the integration resource is created, export the CA to be used for GitHub:

tctl auth export --type github --integration github- my-github-org

Now go to the "Authentication Security" page of your GitHub organization. Click on "New CA" under the "SSH certificate authorities" section, and copy-paste the CA exported from the above tctl auth export command.

User access is granted through git_server resources. The git_server references the integration created in the previous step:

kind: git_server sub_kind: github version: v2 spec: github: integration: github- my-github-org organization: my-github-org

To create the resource with tctl , run:

tctl create git_server.yaml

The user role must have github_permissions configured to allow access to your GitHub organization. For example:

kind: role metadata: name: github-access spec: allow: github_permissions: - orgs: - my-github-org version: v7

Assign the github-access role to your Teleport user by running the appropriate commands for your authentication provider:

Local User

GitHub

SAML

OIDC Retrieve your local user's roles as a comma-separated list: ROLES=$(tsh status -f json | jq -r '.active.roles | join(",")') Edit your local user to add the new role: tctl users update $(tsh status -f json | jq -r '.active.username') \ --set-roles "${ROLES?},github-access" Sign out of the Teleport cluster and sign in again to assume the new role. Open your github authentication connector in a text editor: tctl edit github/github Edit the github connector, adding github-access to the teams_to_roles section. The team you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the team must include your user account and should be the smallest team possible within your organization. Here is an example: teams_to_roles: - organization: octocats team: admins roles: - access + - github-access Apply your changes by saving closing the file in your editor. Sign out of the Teleport cluster and sign in again to assume the new role. Retrieve your saml configuration resource: tctl get --with-secrets saml/mysaml > saml.yaml Note that the --with-secrets flag adds the value of spec.signing_key_pair.private_key to the saml.yaml file. Because this key contains a sensitive value, you should remove the saml.yaml file immediately after updating the resource. Edit saml.yaml , adding github-access to the attributes_to_roles section. The attribute you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the group must include your user account and should be the smallest group possible within your organization. Here is an example: attributes_to_roles: - name: "groups" value: "my-group" roles: - access + - github-access Apply your changes: tctl create -f saml.yaml Sign out of the Teleport cluster and sign in again to assume the new role. Retrieve your oidc configuration resource: tctl get oidc/myoidc --with-secrets > oidc.yaml Note that the --with-secrets flag adds the value of spec.signing_key_pair.private_key to the oidc.yaml file. Because this key contains a sensitive value, you should remove the oidc.yaml file immediately after updating the resource. Edit oidc.yaml , adding github-access to the claims_to_roles section. The claim you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the group must include your user account and should be the smallest group possible within your organization. Here is an example: claims_to_roles: - name: "groups" value: "my-group" roles: - access + - github-access Apply your changes: tctl create -f oidc.yaml Sign out of the Teleport cluster and sign in again to assume the new role.

Use tsh git ls to view a list of GitHub organizations you have access to:

tsh git ls Type Organization Username URL ------ ------------- -------- -------------------------------- GitHub my-github-org my-user https://github.com/my-github-org

Teleport requires your GitHub identity to impersonate you. If you haven't provided it yet, run the following command:

tsh git login --github-org my-github-org If browser window does not open automatically, open it by clicking on the link: http://127.0.0.1:55555/some-id Your GitHub username is my-user.

This command opens a browser, prompting you to authenticate with GitHub via the OAuth app:

To clone a repository from your GitHub organization, find the SSH clone URL and run:

tsh git clone [email protected] :my-github-org/my-repo.git Cloning into 'my-repo'...

To configure an existing Git repository with Teleport, go to the repository and run:

tsh git config update The current Git directory is configured with Teleport for GitHub organization "my-github-org".

Once the repo is cloned or configured, you can use git commands as normal:

$ cd my-repo $ git fetch

Note that the OAuth app authentication flow and Git repository configuration are one-time setups and don't need to be repeated.