Command Line (CLI) Reference

Teleport is made up of three CLI tools.

teleport

The Teleport daemon is called teleport . It can be configured to run one or more "roles" with the --roles flags. The arguments to --roles correspond to the following services.

Service Role Name Description
Node node Runs a daemon on a node which allows SSH connections from authenticated clients.
Auth auth Authenticates nodes and users who want access to Teleport Nodes or information about the cluster
Proxy proxy The gateway that clients use to connect to the Auth or Node Services
App app Runs a daemon on a node which provides access to applications using an SSH reverse tunnel.

teleport start

Flags

Name Default Value(s) Allowed Value(s) Description
-d, --debug none none enable verbose logging to stderr
--insecure-no-tls false true or false Tells proxy to not generate default self-signed TLS certificates. This is useful when running Teleport on kubernetes (behind reverse proxy) or behind things like AWS ELBs, GCP LBs or Azure Load Balancers where SSL termination is provided externally.
-r, --roles proxy,node,auth string comma-separated list of proxy, node or auth start listed services/roles. These roles are explained in the Teleport Architecture document.
--pid-file none string filepath create a PID file at the path
--advertise-ip none string IP advertise IP to clients, often used behind NAT
-l, --listen-ip 0.0.0.0 net. IP binds services to IP
--auth-server none string IP proxy attempts to connect to a specified auth server instead of local auth, disables --roles=auth if set
--token none string set invitation token to register with an auth server on start, used once and ignored afterwards. Obtain it by running tctl nodes add on the auth server.We recommend to use tools like pwgen to generate sufficiently random tokens of 32+ byte length.
--ca-pin none string sha256:<hash> set CA pin to validate the Auth Server. Generated by tctl status
--nodename hostname command on the machine string assigns an alternative name for the node which can be used by clients to login. By default it's equal to the value returned by
-c, --config /etc/teleport.yaml string .yaml filepath starts services with config specified in the YAML file, overrides CLI flags if set
--bootstrap none string .yaml filepath bootstrap configured YAML resources
--labels none string comma-separated list assigns a set of labels to a node. See the explanation of labeling mechanism in the Labeling Nodes section.
--insecure none none disable certificate validation on Proxy Service, validation still occurs on Auth Service.
--fips none none start Teleport in FedRAMP/FIPS 140-2 mode.
--diag-addr none none Enable diagnostic endpoints
--permit-user-env none none flag reads in environment variables from ~/.tsh/environment when creating a session.
--app-name none none Name of the application to start
--app-uri none none Internal address of the application to proxy
--app-public-addr none none Public address fo the application to proxy

Examples

# By default without any configuration, teleport starts running as a single-node
# cluster. It's the equivalent of running with --roles=node,proxy,auth
$ teleport start

# Starts a node named 'db' running in strictly SSH mode role, joining the cluster
# serviced by the auth server running on 10.1.0.1
$ teleport start --roles=node --auth-server=10.1.0.1 --token=xyz --nodename=db

# Same as the above, but the node runs with db=master label and can be connected
# to using that label in addition to its name.
$ teleport start --roles=node --auth-server=10.1.0.1 --labels=db=master

# Starts an app server that proxies the application "example-app" running at http://localhost:8080.
$ teleport start --roles=app --token=xyz --auth-server=proxy.example.com:3080 \
    --app-name="example-app" \
    --app-uri="http://localhost:8080" \
    --labels=group:dev

teleport status

teleport status shows the status of a Teleport connection. This command is only available from inside of a recorded SSH session.

teleport configure

teleport configure dumps a sample configuration file in YAML format into standard output.

Caution: This sample config is not the default config and should be used for reference only.

teleport version

teleport version show the release version

teleport help

teleport help shows help teleport and its subcommands like this teleport help <subcommand>

tsh

tsh is a CLI client used by Teleport Users. It allows users to interact with current and past sessions on the cluster, copy files to and from nodes, and list information about the cluster.

tsh Global Flags

Name Default Value(s) Allowed Value(s) Description
-l, --login none an identity name the login identity that the Teleport User should use
--proxy none host:https_port[,ssh_proxy_port] set SSH proxy address
--user $USER none the Teleport User name
--ttl none relative duration like 5s, 2m, or 3h set time to live for a SSH session, session ttl unrestricted if unset
-i, --identity none string filepath Identity file
--cert-format file file or openssh SSH certificate format
--insecure none none Do not verify server's certificate and host name. Use only in test environments
--auth local any defined authentication connector Specify the type of authentication connector to use.
--skip-version-check none none Skip version checking between server and client.
-d, --debug none none Verbose logging to stdout
-J, --jumphost none A jump host SSH jumphost

tsh help

Prints help

Usage tsh help

tsh version

Prints client version

Usage tsh version

tsh ssh

Run shell or execute a command on a remote SSH node

Usage: tsh ssh [<flags>] <[[email protected]]host> [<command>...]

Arguments

<[[email protected]]host> [<command>...]

Flags

Name Default Value(s) Allowed Value(s) Description
-p, --port none port SSH port on a remote host
-A, --forward-agent none none Forward agent to target node like ssh -A
-L, --forward none none Forward localhost connections to remote server
-D, --dynamic-forward none none Forward localhost connections to remote server using SOCKS5
-N, -no-remote-exec none none Don't execute remote command, useful for port forwarding
--local none Execute command on localhost after connecting to SSH node
-t, --tty file Allocate TTY
--cluster none Specify the cluster to connect
-o, --option local OpenSSH options in the format used in the configuration file
--enable-escape-sequences Enable support for SSH escape sequences. Type '~?' during an SSH session to list supported sequences.
--no-use-local-ssh-agent Do not load generated SSH certificates into the local ssh-agent (specified via $SSH_AUTH_SOCK). Useful when using gpg-agent or Yubikeys. You can also set the TELEPORT_USE_LOCAL_SSH_AGENT environment variable to false (default true)

Global Flags

These flags are available for all commands --login, --proxy, --user, --ttl, --identity, --cert-format, --insecure, --auth, --skip-version-check, --debug, --jumphost. Run tsh help <subcommand> or see the Global Flags Section

Examples

# Log in to node `grav-00` as OS User `root` with Teleport User `teleport`
$ tsh ssh --proxy proxy.example.com --user teleport -d [email protected]
# `tsh ssh` takes the same arguments as OpenSSH client:
$ tsh ssh -o ForwardAgent=yes [email protected]
$ tsh ssh -o AddKeysToAgent=yes [email protected]

tsh apps ls

List all available applications

Usage: tsh apps ls

tsh join

Joins an active session

Usage: tsh join [<flags>] <session-id>

Arguments

<session-id>

Flags

Name Default Value(s) Allowed Value(s) Description
--cluster none a cluster_name Specify the cluster to connect

Global Flags

These flags are available for all commands --login, --proxy, --user, --ttl, --identity, --cert-format, --insecure, --auth, --skip-version-check, --debug, --jumphost. Run tsh help <subcommand> or see the Global Flags Section

Examples

tsh --proxy proxy.example.com join <session-id>

tsh play

Plays back a prior session

Usage: tsh play [<flags>] <session-id>

Arguments

<session-id>

Flags

Name Default Value(s) Allowed Value(s) Description
--cluster none a cluster_name Specify the cluster to connect

Global Flags

These flags are available for all commands --login, --proxy, --user, --ttl, --identity, --cert-format, --insecure, --auth, --skip-version-check, --debug, --jumphost. Run tsh help <subcommand> or see the Global Flags Section

Examples

tsh --proxy proxy.example.com play <session-id>

tsh scp

Copies files from source to dest

Usage usage: tsh scp [<flags>] <source>... <dest>

Arguments

Flags

Name Default Value(s) Allowed Value(s) Description
--cluster none a cluster_name Specify the cluster to connect
-r, --recursive none none Recursive copy of subdirectories
-P, --port none port number Port to connect to on the remote host
-q, --quiet none none Quiet mode

Global Flags

These flags are available for all commands --login, --proxy, --user, --ttl, --identity, --cert-format, --insecure, --auth, --skip-version, --debug, --jumphost. Run tsh help <subcommand> or see the Global Flags Section

Examples

$ tsh --proxy=proxy.example.com scp -P example.txt [email protected]/destination/dir

tsh ls

List cluster nodes

Usage usage: tsh ls [<flags>] [<label>]

Arguments

Flags

Name Default Value(s) Allowed Value(s) Description
-v, --verbose none none also print Node ID

Global Flags

These flags are available for all commands --login, --proxy, --user, --ttl, --identity, --cert-format, --insecure, --auth, --skip-version, --debug, --jumphost. Run tsh help <subcommand> or see the Global Flags Section

Examples

$ tsh ls
Node Name Address            Labels
--------- ------------------ ------
grav-00   10.164.0.0:3022    os:linux
grav-01   10.156.0.2:3022    os:linux
grav-02   10.156.0.7:3022    os:osx
$ tsh ls -v
Node Name Node ID                              Address            Labels
--------- ------------------------------------ ------------------ ------
grav-00   52e3e46a-372f-494b-bdd9-a1d25b9d6dec 10.164.0.0:3022    os:linux
grav-01   73d86fc7-7c4b-42e3-9a5f-c46e177a29e8 10.156.0.2:3022    os:linux
grav-02  24503590-e8ae-4a0a-ad7a-dd1865c04e30 10.156.0.7:3022     os:osx

# only show nodes with os label set to 'osx':
$ tsh ls os=osx
Node Name Address            Labels
--------- ------------------ ------
grav-02      10.156.0.7:3022    os:osx

tsh clusters

Usage: tsh clusters [<flags>]

Flags

Name Default Value(s) Allowed Value(s) Description
-q, --quiet none none no headers in output

Global Flags

These flags are available for all commands --login, --proxy, --user, --ttl, --identity, --cert-format, --insecure, --auth, --skip-version, --debug, --jumphost. Run tsh help <subcommand> or see the Global Flags Section

Examples

$ tsh clusters
Cluster Name Status
------------ ------
staging          online
production       offline
$ tsh clusters --quiet
staging online
production offline

tsh login

Logs in to the cluster. When tsh logs in, the auto-expiring key is stored in ~/.tsh and is valid for 12 hours by default, unless you specify another interval via --ttl flag (capped by the server-side configuration).

Usage: tsh login [<flags>] [<cluster>]

Arguments

Flags

Name Default Value(s) Allowed Value(s) Description
--bind-addr none host:port Address in the form of host:port to bind to for login command webhook
-o, --out none filepath Identity output filepath
--format file file, openssh or kubernetes Identity format: file, openssh (for OpenSSH compatibility) or kubernetes (for kubeconfig)
--browser none none Set to 'none' to suppress opening system default browser for tsh login commands
--request-roles none Request one or more extra roles
--request-reason none Reason for requesting additional roles

Global Flags

These flags are available for all commands --login, --proxy, --user, --ttl, --identity, --cert-format, --insecure, --auth, --skip-version-check, --debug, --jumphost. Run tsh help <subcommand> or see the Global Flags Section

Examples

The proxy endpoint can take a https and ssh port in this format host:https_port[,ssh_proxy_port]

# Use ports 8080 and 8023 for https and SSH proxy:
$ tsh --proxy=proxy.example.com:8080,8023 login

# Use port 8080 and 3023 (default) for SSH proxy:
$ tsh --proxy=proxy.example.com:8080 login

# Use port 23 as custom SSH port, keep HTTPS proxy port as default
$ tsh --proxy=work.example.com:,23 login

# Login and select cluster "two":
$ tsh --proxy=proxy.example.com login two

# Select cluster "two" using existing credentials and proxy:
$ tsh login two

# Login to the  cluster with a very short-lived certificate
$ tsh --ttl=1 login

# Login using the local Teleport 'admin' user:
$ tsh --proxy=proxy.example.com --auth=local --user=admin login

# Login using Github as an SSO provider, assuming the Github connector is called "github"
$ tsh --proxy=proxy.example.com --auth=github --user=admin login

# Suppress the opening of the system default browser for external provider logins
$ tsh --proxy=proxy.example.com --browser=none

# Login to cluster and output a local kubeconfig
$ tsh login --proxy=proxy.example.com --format=kubernetes -o kubeconfig

# Enterprise only: Request access to a cluster.
$ tsh login --proxy=proxy.example.com --request-reason="I need to run a debug script on production"

tsh logout

Deletes the client's cluster certificate

Usage: tsh logout

tsh status

Display the list of proxy servers and retrieved certificates

Usage: tsh status

Examples

$ tsh status

> Profile URL:  https://proxy.example.com:3080
  Logged in as: johndoe
  Roles:        admin*
  Logins:       root, admin, guest
  Valid until:  2017-04-25 15:02:30 -0700 PDT [valid for 1h0m0s]
  Extensions:   permit-agent-forwarding, permit-port-forwarding, permit-pty

tctl

tctl is an admin CLI tool used to administer a Teleport cluster. It connects to an Auth Server, meaning that it must be run on the same host with the role auth . If you run tctl on a non- auth node it will show an error.

tctl allows a cluster administrator to manage all resources in a cluster including nodes, users, tokens, and certificates.

tctl can also be used to modify the dynamic configuration of the cluster, like creating new user roles or connecting trusted clusters.

tctl Global Flags

Name Default Value(s) Allowed Value(s) Description
-d, --debug none none Enable verbose logging to stderr
-c, --config /etc/teleport.yaml string filepath Path to a configuration file

tctl help

Shows help.

Usage tctl help

tctl users add

Generates a user invitation token.

Usage: tctl users add [<flags>] <account> [<local-logins>]

Arguments

Flags

Name Default Value(s) Allowed Value(s) Description
--k8s-groups none a kubernetes group Kubernetes groups to assign to a user, e.g. system:masters
--k8s-users none a kubernetes user Kubernetes user to assign to a user, e.g. jenkins
--ttl 1h relative duration like 5s, 2m, or 3h, maximum 48h Set expiration time for token

Global Flags

These flags are available for all commands --debug, --config . Run tctl help <subcommand> or see the Global Flags Section

Examples

# Adds teleport user "joe" with mappings to
# OS users "joe" and "root"
tctl users add joe joe,root
# Adds teleport user "joe" with mappings to
# OS users "joe" only
tctl users add joe

tctl users ls

Lists all user accounts Usage: tctl users ls [<flags>]

tctl users rm

Deletes user accounts Usage: tctl users rm <logins>

Arguments

Examples

tctl users rm sally,tim
# Removes users sally and tim

tctl request ls

List of open requests Usage: tctl request ls

Examples

tctl request ls
Token                                Requestor Metadata       Created At (UTC)    Status
------------------------------------ --------- -------------- ------------------- -------
request-id-1                         alice     roles=dictator 07 Nov 19 19:38 UTC PENDING

tctl request approve

Approve a user's request. Usage: tctl request approve [token]

Arguments

Examples

tctl request approve request-id-1, request-id-2

tctl request deny

Denies a user's request. Usage: tctl request deny [token]

Arguments

Examples

tctl request deny request-id-1, request-id-2

tctl request rm

Delete a users role request. Usage: tctl request rm [token]

Arguments

Examples

tctl request rm request-id-1

tctl nodes add

Generate a node invitation token

Usage: tctl nodes add [<flags>]

Flags

Name Default Value(s) Allowed Value(s) Description
--roles node node,auth or proxy Comma-separated list of roles for the new node to assume
--ttl 30m relative duration like 5s, 2m, or 3h Time to live for a generated token
--token none string token value A custom token to use, auto-generated if not provided. Should match token set with teleport start --token

Global Flags

These flags are available for all commands --debug, --config . Run tctl help <subcommand> or see the Global Flags Section

Examples

# Generates a token which can be used by a node to join the cluster, default ttl is 30 minutes
$ tctl nodes add
# Generates a token which can be used to add an SSH node to the cluster
# The node will run the proxy service in addition is the node (ssh) service.
# This token can be used within an hour.
$ tctl nodes add --roles=node,proxy --ttl=1h

tctl nodes ls

List all active SSH nodes within the cluster

Usage: tctl nodes ls [<flags>]

Flags

Name Default Value(s) Allowed Value(s) Description
--namespace none string namespace Namespace of the nodes

Global Flags

These flags are available for all commands --debug, --config . Run tctl help <subcommand> or see the Global Flags Section

tctl tokens add

Create an invitation token

Usage: tctl tokens add --type=TYPE [<flags>]

Flags

Name Default Value(s) Allowed Value(s) Description
--type none trusted_cluster, node, proxy Type of token to add
--value none string token value Value of token to add
--ttl 1h relative duration like 5s, 2m, or 3h, maximum 48h Set expiration time for token

Global Flags

These flags are available for all commands --debug, --config . Run tctl help <subcommand> or see the Global Flags Section

Examples

# Generate an invite token for a trusted_cluster
$ tctl tokens add --type=trusted_cluster --ttl=5m
# Generate an invite token for a trusted_cluster with labels
$ tctl tokens add --type=trusted_cluster --labels=env=prod
# Generate an invite token for a node
# This is equivalent to `tctl nodes add`
$ tctl tokens add --type node

tctl tokens rm

Delete/revoke an invitation token

Usage: tctl tokens rm [<token>]

Arguments

tctl tokens ls

List node and user invitation tokens

Usage: tctl tokens ls [<flags>]

Example

$ tctl tokens ls
Token                            Type            Expiry Time (UTC)
-------------------------------- --------------- -------------------
ecce46d19bb4144716e5984269db1ac0 Node            11 Oct 19 22:17 UTC
fcbf269ca26440f35865ec29994f0fb4 trusted_cluster 11 Oct 19 22:19 UTC
6fd001d4200348deec9b50c4479ba07d User signup     11 Oct 19 22:20 UTC

tctl auth export

Export public cluster (CA) keys to stdout

Usage: tctl auth export [<flags>]

Flags

Name Default Value(s) Allowed Value(s) Description
--keys none none if set, will print private keys
--fingerprint none string e.g. SHA265:<fingerprint> filter authority by fingerprint
--compat none version number export certificates compatible with specific version of Teleport
--type none user, host or tls certificate type

Global Flags

These flags are available for all commands --debug, --config . Run tctl help <subcommand> or see the Global Flags Section

Examples

# Export all keys
$ tctl auth export
# Filter by fingerprint
$ tctl auth export --fingerprint=SHA256:8xu5kh1CbHCZRrGuitbQd4hM+d9V+I7YA1mUwA/2tAo
# Export tls certs only
$ tctl auth export --type tls

tctl auth sign

Create an identity file(s) for a given user

Usage: tctl auth sign -o <filepath> [--user <user> | --host <host>][--format] [<flags>]

Flags

Name Default Value(s) Allowed Value(s) Description
--user none existing user Teleport user name
--host none auth host Teleport host name
-o, --out none filepath identity output
--format file file, openssh, tls or kubernetes identity format
--identity file file identity format
--auth-server none auth host & port Remote Teleport host name
--ttl none relative duration like 5s, 2m, or 3h TTL (time to live) for the generated certificate
--compat "" standard or oldssh OpenSSH compatibility flag
--proxy "" Address of the teleport proxy. When --format is set to "kubernetes", this address will be set as cluster address in the generated kubeconfig file

Global Flags

These flags are available for all commands --debug, --config . Run tctl help <subcommand> or see the Global Flags Section

Examples

# Export identity file to teleport_id.pem
# for user `teleport` with a ttl set to 5m
$ tctl auth sign --format file --ttl=5m --user teleport -o teleport_id.pem
# Export identity formatted for openssh to teleport_id.pem
$ tctl auth sign --format openssh --user teleport -o teleport_id.pem
# Export host identity, `--format openssh` must be set with `--host`
# Generates grav-01 (private key) and grav-01-cert.pub in the current directory
$ tctl auth sign --format openssh --host grav-00
# Invalid command, only one of --user or --host should be set
$ tctl auth sign --format openssh --host grav-00 --user teleport -o grav_host
error: --user or --host must be specified
# create a certificate with a TTL of 10 years for the jenkins user
# the jenkins.pem file can later be used with `tsh`
$ tctl auth sign --ttl=87600h --user=jenkins --out=jenkins.pem
# create a certificate with a TTL of 1 day for the jenkins user
# the jenkins.pem file can later be used with `tsh`
$ tctl auth sign --ttl=24h --user=jenkins --out=jenkins.pem
# create a certificate with a TTL of 1 day for the jenkins user
# The kubeconfig file can later be used with `kubectl` or compatible tooling.
$ tctl auth sign --ttl=24h --user=jenkins --out=kubeconfig --format=kubernetes
# Exports an identity from the Auth Server in preparation for remote
# tctl execution.
$ tctl auth sign --user=admin --out=identity.pem

tctl auth rotate

Rotate certificate authorities in the cluster

Usage: tctl auth rotate [<flags>]

Flags

Name Default Value(s) Allowed Value(s) Description
--grace-period none relative duration like 5s, 2m, or 3h Grace period keeps previous certificate authorities signatures valid, if set to 0 will force users to login again and nodes to re-register.
--manual none none Activate manual rotation, set rotation phases manually
--type user,host user or host Certificate authority to rotate
--phase init, standby, update_clients, update_servers, rollback Target rotation phase to set, used in manual rotation

Global Flags

These flags are available for all commands --debug, --config . Run tctl help <subcommand> or see the Global Flags Section

Examples

# rotate only user certificates with a grace period of 200 hours:
$ tctl auth rotate --type=user --grace-period=200h

# rotate only host certificates with a grace period of 8 hours:
$ tctl auth rotate --type=host --grace-period=8h

tctl create

Create or update a Teleport resource from a YAML file.

The supported resource types are: user, node, cluster, role, connector. See the Resource Guide for complete docs on how to build these yaml files.

Usage: tctl create [<flags>] <filename>

Arguments

Flags

Name Default Value(s) Allowed Value(s) Description
-f, --force none none Overwrite the resource if already exists

Global Flags

These flags are available for all commands --debug, --config . Run tctl help <subcommand> or see the Global Flags Section

Examples

# Update a user record
$ tctl create -f joe.yaml
# Add a trusted cluster
$ tctl create cluster.yaml $ Update a trusted cluster $ tctl create -f
cluster.yaml

tctl rm

Delete a resource

Usage: tctl rm [<resource-type/resource-name>]

Arguments

Examples

# delete a SAML connector called "okta":
$ tctl rm saml/okta

# delete a local user called "admin":
$ tctl rm users/admin

tctl get

Print a YAML declaration of various Teleport resources

Usage: tctl get [<flags>] [<resource-type/resource-name>],...

Arguments

Flags

Name Default Value(s) Allowed Value(s) Description
--format yaml, json or text Output format
--with-secrets none none Include secrets in resources like certificate authorities or OIDC connectors

Global Flags

These flags are available for all commands --debug, --config . Run tctl help <subcommand> or see the Global Flags Section

Examples

$ tctl get users
# dump the user definition into a file:
$ tctl get user/joe > joe.yaml
# prints the trusted cluster 'east'
$ tctl get cluster/east
# prints all trusted clusters and all users
$ tctl get clusters,users
# Dump all resources for backup into state.yaml
$ tctl get all > state.yaml

tctl status

Report cluster status

Usage tctl status

Examples

# Checks status of cluster.
$ tctl status Cluster  grav-00 User CA  never updated Host CA  never updated CA
pin   sha256:1146cdd2b887772dcc2e879232c8f60012a839f7958724ce5744005474b15b9d
# Checks remote auth status using exported identity.
$ tctl status \
                --auth-server=192.168.99.102:3025 \
                --identity=identity.pem

tctl top

Reports diagnostic information.

The diagnostic metrics endpoint must be enabled with teleport start --diag-addr=<bind-addr> for tctl top to work.

Usage tctl top [<diag-addr>] [<refresh>]

Argument

Example

$ teleport start --diag-addr=127.0.0.1:3434
# View stats with refresh period of 5 seconds
$ tctl top http://127.0.0.1:3434 5s

tctl version

Print cluster version

Usage: tctl version

Try Teleport Today

In the Cloud, Self-hosted, or Open Source

Get Started
View Developer Docs