Table of Contents

Teleport Configuration Reference

teleport.yaml

Teleport uses the YAML file format for configuration. A full configuration reference file is shown below, this provides comments and all available options for teleport.yaml By default, it is stored in /etc/teleport.yaml.

# By default, this file should be stored in /etc/teleport.yaml

# This section of the configuration file applies to all teleport
# services.
teleport:
    # nodename allows to assign an alternative name this node can be reached by.
    # by default it's equal to hostname
    nodename: graviton

    # Data directory where Teleport daemon keeps its data.
    # See "Filesystem Layout" section above for more details.
    data_dir: /var/lib/teleport

    # Invitation token used to join a cluster. it is not used on
    # subsequent starts
    auth_token: xxxx-token-xxxx

    # Optional CA pin of the auth server. This enables more secure way of adding new
    # nodes to a cluster. See "Adding Nodes" section above.
    ca_pin: "sha256:7e12c17c20d9cb504bbcb3f0236be3f446861f1396dcbb44425fe28ec1c108f1"

    # When running in multi-homed or NATed environments Teleport nodes need
    # to know which IP it will be reachable at by other nodes
    #
    # This value can be specified as FQDN e.g. host.example.com
    advertise_ip: 10.1.0.5

    # list of auth servers in a cluster. you will have more than one auth server
    # if you configure teleport auth to run in HA configuration.
    # If adding a node located behind NAT, use the Proxy URL. e.g.
    #  auth_servers:
    #     - teleport-proxy.example.com:3080
    auth_servers:
        - 10.1.0.5:3025
        - 10.1.0.6:3025

    # Teleport throttles all connections to avoid abuse. These settings allow
    # you to adjust the default limits
    connection_limits:
        max_connections: 1000
        max_users: 250

    # Logging configuration. Possible output values to disk via '/var/lib/teleport/teleport.log',
    # 'stdout', 'stderr' and 'syslog'. Possible severity values are INFO, WARN
    # and ERROR (default).
    log:
        output: /var/lib/teleport/teleport.log
        severity: ERROR

    # Configuration for the storage back-end used for the cluster state and the
    # audit log. Several back-end types are supported. See "High Availability"
    # section of this Admin Manual below to learn how to configure DynamoDB,
    # S3, etcd and other highly available back-ends.
    storage:
        # By default teleport uses the `data_dir` directory on a local filesystem
        type: dir

        # List of locations where the audit log events will be stored. By default,
        # they are stored in `/var/lib/teleport/log`
        # When specifying multiple destinations like this, make sure that any highly-available
        # storage methods (like DynamoDB or Firestore) are specified first, as this is what the
        # Teleport web UI uses as its source of events to display.
        audit_events_uri: ['dynamodb://events_table_name', 'firestore://events_table_name', 'file:///var/lib/teleport/log', 'stdout://']

        # Use this setting to configure teleport to store the recorded sessions in
        # an AWS S3 bucket or use GCP Storage with 'gs://'. See "Using Amazon S3"
        # chapter for more information.
        audit_sessions_uri: 's3://example.com/path/to/bucket?region=us-east-1'

    # CA Signing algorithm used for OpenSSH Certificates
    # Defaults to rsa-sha2-512 in 4.3 and above.
    # valid values are: ssh-rsa, rsa-sha2-256, rsa-sha2-512; ssh-rsa is SHA1
    ca_signature_algo: "rsa-sha2-512"

    # Cipher algorithms that the server supports. This section only needs to be
    # set if you want to override the defaults.
    ciphers:
      - aes128-ctr
      - aes192-ctr
      - aes256-ctr
      - [email protected]
      - [email protected]

    # Key exchange algorithms that the server supports. This section only needs
    # to be set if you want to override the defaults.
    kex_algos:
      - [email protected]
      - ecdh-sha2-nistp256
      - ecdh-sha2-nistp384
      - ecdh-sha2-nistp521

    # Message authentication code (MAC) algorithms that the server supports.
    # This section only needs to be set if you want to override the defaults.
    mac_algos:
      - [email protected]
      - hmac-sha2-256

    # List of the supported ciphersuites. If this section is not specified,
    # only the default ciphersuites are enabled.
    ciphersuites:
       - tls-ecdhe-rsa-with-aes-128-gcm-sha256
       - tls-ecdhe-ecdsa-with-aes-128-gcm-sha256
       - tls-ecdhe-rsa-with-aes-256-gcm-sha384
       - tls-ecdhe-ecdsa-with-aes-256-gcm-sha384
       - tls-ecdhe-rsa-with-chacha20-poly1305
       - tls-ecdhe-ecdsa-with-chacha20-poly1305

# This section configures the 'auth service':
auth_service:
    # Turns 'auth' role on. Default is 'yes'
    enabled: yes

    # A cluster name is used as part of a signature in certificates
    # generated by this CA.
    #
    # We strongly recommend to explicitly set it to something meaningful as it
    # becomes important when configuring trust between multiple clusters.
    #
    # By default an automatically generated name is used (not recommended)
    #
    # IMPORTANT: if you change cluster_name, it will invalidate all generated
    # certificates and keys (may need to wipe out /var/lib/teleport directory)
    cluster_name: "main"

    authentication:
        # default authentication type. possible values are 'local' and 'github' for OSS
        #  and 'oidc', 'saml' and 'false' for Enterprise.
        # 'false' is required for FedRAMP / FIPS, see
        #  https://gravitational.com/teleport/docs/enterprise/ssh-kubernetes-fedramp/
        #  only local authentication (Teleport's own user DB) & Github is supported in the open
        #  source version
        type: local
        # second_factor can be off, otp, or u2f
        second_factor: otp
        # this section is used if second_factor is set to 'u2f'
        u2f:
            # app_id must point to the URL of the Teleport Web UI (proxy) accessible
            # by the end users
            app_id: https://localhost:3080
            # facets must list all proxy servers if there are more than one deployed
            facets:
            - https://localhost:3080

    # IP and the port to bind to. Other Teleport nodes will be connecting to
    # this port (AKA "Auth API" or "Cluster API") to validate client
    # certificates
    listen_addr: 0.0.0.0:3025

    # The optional DNS name the auth server if located behind a load balancer.
    # (see public_addr section below)
    public_addr: auth.example.com:3025

    # Pre-defined tokens for adding new nodes to a cluster. Each token specifies
    # the role a new node will be allowed to assume. The more secure way to
    # add nodes is to use `ttl node add --ttl` command to generate auto-expiring
    # tokens.
    #
    # We recommend to use tools like `pwgen` to generate sufficiently random
    # tokens of 32+ byte length.
    tokens:
        - "proxy,node:xxxxx"
        - "auth:yyyy"

    # Optional setting for configuring session recording. Possible values are:
    #    "node"  : sessions will be recorded on the node level  (the default)
    #    "proxy" : recording on the proxy level, see "recording proxy mode" section.
    #    "off"   : session recording is turned off
    #
    # EXPERIMENTAL *-sync modes
    # Proxy and node send logs directly to S3 or other
#    storage without storing the records on disk at all. *-sync requires all
#    nodes to be upgraded to 4.4
#
#    "node-sync" : sessions recording will be streamed from node -> auth -> storage service
#    "proxy-sync : sessions recording will be streamed from proxy -> auth -> storage service
#
    session_recording: "node"

    # This setting determines if a Teleport proxy performs strict host key checks.
    # Only applicable if session_recording=proxy, see "recording proxy mode" for details.
    proxy_checks_host_keys: yes

    # Determines if SSH sessions to cluster nodes are forcefully terminated
    # after no activity from a client (idle client).
    # Examples: "30m", "1h" or "1h30m"
    client_idle_timeout: never

    # Determines if the clients will be forcefully disconnected when their
    # certificates expire in the middle of an active SSH session. (default is 'no')
    disconnect_expired_cert: no

    # Determines the interval at which Teleport will send keep-alive messages. The default
    # is set to 5 minutes (300 seconds) to stay lower than the common load balancer timeout
    # of 350 seconds.
    # keep_alive_count_max is the number of missed keep-alive messages before the server
    # tears down the connection to the client.
    keep_alive_interval: 5m
    keep_alive_count_max: 3

    # Determines the internal session control timeout cluster wide. This value will
    # be used with enterprise max_connections and max_sessions. It's unlikely that
    # you'll need to change this.
    # session_control_timeout: 2m

    # License file to start auth server with. Note that this setting is ignored
    # in open-source Teleport and is required only for Teleport Pro, Business
    # and Enterprise subscription plans.
    #
    # The path can be either absolute or relative to the configured `data_dir`
    # and should point to the license file obtained from Teleport Download Portal.
    #
    # If not set, by default Teleport will look for the `license.pem` file in
    # the configured `data_dir` .
    license_file: /var/lib/teleport/license.pem

# This section configures the 'node service':
ssh_service:
    # Turns 'ssh' role on. Default is 'yes'
    enabled: yes

    # IP and the port for SSH service to bind to.
    listen_addr: 0.0.0.0:3022

    # The optional public address the SSH service. This is useful if administrators
    # want to allow users to connect to nodes directly, bypassing a Teleport proxy
    # (see public_addr section below)
    public_addr: node.example.com:3022

    # See explanation of labels in "Labeling Nodes" section below
    labels:
        role: leader
        type: postgres

    # List of the commands to periodically execute. Their output will be used as node labels.
    # See "Labeling Nodes" section below for more information and more examples.
    commands:
    # this command will add a label 'arch=x86_64' to a node
    - name: arch
      command: ['/bin/uname', '-p']
      period: 1h0m0s

    # enables reading ~/.tsh/environment before creating a session. by default
    # set to false, can be set true here or as a command line flag.
    permit_user_env: false

    # Enhanced Session Recording
    # see https://gravitational.com/teleport/docs/features/enhanced-session-recording
    enhanced_recording:
       # Enable or disable enhanced auditing for this node. Default value:
       # false.
       enabled: false

       # command_buffer_size is optional with a default value of 8 pages.
       command_buffer_size: 8

       # disk_buffer_size is optional with default value of 128 pages.
       disk_buffer_size: 128

       # network_buffer_size is optional with default value of 8 pages.
       network_buffer_size: 8

       # Controls where cgroupv2 hierarchy is mounted. Default value:
       # /cgroup2.
       cgroup_path: /cgroup2

    # configures PAM integration. see below for more details.
    pam:
        enabled: no
        service_name: teleport

# This section configures the 'proxy service'
proxy_service:
    # Turns 'proxy' role on. Default is 'yes'
    enabled: yes

    # SSH forwarding/proxy address. Command line (CLI) clients always begin their
    # SSH sessions by connecting to this port
    listen_addr: 0.0.0.0:3023

    # Reverse tunnel listening address. An auth server (CA) can establish an
    # outbound (from behind the firewall) connection to this address.
    # This will allow users of the outside CA to connect to behind-the-firewall
    # nodes.
    tunnel_listen_addr: 0.0.0.0:3024

    # The HTTPS listen address to serve the Web UI and also to authenticate the
    # command line (CLI) users via password+HOTP
    web_listen_addr: 0.0.0.0:3080

    # The DNS name of the proxy HTTPS endpoint as accessible by cluster users.
    # Defaults to the proxy's hostname if not specified. If running multiple
    # proxies behind a load balancer, this name must point to the load balancer
    # (see public_addr section below)
    public_addr: proxy.example.com:3080

    # The DNS name of the proxy SSH endpoint as accessible by cluster clients.
    # Defaults to the proxy's hostname if not specified. If running multiple proxies
    # behind a load balancer, this name must point to the load balancer.
    # Use a TCP load balancer because this port uses SSH protocol.
    ssh_public_addr: proxy.example.com:3023

    # The DNS name of the tunnel SSH endpoint as accessible by trusted clusters and
    # nodes joining the cluster via Teleport IoT/node tunneling.
    # Defaults to the proxy's hostname if not specified. If running multiple proxies
    # behind a load balancer, this name must point to the load balancer.
    # Use a TCP load balancer because this port uses SSH protocol.
    tunnel_public_addr: proxy.example.com:3024

    # TLS certificate for the HTTPS connection. Configuring these properly is
    # critical for Teleport security.
    https_keypairs:
    - key_file: /var/lib/teleport/webproxy_key.pem
      cert_file: /var/lib/teleport/webproxy_cert.pem
    - key_file: /etc/letsencrypt/live/*.teleport.example.com/privkey.pem
      cert_file: /etc/letsencrypt/live/*.teleport.example.com/fullchain.pem

    # This section configures the Kubernetes proxy service
    kubernetes:
        # Turns 'kubernetes' proxy on. Default is 'no'
        enabled: yes

        # Kubernetes proxy listen address.
        listen_addr: 0.0.0.0:3026

        # The DNS name of the Kubernetes proxy server that is accessible by cluster clients.
        # If running multiple proxies behind  a load balancer, this name must point to the
        # load balancer.
        public_addr: ['kube.example.com:3026']

        # This setting is not required if the Teleport proxy service is
        # deployed inside a Kubernetes cluster. Otherwise, Teleport proxy
        # will use the credentials from this file:
        kubeconfig_file: /path/to/kube/config

# This section configures the 'application service'
app_service:
    # Turns 'app' role on. Default is 'no'
   enabled: yes
   # We've a small debug app that can be used to make sure application
   # Access is working correctly. It'll output JWTs so it can be useful
   # when extending your application.
   debug_app: true
   apps:
   - name: "kubernetes-dashboard"
     # URI and Port of Application.
     uri: "http://10.0.1.27:8000"
     # Optional Public Addr
     public_addr: "example.com"
     # Optional Label: These can be used in combination with RBAC rules
     # to limit access to applications
     labels:
        env: "prod"
     # Optional Dynamic Labels
     commands:
     - name: "os"
       command: ["/usr/bin/uname"]
       period: "5s"

Try Teleport Today

In the Cloud, Self-hosted, or Open Source

View Developer Docs