gravitational/teleport

Teleport provides connectivity, authentication, access controls and audit for infrastructure.

Here is why you might use Teleport:

• Set up SSO for all of your cloud infrastructure [1].
• Protect access to cloud and on-prem services using mTLS endpoints and short-lived certificates.
• Establish tunnels to access services behind NATs and firewalls.
• Provide an audit log with session recording and replay for various protocols.
• Unify Role-Based Access Control (RBAC) and enforce the principle of least privilege with access requests.

[1] The open source version supports only GitHub SSO.

Teleport works with SSH, Kubernetes, databases, RDP, and web services.

• Architecture: https://goteleport.com/docs/architecture/
• Getting Started: https://goteleport.com/docs/getting-started/

1. Introduction
2. Installing and Running
3. Docker
4. Building Teleport
5. Why Did We Build Teleport?
6. More Information
7. Support and Contributing
8. Is Teleport Secure and Production Ready?
9. Who Built Teleport?

Teleport includes an identity-aware access proxy, a CA that issues short-lived certificates, a unified access control system and a tunneling system to access resources behind the firewall.

We have implemented Teleport as a single Go binary that integrates with multiple protocols and cloud services:

• SSH nodes.
• Kubernetes clusters
• PostgreSQL, MongoDB, CockroachDB and MySQL databases.
• Internal Web apps.
• Windows Hosts.
• Networked servers.

You can set up Teleport as a Linux daemon or a Kubernetes deployment.

Teleport focuses on best practices for infrastructure security:

• No need to manage shared secrets such as SSH keys or Kubernetes tokens: it uses certificate-based auth with certificate expiration for all protocols.
• Two-factor authentication (2FA) for everything.
• Collaboratively troubleshoot issues through session sharing.
• Single sign-on (SSO) for everything via GitHub Auth, OpenID Connect, or SAML with endpoints like Okta or Active Directory.
• Infrastructure introspection: Use Teleport via the CLI or Web UI to view the status of every SSH node, database instance, Kubernetes cluster, or internal web app.

Teleport uses Go crypto. It is fully compatible with OpenSSH, sshd servers, and ssh clients, Kubernetes clusters and more.

To set up a single-instance Teleport cluster, follow our getting started guide. You can then register your servers, Kubernetes clusters, and other infrastructure with your Teleport cluster.

You can also get started with Teleport Enterprise Cloud, a managed Teleport deployment that makes it easier to enable secure access to your infrastructure.

Sign up for a free trial of Teleport Enterprise Cloud.

Follow our guide to registering your first server with Teleport Enterprise Cloud.

If you wish to deploy Teleport inside a Docker container see the installation guide.

Follow the instructions in the docker/README file.

To run a full test suite locally, see the test dependencies list

The teleport repository contains the Teleport daemon binary (written in Go) and a web UI written in Javascript (a git submodule located in the webassets/ directory).

If your intention is to build and deploy for use in a production infrastructure a released tag should be used. The default branch, master, is the current development branch for an upcoming major version. Get the latest release tags listed at https://goteleport.com/download/ and then use that tag in the git clone. For example git clone https://github.com/gravitational/teleport.git -b v16.0.0 gets release v16.0.0.

It is often easiest to build with Docker, which ensures that all required tooling is available for the build. To execute a dockerized build, ensure that docker is installed and running, and execute:

make -C build.assets build-binaries

Ensure you have installed correct versions of necessary dependencies:

• Go version from go.mod
• If you wish to build the Rust-powered features like Desktop Access, see the Rust and Cargo versions in build.assets/Makefile (search for RUST_VERSION)
• For tsh version > 10.x with FIDO support, you will need libfido and openssl 1.1 installed locally
• To build the web UI:
  • yarn(< 2.0.0) is required.
  • If you prefer not to install/use yarn, but have docker available, you can run make docker-ui instead.
  • The Rust and Cargo version in build.assets/Makefile (search for RUST_VERSION) are required.
  • The wasm-pack version in build.assets/Makefile (search for WASM_PACK_VERSION) is required.
  • binaryen (which contains wasm-opt) is required to be installed manually on linux aarch64 (64-bit ARM). You can check if it's already installed on your system by running which wasm-opt. If not you can install it like apt-get install binaryen (for Debian-based Linux). wasm-pack will install this automatically on other platforms.

For an example of Dev Environment setup on a Mac, see these instructions.

Important

• The Go compiler is somewhat sensitive to the amount of memory: you will need at least 1GB of virtual memory to compile Teleport. A 512MB instance without swap will not work.
• This will build the latest version of Teleport, regardless of whether it is stable. If you want to build the latest stable release, run git checkout and git submodule update --recursive to the corresponding tag (for example,
• run git checkout v8.0.0) before performing a build.

Get the source

git clone https://github.com/gravitational/teleport.git
cd teleport

To perform a build

make full

To build tsh with Apple TouchID support enabled:

Important

tsh binaries with Touch ID support are only functional using binaries signed with Teleport's Apple Developer ID and notarized by Apple. If you are a Teleport maintainer, ask the team for access.

make build/tsh TOUCHID=yes

To build tsh with libfido:

make build/tsh FIDO2=dynamic

• On a Mac, with libfido and openssl 3 installed via homebrew

  export PKG_CONFIG_PATH="$(brew --prefix openssl@3)/lib/pkgconfig"
  make build/tsh FIDO2=dynamic

If the build succeeds, the installer will place the binaries in the build directory.

Before starting, create default data directories:

sudo mkdir -p -m0700 /var/lib/teleport
sudo chown $USER /var/lib/teleport

To speed up your development process, you can run Teleport using CompileDaemon. This will build and run the Teleport binary, and then rebuild and restart it whenever any Go source files change.

1. Install CompileDaemon:

   go install github.com/githubnemo/CompileDaemon@latest

   Note that we use go install instead of the suggested go get, because we don't want CompileDaemon to become a dependency of the project.

2. Build and run the Teleport binary:

   make teleport-hot-reload

   By default, this runs a teleport start command. If you want to customize the command, for example by providing a custom config file location, you can use the TELEPORT_ARGS parameter:

   make teleport-hot-reload TELEPORT_ARGS='start --config=/path/to/config.yaml'

Note that you still need to run make grpc if you modify any Protocol Buffers files to regenerate the generated Go sources; regenerating these sources should in turn cause the CompileDaemon to rebuild and restart Teleport.

The Teleport Web UI resides in the web directory.

To rebuild the Teleport UI package, run the following command:

make docker-ui

Then you can replace Teleport Web UI files with the files from the newly-generated /dist folder.

To enable speedy iterations on the Web UI, you can run a local web-dev server.

You can also tell Teleport to load the Web UI assets from the source directory. To enable this behavior, set the environment variable DEBUG=1 and rebuild with the default target:

# Run Teleport as a single-node cluster in development mode:
DEBUG=1 ./build/teleport start -d

Keep the server running in this mode, and make your UI changes in /dist directory. For instructions about how to update the Web UI, read the web README.

All dependencies are managed using Go modules. Here are the instructions for some common tasks:

Latest version:

go get github.com/new/dependency

and update the source to use this dependency.

To get a specific version, use go get github.com/new/dependency@version instead.

go get github.com/new/dependency@version

go get -u github.com/new/dependency

go get -u all

Why is a specific package imported?

go mod why $pkgname

Why is a specific module imported?

go mod why -m $modname

Why is a specific version of a module imported?

go mod graph | grep $modname

Note: Devbox support is still experimental. It's very possible things may not work as intended.

Teleport can be built using devbox. To use devbox, follow the instructions to install devbox here and then run:

devbox shell

This will install Teleport's various build dependencies and drop you into a shell with these dependencies. From here, you can build Teleport normally.

A nix flake is located in build.assets/flake that allows for installation of Teleport's less common build tooling. If this flake is updated, run:

devbox install

in order to make sure the changes in the flake are reflected in the local devbox shell.

The Teleport creators used to work together at Rackspace. We noticed that most cloud computing users struggle with setting up and configuring infrastructure security because popular tools, while flexible, are complex to understand and expensive to maintain. Additionally, most organizations use multiple infrastructure form factors such as several cloud providers, multiple cloud accounts, servers in colocation, and even smart devices. Some of those devices run on untrusted networks, behind third-party firewalls. This only magnifies complexity and increases operational overhead.

We had a choice, either start a security consulting business or build a solution that's dead-easy to use and understand. A real-time representation of all of your servers in the same room as you, as if they were magically teleported. Thus, Teleport was born!

• Teleport Getting Started
• Teleport Architecture
• Reference
• FAQ

We offer a few different options for support. First of all, we try to provide clear and comprehensive documentation. The docs are also in GitHub, so feel free to create a PR or file an issue if you have ideas for improvements. If you still have questions after reviewing our docs, you can also:

• Join Teleport Discussions to ask questions. Our engineers are available there to help you.
• If you want to contribute to Teleport or file a bug report/issue, you can create an issue here in GitHub.
• If you are interested in Teleport Enterprise or more responsive support during a POC, we can also create a dedicated Slack channel for you during your POC. You can reach out to us through our website to arrange for a POC.

Yes -- Teleport is production-ready and designed to protect and facilitate access to the most precious and mission-critical applications.

Teleport has completed several security audits from nationally and internationally recognized technology security companies.

We publicize some of our audit results, security philosophy and related information on our trust page.

You can see the list of companies that use Teleport in production on the Teleport product page.

Teleport was created by Gravitational, Inc.. We have built Teleport by borrowing from our previous experiences at Rackspace. Learn more about Teleport and our history.