goteleport.com
2606:4700::6812:717
Public Scan
Submitted URL: http://apt.releases.teleport.dev/
Effective URL: https://goteleport.com/docs/installation/
Submission: On November 08 via api from US — Scanned from DE
Text Content
INSTALLATION

Version 14.x

Available for: OpenSource, Team, Cloud, Enterprise

This guide shows you how to install Teleport binaries on your platform, including:

* teleport
* tsh
* tctl
* tbot

If you are new to Teleport, we recommend following our getting started guide.
For best results, Teleport clients (tsh, tctl, tbot) should be the same major version as the cluster they are connecting to. Teleport servers are compatible with clients that are on the same major version or one major version older. Teleport servers do not support clients that are on a newer major version. See our Upgrading guide for more information.

OPERATING SYSTEM SUPPORT

Teleport is officially supported on the platforms listed below. It is worth noting that the open-source community has been successful in building and running Teleport on UNIX variants other than Linux [1].

| Operating System | teleport Daemon | tctl Admin Tool | tsh and Teleport Connect User Clients [2] | Web UI (via the browser) | tbot Daemon |
|---|---|---|---|---|---|
| Linux v2.6.23+ (RHEL/CentOS 7+, Amazon Linux 2+, Amazon Linux 2023+, Ubuntu 16.04+, Debian 9+, SLES 12 SP 5+, and SLES 15 SP 5+) [3] | yes | yes | yes | yes | yes |
| macOS v10.13+ (High Sierra) | yes | yes | yes | yes | yes |
| Windows 10+ (rev. 1607) [4] | no | no | yes | yes | no |

[1] Teleport is written in Go and many of these system requirements are due to the requirements of the Go toolchain.
[2] tsh is a Command Line Client (CLI) and Teleport Connect is a Graphical User Interface (GUI) desktop client. See Using Teleport Connect for usage and installation.
[3] Enhanced Session Recording requires Linux kernel v5.8+.
[4] Teleport server does not run on Windows yet, but tsh and Teleport Connect (the Teleport desktop clients) support most features on Windows 10 and later.

LINUX

All installations include teleport, tsh, tctl, and tbot.

FEATURE SUPPORT

Some Teleport features have additional requirements:

| Feature | Requirement | Debian | Ubuntu | CentOS/RHEL | Amazon Linux | SLES |
|---|---|---|---|---|---|---|
| Enhanced Session Recording | Kernel v5.8+ | 11, or 10 with backports | 20.04.2+ | 9+ | 2 (post 11/2021), 2023 | 12 SP5, 15 SP5 |
| Automatic Updates | systemd-based | 9+ | 16.04+ | 7+ | 2, 2023 | 12 SP5, 15 SP5 |
| Installation through apt/yum/zypper repos | systemd-based | 9+ | 16.04+ | 7+ | 2, 2023 | 12 SP5, 15 SP5 |

Note: apt, yum, and zypper repos don't expose packages for all distribution variants.
When following installation instructions, you might need to replace ID with ID_LIKE to install packages of the closest supported distribution. Currently supported distributions (and ID) are:

* RHEL >= 7 (rhel)
* CentOS >= 7 (centos)
* Debian >= 9 (debian)
* Ubuntu >= 16.04 (ubuntu)
* Amazon Linux 2 and 2023 (amzn)
* SLES >= 12 SP5, >= 15 SP5 (sles)

INSTALLATION INSTRUCTIONS

Best practices for production security

When running Teleport in production, you should adhere to the following best practices to avoid security incidents:

* Avoid using sudo in production environments unless it's necessary.
* Create new, non-root, users and use test instances for experimenting with Teleport.
* Run Teleport's services as a non-root user unless required. Only the SSH Service requires root access. Note that you will need root permissions (or the CAP_NET_BIND_SERVICE capability) to make Teleport listen on a port numbered < 1024 (e.g. 443).
* Follow the principle of least privilege. Don't give users permissive roles when a more restrictive role will do. For example, don't assign users the built-in access,editor roles, which give them permissions to access and edit all cluster resources. Instead, define roles with the minimum required permissions for each user and configure access requests to provide temporary elevated permissions.
* When you enroll Teleport resources—for example, new databases or applications—you should save the invitation token to a file. If you enter the token directly on the command line, a malicious user could view it by running the history command on a compromised system.

You should note that these practices aren't necessarily reflected in the examples used in documentation. Examples in the documentation are primarily intended for demonstration and for development environments.

Select an edition, then follow the instructions for that edition to install Teleport.
Teleport Edition:

* Teleport Community Edition
* Teleport Team
* Teleport Enterprise
* Teleport Enterprise Cloud

Teleport Community Edition

    curl https://goteleport.com/static/install.sh | bash -s 14.1.1

Teleport Team

* Debian 9+/Ubuntu 16.04+ (apt)
* Amazon Linux 2/RHEL 7/CentOS 7 (yum)
* Amazon Linux 2023/RHEL 8+ (dnf)
* SLES 12 SP5+ and 15 SP5+ (zypper)

Add the Teleport repository to your repository list:

Debian 9+/Ubuntu 16.04+ (apt):

    # Download Teleport's PGP public key
    sudo curl https://apt.releases.teleport.dev/gpg \
      -o /usr/share/keyrings/teleport-archive-keyring.asc
    # Source variables about OS version
    source /etc/os-release
    # Add the Teleport APT repository for cloud.
    echo "deb [signed-by=/usr/share/keyrings/teleport-archive-keyring.asc] \
    https://apt.releases.teleport.dev/${ID?} ${VERSION_CODENAME?} stable/cloud" \
    | sudo tee /etc/apt/sources.list.d/teleport.list > /dev/null

    sudo apt-get update
    sudo apt-get install teleport-ent-updater

Amazon Linux 2/RHEL 7/CentOS 7 (yum):

    # Source variables about OS version
    source /etc/os-release
    # Add the Teleport YUM repository for cloud.
    # First, get the OS major version from $VERSION_ID so this fetches the correct
    # package version.
    VERSION_ID=$(echo $VERSION_ID | grep -Eo "^[0-9]+")
    sudo yum-config-manager --add-repo "$(rpm --eval "https://yum.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/stable/cloud/teleport-yum.repo")"
    sudo yum install teleport-ent-updater

    # Tip: Add /usr/local/bin to path used by sudo (so 'sudo tctl users add' will work as per the docs)
    echo "Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin" > /etc/sudoers.d/secure_path

Amazon Linux 2023/RHEL 8+ (dnf):

    # Source variables about OS version
    source /etc/os-release
    # Add the Teleport YUM repository for cloud.
    # First, get the OS major version from $VERSION_ID so this fetches the correct
    # package version.
    VERSION_ID=$(echo $VERSION_ID | grep -Eo "^[0-9]+")
    # Use the dnf config manager plugin to add the teleport RPM repo
    sudo dnf config-manager --add-repo "$(rpm --eval "https://yum.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/stable/cloud/teleport-yum.repo")"

    # Install teleport
    sudo dnf install teleport-ent-updater

    # Tip: Add /usr/local/bin to path used by sudo (so 'sudo tctl users add' will work as per the docs)
    echo "Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin" > /etc/sudoers.d/secure_path

SLES 12 SP5+ and 15 SP5+ (zypper):

    # Source variables about OS version
    source /etc/os-release
    # Add the Teleport Zypper repository for cloud.
    # First, get the OS major version from $VERSION_ID so this fetches the correct
    # package version.
    VERSION_ID=$(echo $VERSION_ID | grep -Eo "^[0-9]+")
    # Use Zypper to add the teleport RPM repo
    sudo zypper addrepo --refresh --repo $(rpm --eval "https://zypper.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/stable/cloud/teleport-zypper.repo")

    # Install teleport
    sudo zypper install teleport-ent-updater

OS REPOSITORY CHANNELS

The following channels are available for APT, YUM, and Zypper repos. They may be used in place of stable/v14 anywhere in the Teleport documentation.

| Channel name | Description |
|---|---|
| stable/<major> | Receives releases for the specified major release line, i.e. v14 |
| stable/cloud | Rolling channel that receives releases compatible with current Cloud version |
| stable/rolling | Rolling channel that receives all published Teleport releases |

Is my Teleport instance compatible with Teleport Team?

Before installing a teleport binary with a version besides v13, read our compatibility rules to ensure that the binary is compatible with Teleport Cloud.

When running multiple teleport binaries within a cluster, the following rules apply:

* Patch and minor versions are always compatible, for example, any 8.0.1 component will work with any 8.0.3 component and any 8.1.0 component will work with any 8.3.0 component.
* Servers support clients that are 1 major version behind, but do not support clients that are on a newer major version. For example, an 8.x.x Proxy Service is compatible with 7.x.x resource services and 7.x.x tsh, but we don't guarantee that a 9.x.x resource service will work with an 8.x.x Proxy Service. This also means you must not attempt to upgrade from 6.x.x straight to 8.x.x. You must upgrade to 7.x.x first.
* Proxy Services and resource services do not support Auth Services that are on an older major version, and will fail to connect to older Auth Services by default. This behavior can be overridden by passing --skip-version-check when starting Proxy Services and resource services.

Teleport Enterprise

* Debian 9+/Ubuntu 16.04+ (apt)
* Amazon Linux 2/RHEL 7 (yum)
* Amazon Linux 2/RHEL 7 (zypper)
* Amazon Linux 2023/RHEL 8+ (dnf)
* SLES 12 SP5+ and 15 SP5+ (zypper)
* Tarball

Debian 9+/Ubuntu 16.04+ (apt):

    # Download Teleport's PGP public key
    sudo curl https://apt.releases.teleport.dev/gpg \
      -o /usr/share/keyrings/teleport-archive-keyring.asc
    # Source variables about OS version
    source /etc/os-release
    # Add the Teleport APT repository for v14. You'll need to update this
    # file for each major release of Teleport.
    echo "deb [signed-by=/usr/share/keyrings/teleport-archive-keyring.asc] \
    https://apt.releases.teleport.dev/${ID?} ${VERSION_CODENAME?} stable/v14" \
    | sudo tee /etc/apt/sources.list.d/teleport.list > /dev/null

    sudo apt-get update
    sudo apt-get install teleport-ent

For FedRAMP/FIPS-compliant installations, install the teleport-ent-fips package instead:

    sudo apt-get install teleport-ent-fips

Amazon Linux 2/RHEL 7 (yum):

    # Source variables about OS version
    source /etc/os-release
    # Add the Teleport YUM repository for v14. You'll need to update this
    # file for each major release of Teleport.
    # First, get the major version from $VERSION_ID so this fetches the correct
    # package version.
    VERSION_ID=$(echo $VERSION_ID | grep -Eo "^[0-9]+")
    sudo yum-config-manager --add-repo "$(rpm --eval "https://yum.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/stable/v14/teleport.repo")"
    sudo yum install teleport-ent

    # Tip: Add /usr/local/bin to path used by sudo (so 'sudo tctl users add' will work as per the docs)
    echo "Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin" > /etc/sudoers.d/secure_path

For FedRAMP/FIPS-compliant installations, install the teleport-ent-fips package instead:

    sudo yum install teleport-ent-fips

Amazon Linux 2/RHEL 7 (zypper):

    # Source variables about OS version
    source /etc/os-release
    # Add the Teleport Zypper repository for v14. You'll need to update this
    # file for each major release of Teleport.
    # First, get the OS major version from $VERSION_ID so this fetches the correct
    # package version.
    VERSION_ID=$(echo $VERSION_ID | grep -Eo "^[0-9]+")
    # Use zypper to add the teleport RPM repo
    sudo zypper addrepo --refresh --repo $(rpm --eval "https://zypper.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/stable/cloud/teleport-zypper.repo")
    sudo yum install teleport-ent

    # Tip: Add /usr/local/bin to path used by sudo (so 'sudo tctl users add' will work as per the docs)
    echo "Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin" > /etc/sudoers.d/secure_path

For FedRAMP/FIPS-compliant installations, install the teleport-ent-fips package instead:

    sudo yum install teleport-ent-fips

Amazon Linux 2023/RHEL 8+ (dnf):

    # Source variables about OS version
    source /etc/os-release
    # Add the Teleport YUM repository for v14. You'll need to update this
    # file for each major release of Teleport.
    # First, get the major version from $VERSION_ID so this fetches the correct
    # package version.
    VERSION_ID=$(echo $VERSION_ID | grep -Eo "^[0-9]+")
    # Use the dnf config manager plugin to add the teleport RPM repo
    sudo dnf config-manager --add-repo "$(rpm --eval "https://yum.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/stable/v14/teleport.repo")"

    # Install teleport
    sudo dnf install teleport-ent

    # Tip: Add /usr/local/bin to path used by sudo (so 'sudo tctl users add' will work as per the docs)
    echo "Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin" > /etc/sudoers.d/secure_path

For FedRAMP/FIPS-compliant installations, install the teleport-ent-fips package instead:

    sudo dnf install teleport-ent-fips

SLES 12 SP5+ and 15 SP5+ (zypper):

    # Source variables about OS version
    source /etc/os-release
    # Add the Teleport Zypper repository.
    # First, get the OS major version from $VERSION_ID so this fetches the correct
    # package version.
    VERSION_ID=$(echo $VERSION_ID | grep -Eo "^[0-9]+")
    # Use Zypper to add the teleport RPM repo
    sudo zypper addrepo --refresh --repo $(rpm --eval "https://zypper.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/stable/v14/teleport-zypper.repo")

    # Install teleport
    sudo zypper install teleport-ent

For FedRAMP/FIPS-compliant installations, install the teleport-ent-fips package instead:

    sudo zypper install teleport-ent-fips

Tarball:

In the example commands below, update $SYSTEM_ARCH with the appropriate value (amd64, arm64, or arm).
    curl https://get.gravitational.com/teleport-ent-v14.1.1-linux-$SYSTEM_ARCH-bin.tar.gz.sha256
    # <checksum> <filename>
    curl -O https://cdn.teleport.dev/teleport-ent-v14.1.1-linux-$SYSTEM_ARCH-bin.tar.gz
    shasum -a 256 teleport-ent-v14.1.1-linux-$SYSTEM_ARCH-bin.tar.gz
    # Verify that the checksums match
    tar -xvf teleport-ent-v14.1.1-linux-$SYSTEM_ARCH-bin.tar.gz
    cd teleport-ent
    sudo ./install

For FedRAMP/FIPS-compliant installations of Teleport Enterprise, package URLs will be slightly different:

    curl https://get.gravitational.com/teleport-ent-v14.1.1-linux-$SYSTEM_ARCH-fips-bin.tar.gz.sha256
    # <checksum> <filename>
    curl -O https://cdn.teleport.dev/teleport-ent-v14.1.1-linux-$SYSTEM_ARCH-fips-bin.tar.gz
    shasum -a 256 teleport-ent-v14.1.1-linux-$SYSTEM_ARCH-fips-bin.tar.gz
    # Verify that the checksums match
    tar -xvf teleport-ent-v14.1.1-linux-$SYSTEM_ARCH-fips-bin.tar.gz
    cd teleport-ent
    sudo ./install

OS REPOSITORY CHANNELS

The following channels are available for APT, YUM, and Zypper repos. They may be used in place of stable/v14 anywhere in the Teleport documentation.

| Channel name | Description |
|---|---|
| stable/<major> | Receives releases for the specified major release line, i.e. v14 |
| stable/cloud | Rolling channel that receives releases compatible with current Cloud version |
| stable/rolling | Rolling channel that receives all published Teleport releases |

Teleport Enterprise Cloud

* Debian 9+/Ubuntu 16.04+ (apt)
* Amazon Linux 2/RHEL 7/CentOS 7 (yum)
* Amazon Linux 2023/RHEL 8+ (dnf)
* SLES 12 SP5+ and 15 SP5+ (zypper)

Add the Teleport repository to your repository list:

Debian 9+/Ubuntu 16.04+ (apt):

    # Download Teleport's PGP public key
    sudo curl https://apt.releases.teleport.dev/gpg \
      -o /usr/share/keyrings/teleport-archive-keyring.asc
    # Source variables about OS version
    source /etc/os-release
    # Add the Teleport APT repository for cloud.
    echo "deb [signed-by=/usr/share/keyrings/teleport-archive-keyring.asc] \
    https://apt.releases.teleport.dev/${ID?} ${VERSION_CODENAME?} stable/cloud" \
    | sudo tee /etc/apt/sources.list.d/teleport.list > /dev/null

    sudo apt-get update
    sudo apt-get install teleport-ent-updater

Amazon Linux 2/RHEL 7/CentOS 7 (yum):

    # Source variables about OS version
    source /etc/os-release
    # Add the Teleport YUM repository for cloud.
    # First, get the OS major version from $VERSION_ID so this fetches the correct
    # package version.
    VERSION_ID=$(echo $VERSION_ID | grep -Eo "^[0-9]+")
    sudo yum-config-manager --add-repo "$(rpm --eval "https://yum.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/stable/cloud/teleport-yum.repo")"
    sudo yum install teleport-ent-updater

    # Tip: Add /usr/local/bin to path used by sudo (so 'sudo tctl users add' will work as per the docs)
    echo "Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin" > /etc/sudoers.d/secure_path

Amazon Linux 2023/RHEL 8+ (dnf):

    # Source variables about OS version
    source /etc/os-release
    # Add the Teleport YUM repository for cloud.
    # First, get the OS major version from $VERSION_ID so this fetches the correct
    # package version.
    VERSION_ID=$(echo $VERSION_ID | grep -Eo "^[0-9]+")
    # Use the dnf config manager plugin to add the teleport RPM repo
    sudo dnf config-manager --add-repo "$(rpm --eval "https://yum.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/stable/cloud/teleport-yum.repo")"

    # Install teleport
    sudo dnf install teleport-ent-updater

    # Tip: Add /usr/local/bin to path used by sudo (so 'sudo tctl users add' will work as per the docs)
    echo "Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin" > /etc/sudoers.d/secure_path

SLES 12 SP5+ and 15 SP5+ (zypper):

    # Source variables about OS version
    source /etc/os-release
    # Add the Teleport Zypper repository for cloud.
    # First, get the OS major version from $VERSION_ID so this fetches the correct
    # package version.
    VERSION_ID=$(echo $VERSION_ID | grep -Eo "^[0-9]+")
    # Use Zypper to add the teleport RPM repo
    sudo zypper addrepo --refresh --repo $(rpm --eval "https://zypper.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/stable/cloud/teleport-zypper.repo")

    # Install teleport
    sudo zypper install teleport-ent-updater

OS REPOSITORY CHANNELS

The following channels are available for APT, YUM, and Zypper repos. They may be used in place of stable/v14 anywhere in the Teleport documentation.

| Channel name | Description |
|---|---|
| stable/<major> | Receives releases for the specified major release line, i.e. v14 |
| stable/cloud | Rolling channel that receives releases compatible with current Cloud version |
| stable/rolling | Rolling channel that receives all published Teleport releases |

Is my Teleport instance compatible with Teleport Enterprise Cloud?

Before installing a teleport binary with a version besides v13, read our compatibility rules to ensure that the binary is compatible with Teleport Enterprise Cloud.

When running multiple teleport binaries within a cluster, the following rules apply:

* Patch and minor versions are always compatible, for example, any 8.0.1 component will work with any 8.0.3 component and any 8.1.0 component will work with any 8.3.0 component.
* Servers support clients that are 1 major version behind, but do not support clients that are on a newer major version. For example, an 8.x.x Proxy Service is compatible with 7.x.x resource services and 7.x.x tsh, but we don't guarantee that a 9.x.x resource service will work with an 8.x.x Proxy Service. This also means you must not attempt to upgrade from 6.x.x straight to 8.x.x. You must upgrade to 7.x.x first.
* Proxy Services and resource services do not support Auth Services that are on an older major version, and will fail to connect to older Auth Services by default. This behavior can be overridden by passing --skip-version-check when starting Proxy Services and resource services.
* Teleport Community Edition
* Teleport Enterprise Cloud

Using APT or YUM for versions prior to Teleport 10?

If you've previously installed Teleport via the APT repo at https://deb.releases.teleport.dev/, you can upgrade by re-running the "Debian/Ubuntu (DEB)" install instructions above. We will also continue to maintain the legacy APT repo at https://deb.releases.teleport.dev/ for the foreseeable future.

Check the Downloads page for the most up-to-date information.

Check the Cloud Downloads page for the most up-to-date information on obtaining Teleport binaries compatible with Teleport Cloud.

DOCKER IMAGES

We provide a pre-built Docker image for every version of Teleport. This section describes the available Docker images.

These images are hosted on Amazon ECR Public.

IMAGE SUFFIXES

For each of the image names listed in this section, you can specify attributes of the image by appending a suffix to the repository name or tag.

Images with the -distroless suffix within the repository name include only the teleport binary and its runtime dependencies, with no shell or utility applications. An example is public.ecr.aws/gravitational/teleport-distroless for Teleport Community Edition.

Images with the *-distroless-debug suffix within the repository name include a Busybox shell and tool suite in addition to Teleport, and are intended for troubleshooting deployments only. They are not intended for production use. An example is public.ecr.aws/gravitational/teleport-distroless-debug.

You can specify the architecture of an image by appending a suffix to its tag. We support the following architecture suffixes: amd64, arm, and arm64. For example, if you want to pull the ARM64 image for public.ecr.aws/gravitational/teleport, you can use public.ecr.aws/gravitational/teleport:14.1.1-arm64.

*-distroless and *-distroless-debug images support multiple architectures natively, and do not require (or support) image suffixes.
You can specify an architecture using the --platform flag of docker pull to pull the arm, arm64 or amd64 version of an image.

VERSION TAGS

Images point to a static version of Teleport. Use the image's tag to specify either:

* The major, minor, and patch version (e.g., 14.1.1 for the latest version of Teleport Community Edition).
* The major version only, which implies the latest minor and patch numbers for that major version. For example, 14 implies 14.1.1.

Teleport Team/Community Edition:

| Image name | Troubleshooting Tools? | Image base |
|---|---|---|
| public.ecr.aws/gravitational/teleport-distroless:14.1.1 | No | Distroless Debian 11 |
| public.ecr.aws/gravitational/teleport-distroless-debug:14.1.1 | Yes | Distroless Debian 11 |

For testing, we always recommend that you use the latest released version of Teleport, which is currently public.ecr.aws/gravitational/teleport-distroless:14.1.1.

Ubuntu 20.04-based images are available from our Legacy Amazon ECR Public repository. Their use is considered deprecated, and they may be removed in future releases.

Teleport Enterprise Cloud/Enterprise:

| Image name | Includes troubleshooting tools | Image base |
|---|---|---|
| public.ecr.aws/gravitational/teleport-ent-distroless:14.1.1 | No | Distroless Debian 11 |
| public.ecr.aws/gravitational/teleport-ent-distroless-debug:14.1.1 | Yes | Distroless Debian 11 |

We also provide the following images for FIPS builds of Teleport Enterprise:

| Image name | Includes troubleshooting tools | Image base |
|---|---|---|
| public.ecr.aws/gravitational/teleport-ent-fips-distroless:14.1.1 | No | Distroless Debian 12 |
| public.ecr.aws/gravitational/teleport-ent-fips-distroless-debug:14.1.1 | Yes | Distroless Debian 12 |

For testing, we always recommend that you use the latest release version of Teleport Enterprise, which is currently public.ecr.aws/gravitational/teleport-ent-distroless:14.1.1.

Ubuntu 20.04-based images for non-FIPS Teleport are available from our Legacy Amazon ECR Public repository.
RUNNING TELEPORT ON DOCKER

When running a container from one of the images listed above, consider the container equivalent to running the teleport binary. The Teleport container requires access to a file system and network ports.

CONFIGURATION

Teleport processes read their configuration from a local file path, which is /etc/teleport.yaml by default. Make sure this file path is mounted to your Teleport container.

DATA DIRECTORY

All Teleport processes read from and write to a data directory, which by default is /var/lib/teleport. Make sure the data directory is mounted to your Teleport container.

LICENSE FILE

If your Teleport Enterprise container runs the Auth Service, you will need to give it access to a license file at the path named in the configuration, which is /var/lib/teleport/license.pem by default. Make sure a license exists at this location in the Teleport container's data directory.

OTHER FILE PATHS

Depending on the configuration settings you assign on your Teleport container, you will need to make sure that any file paths you name are mounted on the container.

For example, if you are running the Teleport Proxy Service on a container, you need to mount the directory containing TLS credentials to your Teleport container, then assign the following fields in the container's configuration file to the appropriate paths:

    proxy_service:
      https_keypairs:
      - key_file: /my/path/key.pem
        cert_file: /my/path/cert.pem

See the Teleport Configuration Reference for whether a field you would like to assign requires a file path.

PORTS

A single Teleport process can run multiple services, each of which listens on a specific set of ports depending on your configuration. See our Networking Reference for the ports on your Teleport container to expose.

EXTRACTING CERTIFICATES FROM DISTROLESS IMAGES

Extracting certificates created with tctl auth sign from a container running a distroless image can be tricky due to the absence of a shell and other OS tools.
Where possible you should log into the Teleport cluster using tsh and use tctl auth sign locally to generate certificates. This way the action will be logged against your Teleport user and be subject to all of the usual Teleport RBAC policies in your cluster.

If this is not possible, use tctl auth sign --tar to collect all the files generated by tctl auth sign into a tar archive, which is streamed directly to stdout. The resulting certificates are never stored on the container filesystem. You can either pipe this output directly to tar, or redirect it to a local file for later use.

For example:

    docker exec ${TELEPORT_CONTAINER} \
      tctl auth sign --user alice --format tls -o alice.local --tar | tar xv
    # x alice.local.crt
    # x alice.local.key
    # x alice.local.cas

EXAMPLE OF RUNNING A TELEPORT CONTAINER

In this example, we will show you how to run the Teleport Auth and Proxy Services on a local Docker container using Teleport Community Edition.

Since this container uses a self-signed certificate, we do not recommend using this configuration to protect any infrastructure outside your workstation. You can, however, join other local Docker containers to it using the token method.

First, create directories in your home directory to mount to the container. The Teleport container will write its configuration and data to these directories:

    mkdir -p ~/teleport/config ~/teleport/data

Run teleport configure from the Teleport container to generate a configuration file.
This sets the container's name to localhost so your browser can trust the Proxy Service's self-signed TLS certificate:

    docker run --hostname localhost --rm \
      --entrypoint=/usr/local/bin/teleport \
      public.ecr.aws/gravitational/teleport-distroless:14.1.1 configure --roles=proxy,auth > ~/teleport/config/teleport.yaml

Start Teleport on your container:

    docker run --hostname localhost --name teleport \
      -v ~/teleport/config:/etc/teleport \
      -v ~/teleport/data:/var/lib/teleport \
      -p 3025:3025 -p 3080:3080 \
      public.ecr.aws/gravitational/teleport-distroless:14.1.1

From there, open another terminal and make sure your Teleport container's web API is functioning as intended:

    curl --insecure https://localhost:3080/webapi/ping

You should see JSON output similar to the following:

    {
      "auth": {
        "type": "local",
        "second_factor": "otp",
        "preferred_local_mfa": "otp",
        "local": {
          "name": ""
        },
        "private_key_policy": "none",
        "device_trust_disabled": true,
        "has_motd": false
      },
      "proxy": {
        "kube": {
          "enabled": true,
          "listen_addr": "0.0.0.0:3080"
        },
        "ssh": {
          "listen_addr": "0.0.0.0:3080",
          "tunnel_listen_addr": "0.0.0.0:3080",
          "web_listen_addr": "0.0.0.0:3080"
        },
        "db": {
          "postgres_listen_addr": "0.0.0.0:3080",
          "mysql_listen_addr": "0.0.0.0:3080"
        },
        "tls_routing_enabled": true
      },
      "server_version": "12.1.5",
      "min_client_version": "11.0.0",
      "cluster_name": "localhost",
      "automatic_upgrades": false
    }

We are using the --insecure flag to trust Teleport's self-signed certificate. In production, you will want to provision TLS credentials to the Proxy Service from a trusted CA, e.g., Let's Encrypt.

AMAZON EC2

We provide pre-built amd64 Amazon Linux 2023 based EC2 AMIs with Teleport pre-installed.

These images are primarily intended for deploying a Teleport cluster using our reference Terraform code.

See the AWS Single-Instance Deployment and the Running Teleport Enterprise in High Availability mode on AWS using Terraform guide for detailed usage examples.
In order to use these AMIs outside of the reference Terraform, you can configure the Teleport installation by setting configuration variables in the /etc/teleport.d/conf file on the EC2 instance. See the Starter Cluster Configuration Template for a list of the available configuration options.

The image names all include the build timestamp (shown as $TIMESTAMP in the table below), and are tagged for easier searching.

| Image name | Edition | FIPS support | AMI Tags | Owner Account ID |
|---|---|---|---|---|
| teleport-oss-14.1.1-$TIMESTAMP | OSS | No | TeleportVersion: 14.1.1, TeleportEdition: oss, TeleportFipsEnabled: false | 146628656107 |
| teleport-ent-14.1.1-$TIMESTAMP | Enterprise | No | TeleportVersion: 14.1.1, TeleportEdition: ent, TeleportFipsEnabled: false | 146628656107 |
| teleport-oss-14.1.1-fips-$TIMESTAMP | Enterprise | Yes | TeleportVersion: 14.1.1, TeleportEdition: ent, TeleportFipsEnabled: true | 146628656107 |

All images are based on Amazon Linux 2023 and have been hardened using the Amazon EC2 ImageBuilder STIG hardening component.

Teleport AMIs are automatically published to all non-opt-in AWS regions.

HELM

To allow Helm to install charts that are hosted in the Teleport Helm repository, use helm repo add:

    helm repo add teleport https://charts.releases.teleport.dev

To update the cache of charts from the remote repository, run helm repo update:

    helm repo update

There are two charts available to install. Please see our guide for using each chart.
| Chart | Included Services | Values Reference |
|---|---|---|
| teleport-cluster | Auth Service, Proxy Service, Other Teleport services if using a custom configuration | Reference |
| teleport-kube-agent | Kubernetes Service, Application Service, Database Service | Reference |

MACOS

Teleport Edition:

* Community/Team
* Enterprise
* Enterprise Cloud

Community/Team

* Teleport package
* Homebrew

Teleport package:

You can download one of the following .pkg installers for macOS:

| Link | Binaries |
|---|---|
| teleport-14.1.1.pkg | teleport tctl tsh tbot |
| tsh-14.1.1.pkg | tsh |

You can also fetch an installer via the command line:

    curl -O https://cdn.teleport.dev/teleport-14.1.1.pkg
    # Installs on Macintosh HD
    sudo installer -pkg teleport-14.1.1.pkg -target /
    # Password:
    # installer: Package name is teleport-14.1.1
    # installer: Upgrading at base path /
    # installer: The upgrade was successful.
    which teleport
    # /usr/local/bin/teleport

Homebrew:

The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security.

WARNINGS

We recommend the use of our official Teleport packages. Binaries provided by Homebrew are not signed by Teleport, so features that require signed and notarized binaries (TouchID, Device Trust) are not available in Homebrew builds.

The tctl release available on Homebrew is the open source edition, and cannot manage configuration resources unique to Teleport Enterprise and Teleport Enterprise Cloud (e.g., OIDC and SAML connectors). For Teleport Enterprise and Enterprise Cloud, we recommend installing the official Teleport Enterprise edition of tctl.

INSTALLING TELEPORT WITH HOMEBREW

To install Teleport with Homebrew, run the following command:

    brew install teleport

If you choose to use Homebrew, you must verify that the versions of tsh and tctl you run on your local machine are compatible with the versions you run on your infrastructure. Homebrew usually ships the latest release of Teleport, which may be incompatible with older versions. See our compatibility policy for details.
To verify versions, log in to your cluster and compare the output of tctl status against tsh version and tctl version.

You can download one of the following .pkg installers for macOS:

Link | Binaries
teleport-ent-14.1.1.pkg | teleport, tctl, tsh, tbot
tsh-14.1.1.pkg | tsh

You can also fetch an installer from the command line:

    curl -O https://cdn.teleport.dev/teleport-ent-14.1.1.pkg
    # Install on Macintosh HD
    sudo installer -pkg teleport-ent-14.1.1.pkg -target /
    Password:
    installer: Package name is teleport-ent-14.1.1
    installer: Upgrading at base path /
    installer: The upgrade was successful.
    which teleport
    /usr/local/bin/teleport

You can download one of the following .pkg installers for macOS:

Link | Binaries
teleport-ent-13.4.3.pkg | teleport, tctl, tsh, tbot
tsh-13.4.3.pkg | tsh

You can also fetch an installer from the command line:

    curl -O https://cdn.teleport.dev/teleport-ent-13.4.3.pkg
    # Install on Macintosh HD
    sudo installer -pkg teleport-ent-13.4.3.pkg -target /
    Password:
    installer: Package name is teleport-ent-13.4.3
    installer: Upgrading at base path /
    installer: The upgrade was successful.
    which teleport
    /usr/local/bin/teleport

WINDOWS (TSH CLIENT ONLY)

Most tsh features are supported for Windows 10 1607+. The tsh ssh command can be run under cmd.exe, PowerShell, and Windows Terminal.
To install tsh on Windows, run the following commands in PowerShell (these commands will not work in cmd.exe):

Teleport Edition: Teleport Community Edition, Teleport Team, Teleport Enterprise, Teleport Enterprise Cloud

    # Set the TLS level to TLS 1.2 (required on Windows Server 2016 and lower)
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    # Get the expected checksum for the Windows tsh package
    $Resp = Invoke-WebRequest https://get.gravitational.com/teleport-v14.1.1-windows-amd64-bin.zip.sha256
    # PowerShell will return the binary representation of the response content
    # by default, so you need to convert it to a string
    [System.Text.Encoding]::UTF8.getstring($Resp.Content)
    <checksum> <filename>
    Invoke-WebRequest -OutFile teleport-v14.1.1-windows-amd64-bin.zip -Uri https://cdn.teleport.dev/teleport-v14.1.1-windows-amd64-bin.zip
    certUtil -hashfile teleport-v14.1.1-windows-amd64-bin.zip SHA256
    SHA256 hash of teleport-v14.1.1-windows-amd64-bin.zip:
    <checksum>
    CertUtil: -hashfile command completed successfully.

After you have verified that the checksums match, you can extract the archive. The executable will be available at teleport-v14.1.1-windows-amd64-bin\teleport\tsh.exe.

    Expand-Archive teleport-v14.1.1-windows-amd64-bin.zip
    cd teleport-v14.1.1-windows-amd64-bin\teleport
    .\tsh.exe version
    Teleport v14.1.1 git:v{{ .version }} go1.21

Make sure to move tsh.exe into your PATH.
    # Set the TLS level to TLS 1.2 (required on Windows Server 2016 and lower)
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    # Get the expected checksum for the Windows tsh package
    $Resp = Invoke-WebRequest https://get.gravitational.com/teleport-v13.4.3-windows-amd64-bin.zip.sha256
    # PowerShell will return the binary representation of the response content
    # by default, so you need to convert it to a string
    [System.Text.Encoding]::UTF8.getstring($Resp.Content)
    <checksum> <filename>
    Invoke-WebRequest -OutFile teleport-v13.4.3-windows-amd64-bin.zip -Uri https://cdn.teleport.dev/teleport-v13.4.3-windows-amd64-bin.zip
    certUtil -hashfile teleport-v13.4.3-windows-amd64-bin.zip SHA256
    SHA256 hash of teleport-v13.4.3-windows-amd64-bin.zip:
    <checksum>
    CertUtil: -hashfile command completed successfully.

After you have verified that the checksums match, you can extract the archive. The executable will be available at teleport-v13.4.3-windows-amd64-bin\teleport\tsh.exe.

    Expand-Archive teleport-v13.4.3-windows-amd64-bin.zip
    cd teleport-v13.4.3-windows-amd64-bin\teleport
    .\tsh.exe version
    Teleport v13.4.3 git:v{{ .version }} go1.21

Make sure to move tsh.exe into your PATH.

BUILDING FROM SOURCE

Teleport is written in Go, and currently requires go v1.21 or newer. Detailed instructions for building from source are available in the README.

CHECKSUMS

If you want to verify the integrity of a Teleport binary, SHA256 checksums are available for all downloads on our downloads page.

If you download Teleport via an automated system, you can programmatically obtain the checksum by adding .sha256 to the download link. This is the method shown in the installation examples.
    export version=v14.1.1
    # 'darwin' 'linux' or 'windows'
    export os=linux
    # '386' 'arm' on linux or 'amd64' for all distros
    export arch=amd64
    curl https://get.gravitational.com/teleport-$version-$os-$arch-bin.tar.gz.sha256
    <checksum> <filename>

UNINSTALLING TELEPORT

If you wish to uninstall Teleport at any time, see our documentation on Uninstalling Teleport.

NEXT STEPS

Now that you know how to install Teleport, you can enable access to all of your infrastructure. Get started with:

 * Server Access
 * Kubernetes Access
 * Database Access
 * Application Access
 * Desktop Access
 * Machine ID