Categorygithub.com/gravitational/teleport
modulepackage
18.0.0-dev.vnet-windows.4+incompatible
Repository: https://github.com/gravitational/teleport.git
Documentation: pkg.go.dev
Overview
Versions
17
Dependencies
6
Dependents
3k
Files
1.3k SLOC

# README

Teleport provides connectivity, authentication, access controls and audit for infrastructure.

Here is why you might use Teleport:

  • Set up SSO for all of your cloud infrastructure [1].
  • Protect access to cloud and on-prem services using mTLS endpoints and short-lived certificates.
  • Establish tunnels to access services behind NATs and firewalls.
  • Provide an audit log with session recording and replay for various protocols.
  • Unify Role-Based Access Control (RBAC) and enforce the principle of least privilege with access requests.

[1] The open source version supports only GitHub SSO.

Teleport works with SSH, Kubernetes, databases, RDP, and web services.


Table of Contents

  1. Introduction
  2. Installing and Running
  3. Docker
  4. Building Teleport
  5. Why Did We Build Teleport?
  6. More Information
  7. Support and Contributing
  8. Is Teleport Secure and Production Ready?
  9. Who Built Teleport?
  10. License

Introduction

Teleport includes an identity-aware access proxy, a CA that issues short-lived certificates, a unified access control system and a tunneling system to access resources behind the firewall.

We have implemented Teleport as a single Go binary that integrates with multiple protocols and cloud services:

You can set up Teleport as a Linux daemon or a Kubernetes deployment.

Teleport focuses on best practices for infrastructure security:

  • No need to manage shared secrets such as SSH keys or Kubernetes tokens: it uses certificate-based auth with certificate expiration for all protocols.
  • Two-factor authentication (2FA) for everything.
  • Collaboratively troubleshoot issues through session sharing.
  • Single sign-on (SSO) for everything via GitHub Auth, OpenID Connect, or SAML with endpoints like Okta or Microsoft Entra ID.
  • Infrastructure introspection: Use Teleport via the CLI or Web UI to view the status of every SSH node, database instance, Kubernetes cluster, or internal web app.

Teleport uses Go crypto. It is fully compatible with OpenSSH, sshd servers, and ssh clients, Kubernetes clusters and more.

Project LinksDescription
Teleport WebsiteThe official website of the project.
DocumentationAdmin guide, user manual and more.
BlogOur blog where we publish Teleport news.
ForumAsk us a setup question, post your tutorial, feedback, or idea on our forum.
SlackNeed help with your setup? Ping us in our Slack channel.
Cloud-hostedWe offer Enterprise with a Cloud-hosted option. For teams that require easy and secure access to their computing environments.

Installing and Running

To set up a single-instance Teleport cluster, follow our getting started guide. You can then register your servers, Kubernetes clusters, and other infrastructure with your Teleport cluster.

You can also get started with Teleport Enterprise Cloud, a managed Teleport deployment that makes it easier to enable secure access to your infrastructure.

Sign up for a free trial of Teleport Enterprise Cloud.

Follow our guide to registering your first server with Teleport Enterprise Cloud.

Docker

Deploy Teleport

If you wish to deploy Teleport inside a Docker container see the installation guide.

For Local Testing and Development

To run a full test suite locally, see the test dependencies list

Building Teleport

The teleport repository contains the Teleport daemon binary (written in Go) and a web UI written in TypeScript.

If your intention is to build and deploy for use in a production infrastructure a released tag should be used. The default branch, master, is the current development branch for an upcoming major version. Get the latest release tags listed at https://goteleport.com/download/ and then use that tag in the git clone. For example git clone https://github.com/gravitational/teleport.git -b v16.0.0 gets release v16.0.0.

Dockerized Build

It is often easiest to build with Docker, which ensures that all required tooling is available for the build. To execute a dockerized build, ensure that docker is installed and running, and execute:

make -C build.assets build-binaries

Local Build

Dependencies

Ensure you have installed correct versions of necessary dependencies:

  • Go version from go.mod
  • If you wish to build the Rust-powered features like Desktop Access, see the Rust and Cargo versions in build.assets/Makefile (search for RUST_VERSION)
  • For tsh version > 10.x with FIDO2 support, you will need libfido2 and pkg-config installed locally
  • To build the web UI:
    • pnpm. If you have Node.js installed, run corepack enable pnpm to make pnpm available.
    • If you prefer not to install/use pnpm, but have docker available, you can run make docker-ui instead.
    • The Rust and Cargo version in build.assets/Makefile (search for RUST_VERSION) are required.
    • The wasm-pack version in build.assets/Makefile (search for WASM_PACK_VERSION) is required.
    • binaryen (which contains wasm-opt) is required to be installed manually on linux aarch64 (64-bit ARM). You can check if it's already installed on your system by running which wasm-opt. If not you can install it like apt-get install binaryen (for Debian-based Linux). wasm-pack will install this automatically on other platforms.

For an example of Dev Environment setup on a Mac, see these instructions.

Perform a build

Important

  • The Go compiler is somewhat sensitive to the amount of memory: you will need at least 1GB of virtual memory to compile Teleport. A 512MB instance without swap will not work.
  • This will build the latest version of Teleport, regardless of whether it is stable. If you want to build the latest stable release, run git checkout and git submodule update --recursive to the corresponding tag (for example,
  • run git checkout v8.0.0) before performing a build.

Get the source

git clone https://github.com/gravitational/teleport.git
cd teleport

To perform a build

make full

tsh dynamically links against libfido2 by default, to support development environments, as long as the library itself can be found:

$ brew install libfido2 pkg-config  # Replace with your package manager of choice

$ make build/tsh
> libfido2 found, setting FIDO2=dynamic
> (...)

Release binaries are linked statically against libfido2. You may switch the linking mode using the FIDO2 variable:

make build/tsh FIDO2=dynamic # dynamic linking
make build/tsh FIDO2=static  # static linking, for an easy setup use `make enter`
                             # or `build.assets/macos/build-fido2-macos.sh`.
make build/tsh FIDO2=off     # doesn't link libfido2 in any way

tsh builds with Touch ID support require access to an Apple Developer account. If you are a Teleport maintainer, ask the team for access.

Build output and run locally

If the build succeeds, the installer will place the binaries in the build directory.

Before starting, create default data directories:

sudo mkdir -p -m0700 /var/lib/teleport
sudo chown $USER /var/lib/teleport

Running Teleport in a hot reload mode

To speed up your development process, you can run Teleport using CompileDaemon. This will build and run the Teleport binary, and then rebuild and restart it whenever any Go source files change.

  1. Install CompileDaemon:

    go install github.com/githubnemo/CompileDaemon@latest

    Note that we use go install instead of the suggested go get, because we don't want CompileDaemon to become a dependency of the project.

  2. Build and run the Teleport binary:

    make teleport-hot-reload

    By default, this runs a teleport start command. If you want to customize the command, for example by providing a custom config file location, you can use the TELEPORT_ARGS parameter:

    make teleport-hot-reload TELEPORT_ARGS='start --config=/path/to/config.yaml'

Note that you still need to run make grpc if you modify any Protocol Buffers files to regenerate the generated Go sources; regenerating these sources should in turn cause the CompileDaemon to rebuild and restart Teleport.

Web UI

The Teleport Web UI resides in the web directory.

Rebuilding Web UI for development

To rebuild the Teleport UI package, run the following command:

make docker-ui

Then you can replace Teleport Web UI files with the files from the newly-generated /dist folder.

To enable speedy iterations on the Web UI, you can run a local web-dev server.

You can also tell Teleport to load the Web UI assets from the source directory. To enable this behavior, set the environment variable DEBUG=1 and rebuild with the default target:

# Run Teleport as a single-node cluster in development mode:
DEBUG=1 ./build/teleport start -d

Keep the server running in this mode, and make your UI changes in /dist directory. For instructions about how to update the Web UI, read the web README.

Managing dependencies

All dependencies are managed using Go modules. Here are the instructions for some common tasks:

Add a new dependency

Latest version:

go get github.com/new/dependency

and update the source to use this dependency.

To get a specific version, use go get github.com/new/dependency@version instead.

Set dependency to a specific version

go get github.com/new/dependency@version

Update dependency to the latest version

go get -u github.com/new/dependency

Update all dependencies

go get -u all

Debugging dependencies

Why is a specific package imported?

go mod why $pkgname

Why is a specific module imported?

go mod why -m $modname

Why is a specific version of a module imported?

go mod graph | grep $modname

Devbox Build (experimental)

Note: Devbox support is still experimental. It's very possible things may not work as intended.

Teleport can be built using devbox. To use devbox, follow the instructions to install devbox here and then run:

devbox shell

This will install Teleport's various build dependencies and drop you into a shell with these dependencies. From here, you can build Teleport normally.

flake.nix

A nix flake is located in build.assets/flake that allows for installation of Teleport's less common build tooling. If this flake is updated, run:

devbox install

in order to make sure the changes in the flake are reflected in the local devbox shell.

Why did We Build Teleport?

The Teleport creators used to work together at Rackspace. We noticed that most cloud computing users struggle with setting up and configuring infrastructure security because popular tools, while flexible, are complex to understand and expensive to maintain. Additionally, most organizations use multiple infrastructure form factors such as several cloud providers, multiple cloud accounts, servers in colocation, and even smart devices. Some of those devices run on untrusted networks, behind third-party firewalls. This only magnifies complexity and increases operational overhead.

We had a choice, either start a security consulting business or build a solution that's dead-easy to use and understand. A real-time representation of all of your servers in the same room as you, as if they were magically teleported. Thus, Teleport was born!

More Information

Support and Contributing

We offer a few different options for support. First of all, we try to provide clear and comprehensive documentation. The docs are also in GitHub, so feel free to create a PR or file an issue if you have ideas for improvements. If you still have questions after reviewing our docs, you can also:

  • Join Teleport Discussions to ask questions. Our engineers are available there to help you.
  • If you want to contribute to Teleport or file a bug report/issue, you can create an issue here in GitHub.
  • If you are interested in Teleport Enterprise or more responsive support during a POC, we can also create a dedicated Slack channel for you during your POC. You can reach out to us through our website to arrange for a POC.

Is Teleport Secure and Production-Ready?

Yes -- Teleport is production-ready and designed to protect and facilitate access to the most precious and mission-critical applications.

Teleport has completed several security audits from nationally and internationally recognized technology security companies.

We publicize some of our audit results, security philosophy and related information on our trust page.

You can see the list of companies that use Teleport in production on the Teleport product page.

Who Built Teleport?

Teleport was created by Gravitational, Inc.. We have built Teleport by borrowing from our previous experiences at Rackspace. Learn more about Teleport and our history.

License

Teleport is distributed in multiple forms with different licensing implications.

The Teleport API module (all code in this repository under /api) is available under the Apache 2.0 license.

The remainder of the source code in this repository is available under the GNU Affero General Public License. Users compiling Teleport from source must comply with the terms of this license.

Teleport Community Edition builds distributed on http://goteleport.com/download are available under a modified Apache 2.0 license.

# Packages

Code generated by "make version".
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
integration package tests Teleport on a high level creating clusters of servers in memory, connecting them together and connecting to them.
No description provided by the author
No description provided by the author
No description provided by the author

# Functions

Component generates "component:subcomponent1:subcomponent2" strings used in debugging.
NewWebAssetsFilesystem is a no-op in this build mode.

# Constants

ACL is the canned ACL to send to S3.
ADFS is Microsoft Active Directory Federation Services.
AdminRoleName is the name of the default admin role for all local users if another role is not explicitly assigned.
internal application being proxied.
AuthorizedKeys are public keys that check against User CAs.
AWSRunDBTests turns on tests executed against AWS databases directly.
AWSRunTests turns on tests executed against AWS directly.
AZBlobTestURI specifies the storage account URL to use for Azure Blob Storage tests.
BrowserNone is the string used to suppress the opening of a browser in response to 'tsh login' commands.
CancelTCPIPForwardRequest is an SSHRequest to cancel a previous TCPIPForwardRequest.
CertCriticalOptionSourceAddress is a critical option that defines IP addresses (in CIDR notation) from which this certificate is accepted for authentication.
CertExtensionAllowedResources lists the resources which this certificate should be allowed to access.
CertExtensionBotInstanceID indicates the unique identifier of this Machine ID bot instance, if any.
CertExtensionBotName indicates the name of the Machine ID bot this certificate was issued to, if any.
CertExtensionConnectionDiagnosticID contains the ID of the ConnectionDiagnostic.
CertExtensionDeviceAssetTag is the device inventory identifier.
CertExtensionDeviceCredentialID is the identifier for the credential used by the device to authenticate itself.
CertExtensionDeviceID is the trusted device identifier.
CertExtensionDisallowReissue is set when a certificate should not be allowed to request future certificates.
CertExtensionGeneration counts the number of times a certificate has been renewed.
CertExtensionGitHubUserID indicates the GitHub user ID identified by the GitHub connector.
CertExtensionGitHubUsername indicates the GitHub username identified by the GitHub connector.
CertExtensionImpersonator is set when one user has requested certificates for another user.
CertExtensionLoginIP is used to embed the IP of the client that created the certificate.
CertExtensionMFAVerified is used to mark certificates issued after an MFA check.
CertExtensionPermitAgentForwarding allows agent forwarding for certificate.
CertExtensionPermitPortForwarding allows user to request port forwarding.
CertExtensionPermitPTY allows user to request PTY.
CertExtensionPermitX11Forwarding allows X11 forwarding for certificate.
CertExtensionPreviousIdentityExpires is the extension that stores an RFC3339 timestamp representing the expiry time of the identity/cert that this identity/cert was derived from.
CertExtensionPrivateKeyPolicy is used to mark certificates with their supported private key policy.
CertExtensionRenewable is a flag to indicate the certificate may be renewed.
CertExtensionTeleportActiveRequests is used to track which privilege escalation requests were used to construct the certificate.
CertExtensionTeleportRoles is used to propagate teleport roles.
CertExtensionTeleportRouteToCluster is used to encode the target cluster to route to in the certificate.
CertExtensionTeleportTraits is used to propagate traits about the user.
CertificateFormatOldSSH is used to make Teleport interoperate with older versions of OpenSSH.
CertificateFormatUnspecified is used to check if the format was specified or not.
ChanDirectTCPIP is an SSH channel of type "direct-tcpip".
ChanForwardedTCPIP is an SSH channel of type "forwarded-tcpip".
ChanSession is an SSH channel of type "session".
CheckHomeDirSubCommand is the sub-command Teleport uses to re-exec itself to check if the user's home directory exists.
ClusterDetailsReqType is the name of a global request which returns cluster details like if the proxy is recording sessions or not and if FIPS is enabled.
ComponentACME is ACME protocol controller.
ComponentApp is the application proxy service.
ComponentAppProxy is the application handler within the web proxy service.
ComponentAthena represents athena clients.
ComponentAuditLog is audit log component.
ComponentAuth is the cluster CA node (auth server API).
ComponentAuthority is a TLS and an SSH certificate authority.
ComponentBackend is a backend component.
ComponentBPF is the eBPF packagae.
ComponentBuffer is in-memory event circular buffer used to broadcast events to subscribers.
ComponentCache is a cache component.
ComponentCgroup is the cgroup package.
ComponentClient is a client.
ComponentConnectProxy is the HTTP CONNECT proxy used to tunnel connection.
ComponentDatabase is the database proxy service.
ComponentDebug is the debug service, which exposes debugging configuration over a Unix socket.
ComponentDiagnostic is a diagnostic service.
ComponentDiagnosticHealth is the health monitor used by the diagnostic and debug services.
ComponentDiscovery is the Discovery service.
ComponentDynamoDB represents dynamodb clients.
ComponentFields is a fields component.
ComponentFirestore represents firestore clients.
ComponentForwardingGit represents the SSH proxy that forwards Git commands.
ComponentForwardingNode is SSH node (SSH server serving requests).
ComponentGit represents git proxy related services.
ComponentGRPC is gRPC server.
ComponentHostUsers represents host user management.
ComponentInstance is an abstract component common to all services.
ComponentKeepAlive is keep-alive messages sent from clients to servers and vice versa.
ComponentKey is a field that represents a component - e.g.
ComponentKeyAgent is an agent that has loaded the sessions keys and certificates for a user connected to a proxy.
ComponentKeyGen is the public/private keypair generator.
ComponentKeyStore is all sessions keys and certificates a user has on disk for all proxies.
ComponentKube is an Kubernetes API gateway.
ComponentKubeClient is the Kubernetes client.
ComponentLabel is a component label name used in reporting.
ComponentLocalTerm is a terminal on a regular SSH node.
ComponentMemory is a memory backend.
ComponentMetrics is a metrics server.
ComponentMigrate is responsible for data migrations.
ComponentNode is SSH node (SSH server serving requests).
Component pluggable authentication module (PAM).
ComponentProcess is a main control process.
ComponentProxy is SSH proxy (SSH server forwarding connections).
ComponentProxyKube is a kubernetes proxy.
ComponentProxyPeer is the proxy peering component of the proxy service.
ComponentProxySecureGRPC represents a secure gRPC server running on Proxy (used for Kube).
ComponentRBAC is role-based access control.
ComponentRemoteSubsystem is subsystem on a forwarding SSH node.
ComponentRemoteTerm is a terminal on a forwarding SSH node.
ComponentReverseTunnelAgent is reverse tunnel agent that together with server establish a bi-directional SSH revers tunnel to bypass firewall restrictions.
ComponentReverseTunnelServer is reverse tunnel server that together with agent establish a bi-directional SSH revers tunnel to bypass firewall restrictions.
ComponentRolloutController represents the autoupdate_agent_rollout controller.
ComponentSAML is a SAML service provider.
ComponentServer is a server subcomponent of some services.
ComponentSession is an active session.
ComponentSOCKS is a SOCKS5 proxy.
ComponentSubsystemProxy is the proxy subsystem.
ComponentSubsystemSFTP is the SFTP subsystem.
ComponentTBot is the "tbot" binary.
ComponentTCTL is the "tctl" binary.
ComponentTeleport is the "teleport" binary.
ComponentTracing is a tracing exporter.
ComponentTSH is the "tsh" binary.
ComponentTunClient is a tunnel client.
ComponentUnifiedResource is a cache of resources meant to be listed and displayed together in the web UI.
ComponentUpdater represents the teleport-update binary.
ComponentUpload is a session recording upload server.
ComponentUsageReporting is the component responsible for reporting usage metrics.
ComponentVersionControl is the component common to all version control operations.
ComponentWeb is a web server.
ComponentWebProxy is the web handler within the web proxy service.
ComponentWebsocket is websocket server that the web client connects to.
ComponentWindowsDesktop is a Windows desktop access server.
ConnectMyComputerRoleNamePrefix is the prefix used for roles prepared for individual users during the setup of Connect My Computer.
CurrentSessionIDRequest is sent by servers to inform clients of the session ID that is being used.
DataDirParameterName is the name of the data dir configuration parameter passed to all backends during initialization.
DebugLevel is a debug logging level name.
DebugServiceSocketName represents the Unix domain socket name of the debug service.
DefaultTerminalHeight defines the default height of a server-side allocated pseudo TTY.
DefaultTerminalWidth defines the default width of a server-side allocated pseudo TTY.
DirMaskSharedGroup is the mask for a directory accessible by the owner and group.
DisableServerSideEncryption is an optional switch to opt out of SSE in case the provider does not support it.
Endpoint is an optional Host for non-AWS S3.
EnvKubeConfig is environment variable for kubeconfig.
EnvSSHJoinMode is the SSH environment variable that contains the requested participant mode.
EnvSSHSessionDisplayParticipantRequirements is set to true or false to indicate if participant requirement information should be printed.
EnvSSHSessionInvited is an environment variable listing people invited to a session.
EnvSSHSessionReason is a reason attached to started sessions meant to describe their intent.
EnvVarAllowNoSecondFactor is used to allow disabling second factor auth todo(tross): DELETE WHEN ABLE TO.
ExecSubCommand is the sub-command Teleport uses to re-exec itself for command execution (exec and shells).
FileMaskOwnerOnly is the file mask that allows read write access to owers only.
ForceTerminateRequest is an SSH request to forcefully terminate a session.
GCSTestURI turns on GCS tests.
GetHomeDirSubsystem is an SSH subsystem request that Teleport uses to get the home directory of a remote user.
HomeDirNotAccessible is returned when the "teleport checkhomedir" command has found the user's home directory, but the user does NOT have permissions to access it.
HomeDirNotFound is returned when the "teleport checkhomedir" command cannot find the user's home directory.
HostHeader is the name of the Host header.
HTTPNextProtoTLS is the NPN/ALPN protocol negotiated during HTTP/1.1.'s TLS setup.
Insecure is an optional switch to use HTTP instead of HTTPS.
IterationsEnvVar sets tests iterations to run.
JSON means JSON serialization format.
JumpCloud is an identity provider.
KeepAliveReqType is a SSH request type to keep the connection alive.
KnownHosts are public keys that check against Host CAs.
KubeConfigDir is a default directory where k8s stores its user local config.
KubeConfigFile is a default filename where k8s stores its user local config.
KubeLegacyProxySuffix is the suffix used for legacy proxy services when generating their names Server names.
KubeRunTests turns on kubernetes tests.
KubeSessionDisplayParticipantRequirementsQueryParam is the query parameter used to indicate that the client wants to display the participant requirements for the given session.
KubeSessionInvitedQueryParam is the query parameter used to indicate the users to invite to the session.
KubeSessionReasonQueryParam is the query parameter used to indicate the reason for the session request.
KubeSystemAuthenticated is a builtin group that allows any user to access common API methods, e.g.
LinuxAdminGID is the ID of the standard adm group on linux.
LogsDir is a log subdirectory for events and logs.
MaxEnvironmentFileLines is the maximum number of lines in a environment file.
MaxHTTPRequestSize is the maximum accepted size (in bytes) of the body of a received HTTP request.
MaxHTTPResponseSize is the maximum accepted size (in bytes) of the body of a received HTTP response.
MaxLeases serves as an identifying error string indicating that the semaphore system is rejecting an acquisition attempt due to max leases having already been reached.
MaxResourceSize is the maximum size (in bytes) of a serialized resource.
MetricsAccessRequestsCreated provides total number of created access requests.
MetricBackendAtomicWriteConditionFailed measures the amount of atomic write requests that result in condition failure.
MetricBackendAtomicWriteContention counts the amount of times atomic writes experience internal retries due to contention.
MetricBackendAtomicWriteFailedRequests measures failed backend atomic write requests count.
MetricBackendAtomicWriteHistogram measures histogram of backend write latencies.
MetricBackendAtomicWriteRequests measures backend atomic write requests count.
MetricBackendAtomicWriteSize measures the histogram of atomic write batch sizes.
MetricBackendBatchFailedReadRequests measures failed backend batch read requests count.
MetricBackendBatchFailedWriteRequests measures failed batch backend requests count.
MetricBackendBatchReadHistogram measures histogram of backend batch read latencies.
MetricBackendBatchReadRequests measures batch backend read requests count.
MetricBackendBatchWriteHistogram measures histogram of backend batch write latencies.
MetricBackendBatchWriteRequests measures batch backend writes count.
MetricBackendFailedReadRequests measures failed backend read requests count.
MetricBackendReadHistogram measures histogram of backend read latencies.
MetricBackendReadRequests measures backend read requests count.
MetricBackendReads tallies all individual backend reads (this is distinct from backend read requests in that bulk reads count as multiple reads).
MetricBackendRequests measures count of backend requests.
MetricBackendWatcherQueues is a metric with backend watcher queues sizes.
MetricBackendWatchers is a metric with backend watchers.
MetricBackendWriteFailedPreconditionRequests measures the portion of failed backend write requests that failed due to a custom precondition (existence, revision, value, etc).
MetricBackendWriteFailedRequests measures failed backend write requests count.
MetricBackendWriteHistogram measures histogram of backend write latencies.
MetricBackendWriteRequests measures backend write requests count.
MetricBackendWrites tallies all individual backend writes (this is distinct from backend write requests in that bulk writes count as multiple writes).
MetricBuildInfo tracks build information.
MetricCacheEventsReceived tracks the total number of events received by a cache.
MetricCertificateMismatch counts login failures due to certificate mismatch.
MetricClusterNameNotFound counts times a cluster name was not found.
MetricConnectedResources tracks the number and type of resources connected via keepalives.
MetricConnectToNodeAttempts counts ssh attempts.
MetricEnrolledInUpgrades provides total number of instances that advertise an upgrader.
MetricFailedConnectToNodeAttempts counts failed ssh attempts.
MetricFailedLoginAttempts counts failed login attempts.
MetricGenerateRequests counts how many generate server keys requests are issued over time.
MetricGenerateRequestsCurrent measures current in-flight requests.
MetricGenerateRequestsHistogram measures generate requests latency.
MetricGenerateRequestsThrottled measures how many generate requests are throttled.
MetricGoAllocBytes measures allocated memory bytes.
MetricGoGoroutines measures current number of goroutines.
MetricGoHeapAllocBytes measures heap bytes allocated by Go runtime.
MetricGoHeapObjects measures count of heap objects created by Go runtime.
MetricGoInfo provides information about Go runtime version.
MetricGoThreads is amount of system threads used by Go runtime.
MetricHeartbeatConnectionsReceived counts heartbeat connections received by auth.
MetricHeartbeatsMissed counts the nodes that failed to heartbeat.
MetricHostedPluginStatus tracks the current status (as defined by types.PluginStatus) for a plugin instance.
MetricIncompleteSessionUploads returns the number of incomplete session uploads.
MetricLostCommandEvents measures the number of command events that were lost.
MetricLostDiskEvents measures the number of disk events that were lost.
MetricLostNetworkEvents measures the number of network events that were lost.
MetricLostRestrictedEvents measures the number of restricted events that were lost.
MetricMigrations tracks for each migration if it is active or not.
MetricMissingSSHTunnels returns the number of missing SSH tunnels for this proxy.
MetricNamespace defines the teleport prometheus namespace.
MetricParquetlogConsumerBatchCount is a count of number of events in single batch.
MetricParquetlogConsumerBatchPorcessingDuration is a histogram of durations it took to process single batch of events.
MetricParquetlogConsumerBatchSize is a histogram of sizes of single batch of events.
MetricAthenaConsumerCollectFailed is a count of number of errors received from sqs collect.
MetricParquetlogConsumerDeleteEventsDuration is a histogram of durations it took to delete events from SQS.
MetricParquetlogConsumerLastProcessedTimestamp is a timestamp of last finished consumer execution.
MetricParquetlogConsumerOldestProcessedMessage is age of oldest processed message.
MetricParquetlogConsumerS3FlushDuration is a histogram of durations it took to flush and close parquet files on s3.
MetricProcessCPUSecondsTotal measures CPU seconds consumed by process.
MetricProcessMaxFDs shows maximum amount of file descriptors allowed for the process.
MetricProcessOpenFDs shows process open file descriptors.
MetricProcessResidentMemoryBytes measures bytes consumed by process resident memory.
MetricProcessStartTimeSeconds measures process start time.
MetricProxyConnectionLimitHit counts the number of times the proxy connection limit was exceeded.
MetricProxySSHSessions measures sessions in flight on the proxy.
MetricRegisteredServers tracks the number of Teleport servers that have successfully registered with the Teleport cluster and have not reached the end of their ttl.
MetricRegisteredServersByInstallMethods tracks the number of Teleport servers, and their installation method, that have successfully registered with the Teleport cluster and have not reached the end of their ttl.
MetricRemoteClusters measures connected remote clusters.
MetricReverseSSHTunnels defines the number of connected SSH reverse tunnels to the proxy.
MetricServerInteractiveSessions measures interactive sessions in flight.
MetricStaleCacheEventsReceived tracks the number of stale events received by a cache.
MetricState tracks the state of the teleport process.
MetricTeleportServices tracks which services are currently running in the current Teleport Process.
MetricTotalInstances provides an instance count.
MetricTrustedClusters counts trusted clusters.
MetricUpgraderCounts provides instance count per-upgrader.
MetricUsageBatches is a count of batches enqueued for submission.
MetricUsageBatchesFailed is a count of event batches that failed to submit.
MetricUsageBatchesSubmitted is a count of event batches successfully submitted.
MetricUsageBatchSubmissionDuration is a histogram of durations it took to submit a batch.
MetricUsageEventsDropped is a count of events dropped due to the submission buffer reaching a length limit.
MetricUsageEventsRequeued is a count of events that were requeued after a submission failed.
MetricUsageEventsSubmitted is a count of usage events that have been generated.
UserCertificatesCreated provides total number of user certificates generated.
MetricUserLoginCount counts user logins.
MetricUserMaxConcurrentSessionsHit counts number of times a user exceeded their max concurrent ssh connections.
MetricWatcherEventsEmitted counts watcher events that are emitted.
MetricWatcherEventSizes measures the size of watcher events that are emitted.
MFAPresenceRequest is an SSH request to notify clients that MFA presence is required for a session.
MinimumEtcdVersion is the minimum version of etcd supported by Teleport.
Names is for formatting node names in plain text.
NetIQ is an identity provider.
NetworkingSubCommand is the sub-command Teleport uses to re-exec itself for networking operations.
NodeIsAmbiguous serves as an identifying error string indicating that the proxy subsystem found multiple nodes matching the specified hostname.
Off means mode is off.
OIDCAccessTypeOnline indicates that OIDC flow should be performed with Authorization server and user connected online.
OIDCPromptSelectAccount instructs the Authorization Server to prompt the End-User to select a user account.
Okta should be used for Okta OIDC providers.
OktaAccessRoleContext is the context used to name Okta Access role created by Okta access list sync.
OktaReviewerRoleContext is the context used to name Okta Reviewer role created by Okta Access List sync.
On means mode is on.
OpenBrowserDarwin is the command used to open a web browser on macOS/Darwin.
OpenBrowserLinux is the command used to open a web browser on Linux.
OpenBrowserWindows is the command used to open a web browser on Windows.
ParkSubCommand is the sub-command Teleport uses to re-exec itself as a specific UID to prevent the matching user from being deleted before spawning the intended child process.
Ping is the common backend for all Ping Identity-branded identity providers (including PingOne, PingFederate, etc).
PresetAccessRoleName is a name of a preset role that allows accessing cluster resources.
PresetAuditorRoleName is a name of a preset role that allows reading cluster events and playing back session records.
PresetDeviceAdminRoleName is the name of the "device-admin" role.
PresetDeviceEnrollRoleName is the name of the "device-enroll" role.
PresetEditorRoleName is a name of a preset role that allows editing cluster configuration.
PresetGroupAccessRoleName is a name of a preset role that allows access to all user groups.
PresetRequesterRoleName is a name of a preset role that allows for requesting access to resources.
PresetRequireTrustedDeviceRoleName is the name of the "require-trusted-device" role.
PresetReviewerRoleName is a name of a preset role that allows for reviewing access requests.
PresetTerraformProviderRoleName is a name of a default role that allows the Terraform provider to configure all its supported Teleport resources.
PresetWildcardWorkloadIdentityIssuerRoleName is a name of a preset role that includes the permissions necessary to issue workload identity credentials using any workload_identity resource.
The localhost domain, for talking to a proxy or node on the same machine.
The IPv4 loopback address, for talking to a proxy or node on the same machine.
The IPv6 loopback address, for talking to a proxy or node on the same machine.
PrivateDirMode is a mode for private directories.
PTY is a raw PTY session capture format.
Region is AWS region parameter.
RemoteClusterStatusOffline indicates that cluster is considered as offline, since it has missed a series of heartbeats.
RemoteClusterStatusOnline indicates that cluster is sending heartbeats at expected interval.
RemoteCommandFailure is returned when a command has failed to execute and we don't have another status code for it.
RemoteCommandSuccess is returned when a command has successfully executed.
S3UseVirtualStyleAddressing is an optional switch to use use a virtual-hosted–style URI.
SafeTerminalType is the fall-back TTY type to fall back to (when $TERM is not defined).
SchemeAZBlob is the Azure Blob Storage scheme, used as the scheme in the session storage URI to identify a storage account accessed over https.
SchemeAZBlobHTTP is the Azure Blob Storage scheme, used as the scheme in the session storage URI to identify a storage account accessed over http.
SchemeFile configures local disk-based file storage for audit events.
SchemeGCS is used for Google Cloud Storage.
SchemeS3 is used for S3-like object storage.
SchemeStdout outputs audit log entries to stdout.
SCP is Secure Copy.
SessionEvent is sent by servers to clients when an audit event occurs on the session.
SessionIDQueryRequest is sent by clients to ask servers if they will generate their own session ID when a new session is created.
SFTPSubCommand is the sub-command Teleport uses to re-exec itself to handle SFTP connections.
SFTPSubsystem is the SFTP SSH subsystem.
SharedDirMode is a mode for a directory shared with group.
SSEKMSKey is an optional switch to use an KMS CMK key for S3 SSE.
SSHAgentPID is the environment variable pointing to the agent process ID.
SSHAuthSock is the environment variable pointing to the Unix socket the SSH agent is running on.
SSHSessionID is the UUID of the current session.
SSHSessionJoinPrincipal is the SSH principal used when joining sessions.
SSHSessionWebProxyAddr is the address the web proxy.
SSHTeleportClusterName is the name of the cluster this node belongs to.
SSHTeleportHostUUID is the UUID of the host.
SSHTeleportUser is the current Teleport user that is logged in.
StandardHTTPSPort is the default port used for the https URI scheme, cf.
Syslog is a mode for syslog logging.
SystemAccessApproverUserName names a Teleport user that acts as an Access Request approver for access plugins.
SystemAutomaticAccessApprovalRoleName names a preset role that may automatically approve any Role Access Request.
SystemIdentityCenterAccessRoleName specifies the name of a system role that grants a user access to AWS Identity Center resources via Access Requests.
SystemOktaAccessRoleName is the name of the system role that allows access to Okta resources.
SystemOktaRequesterRoleName is a name of a system role that allows for requesting access to Okta resources.
TagAutomaticUpdates is a prometheus label to indicate whether the instance is enrolled in automatic updates.
TagCacheComponent is a prometheus label for the cache component.
TagClient is a prometheus label to indicate what client the metric is tied to.
TagCluster is a metric tag for a cluster.
TagFalse is a tag value to mark false values.
TagGitref is a prometheus label for the gitref of Teleport built.
TagGoVersion is a prometheus label for version of Go used to build Teleport.
TagInstallMethods is a prometheus label to indicate what installation methods were used for the agent.
TagMigration is a metric tag for a migration.
TagPrivateKeyPolicy is a private key policy associated with a user's certificates.
TagRange is a tag specifying backend requests.
TagReq is a tag specifying backend request type.
TagResource is a tag specifying the resource for an event.
TagResources is a number of resources requested as a part of access request.
TagRoles is a number of roles requested as a part of access request.
TagServer is a prometheus label to indicate what server the metric is tied to.
TagServiceName is the prometheus label to indicate what services are running in the current proxy.
TagTrue is a tag value to mark true values.
TagType is a prometheus label for type of resource or tunnel connected.
TagUpgrader is a metric tag for upgraders.
TagVersion is a prometheus label for version of Teleport built.
TCPIPForwardRequest is an SSH request for the server to open a listener for port forwarding.
TerminalSizeRequest is a request for the terminal size of the session.
Text
Text means text serialization format.
TOTPSkew adds that many periods before and after to the validity window.
TOTPValidityPeriod is the number of seconds a TOTP token is valid.
TraitExternalPrefix is the role variable prefix that indicates the data comes from an external identity provider.
TraitInternalAWSRoleARNs is the variable used to store allowed AWS role ARNs for local accounts.
TraitInternalAzureIdentities is the variable used to store allowed Azure identities for local accounts.
TraitInternalDBNamesVariable is the variable used to store allowed database names for local accounts.
TraitInternalDBRolesVariable is the variable used to store allowed database roles for automatic database user provisioning.
TraitInternalDBUsersVariable is the variable used to store allowed database users for local accounts.
TraitInternalGCPServiceAccounts is the variable used to store allowed GCP service accounts for local accounts.
TraitInternalGitHubOrgs is the variable used to store allowed GitHub organizations for GitHub integrations.
TraitInternalJWTVariable is the variable used to store JWT token for app sessions.
TraitInternalKubeGroupsVariable is the variable used to store allowed kubernetes groups for local accounts.
TraitInternalKubeUsersVariable is the variable used to store allowed kubernetes users for local accounts.
TraitInternalLoginsVariable is the variable used to store allowed logins for local accounts.
TraitInternalPrefix is the role variable prefix that indicates it's for local accounts.
TraitInternalWindowsLoginsVariable is the variable used to store allowed Windows Desktop logins for local accounts.
TraitTeams is the name of the role variable use to store team membership information.
UnexpectedCredentials is returned when a command is no longer running with the expected credentials.
UsageAppOnly specifies a certificate metadata that only allows it to be used for proxying applications.
UsageDatabaseOnly specifies certificate usage metadata that only allows it to be used for proxying database connections.
UsageKubeOnly specifies certificate usage metadata that limits certificate to be only used for kubernetes proxying.
UsageWindowsDesktopOnly specifies certificate usage metadata that limits certificate to be only used for Windows desktop access.
UserSingleUseCertTTL is a TTL for per-connection user certificates.
UserSystem defines a user as system.
VerboseLogsEnvVar forces all logs to be verbose (down to DEBUG level).
No description provided by the author
VersionRequest is sent by clients to server requesting the Teleport version they are running.
VnetAdminSetupSubCommand is the sub-command tsh vnet uses to perform a setup as a privileged user.
WaitSubCommand is the sub-command Teleport uses to wait until a domain name stops resolving.
YAML means YAML serialization format.

# Variables

ErrNodeIsAmbiguous serves as an identifying error string indicating that the proxy subsystem found multiple nodes matching the specified hostname.
Gitref is set to the output of "git describe" during the build process.
MinClientSemVersion is the MinClientVersion represented as a [semver.Version].
MinClientVersion is the minimum client version required by the server.
No description provided by the author
SemVersion is the Version represented as a [semver.Version].

# Type aliases

A principal name for use in SSH certificates.