package
18.0.0-dev.vnet-windows.4+incompatible
Repository: https://github.com/gravitational/teleport.git
Documentation: pkg.go.dev
# Packages
No description provided by the author
No description provided by the author
Package db contains methods for working with database connection profiles that combine connection parameters for a particular database.
No description provided by the author
Package escape implements client-side escape character logic.
Package identityfile handles formatting and parsing of identity files.
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
# Functions
CreatePROXYHeaderGetter returns a PROXY headers signer with embedded client source/destination IP addresses, which are taken from the context.
ExportAllAuthorities exports public keys of all authorities of a particular type.
ExportAllAuthoritiesSecrets exports private keys of all authorities of a particular type.
ExportIntegrationAuthorities exports the public keys of all authorities associated with an integration.
GetKubeTLSServerName returns k8s server name used in KUBECONFIG to leverage TLS Routing.
GetPaginatedSessions grabs up to 'max' sessions.
GetSessionFromResponse creates a [types.WebSession] if a cookie named [websession.CookieName] is present in the provided [roundtrip.Response].
GetWebConfig is used by teleterm to fetch webconfig.js from proxies.
HostCredentials is used to fetch host credentials for a node.
InsecureSkipHostKeyChecking is used when the user passes in "StrictHostKeyChecking yes".
IsErrorResolvableWithRelogin returns true if relogin is attempted on `err`.
IsIntegrationAuthorityType returns true if provided type is an integration CA type.
IsNoCredentialsError returns whether the given error implies that the user should retrieve new credentials.
IsNonRetryableError checks if the provided error is a NonRetryableError.
LoadAllConfigs loads all tsh configs and merges them in the appropriate order.
LoadKeysToKubeFromStore loads the keys for a given teleport cluster and kube cluster from the store.
LoadTSHConfig loads a single config file from the given path.
MakeDefaultConfig returns default client config.
MFARequiredUnknown creates a new MFARequiredUnknownErr that wraps the error encountered attempting to determine if the mfa ceremony should proceed.
NewAppCertChecker creates a new CertChecker for the given app.
NewCertChecker creates a new CertChecker with the given CertIssuer.
NewClient creates a TeleportClient object and fully configures it.
NewDBCertChecker creates a new CertChecker for the given database.
NewMemClientStore initializes an FS backed client store with the given base dir.
NewFSKeyStore initializes a new FSClientStore.
NewFSProfileStore creates a new instance of FSProfileStore.
NewFSTrustedCertsStore creates a new instance of FSTrustedCertsStore.
No description provided by the author
NewKeyRing creates a new KeyRing for the given private keys.
NewKubeSession joins a live kubernetes session.
NewLocalAgent reads all available credentials from the provided LocalKeyStore and loads them into the local and system agent.
NewLocalCertGenerator creates a new LocalCertGenerator and listens to the configured listen address.
NewMemClientStore initializes a new in-memory client store.
No description provided by the author
NewMemProfileStore creates a new instance of MemProfileStore.
NewMemTrustedCertsStore creates a new instance of MemTrustedCertsStore.
NewNodeClient constructs a NodeClient that is connected to the node at nodeAddress.
No description provided by the author
ParseDynamicPortForwardSpec parses the dynamic port forwarding spec passed in the -D flag.
ParseLabelSpec parses a string like `name=value,"long name"="quoted value"` into a map like { "name" -> "value", "long name" -> "quoted value" }.
ParseMFAChallengeResponse parses [MFAChallengeResponse] from JSON and returns it as a [proto.MFAAuthenticateResponse].
ParsePortForwardSpec parses parameter to -L flag, i.e.
ParsePortMapping parses textual form of port mapping (e.g., "1337:42") into a struct.
ParseProxyHost parses a ProxyHost string of the format <hostname>:<proxy_web_port>,<proxy_ssh_port> and returns the parsed components.
ParseSearchKeywords parses a string, i.e. `foo,bar,"quoted value"`, into a slice of strings: ["foo", "bar", "quoted value"].
PerformSessionMFACeremony issues single-use certificates via GenerateUserCerts, following its recommended RPC flow.
PlayFile plays the recorded session from a file.
ProfileNameFromProxyAddress converts proxy address to profile name or returns the current profile if the proxyAddr is not set.
ProxyHost returns the hostname of the proxy server (without any port numbers).
RetryWithRelogin is a helper error-handling method that attempts to relogin and retry the function once.
RunALPNAuthTunnel runs a local authenticated ALPN proxy to another service.
RunPresenceTask periodically performs an MFA ceremony to detect that a user is still present and attentive.
SSHAgentHeadlessLogin begins the headless login ceremony, returning new user certificates if successful.
SSHAgentLogin is used by tsh to fetch local user credentials.
SSHAgentLoginWeb is used by tsh to fetch local user credentials via the web api.
SSHAgentMFALogin requests an MFA challenge via the proxy.
SSHAgentMFAWebSessionLogin requests an MFA challenge via the proxy web api.
SSHAgentPasswordlessLogin requests a passwordless MFA challenge via the proxy.
SSHAgentPasswordlessLoginWeb requests a passwordless MFA challenge via the proxy web api.
No description provided by the author
TrustedCertsFromCACerts converts the given TLS CA certificates and KnownHosts files into a list of Trusted Certs.
Username returns the current user's username.
ValidateAgentKeyOption validates that a string is a valid option for the AddKeysToAgent parameter.
VirtualPathAppCertParams returns parameters for selecting specific app cert by name.
VirtualPathAppKeyParams returns parameters for selecting specific app key by name.
VirtualPathCAParams returns parameters for selecting CA certificates.
VirtualPathDatabaseCertParams returns parameters for selecting a specific database certificate by name.
VirtualPathDatabaseKeyParams returns parameters for selecting a specific database key by name.
VirtualPathEnvName formats a single virtual path environment variable name.
VirtualPathEnvNames determines an ordered list of environment variables that should be checked to resolve an env var override.
VirtualPathKubernetesParams returns parameters for selecting k8s clusters by name.
WithAfterLoginHook is a functional option for configuring a function that will be called after a successful login.
WithBeforeLoginHook is a functional option for configuring a function that will be called before the login attempt.
WithHostAddress returns a SSHOptions which overrides the target host address with the one provided.
WithLabeledOutput labels each line of output from a command with the node's hostname.
WithLocalCommandExecutor returns a SSHOptions which specifies an executor that should be used to invoke commands locally.
WithMakeCurrentProfile is a functional option for configuring whether to update the current profile after a successful login.
WithNodeHostname sets the hostname to display for the connected node.
WithOutput sends command output to the given stdout and stderr instead of the node client's.
WithPresenceClock sets the clock to be used by RunPresenceTask.
WithSSHLogDir sets the directory to write command output to when running commands on multiple nodes.
WithTTL sets the TTL option.
# Constants
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
CertCacheDrop indicates that all user certificates should be dropped as part of the re-issue process.
CertCacheKeep indicates that all user certificates (except those explicitly updated by the re-issue) should be preserved across the re-issue process.
DefaultLoginURL is the default login page.
No description provided by the author
No description provided by the author
No description provided by the author
HTTPS is https prefix.
LoginFailedBadCallbackRedirectURL is a redirect URL when an SSO error specific to auth connector's callback was encountered.
LoginFailedRedirectURL is the default redirect URL when an SSO error was encountered.
LoginFailedUnauthorizedRedirectURL is a redirect URL for when an SSO authenticates successfully, but the user has no matching roles in Teleport.
SAMLSingleLogoutFailedRedirectURL is the default redirect URL when an error was encountered during SAML Single Logout.
TSHConfigPath is the path within the .tsh directory to the tsh config file.
No description provided by the author
No description provided by the author
No description provided by the author
VirtualPathEnvPrefix is the env var name prefix shared by all virtual path vars.
No description provided by the author
No description provided by the author
WSS is secure web sockets prefix.
# Variables
No description provided by the author
ErrNoProfile is returned by the client store when a specific profile is not found.
WithAllCerts lists all known CertOptions.
# Structs
ALPNAuthTunnelConfig contains the required fields used to create an authed ALPN Proxy.
AppCertIssuer checks and issues app certs.
AuthenticateSSHUserRequest is passed by tsh to authenticate a local user with MFA and receive short-lived certificates.
No description provided by the author
CachePolicy defines cache policy for local clients.
CertChecker is a local proxy middleware that ensures certs are valid on start up and on each new connection.
ClusterClient facilitates communicating with both the Auth and Proxy services of a cluster.
Config is a client config.
CreateSSHCertReq is passed by tsh to authenticate a local user without MFA and receive short-lived certificates.
CreateWebSessionReq is a request for the web api to initiate a new web session.
CreateWebSessionResponse is a response from the web api to a [CreateWebSessionReq] request.
DBCertIssuer checks and issues db certs.
DynamicForwardedPort is a local port for dynamic application-level port forwarding.
ExpandedTemplate contains any matched data from a [ProxyTemplate] that has been expanded after being evaluated.
ExportAuthoritiesRequest has the required fields to create an export authorities request.
ExportedAuthority represents an exported authority certificate, as returned by [ExportAllAuthorities] or [ExportAllAuthoritiesSecrets].
ExportIntegrationAuthoritiesRequest has the required fields to create an export authorities request for integrations.
ExtraProxyHeaders represents the headers to include with the webclient.
ForwardedPort specifies a local tunnel to a remote destination managed by the client; it is the equivalent of the `ssh -L src:host:dst` command.
FSKeyStore is an on-disk implementation of the KeyStore interface.
FSProfileStore is an on-disk implementation of the ProfileStore interface.
FSTrustedCertsStore is an on-disk implementation of the TrustedCAStore interface.
GitHubIdentity is the GitHub identity attached to the user.
HeadlessLoginReq is a headless login request for /webapi/headless/login.
No description provided by the author
KeyRing describes a set of client keys and certificates for a specific cluster.
KeyRingIndex identifies a KeyRing in the store.
KubeSession is a joined Kubernetes session from the client side.
LegacyCertPathError will be returned when [(*FSKeyStore).GetKeyRing] does not find a user TLS certificate at the expected path used in v17+ but does find one at the legacy path used in Teleport v16-.
LocalAgentConfig contains parameters for creating the local keys agent.
LocalCertGenerator is a TLS Certificate generator used to inject valid TLS certificates based on SNI during local HTTPS handshakes.
LocalKeyAgent holds Teleport certificates for a user connected to a cluster.
No description provided by the author
MemProfileStore is an in-memory implementation of ProfileStore.
MemTrustedCertsStore is an in-memory implementation of TrustedCertsStore.
MFAAuthenticateChallenge is an MFA authentication challenge sent on user login / authentication ceremonies.
MFAChallengeRequest is a request from the client for an MFA challenge from the server.
MFAChallengeResponse holds the response to an MFA challenge.
MFARegisterChallenge is an MFA register challenge sent on new MFA register.
MFARequiredUnknownErr indicates that connections to an instance failed due to being unable to determine if mfa is required.
NodeClient implements an SSH client to an SSH node (Teleport or any regular SSH node). NodeClient can run shell and commands or upload and download files.
NodeDetails provides connection information for a node.
No description provided by the author
NonRetryableError wraps an error to indicate that the error should fail IsErrorResolvableWithRelogin.
ParsedProxyHost holds the hostname and Web & SSH proxy addresses parsed out of a WebProxyAddress string.
PerformSessionMFACeremonyParams are the input parameters for [PerformSessionMFACeremony].
PortMapping represents a mapping of LocalPort to TargetPort, e.g., "1337:42".
ProfileStatus combines metadata from the logged in profile and associated SSH certificate.
ProxyTemplate describes a single rule for parsing out proxy address from the full hostname.
ReissueParams encodes optional parameters for user certificate reissue.
RunCommandOptions is a set of options for NodeClient.RunCommand.
SSHLogin contains common SSH login parameters.
SSHLoginDirect contains SSH login parameters for direct (user/pass/OTP) login.
No description provided by the author
SSHLoginMFA contains SSH login parameters for MFA login.
SSHLoginPasswordless contains SSH login parameters for passwordless login.
SSHLoginSSO contains SSH login parameters for SSO login.
SSHOptions allow overriding configuration used when connecting to a host via [TeleportClient.SSH].
SSOChallenge is a json compatible [proto.SSOChallenge].
SSOLoginConsoleReq is passed by tsh to authenticate an SSO user and receive short-lived certificates.
SSOLoginConsoleResponse is a response to SSO console request.
SSOMFADevice is a json compatible [proto.SSOMFADevice].
SSOResponse is a json compatible [proto.SSOResponse].
SSOUserPublicKeys holds user-submitted public keys and attestation statements used in SSO login requests.
Store is a storage interface for client data.
TargetNode contains information about a resolved host.
TeleportClient is a wrapper around SSH client with teleport specific workflow built in.
TLSCredential holds a signed TLS certificate and matching private key.
TOTPRegisterChallenge contains a TOTP challenge.
TSHConfig represents configuration loaded from the tsh config file.
UserPublicKeys holds user-submitted public keys and attestation statements used in local login requests.
WebClient is a package local lightweight client used in tests and some functions to handle errors properly.
WithAppCerts is a CertOption for handling application access certificates.
WithDBCerts is a CertOption for handling database access certificates.
WithKubeCerts is a CertOption for handling kubernetes certificates.
WithSSHCerts is a CertOption for handling SSH certificates.
# Interfaces
ALPNAuthClient contains the required auth.ClientI methods to create a local ALPN proxy.
CertIssuer checks and issues certs.
CertOption is an additional step to run when loading/deleting user certificates.
KeyStore is a storage interface for client session keys and certificates.
PerformSessionMFACurrentClient is a subset of Auth methods required for MFA.
PerformSessionMFARootClient is a subset of Auth methods required for MFA.
PresenceMaintainer allows maintaining presence with the Auth service.
ProfileStore is a storage interface for client profile data.
TrustedCertsStore is a storage interface for trusted CA certificates and public keys.
# Type aliases
AgentForwardingMode describes how the user key agent will be forwarded to a remote machine, if at all.
CertCachePolicy describes what should happen to the certificate cache when a user certificate is re-issued.
CertCheckerOption is a variadic options func to set options for CertChecker functions.
DTAuthnRunCeremonyFunc matches the signature of [dtauthn.Ceremony.Run].
DTAutoEnrollFunc matches the signature of [dtenroll.AutoEnroll].
DynamicForwardedPorts is a slice of locally forwarded dynamic ports (SOCKS5).
ForwardedPorts contains an array of forwarded port structs.
HostKeyCallback is called by SSH client when it needs to check remote host key or certificate validity.
NodeClientOption is a functional argument for NewNodeClient.
PresenceOption is a functional option for RunPresenceTask.
PromptMFAChallengeHandler is a handler for MFA challenges.
ProxyTemplates represents a list of individual proxy templates.
RetryWithReloginOption is a functional option for configuring the RetryWithRelogin helper.
RunCommandOption is a functional argument for NodeClient.RunCommand.
ShellCreatedCallback can be supplied for every teleport client.
SSHLoginFunc is a function which carries out authn with an auth server and returns an auth response.
SSOLoginFunc is a function used in tests to mock SSO logins.
VirtualPathKind is the suffix component for env vars denoting the type of file that will be loaded.
VirtualPathParams are an ordered list of additional optional parameters for a virtual path.
WebauthnLoginFunc is a function that performs WebAuthn login.
WebLoginFunc is a function which carries out authn with the web server and returns a web session and cookies.