# Teleport — Secure Infrastructure Access Platform

> Teleport provides identity-based, zero-trust access to servers, Kubernetes clusters, databases, and web applications. It replaces VPNs and shared credentials with certificate-based authentication, session recording, and unified access controls.

## Install

Save in your project root:

# Teleport — Secure Infrastructure Access Platform

## Quick Use
```bash
# Install Teleport
curl https://goteleport.com/static/install.sh | bash

# Start a single-node cluster
sudo teleport configure --cluster-name=example.teleport.sh --output=file
sudo teleport start

# Access web UI at https://localhost:3080

# SSH via Teleport (no SSH keys needed)
tsh login --proxy=example.teleport.sh
tsh ssh user@hostname

# List available servers
tsh ls
```

## Introduction
Teleport replaces traditional infrastructure access tools (VPNs, SSH keys, database passwords) with a unified, identity-based access platform. Instead of distributing and managing credentials, Teleport issues short-lived certificates tied to user identity. Every session is recorded, audited, and governed by role-based access policies.

With over 20,000 GitHub stars, Teleport is used by companies like Nasdaq, IBM, Samsung, and Snowflake to secure access to their infrastructure. It provides a single gateway for SSH, Kubernetes, databases, Windows desktops, and web applications — with built-in compliance features.

## What Teleport Does
Teleport acts as an identity-aware access proxy. Users authenticate once (via SSO, MFA, or hardware keys), and Teleport issues short-lived X.509 certificates for accessing resources. All sessions are recorded, all access is logged, and policies are enforced in real-time. No standing credentials exist — reducing the attack surface.

## Architecture Overview
```
[Users]
SSO + MFA + Hardware Keys
        |
   [Teleport Proxy]
   Public-facing gateway
   TLS termination
   Web UI
        |
   [Teleport Auth]
   Certificate authority
   RBAC engine
   Session recording
   Audit log
        |
+-------+-------+-------+-------+
|       |       |       |       |
[SSH    [K8s    [DB     [App    [Windows]
Access] Access] Access] Access] Access]
Servers Clusters Postgres Web apps RDP
Nodes   kubectl  MySQL   Internal Desktop
                 MongoDB dashboards
```

## Self-Hosting & Configuration
```yaml
# teleport.yaml — configuration
teleport:
  nodename: teleport.example.com
  data_dir: /var/lib/teleport

auth_service:
  enabled: true
  cluster_name: example.teleport.sh
  authentication:
    type: local
    second_factor: "on"
    webauthn:
      rp_id: example.teleport.sh

proxy_service:
  enabled: true
  web_listen_addr: 0.0.0.0:443
  public_addr: teleport.example.com:443
  acme:
    enabled: true
    email: admin@example.com

ssh_service:
  enabled: true
  labels:
    env: production
    team: engineering
```

```bash
# Add a server to the cluster
sudo teleport node configure \
  --token=invite-token \
  --auth-server=teleport.example.com:443 \
  --output=file
sudo teleport start

# Role-based access example
tctl create <<EOF
kind: role
metadata:
  name: developer
spec:
  allow:
    logins: [ubuntu, ec2-user]
    node_labels:
      env: [staging, development]
    kubernetes_groups: [developers]
    db_names: ["*"]
    db_users: [readonly]
EOF
```

## Key Features
- **Identity-Based Access** — short-lived certificates, no standing credentials
- **SSH Access** — passwordless SSH with session recording
- **Kubernetes Access** — secure kubectl access with RBAC
- **Database Access** — proxy for PostgreSQL, MySQL, MongoDB, and more
- **Application Access** — secure access to internal web apps without VPN
- **Session Recording** — complete audit trail of all interactive sessions
- **Access Requests** — just-in-time access with approval workflows
- **Compliance** — SOC 2, FedRAMP, HIPAA-ready audit logging

## Comparison with Similar Tools
| Feature | Teleport | HashiCorp Boundary | Tailscale | StrongDM | Bastion hosts |
|---|---|---|---|---|---|
| Access Type | Identity-based | Identity-based | Network mesh | Identity-based | Network |
| SSH | Yes | Via boundary | Via Tailscale | Yes | Yes |
| Kubernetes | Yes | Limited | Via Tailscale | Yes | Manual |
| Databases | Yes | Yes | No | Yes | Manual |
| Session Recording | Yes | No | No | Yes | Manual |
| Self-Hosted | Yes | Yes | Partial | No | Yes |
| Open Source | Yes (Community) | Yes | Partial | No | N/A |

## FAQ
**Q: Teleport vs VPN — why should I switch?**
A: VPNs grant broad network access. Teleport provides fine-grained, identity-based access to specific resources. You get session recording, audit trails, and just-in-time access — none of which VPNs provide.

**Q: Is Teleport free?**
A: Teleport Community Edition is free and open source. Enterprise and Cloud editions add features like FedRAMP compliance, hardware key enforcement, and premium support.

**Q: How does Teleport replace SSH keys?**
A: Instead of distributing and rotating SSH keys, users authenticate via SSO/MFA and receive a short-lived SSH certificate (valid for hours, not years). When it expires, they re-authenticate. No key management needed.

**Q: Can I use Teleport with my existing SSO?**
A: Yes. Teleport integrates with Okta, Azure AD, Google Workspace, GitHub, GitLab, and any SAML/OIDC identity provider for single sign-on.

## Sources
- GitHub: https://github.com/gravitational/teleport
- Documentation: https://goteleport.com/docs
- Website: https://goteleport.com
- Created by Gravitational (now Teleport)
- License: AGPL-3.0 (Community) / Commercial

---
Source: https://tokrepo.com/en/workflows/69b045fd-3702-11f1-9bc6-00163e2b0d79
Author: AI Open Source