tsh CLI reference

tsh is a CLI client used by Teleport users. It allows users to interact with current and past sessions on the cluster, copy files to and from nodes, and list information about the cluster.

tsh environment variables

Environment variables configure your tsh client and can help you avoid using flags repetitively.

Environment Variable	Description	Example Value
TELEPORT_AUTH	Any defined authentication connector, including passwordless and local (i.e., no authentication connector)	okta
TELEPORT_MFA_MODE	Preferred mode for MFA and Passwordless assertions	otp
TELEPORT_CLUSTER	Name of a Teleport root or leaf cluster	cluster.example.com
TELEPORT_LOGIN	Login name to be used by default on the remote host	root
TELEPORT_LOGIN_BIND_ADDR	Address in the form of host:port to bind to for login command webhook	host:port
TELEPORT_LOGIN_BROWSER	Set to none to stop the system default browser from opening for SSO logins. If the value is not none, tsh will open the system default browser.	none
TELEPORT_PROXY	Address of the Teleport proxy server	cluster.example.com:3080
TELEPORT_HOME	Home location for tsh configuration and data	/directory
TELEPORT_USER	A Teleport user name	alice
TELEPORT_ADD_KEYS_TO_AGENT	Specifies if the user certificate should be stored on the running SSH agent	yes, no, auto, only
TELEPORT_USE_LOCAL_SSH_AGENT	Disable or enable local SSH agent integration	true, false
TELEPORT_GLOBAL_TSH_CONFIG	Override location of global tsh config file from default /etc/tsh.yaml	/opt/teleport/tsh.yaml
TELEPORT_HEADLESS	Use headless authentication	true, false, 1, 0
TELEPORT_IDENTITY_FILE	File path to identity file	/opt/identity

tsh global flags

Name	Default Value(s)	Allowed Value(s)	Description
-l, --login	none	an identity name	The login identity that the Teleport user will use
--proxy	none	host:https_port[,ssh_proxy_port]	Teleport Proxy Service address
--user	$USER	none	The Teleport username
--ttl	720 (12 hours)	integer	Number of minutes a certificate issued for the tsh user will be valid for
-i, --identity	none	string filepath	Identity file
--cert-format	standard	standard or oldssh	SSH certificate format. oldssh supports older versions of OpenSSH servers that do not allow for custom metadata, which is how Teleport encodes a user's roles in their SSH certificate.
--insecure	none	none	Do not verify the server's certificate and host name. Use only in test environments.
--auth	local	Any defined authentication connector, including passwordless and local (i.e., no authentication connector)	Specify the type of authentication connector to use.
--mfa-mode	auto	auto, cross-platform, platform or otp	Preferred mode for MFA and Passwordless assertions.
--skip-version-check	none	none	Skip version checking between server and client.
-d, --debug	none	none	Verbose logging to stdout
-J, --jumphost	none	A jump host	SSH jumphost
--headless	none	none	Use Headless WebAuthn for authentication
--mlock	auto	auto, off, best_effort, strict	Lock process memory to protect client secrets stored in memory from being swapped to disk.

tsh apps ls

List all available applications:

$ tsh apps ls

tsh clusters

$ tsh clusters [<flags>]

Flags

Name	Default Value(s)	Allowed Value(s)	Description
-q, --quiet	none	none	no headers in output

Global flags

These flags are available for all commands --login, --proxy, --user, --ttl, --identity, --cert-format, --insecure, --auth, --skip-version-check, --debug, --jumphost. Run tsh help <subcommand> or see the Global Flags section.

Examples

$ tsh clusters

# Cluster Name Status
# ------------ ------
# staging          online
# production       offline

$ tsh clusters --quiet

# staging online
# production offline

tsh config

Print OpenSSH configuration details to allow using an SSH client with credentials managed by Teleport to connect to hosts in your cluster.

$ tsh config

Flags

Name	Default Value(s)	Allowed Value(s)	Description
-l, --login	none	Linux username	Default Linux username to use. Will translate to SSH config's User option.
-p, --port	3022	port	Default SSH port to use. Will translate to SSH config's Port option.

Examples

# Print OpenSSH config file to console
$ tsh config

# Append Teleport configuration to ssh config
$ tsh config >> ~/.ssh/config

tsh device enroll

Enroll the current device as a trusted device.

Requires a device enrollment token created via tctl devices enroll.

$ tsh device enroll --token=TOKEN

Flags

Name	Default Value(s)	Allowed Value(s)	Description
--token	none	String	Device enrollment token

Examples

$ tsh device enroll --token=AAAAAAAAAAAAAAAAAAAAAAAA-this-is-an-example
Device "C00AA0AAAA0A"/macOS enrolled

tsh gcloud

Proxy gcloud CLI commands through the Teleport Application Service. gcloud is a tool for interacting with Google Cloud. A user must already be authenticated to a Google Cloud application in Teleport before they can execute tsh gcloud commands.

$ tsh gcloud [--app] [<command>]

Arguments

command: A gcloud command to run, including arguments and flags.

Flags

Name	Default Value(s)	Allowed Value(s)	Description
--app	Currently logged in Google Cloud application	The name of a Google Cloud application as listed via tsh apps ls.	The Google Cloud application to run the command against, if logged in to multiple Google Cloud applications.

Global flags

These flags are available for all commands --login, --proxy, --user, --ttl, --identity, --cert-format, --insecure, --auth, --skip-version-check, --debug, --jumphost. Run tsh help <subcommand> or see the Global Flags section.

Examples

$ tsh gcloud compute instances list

tsh gsutil

Proxy gsutil CLI commands through the Teleport Application Service. gsutil is a tool for interacting with Google Cloud Storage. A user must already be authenticated to a Google Cloud application in Teleport before they can execute tsh gsutil commands.

$ tsh gsutil [--app] [<command>]

Arguments

command: A gsutil command to run, including arguments and flags.

Flags

Name	Default Value(s)	Allowed Value(s)	Description
--app	Currently logged in Google Cloud application	The name of a Google Cloud application as listed via tsh apps ls.	The Google Cloud application to run the command against, if logged in to multiple Google Cloud applications.

Global flags

These flags are available for all commands --login, --proxy, --user, --ttl, --identity, --cert-format, --insecure, --auth, --skip-version-check, --debug, --jumphost. Run tsh help <subcommand> or see the Global Flags section.

Examples

$ tsh gsutil ls

tsh help

Prints help:

$ tsh help

tsh join

Joins an active session:

$ tsh join [<flags>] <session-id>

Arguments

<session-id>

• session-id The UUID of an active Teleport Session obtained by teleport status within the session.

Flags

Name	Default Value(s)	Allowed Value(s)	Description
--cluster	none	a cluster_name	Specify the cluster to connect

Global flags

These flags are available for all commands --login, --proxy, --user, --ttl, --identity, --cert-format, --insecure, --auth, --skip-version-check, --debug, --jumphost. Run tsh help <subcommand> or see the Global Flags section.

Examples

# join session using teleport user joe as ec2-user
$ tsh --user=joe --login=ec2-user join <session-id>

tsh kube login

Log into a Kubernetes cluster. Discover connected clusters by using tsh kube ls.

$ tsh kube login <kube-cluster>

# tsh kube login to k8s cluster (gke_bens-demos_us-central1-c_gks-demo)
$ tsh kube login gke_bens-demos_us-central1-c_gks-demo
# Logged into kubernetes cluster "gke_bens-demos_us-central1-c_gks-demo". Try 'kubectl version' to test the connection.

# On login, kubeconfig is pointed at the first cluster (alphabetically)
$ kubectl config current-context
# aws-gke_bens-demos_us-central1-c_gks-demo

# But all clusters are populated as contexts
$ kubectl config get-contexts

# CURRENT   NAME                                        CLUSTER                       AUTHINFO                                    NAMESPACE
# *         aws-gke_bens-demos_us-central1-c_gks-demo   aws                           aws-gke_bens-demos_us-central1-c_gks-demo
#          aws-microk8s                                aws                           aws-microk8s

Flags

Name	Default Value(s)	Allowed Value(s)	Description
--all	false	Boolean	Whether to generate a kubeconfig for every Kubernetes cluster the current Teleport user has access to. If this is false, tsh will only generate a kubeconfig for the cluster specified in the tsh kube login command.
--as	none	string	The Kubernetes user that the current Teleport user will log in as when they authenticate to the specified Kubernetes cluster. This uses Kubernetes impersonation, so the Teleport user's Kubernetes user must have permissions to impersonate the target user.
--as-groups	none	string	A Kubernetes group that the current Teleport user will log in as when they authenticate to the specified Kubernetes cluster. This uses Kubernetes impersonation, so the Teleport user's Kubernetes user must have permissions to impersonate the target group. You can include this flag multiple times to enable impersonation of multiple Kubernetes groups.
--cluster	none	string	Name of the Teleport cluster to log into in order to connect to the given Kubernetes cluster.
-n, --kube-namespace	none	string	The name of the Kubernetes namespace to configure as the default within the cluster the user is logging into.

tsh kube ls

List Kubernetes clusters:

$ tsh kube ls

Examples

$ tsh kube ls

# Kube Cluster Name                     Selected
# ------------------------------------- --------
# gke_bens-demos_us-central1-c_gks-demo *
# microk8s

tsh login

Logs in to the cluster. When tsh logs in, the auto-expiring key is stored in ~/.tsh and is valid for 12 hours by default unless you specify another interval via --ttl flag (capped by the server-side configuration).

$ tsh login [<flags>] [<cluster>]

Arguments

• <cluster> - the name of the cluster, see Trusted Cluster for more information.

Flags

Name	Default Value(s)	Allowed Value(s)	Description
--bind-addr	none	host:port	Address in the form of host:port to bind to for login command webhook
-o, --out	none	filepath	Identity output filepath
--format	file	file, openssh or kubernetes	Identity format: file, openssh (for OpenSSH compatibility) or kubernetes (for kubeconfig)
--browser	none	none	Set to 'none' to suppress opening system default browser for tsh login commands
--request-roles	none		Request one or more extra roles
--request-reason	none		Reason for requesting additional roles
--request-nowait	none		Finish without waiting for request resolution
--request-id	none		Login with the roles requested in the given request
--no-use-local-ssh-agent			Do not load generated SSH certificates into the local ssh-agent (specified via $SSH_AUTH_SOCK). Useful when using gpg-agent or Yubikeys. You can also set the TELEPORT_USE_LOCAL_SSH_AGENT environment variable to false (default true)

Global flags

These flags are available for all commands --login, --proxy, --user, --ttl, --identity, --cert-format, --insecure, --auth, --skip-version-check, --debug, --jumphost. Run tsh help <subcommand> or see the Global Flags section.

Examples

The proxy endpoint can take a https and ssh port in this format host:https_port[,ssh_proxy_port]

# Try both ports 443 and 3080 for https
$ tsh --proxy=proxy.example.com login

# Use ports 8080 and 8023 for https and SSH proxy:
$ tsh --proxy=proxy.example.com:8080,8023 login

# Use port 8080 and 3023 (default) for SSH proxy:
$ tsh --proxy=proxy.example.com:8080 login

# Use port 23 as custom SSH port, keep HTTPS proxy port as default
$ tsh --proxy=work.example.com:,23 login

# Login and select cluster "two":
$ tsh --proxy=proxy.example.com login two

# Select cluster "two" using existing credentials and proxy:
$ tsh login two

# Login to the  cluster with a very short-lived certificate
$ tsh --ttl=1 login

# Login using the local Teleport 'admin' user:
$ tsh --proxy=proxy.example.com --auth=local --user=admin login

# Login using GitHub as an SSO provider, assuming the GitHub connector is called "github"
$ tsh --proxy=proxy.example.com --auth=github login

# Suppress the opening of the system default browser for external provider logins
$ tsh --proxy=proxy.example.com --browser=none

# Login to cluster and output a local kubeconfig
$ tsh login --proxy=proxy.example.com --format=kubernetes -o kubeconfig

# Request access to a cluster.
$ tsh login --proxy=proxy.example.com --request-reason="I need to run a debug script on production"

tsh logout

Deletes the client's cluster certificate:

$ tsh logout

tsh ls

List cluster nodes:

$ tsh ls [<flags>] [<label>]

Not seeing Nodes?

When Teleport's Auth Service receives a request to list Teleport Nodes (e.g., to display Nodes in the Web UI or via tsh ls), it only returns the Nodes that the current user is authorized to view.

For each Node in the user's Teleport cluster, the Auth Service applies the following checks in order and, if one check fails, hides the Node from the user:

• None of the user's roles contain a deny rule that matches the Node's labels.
• At least one of the user's roles contains an allow rule that matches the Node's labels.

If you are not seeing Nodes when expected, make sure that your user's roles include the appropriate allow and deny rules as documented in the Teleport Access Controls Reference.

Arguments

• <labels> - comma-separated list of key=value labels to filter nodes by, e.g., env=dev,host=foo.

Flags

Name	Default Value(s)	Allowed Value(s)	Description
-v, --verbose	none	none	also print Node ID

Global flags

These flags are available for all commands --login, --proxy, --user, --ttl, --identity, --cert-format, --insecure, --auth, --skip-version-check, --debug, --jumphost. Run tsh help <subcommand> or see the Global Flags section.

Examples

$ tsh ls

# Node Name Address            Labels
# --------- ------------------ ------
# grav-00   10.164.0.0:3022    os:linux
# grav-01   10.156.0.2:3022    os:linux
# grav-02   10.156.0.7:3022    os:osx

$ tsh ls -v

# Node Name Node ID                              Address            Labels
# --------- ------------------------------------ ------------------ ------
# grav-00   52e3e46a-372f-494b-bdd9-a1d25b9d6dec 10.164.0.0:3022    os:linux
# grav-01   73d86fc7-7c4b-42e3-9a5f-c46e177a29e8 10.156.0.2:3022    os:linux
# grav-02  24503590-e8ae-4a0a-ad7a-dd1865c04e30 10.156.0.7:3022     os:osx

# Only show nodes with os label set to 'osx':
$ tsh ls os=osx

# Node Name Address            Labels
# --------- ------------------ ------
# grav-02   10.156.0.7:3022    os:osx

tsh mfa add

Register a new Multi-Factor Authentication (MFA) device:

$ tsh mfa add

Examples

$ tsh mfa add

# Choose device type [TOTP, WEBAUTHN]: webauthn
# Enter device name: desktop yubikey
# Tap any *registered* security key
# Tap your *new* security key
# MFA device "desktop yubikey" added.

$ tsh mfa add

# Choose device type [TOTP, WEBAUTHN]: totp
# Enter device name: android
# Tap any *registered* security key
# Open your TOTP app and create a new manual entry with these fields:
# Name: awly@example.com:3080
# Issuer: Teleport
# Algorithm: SHA1
# Number of digits: 6
# Period: 30s
# Secret: 6DHDR7GWA7ZKLLWEWRIF55WXJKZ52UVJ

# Once created, enter an OTP code generated by the app: 123456
# MFA device "android" added.

tsh mfa ls

List all registered Multi-Factor Authentication (MFA) devices:

$ tsh mfa ls

tsh mfa rm

Remove a registered Multi-Factor Authentication (MFA) device. You can view your registered devices using tsh mfa ls.

$ tsh mfa rm <device-name>

tsh play

Plays back a prior session:

$ tsh play [<flags>] <session-id>

Arguments

<session-id>

• session-id The UUID of a past Teleport Session obtained by teleport status within the session or from the Web UI.

Flags

Name	Default Value(s)	Allowed Value(s)	Description
--cluster	none	a cluster_name	Specify the cluster to connect
--format	pty	json, pty	Format for playback

Global flags

These flags are available for all commands --login, --proxy, --user, --ttl, --identity, --cert-format, --insecure, --auth, --skip-version-check, --debug, --jumphost, --format. Run tsh help <subcommand> or see the Global Flags section.

Examples

$ tsh --proxy proxy.example.com play <session-id>

# Playing back a session using pty format using a downloaded session recording.
$ tsh play --format=pty 1fe153d1-ce8b-4ef4-9908-6539457ba4ad.tar

# Playing back a session in json format using jq to filter on events
$ tsh play --format=json ~/play/0c0b81ed-91a9-4a2a-8d7c-7495891a6ca0.tar | jq '.event

tsh proxy app

Starts a local TLS proxy for Application Service connections. You can use this proxy to connect to an application repeatedly after a single login to your Teleport cluster, which is especially useful for interacting with an application via a CLI.

$ tsh proxy app [<flags>] <app>

Arguments

<app>

• app The name of the application to start the local proxy for. To see a list of available applications, run tsh apps ls.

Flags

Name	Default Value(s)	Allowed Value(s)	Description
-p, --port	none	port number	Specify the source port for the local proxy

Global Flags

These flags are available for all commands --login, --proxy, --user, --ttl, --identity, --cert-format, --insecure, --auth, --skip-version-check, --debug, --jumphost, --format. Run tsh help <subcommand> or see the Global Flags Section

Examples

$ tsh proxy app <app>

# Proxy a connection to grafana on local port 10700
$ tsh proxy --port 10700 app grafana &
# Proxying connections to grafana on 127.0.0.1:10700
$ curl http://127.0.0.1:10700/api/users

tsh proxy aws

Start a local proxy for AWS access. The user must already be logged in to at least one AWS application via Teleport before the proxy can start.

$ tsh proxy aws [<flags>]

Flags

Name	Default Value(s)	Allowed Value(s)	Description
--app	Currently logged in AWS app	string	Optional name of the AWS application (as shown in tsh apps ls) to use if logged in to multiple
-p, --port	none	port number	Specify the source port for the local proxy
-e, --endpoint-url	HTTP Proxy	Endpoint URL	Run the local proxy to serve as an AWS endpoint URL. If not specified, the local proxy serves as an HTTPS proxy.
-f, --format	unix	text, unix, command-prompt, or powershell	Optional format for printing environment variables for the AWS proxy

Global Flags

These flags are available for all commands --login, --proxy, --user, --ttl, --identity, --cert-format, --insecure, --auth, --skip-version-check, --debug, --jumphost, --format. Run tsh help <subcommand> or see the Global Flags Section

Examples

# Proxy a connection to AWS with the default settings
$ tsh apps login awsapp
$ tsh proxy aws
# Set env variables from output
$ aws s3 ls

# Proxying connections to AWS on 127.0.0.1:10700 to app awsapp2
$ tsh apps logins awsapp2
$ tsh proxy aws --port=10700 --app=awsapp2
# Set env variables from output
$ aws s3 ls

tsh proxy azure

Starts a local proxy server that provides secure access to an Azure managed service identity endpoint. This is useful for managing access to Azure from custom client applications. The local proxy forwards traffic to the Teleport Application Service, which uses an Azure managed identity to fetch an authentication token from Azure.

$ tsh proxy azure [<flags>]

The command will print the address of the local proxy server along with export commands for environment variables required to connect:

Started Azure proxy on http://127.0.0.1:54321.
To avoid port randomization, you can choose the listening port using the --port flag.

Use the following credentials and HTTPS proxy setting to connect to the proxy:

  export AZURE_CONFIG_DIR=/Users/myuser/.tsh/azure/my.teleport.cluster/azure
  export HTTPS_PROXY=http://127.0.0.1:54321
  export HTTP_PROXY=http://127.0.0.1:54321
  export MSI_ENDPOINT=https://azure-msi.teleport.dev/123456789abcdef01234
  export REQUESTS_CA_BUNDLE=/Users/myuser/.tsh/keys/teleport.example.com/myuser-app/teleport.example.com/azure-cli-localca.pem

tip

tsh proxy azure runs the local proxy in the foreground, so don't interrupt the process or exit the terminal where you ran the command until you're ready to close the local proxy.

Copy the export commands and paste them into a second terminal.

To run the local proxy server, one of the user's roles must include the spec.allow.azure_identities field with one of the identities used by the Application Service. To learn how to set up secure access to Azure via Teleport, read Protect the Azure CLI with Teleport Application Access.

Arguments

This command does not accept any arguments.

Flags

Name	Default Value(s)	Allowed Value(s)	Description
--app	none	string	Name of the Teleport application representing Azure (i.e., based on tsh apps ls). Use this flag if your Teleport user has access to multiple Azure applications.
--port	none	port number	The port on localhost where the local proxy will listen for connections.
--format	powershell if on Windows, unix otherwise	text, unix, command-prompt, or powershell	The format to use for listing environment variables for Azure client applications connecting to the local proxy.

Global Flags

These flags are available for all commands --login, --proxy, --user, --ttl, --identity, --cert-format, --insecure, --auth, --skip-version-check, --debug, --jumphost, --format. Run tsh help <subcommand> or see the Global Flags Section

tsh proxy db

Start a local TLS proxy for database connections when using Teleport with TLS Routing enabled. Clients can connect to a Teleport-registered database through the local proxy.

$ tsh proxy db [<flags>] <db>

Flags

Name	Default Value(s)	Allowed Value(s)	Description
--cluster	none	string	The name of the Teleport cluster to connect to.
--db-name	see below	string	The database name to log in to.
--db-user	see below	string	The database user to log in as.
--port	none	string	Source port used by the local proxy.
--tunnel	none	Boolean	Open an authenticated tunnel using a database's client certificate so clients don't need to authenticate.

If --db-user or --db-name are required, then default settings are chosen from either an active database certificate obtained via a prior use of tsh db login or from the user's allowed db_users or db_names.

The database user is always required. The database name is required for PostgreSQL, MongoDB, and Oracle databases.

Global Flags

These flags are available for all commands --login, --proxy, --user, --ttl, --identity, --cert-format, --insecure, --auth, --skip-version-check, --debug, --jumphost, --format. Run tsh help <subcommand> or see the Global Flags Section

Examples

Proxy a DB connection to a named database

$ tsh proxy db <db>

Proxy a connection to mysql db on local port 10700:

$ tsh proxy db --port 10700  mysql-db
# Started DB proxy on 127.0.0.1:10700

# Use following credentials to connect to the mysql-db proxy:
#  ca_file=/Users/jeff/.tsh/keys/teleport.example.com/cas/teleport.example.com.pem
#  cert_file=/Users/jeff/.tsh/keys/teleport.example.com/jeff-db/tele1c/mysql-db-x509.pem
#  key_file=/Users/jeff/.tsh/keys/teleport.example.com/jeff

Proxy a connection to mysql db with no credentials required:

$ tsh proxy db --tunnel mysql-db
Started authenticated tunnel for the MySQL database "mysql-db" in cluster "teleport.example.com" on 127.0.0.1:49415.

Use the following command to connect to the database:
  $ mysql --port 49415 --host localhost --protocol TCP

tsh proxy gcloud

Start a local proxy for Google Cloud API access. The user must already be logged in to at least one Google Cloud application via Teleport before the proxy can start.

$ tsh proxy gcloud [<flags>]

Flags

Name	Default Value(s)	Allowed Value(s)	Description
--app	Currently logged in Google Cloud app	string	Optional name of the Google Cloud application (as shown in tsh apps ls) to use if logged in to multiple
-p, --port	none	port number	Specify the source port for the local proxy
-e, --endpoint-url	HTTP Proxy	Endpoint URL	Run the local proxy to serve as a Google Cloud endpoint URL. If not specified, the local proxy serves as an HTTPS proxy.
-f, --format	unix	text, unix, command-prompt, or powershell	Optional format for printing environment variables for the Google Cloud proxy

Global Flags

These flags are available for all commands --login, --proxy, --user, --ttl, --identity, --cert-format, --insecure, --auth, --skip-version-check, --debug, --jumphost, --format. Run tsh help <subcommand> or see the Global Flags Section

Examples

$ tsh apps login google-cloud-app
$ tsh proxy gcloud
# Set env variables from output
$ gcloud compute instances list
$ gsutil ls

tsh proxy ssh

Start a local TLS proxy for ssh connections when using Teleport in TLS Routing mode. This is typically used as part of the SSH client configuration to use ssh as a client through Teleport. See the OpenSSH Guide guide on configuring OpenSSH servers and clients. The tsh config output will include tsh proxy ssh within a ProxyCommand directive.

$ tsh proxy ssh [<flags>] <[user@]host>

Arguments

• <[user@]host> Remote hostname and the login to use

Flags

Name	Default Value(s)	Allowed Value(s)	Description
--cluster	none	Teleport Cluster	The name of the Teleport cluster to connect to.

Global Flags

These flags are available for all commands --login, --proxy, --user, --ttl, --identity, --cert-format, --insecure, --auth, --skip-version-check, --debug, --jumphost, --format. Run tsh help <subcommand> or see the Global Flags Section

Examples

Run the following command to generate an OpenSSH client configuration:

$ tsh config

This command produces the following configuration:

# Common flags for all example.com hosts
Host *.example.com example.com
    UserKnownHostsFile "/Users/jeff/.tsh/known_hosts"
    IdentityFile "/Users/jeff/.tsh/keys/enterprise.teleportdemo.com/jeff"
    CertificateFile "/Users/jeff/.tsh/keys/example.com/jeff-ssh/example.com-cert.pub"
    PubkeyAcceptedKeyTypes +ssh-rsa-cert-v01@openssh.com
    HostKeyAlgorithms ssh-rsa-cert-v01@openssh.com

# Flags for all example.com hosts except the proxy
Host *.example.com !example.com
    Port 3022
    ProxyCommand "/usr/local/bin/tsh" proxy ssh --cluster=example.com --proxy=example.com %r@%h:%p

This output should be placed into the default SSH Config for environment, ~/.ssh/config for Mac/Linux or .ssh\config in the Windows User home directory. You can use this as a standalone SSH config file too.

When you run an ssh command against a host with a subdomain of your Proxy Service's domain, this SSH configuration will use the ProxyCommand to run tsh proxy ssh:

$ ssh myuser@node1.example.com

tsh puttyconfig

Adds a PuTTY saved session to the Windows registry for the currently logged in Windows user.

$ tsh puttyconfig [--leaf <leaf-cluster-name>] [login@]hostname

Flags

Name	Default Value(s)	Allowed Value(s)	Description
-l, --login	none	Linux username	Default Linux username to use. Will translate to SSH config's User option.
-p, --port	3022	port	Default SSH port to use. Will translate to SSH config's Port option.
--leaf	none	Leaf cluster name	Leaf cluster name to add to the saved session.

Examples

# Add a saved PuTTY session on 'node' for the user 'ec2-user'
$ tsh puttyconfig ec2-user@node

# Add a saved PuTTY session for the Teleport-registered OpenSSH node 'openssh' for the user 'ubuntu'
$ tsh puttyconfig --port 22 ubuntu@openssh

# Add a saved PuTTY session on leaf-node for the user 'ec2-user' on the leaf cluster 'example.teleport.sh'
$ tsh puttyconfig --leaf example.teleport.sh ec2-user@leaf-node

See full docs on tsh puttyconfig here.

tsh recordings ls

List recorded sessions.

$ tsh recordings ls [<flags>]

Flags

Name	Default Value(s)	Allowed Value(s)	Description
--from-utc	24 hours ago	date	Start of time range in which recordings are listed. Format 2006-01-02. Defaults to 24 hours ago.
--to-utc	current	date	Start of time range in which recordings are listed. Format 2006-01-02. Defaults to 24 hours ago.
--limit	50	number	Maximum number of recordings to show.
--last	none	duration	Duration into the past from which session recordings should be listed. Format 5h30m40s

Global flags

These flags are available for all commands --login, --proxy, --user, --ttl, --identity, --cert-format, --insecure, --auth, --skip-version-check, --debug, --jumphost, --format. Run tsh help <subcommand> or see the Global Flags section.

Examples

# get the recorded sessions from the last 24 hours
$ tsh --proxy proxy.example.com recordings ls
ID                                   Type Participants Hostname Timestamp
------------------------------------ ---- ------------ -------- -------------------
b0a04442-70dc-4be8-9308-7b7901d2d600 ssh  jeff         dev       Nov 26 16:36:16 UTC
c0a02222-70dc-4be8-9308-7b7901d2d600 kube alice                  Nov 26 20:36:16 UTC
d0a04442-70dc-4be8-9308-7b7901d2d600 ssh  navin        test      Nov 26 16:36:16 UTC

# The session can be played with tsh play
$ tsh play c0a02222-70dc-4be8-9308-7b7901d2d60

# List recorded sessions that occurred between Nov 1, 2022 to Nov 3, 2022
$ tsh recordings ls --from-utc=2022-11-01 --to-utc=2022-11-3

# Retrieve recorded sessions in the last 6 hours
$ tsh recordings ls --last=6h0m0s

Recorded Sessions Availability

Recorded sessions are linked from the audit events to session recordings files in their storage backend. The following error can occur if a session recording file is not available or when employing multiple auth servers with directory storage backend for recorded sessions. When using a directory storage backend for audit logs and recorded sessions, only the auth server with that recorded session can retrieve it.

$ tsh play c8e1b2c5-322a-4095-89e3-391edfd2da9b
ERROR: Recording for session c8e1b2c5-322a-4095-89e3-391edfd2da9b not found.

Using a Security Information and Event Management (SIEM) service that combines the audit logs will help consolidate the list of available recordings.

Downloaded recorded session are directly playable as a file.

$ tsh play c8e1b2c5-322a-4095-89e3-391edfd2da9b.tar

tsh request create

Create a new Access Request.

$ tsh request create [<flags>]

Flags

Name	Default Value(s)	Allowed Value(s)	Description
--roles	none	Comma-separated strings	List of Teleport roles to request
--resource	none	String (flag can be repeated to request multiple resources)	Resource ID to be requested
--reason	none	String	Reason for making the request (optional)
--reviewers	none	Comma-separated strings	Suggested reviewers for the request (optional)
--nowait	false	true or false	Finish without waiting for request resolution
--request-ttl	1 hour	Relative duration like 5s, 2m, or 3h,	Defines how long the Access Request will be in a PENDING state before becoming invalid
--session-ttl	Time left on current session	Relative duration like 5s, 2m, or 3h	Defines how long the elevated session will be valid for
--max-duration	none	Relative duration like 5s, 2m, 3h, or 7d	Defines the maximum duration of the elevated session up to 7 days. The assigned role also must have max_duration option specified (optional)
--assume-start-time	none	String	Sets time roles can be assumed by requestor (RFC3339)

Note

The --request-ttl and --session-ttl values can not be greater than the following:

• Maximum certificate lifetime.
• Time left on an existing session (certificate).
• Maximum session duration defined by the user's roles.

Use --max-duration to request access for longer than the maximum certificate lifetime.

tsh request drop

Drop one or more access requests from current identity

$ tsh request drop [<request-id>...]

Arguments

• <request-id> - IDs of requests to "drop" from the current identity so that your certificate will lose elevated roles and/or resource restrictions. If no request ID is given, the default is to drop all Access Requests.

tsh request ls

List Access Requests

$ tsh request ls

Flags

Name	Default Value(s)	Allowed Value(s)	Description
--format	text	text, json, or yaml	Format output
--reviewable	false	true or false	Only show requests reviewable by current user
--suggested	false	true or false	Only show requests that suggest current user as reviewer
--my-requests	false	true or false	Only show requests created by current user

tsh request review

Review an Access Request

$ tsh request review [<flags>] <request-id>

Flags

Name	Default Value(s)	Allowed Value(s)	Description
--approve	false	true or false	Review proposes approval
--deny	false	true or false	Review proposes denial
--reason	none	String	Review reason message
--assume-start-time	none	String	Sets time roles can be assumed by requestor (RFC3339)

Arguments

• <request-id> - ID of the target request

tsh request search

Search for resources to request access to

$ tsh request search [<flags>]

Flags

Name	Default Value(s)	Allowed Value(s)	Description
--kind	none	node, kubernetes_cluster, db, app, windows_desktop	Resource kind to search for (required)
--search	none	Comma-separated strings	List of comma-separated search keywords or phrases enclosed in single quotes
--query	none	String	Query by predicate language enclosed in single quotes
--labels	none	Comma-separated strings	List of comma-separated labels to filter by labels (e.g. key=value1,key2=value2)

tsh request show

Show Access Request details

$ tsh request show <request-id>

Flags

Name	Default Value(s)	Allowed Value(s)	Description
--format	text	text, json, or yaml	Format output

Arguments

• <request-id> - ID of the target request

tsh scp

Copies files from source to dest:

$ tsh scp [<flags>] <source>... <dest>

Arguments

• <source> - filepath to copy
• <dest> - target destination

Flags

Name	Default Value(s)	Allowed Value(s)	Description
--cluster	none	a cluster_name	Specify the cluster to connect
-r, --recursive	none	none	Recursive copy of subdirectories
-P, --port	none	port number	Port to connect to on the remote host
-q, --quiet	none	none	Quiet mode

Global flags

These flags are available for all commands --login, --proxy, --user, --ttl, --identity, --cert-format, --insecure, --auth, --skip-version-check, --debug, --jumphost. Run tsh help <subcommand> or see the Global Flags section.

Examples

$ tsh --proxy=proxy.example.com scp example.txt user@host:/destination/dir

note

tsh scp will not work from the CLI if the user requires session moderation. You can transfer files in a moderated session by joining the SSH session from the Web UI and requesting the file transfer there. Both the session initiator and moderators must be present in the Web UI in order to approve the file transfer request.

tsh ssh

Run shell or execute a command on a remote SSH node:

$ tsh ssh [<flags>] <[user@]host> [<command>...]

Arguments

<[user@]host> [<command>...]

• user The login identity to use on the remote host. If [user] is not specified the user defaults to $USER or can be set with --user. If the flag --user and positional argument [user] are specified the arg [user] takes precedence.
• host The nodename of a cluster Node or a label specification like env=aws to run on all matching hosts.
• command The command to execute on a remote host.

Flags

Name	Default Value(s)	Allowed Value(s)	Description
-p, --port	none	port	SSH port on a remote host
-A, --forward-agent	none	none	Forward agent to target node like ssh -A
-L, --forward	none	none	Forward localhost connections to remote server
-D, --dynamic-forward	none	none	Forward localhost connections to remote server using SOCKS5
-R, --remote-forward	none	none	Forward remote connections to localhost
-N, -no-remote-exec	none	none	Don't execute remote command, useful for port forwarding
--local	none		Execute command on localhost after connecting to SSH node
-t, --tty	file		Allocate TTY
--cluster	none		Specify the cluster to connect
-o, --option	local		OpenSSH options in the format used in the configuration file
--enable-escape-sequences			Enable support for SSH escape sequences. Type ~? during an SSH session to list supported sequences.
--no-use-local-ssh-agent			Do not load generated SSH certificates into the local ssh-agent (specified via $SSH_AUTH_SOCK). Useful when using gpg-agent or Yubikeys. You can also set the TELEPORT_USE_LOCAL_SSH_AGENT environment variable to false (default true)
-X, --x11-untrusted	none	none	Requests untrusted (secure) X11 forwarding for this session.
-Y, --x11-trusted	none	none	Requests trusted (insecure) X11 forwarding for this session. This can make your local machine vulnerable to attacks, use with caution.
--x11-untrusted-timeout	10m	duration	Sets a timeout for untrusted X11 forwarding, after which the client will reject any forwarding requests from the server.

Global flags

These flags are available for all commands --login, --proxy, --user, --ttl, --identity, --cert-format, --insecure, --auth, --skip-version-check, --debug, --jumphost. Run tsh help <subcommand> or see the Global Flags section.

Examples

# Log in to node `grav-00` as OS User `root` with Teleport User `teleport`
$ tsh ssh --proxy proxy.example.com --user teleport -d root@grav-00
# `tsh ssh` takes the same arguments as OpenSSH client:
$ tsh ssh -o ForwardAgent=yes root@grav-00
$ tsh ssh -o AddKeysToAgent=yes root@grav-00
# Run `hostname` on all nodes with the `env: aws` label
$ tsh ssh root@env=aws hostname

tsh status

Display the list of proxy servers and retrieved certificates:

$ tsh status

Examples

$ tsh status

# > Profile URL:  https://proxy.example.com:3080
#   Logged in as:       benarent
#   Cluster:            aws
#   Roles:              access, editor, auditor
#   Logins:             benarent, root, ec2-user, ubunutu
#   Kubernetes:         enabled
#   Kubernetes cluster: "gke_bens-demos_us-central1-c_gks-demo"
#   Kubernetes groups:  system:masters
#  Valid until:        2020-11-21 01:50:23 -0800 PST [valid for 11h52m0s]
#  Extensions:         permit-agent-forwarding, permit-port-forwarding, permit-pty

tsh version

Prints the version of your tsh binary and the Teleport Proxy Service in the current tsh profile

$ tsh version [<flags>]

Name	Default Value(s)	Allowed Value(s)	Description
-f, --format	text	text, json, yaml	Format for version output
--client	none	none	Show the client version only (no server required).

Examples

$ tsh version
Teleport v15.4.22 git: go1.21
Proxy version: 15.4.22
Proxy: teleport.example.com:443

Display in JSON format:

$ tsh version --format=json

{
  "version": "15.4.22",
  "gitref": "",
  "runtime": "go1.21",
  "proxyVersion": "15.4.22",
  "proxyPublicAddress": "teleport.example.com:443"
}

Only display the tsh binary version:

$ tsh version --client
Teleport v15.4.22 git: go1.21