Teleport (software)

Teleport is an open-source tool for providing zero trust access to servers and cloud applications using SSH, Kubernetes and HTTPS. It can eliminate the need for VPNs by providing a single gateway to access computing infrastructure via SSH, Kubernetes clusters, and cloud applications via a built-in proxy.

Teleport started as an open source library used by the Gravity project to enable secure software deployments into restricted and regulated environments. Teleport was open sourced as a standalone tool by Gravitational Inc. in 2016. It is currently deployed in production by Samsung, NASDAQ, IBM, Ticketmaster, Epic Games and others. It has been publicly audited by technology security companies like Cure 53 and Doyensec.

Alternatives to Teleport include a bastion host and strongDM.

History
Teleport was built by Gravitational Inc, a company that specializes in Kubernetes-based application deployment and compliance. The security gateway protocol that became Teleport originated within a remote application management platform also built by Gravitational, called Gravity. Gravitational was a member of the 2015 Y Combinator cohort, and Teleport was originally released in June 2016.

Teleport 3.0 was released in October 2018 and introduced Kubernetes integration. Version 4.0 was released in 2019 and included support for IoT infrastructure and products.

In December 2023, Teleport announced a change in the license of their source code from the previously used Apache 2.0 License to the AGPLv3 license.

The open-source version of Teleport is known as Teleport Community and is available for download on GitHub. Gravitational Inc also offers a commercial version of Teleport (Teleport Enterprise) that includes features like role-based access control (RBAC).

Features
Teleport provides the following features, as detailed on GitHub:

Access Proxy
Teleport proxy provides SSH and HTTPs access to servers, applications, and Kubernetes clusters across multiple data centers, cloud providers, and edge devices. Teleport proxy is identity-aware, i.e. it only allows certificate-based authentication by integrating with an identity manager such as GitHub, Google Apps, Okta or Active Directory, and others.

Audit Log
Teleport collects system events across all servers it is installed on and stores them in an audit log for compliance purposes. Auditable events include authentication attempts, file transfers, network connections, and file system changes made during an SSH session. The audit log can be stored on an encrypted file system, in Amazon DynamoDB and other cloud data stores.

Session Recording
Teleport records interactive user sessions for SSH and Kubernetes protocols and stores them in the audit log. Stored sessions can be replayed via a built-in session player.

IoT Access
Servers running Teleport can be accessed by clients regardless of their physical location, even when they are using a cellular connection.

Dynamic Authorization
Teleport users can request a one-time elevation of permissions to complete a privileged task. Such requests can be approved or denied via chat ops tools such as Slack, Mattermost, or a custom workflow, implemented via Teleport API.

Web UI
Teleport Proxy offers a web-based client for configuration, accessing servers via SSH and Kubernetes and for accessing the audit log.

Teleport requires at least 1GB of virtual memory to be built and compiled.

Architecture
Teleport is written in Go programming language, and runs on UNIX-compatible operating systems, including Linux, macOS, and several BSD variants. Teleport consists of two executables:  (command line client) and   (server daemon).

The  server daemon can run in the following modes:


 * Node. In this mode, the daemon is providing SSH and Kubernetes access to the server it is running on.
 * Proxy. In this mode, the daemon is acting as an identity-aware proxy for all protocols supported by Teleport. Currently, this includes SSH, HTTPS, and Kubernetes API.
 * Auth Server. In this mode, the daemon is acting as a certificate authority that all other daemons must authenticate with. The auth server is issuing certificates for users and for servers and stores the audit log.