
How to Set Up Teleport to Securely Access Your Servers

17 May 2020, 6 min read

Updated June 2026 — commands and versions refreshed for current releases. The original guide installed Teleport 4.2; this version uses the modern Teleport repository install and current configuration.

What is Teleport

Teleport is a gateway for managing access to clusters of Linux servers via SSH, the Kubernetes API, databases, and web apps. It is built for organizations that need to secure infrastructure, keep visibility into activity, and reduce the operational overhead of privileged access management.

Key features include:

  • A single SSH/Kubernetes access gateway for an entire organization
  • SSH certificate-based authentication instead of static keys
  • Auto-expiring keys signed by a cluster certificate authority
  • Enforced second-factor authentication
  • Session sharing for collaborative troubleshooting
  • Dynamic node discovery with labels
  • Role-based access control (RBAC) for SSH
  • Audit logs with session recording and replay
  • Agentless mode that works with pre-existing SSH daemons

Why Use Teleport


Static SSH keys are hard to rotate, easy to leak, and offer no audit trail. Teleport replaces them with short-lived certificates issued by a central certificate authority, layers on mandatory MFA, and records every session for replay. The result is stronger security and far less key-management toil.

Definitions

  • Node: a server you can SSH to, running the teleport daemon with the node role enabled.
  • Certificate Authority (CA): the key pairs the cluster uses to sign user and host certificates, and therefore to decide who may access what.
  • Teleport Cluster: nodes connected to the same CA.
  • Cluster Name: a required identifier for each cluster.
  • Trusted Cluster: allows third-party users or nodes when their keys are signed by a trusted CA.

Installation Steps

Install Teleport

The original guide downloaded a tarball for Teleport 4.2 and ran its installer:

$ tar -xzf teleport-v4.2.8-linux-amd64-bin.tar.gz
$ sudo ./install

For current releases, use the official install script. It installs the version you pass on the command line and configures the Teleport apt repository, so later upgrades are a normal package update:

# Install the current stable Teleport OSS edition via the official script
curl https://goteleport.com/static/install.sh | bash -s 16.0.0 oss

Get an SSL Certificate from Let's Encrypt

Teleport's web UI and proxy need a valid TLS certificate. Install Certbot via snap (the PPA from the original article is deprecated):

sudo apt-get update
sudo apt-get install snapd
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

Request a certificate for the proxy's public hostname (standalone mode runs its own temporary web server, so port 80 must be free while it runs):

sudo certbot certonly --standalone

Certificates are stored in the /etc/letsencrypt/live/ directory. Test automatic renewal:

sudo certbot renew --dry-run

Create the Teleport Data Directory

sudo mkdir /var/lib/teleport

Systemd Unit File

The repository install ships a systemd unit automatically, but if you installed from a tarball, create /etc/systemd/system/teleport.service:

[Unit]
Description=Teleport SSH Service
After=network.target

[Service]
Type=simple
Restart=on-failure
ExecStart=/usr/local/bin/teleport start --config=/etc/teleport.yaml --pid-file=/run/teleport.pid
ExecReload=/bin/kill -HUP ${MAINPID}
PIDFile=/run/teleport.pid

[Install]
WantedBy=multi-user.target

Configure Teleport

Generate a default configuration file at /etc/teleport.yaml:

sudo teleport configure -o file

Edit the generated file to set your public address, cluster name, and the paths to the Let's Encrypt certificate and key you created above.
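As an added example (not the file the article's configure command generates), a complete /etc/teleport.yaml for the single-port TLS routing layout, assuming the proxy's public hostname is teleport.example.com and that Certbot wrote its files under /etc/letsencrypt/live/teleport.example.com/:

```yaml
# /etc/teleport.yaml -- added example, not the article's generated file.
# Assumes the public hostname teleport.example.com and the Let's Encrypt
# paths Certbot creates for that name; change both to match your host.
version: v3
teleport:
  nodename: teleport-proxy
  data_dir: /var/lib/teleport          # directory created in the step above
  log:
    output: stderr
    severity: INFO

auth_service:
  enabled: "yes"
  cluster_name: teleport.example.com   # required; cannot be changed after first start
  listen_addr: 0.0.0.0:3025
  proxy_listener_mode: multiplex       # TLS routing: all services behind one port
  session_recording: node              # record sessions for audit and replay
  authentication:
    type: local
    second_factor: webauthn            # enforce a phishing-resistant second factor
    webauthn:
      rp_id: teleport.example.com      # must match the public hostname users browse to

ssh_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3022
  labels:
    env: prod                          # assumed label; used by RBAC and node discovery

proxy_service:
  enabled: "yes"
  web_listen_addr: 0.0.0.0:443         # single multiplexed port; only 443 needs opening in UFW
  public_addr: teleport.example.com:443
  https_keypairs:
    - key_file: /etc/letsencrypt/live/teleport.example.com/privkey.pem
      cert_file: /etc/letsencrypt/live/teleport.example.com/fullchain.pem
```

Certbot renewals keep the same file paths, so sudo systemctl reload teleport (the unit's ExecReload sends SIGHUP, which makes Teleport fork a fresh process and gracefully retire the old one) is enough to pick up a renewed certificate.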

Open the Firewall (UFW)

Allow SSH, HTTP/HTTPS, and Teleport's service ports:

sudo ufw status

sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw allow 3022
sudo ufw allow 3023
sudo ufw allow 3024
sudo ufw allow 3025
sudo ufw allow 3026
sudo ufw allow 3080

sudo ufw enable

sudo ufw status verbose

Modern Teleport can multiplex everything behind a single port (TLS routing on 443), so on a fresh install you may only need 443 plus SSH. The full list above remains valid for the classic multi-port layout.

Start Teleport

sudo systemctl daemon-reload
sudo systemctl enable teleport
sudo systemctl start teleport

# check whether teleport is running
sudo systemctl status teleport
journalctl -fu teleport

With the daemon running, create your first user with sudo tctl users add, enroll an MFA device, and you can begin accessing your fleet through short-lived certificates with full session recording.

Indivar Software Solutions

SAP Business One consulting and custom software development since 2009. Offices in India, New Zealand, and the USA.
