Install and Setup Teleport Access Plane on Linux

In this tutorial, you will learn how to install and set up the Teleport access plane on Linux. According to the documentation page, Teleport is a Certificate Authority and an Access Plane for your infrastructure. With Teleport you can:

  • Set up Single Sign-On and have one place to access your SSH servers, Kubernetes, Databases, Desktops, and Web Apps.
  • Use your favorite programming language to define access policies to your infrastructure.
  • Share and record interactive sessions across all environments.

Some of the notable features of Teleport include:

  • Server Access: Single Sign-On, short-lived certificates, and audit for SSH servers.
  • Application Access: Provide secure access to internal dashboards and web applications.
  • Kubernetes Access: Single Sign-On, audit and unified access for Kubernetes clusters.
  • Database Access: Secure access to SQL and NoSQL databases.
  • Desktop Access: Secure browser-based access to desktop environments.
  • Cloud: Connect your nodes, web apps, kubernetes clusters and databases to Teleport as a service.
  • Enterprise: OIDC, SAML, compliance controls and commercial support.

Install and Setup Teleport Access Plane on Linux

Teleport is available in two editions: community and enterprise edition.

We will be using the community edition in this example setup.

Install Teleport on Linux

In this tutorial, we are using an Ubuntu 20.04 system. To install Teleport on an Ubuntu 20.04 Linux server, proceed as follows.

Install Teleport repository GPG signing key;

wget -qO- \
| gpg --dearmor > /etc/apt/trusted.gpg.d/teleport.gpg

Install Teleport repository on Ubuntu 20.04;

echo "deb stable main" > /etc/apt/sources.list.d/teleport.list

Update package cache;

apt update

Install Teleport on Ubuntu 20.04 Linux;

apt install teleport

Configure Teleport on Linux

Next, you need to configure Teleport for secure SSH access.

  • Set DNS resolvable hostnames for Teleport Server

Set the hostname of the Teleport server and update the DNS records accordingly.

hostnamectl set-hostname

If you don’t have a DNS server, set the name resolution on hosts file;

echo " teleport" >> /etc/hosts

Update your domain names accordingly.

  • Generate SSL/TLS certificates for Teleport Server

For secure access to the Teleport web interface, you need to generate SSL/TLS certificates. These can be commercially signed certificates (if your Teleport is public facing) or self-signed certificates (if your instance is local).

In this setup, we will use self-signed SSL certs, which can be generated by running the command below.

NOTE: The certificate must have a subject that corresponds to the domain of your Teleport host, e.g., * Replace the domain names accordingly.

openssl req -x509 -nodes -newkey rsa:4096 \
-keyout /var/lib/teleport/teleport.key \
-out /var/lib/teleport/teleport.pem -sha256 -days 3650 \
-subj "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=*"
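
A pre-flight check for the pair generated above, as an added example that is not part of the original tutorial: it confirms that the certificate carries a DNS subjectAltName (modern browsers and Go's TLS stack ignore the CN when matching hostnames), covers the Teleport hostname, matches the private key, is not close to expiry, and that the unencrypted key is not accessible to group or other. It assumes OpenSSL 1.1.1 or later; check_teleport_keypair and teleport.example.com are names made up for the example.

```shell
#!/bin/sh
# Added example: pre-flight check for the TLS pair the Teleport proxy will serve.
# Usage: check_teleport_keypair CERT KEY HOSTNAME [MIN_DAYS_LEFT]
check_teleport_keypair() {
    cert=$1 key=$2 host=$3 days=${4:-30} rc=0

    # 1. Modern clients match hostnames against DNS subjectAltName entries,
    #    so a CN-only certificate is rejected here.
    if ! openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null |
            grep -q 'DNS:'; then
        echo "FAIL: $cert has no DNS subjectAltName"; rc=1
    fi
    # 2. The certificate must cover the name users will type (wildcards count).
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
            grep -q 'does match'; then
        echo "FAIL: $cert does not cover $host"; rc=1
    fi
    # 3. Certificate and private key must be the same pair.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $cert"; rc=1
    fi
    # 4. The key is written with -nodes (unencrypted): no group/other access.
    case $(ls -ldL "$key" 2>/dev/null | cut -c5-10) in
        ------) ;;
        *) echo "FAIL: $key is accessible to group/other, chmod 600 it"; rc=1 ;;
    esac
    # 5. Enough validity must be left.
    if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo "FAIL: $cert expires within $days days"; rc=1
    fi
    return $rc
}

# Demo on a throwaway pair for the constructed name teleport.example.com
# (RSA 2048 only to keep the demo fast).
demo=$(mktemp -d)
openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
    -keyout "$demo/teleport.key" -out "$demo/teleport.pem" \
    -subj "/CN=teleport.example.com" \
    -addext "subjectAltName=DNS:teleport.example.com" 2>/dev/null
chmod 600 "$demo/teleport.key"
check_teleport_keypair "$demo/teleport.pem" "$demo/teleport.key" \
    teleport.example.com && echo "key pair OK"
```

On the Teleport server, call the function with /var/lib/teleport/teleport.pem, /var/lib/teleport/teleport.key and the hostname users will connect to.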

  • Generate Teleport Configuration file

Once you have set up the domain name and generated the SSL certs, run the command below to generate the Teleport configuration file.

teleport configure -o /etc/teleport.yaml \
    --cert-file=/var/lib/teleport/teleport.pem \
    --key-file=/var/lib/teleport/teleport.key

This is the sample configuration file;

cat /etc/teleport.yaml

version: v2
teleport:
  nodename: ubuntu20
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
    format:
      output: text
  ca_pin: []
  diag_addr: ""
auth_service:
  enabled: "yes"
  proxy_listener_mode: multiplex
ssh_service:
  enabled: "yes"
  labels:
    env: example
  commands:
  - name: hostname
    command: [hostname]
    period: 1m0s
proxy_service:
  enabled: "yes"
  https_keypairs:
  - key_file: /var/lib/teleport/teleport.key
    cert_file: /var/lib/teleport/teleport.pem
  acme: {}

You can also create your own config file and test its validity using the --test option.

teleport configure --test /etc/teleport.yaml

  • Start Teleport Service

Next, start the Teleport service and enable it to run on system boot;

systemctl enable --now teleport

Check the status;

systemctl status teleport

● teleport.service - Teleport SSH Service
     Loaded: loaded (/lib/systemd/system/teleport.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2022-03-18 15:02:19 UTC; 24s ago
   Main PID: 2144 (teleport)
      Tasks: 8 (limit: 2274)
     Memory: 36.2M
     CGroup: /system.slice/teleport.service
             └─2144 /usr/local/bin/teleport start --pid-file=/run/

Mar 18 15:02:21 teleport[2144]: 2022-03-18T15:02:21Z [DB:SERVIC] INFO Starting Postgres proxy server on service/service.go:3158
Mar 18 15:02:21 teleport[2144]: 2022-03-18T15:02:21Z [DB:SERVIC] INFO Starting Database TLS proxy server on service/service.go:3176
Mar 18 15:02:21 teleport[2144]: 2022-03-18T15:02:21Z [PROXY:SER] INFO Starting proxy gRPC server on [::]:443. service/service.go:3210
Mar 18 15:02:21 teleport[2144]: 2022-03-18T15:02:21Z [PROXY:SER] INFO Starting TLS ALPN SNI proxy server on [::]:443. service/service.go:3239
Mar 18 15:02:21 teleport[2144]: 2022-03-18T15:02:21Z INFO [NODE:1:CA] Cache "node" first init succeeded. cache/cache.go:742
Mar 18 15:02:21 teleport[2144]: 2022-03-18T15:02:21Z [PROC:1]    INFO Service node is creating new listener on service/signals.go>
Mar 18 15:02:21 teleport[2144]: 2022-03-18T15:02:21Z [NODE:1]    INFO Service 9.0.1:v9.0.1-0-g7bbe6f15c is starting on sqlite cach>
Mar 18 15:02:21 teleport[2144]: 2022-03-18T15:02:21Z [NODE:1]    INFO Service 9.0.1:v9.0.1-0-g7bbe6f15c is starting on utils/cli.>
Mar 18 15:02:21 teleport[2144]: [NODE]         Service 9.0.1:v9.0.1-0-g7bbe6f15c is starting on
Mar 18 15:02:21 teleport[2144]: 2022-03-18T15:02:21Z [PROC:1]    INFO The new service has started successfully. Starting syncing rotation

  • Create Teleport Admin User

Run the command below to create the Teleport admin user. Teleport users are created using the tctl command in the format;

tctl users add --roles=ROLES [<flags>] <account>


tctl users add --roles=editor,access kifarunix-admin

To get the permissions of the role;

tctl get role/role

For example;

tctl get role/editor

tctl will generate a signup token and give you a URL to share with a user. A user will have to complete account creation by visiting the URL.

Sample command output;

User "kifarunix-admin" has been created but requires a password. Share this URL with the user to complete user setup, link is valid for 1h:

NOTE: Make sure points at a Teleport proxy which users can access.

  • Finalize Teleport Setup on Browser

You can now access the link provided, which is valid for one hour by default (this can be adjusted using the --ttl option).

If the firewall is running on the server, ensure you open port 443/tcp to allow external access.

Open the URL in a browser.

Click Get Started to create an account.

Set the password for your account and generate a 2FA code by scanning the QR code using any authenticator app. I used Duo Mobile in this example.

Enter the 2FA code and proceed to create the Teleport admin account.

And there you go.

You can now proceed to add servers for secure access to the Teleport access plane.

Read more on Teleport Admin Guide
