tsh

Teleport unified infrastructure access client

TLDR

Log in to Teleport cluster

$ tsh login --proxy=[teleport.example.com] --user=[username]

List available SSH servers

$ tsh ls

SSH to a server

$ tsh ssh [user]@[hostname]

List Kubernetes clusters

$ tsh kube ls

Connect to Kubernetes cluster

$ tsh kube login [cluster-name]

List available databases

$ tsh db ls

Connect to a database

$ tsh db connect [database-name]

List active sessions

$ tsh sessions ls

Log out from cluster

$ tsh logout

SYNOPSIS

tsh [global-options] command [command-options] [args...]

tsh is the Teleport client CLI for accessing infrastructure protected by Teleport. It provides unified access to SSH servers, Kubernetes clusters, databases, and web applications with built-in audit logging and access controls.
Authentication via login stores credentials in ~/.tsh with automatic expiration (default 12 hours). Certificates support short-lived access aligned with zero-trust principles.
For SSH access, use ssh command or generate native SSH config with tsh config for use with standard ssh clients. Session recording enables play for audit review.
Kubernetes access with kube login configures kubectl credentials. Database access via db connect provides authenticated connections to PostgreSQL, MySQL, MongoDB, and other databases.
Access requests enable just-in-time privilege escalation with approval workflows. Create requests with request create for resources requiring elevated permissions.

PARAMETERS

--proxy address

Teleport proxy service address.

--user username

Teleport username.

--login os-user

Remote OS username for SSH.

--ttl duration

Session credential TTL. Default: 12h.

--identity file

Path to identity file.

--auth connector

Authentication connector name.

--insecure

Skip TLS certificate verification.

--debug

Enable verbose debug logging.

--jumphost, -J host

SSH jump host.

--cert-format format

Certificate format: standard or kubernetes.

--skip-version-check

Skip client/server version compatibility check.

COMMANDS

login

Authenticate to Teleport cluster.

logout

End session and remove credentials.

status

Show current login status.

List available SSH servers.

ssh [user@]host

Start SSH session to a server.

scp src dest

Secure copy files.

join session-id

Join an active session.

play session-id

Replay a recorded session.

sessions ls

List active sessions.

kube ls|login|credentials

Manage Kubernetes access.

db ls|login|connect|logout

Manage database access.

apps ls|login|logout

Manage application access.

request create|ls|show|review

Manage access requests.

config

Generate SSH config for native SSH client.

version

Show version information.

CAVEATS

Requires Teleport cluster access configured by administrator. Some resources require role-based access or approval. Certificate TTL limits session duration. The --insecure flag should not be used in production.

HISTORY

Teleport was created by Gravitational (now Teleport) in 2016 to provide secure access to infrastructure with audit logging and identity-based access controls. The project implements certificate-based authentication following BeyondCorp/zero-trust principles. Teleport open-sourced the core product and has since expanded to cover Kubernetes, databases, and applications.

tsh