TSH: Teleport Authentication Gateway Client


versionPrint the version
sshRun shell or execute a command on a remote SSH node
awsAccess AWS API
appsView and control proxied applications
proxyRun local TLS proxy allowing connecting to Teleport in single-port mode
dbView and control proxied databases
joinJoin the active SSH session
playReplay the recorded SSH session
scpSecure file copy
lsList remote SSH nodes
clustersList available Teleport clusters
loginLog in to a cluster and retrieve the session certificate
logoutDelete a cluster certificate
statusDisplay the list of proxy servers and retrieved certificates
envPrint commands to set Teleport session environment variables
requestManage access requests
kubeManage available kubernetes clusters
mfaManage multi-factor authentication (MFA) devices
configPrint OpenSSH configuration details


-l, --loginRemote host login
--proxy <Teleport proxy address>SSH proxy address
--user <user>SSH proxy user
--ttl <time>Minutes to live for a SSH session
-i, --identity <file>Identity file
--cert-format <arg>SSH certificate format
--insecureDo not verify server's certificate and host name. Use only in test environments
--auth <arg>Specify the name of authentication connector to use
--skip-version-checkSkip version checking between server and client
-d, --debugVerbose logging to stdout
-k, --add-keys-to-agentControls how keys are handled. Valid values are [auto no yes only]
--enable-escape-sequencesEnable support for SSH escape sequences. Type '~?' during an SSH session to list supported sequences. Default is enabled
--bind-addrOverride host:port used when opening a browser for cluster logins
-J, --jumphostSSH jumphost