Local Users
In Teleport, local users are users managed directly via Teleport, rather than a third-party identity provider. All local users are stored in Teleport's cluster state backend, which contains the user's name, their roles and traits, and a bcrypt password hash.
This guide shows you how to add, edit, and delete local users with `tctl`.
Prerequisites

- A running Teleport cluster version 17.5.2 or above. If you do not have one, read Get Started with Teleport.
- The `tctl` and `tsh` clients.

Installing the `tctl` and `tsh` clients:

Mac: Download the signed macOS .pkg installer for Teleport, which includes the `tctl` and `tsh` clients:

```
curl -O https://cdn.teleport.dev/teleport-17.5.2.pkg
```

In Finder, double-click the pkg file to begin installation.

DANGER: Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security.

Windows (PowerShell):

```
curl.exe -O https://cdn.teleport.dev/teleport-v17.5.2-windows-amd64-bin.zip
```

Unzip the archive and move the `tctl` and `tsh` clients to a directory on your %PATH%.

NOTE: Do not place the `tctl` and `tsh` clients in the System32 directory, as this can cause issues when using WinSCP. Use %SystemRoot% (C:\Windows) or %USERPROFILE% (C:\Users\<username>) instead.

Linux: All of the Teleport binaries in Linux installations include the `tctl` and `tsh` clients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our installation page.

```
curl -O https://cdn.teleport.dev/teleport-v17.5.2-linux-amd64-bin.tar.gz
tar -xzf teleport-v17.5.2-linux-amd64-bin.tar.gz
cd teleport
sudo ./install
Teleport binaries have been copied to /usr/local/bin
```

The `tctl` and `tsh` clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at /v1/webapi/ping and use a JSON query tool to obtain your cluster version:

```
curl https://example.teleport.sh/v1/webapi/ping | jq -r '.server_version'
17.5.2
```

To check that you can connect to your Teleport cluster, sign in with `tsh login`, then verify that you can run `tctl` commands using your current credentials. For example, run the following commands, replacing teleport.example.com with the domain name of the Teleport Proxy Service in your cluster and email@example.com with your Teleport username:

```
tsh login --proxy=teleport.example.com --user=email@example.com
tctl status
Cluster teleport.example.com
Version 17.5.2
CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678
```

If you can connect to the cluster and run the `tctl status` command, you can use your current credentials to run subsequent `tctl` commands from your workstation. If you host your own Teleport cluster, you can also run `tctl` commands on the computer that hosts the Teleport Auth Service for full permissions.
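The version rule above (clients at most one major version behind the cluster) is easy to get wrong by eye when several people share a jump host. The following is an added example, not part of the Teleport docs, that applies the rule to a `tsh version` string and the `server_version` returned by `/v1/webapi/ping`. The live check in the comments assumes curl, jq and tsh are installed and the Proxy Service is reachable; the values fed to the demo are constructed. Treating a client that is newer than the cluster as out of policy is this script's own assumption; the page only states the "behind" rule.

```sh
#!/bin/sh
# Added example: check tctl/tsh client version against the cluster version.
# Rule from this page: the client may be at most one major version behind the cluster.

# major_of "Teleport v17.5.2 git:..." -> 17 ; major_of "17.5.2" -> 17
# Takes the first run of digits that is followed by a dot.
major_of() {
  printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\)\..*/\1/p' | head -n 1
}

# version_ok CLIENT_VERSION_STRING SERVER_VERSION_STRING
# Returns 0 when the client is at the cluster's major version or exactly one major
# behind it. Returns 2 if either string carries no parsable version.
# Assumption: a client newer than the cluster is also reported as out of policy.
version_ok() {
  c=$(major_of "$1")
  s=$(major_of "$2")
  [ -n "$c" ] && [ -n "$s" ] || return 2
  gap=$((s - c))
  [ "$gap" -ge 0 ] && [ "$gap" -le 1 ]
}

# Live check (requires curl, jq, tsh and a reachable Proxy Service; proxy name assumed):
#   proxy=example.teleport.sh
#   server=$(curl -fsS "https://$proxy/v1/webapi/ping" | jq -r '.server_version')
#   version_ok "$(tsh version)" "$server" && echo "client ok" || echo "client out of policy"

# Offline demo with constructed version strings: run as `sh check_version.sh demo`
if [ "${1:-}" = "demo" ]; then
  version_ok "Teleport v17.5.2 git:v17.5.2-0-gabc123 go1.23.4" "17.5.2" && echo "17 vs 17: ok"
  version_ok "Teleport v16.4.0 git:v16.4.0-0-gdef456 go1.22.8" "17.5.2" && echo "16 vs 17: ok"
  version_ok "Teleport v15.4.0 git:v15.4.0-0-g789abc go1.21.9" "17.5.2" || echo "15 vs 17: too old"
fi
```

The script keys only on the major number because that is what the compatibility rule is stated in terms of; minor and patch differences within the same major are not flagged.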
Adding local users
A user identity in Teleport exists in the scope of a cluster. A Teleport administrator creates Teleport user accounts and maps them to the roles they can use.
Let's look at this table:
Teleport User | Allowed OS Logins | Description
---|---|---
joe | joe, root | Teleport user joe can log in to member Nodes as OS user joe or root.
bob | bob | Teleport user bob can log in to member Nodes only as OS user bob.
kim | (none specified) | If no OS login is specified, it defaults to the same name as the Teleport user, kim.
Let's add a new user to Teleport using the `tctl` tool. In Teleport Community Edition:

```
tctl users add joe --logins=joe,root --roles=access,editor
```

In commercial editions (Teleport Enterprise/Enterprise Cloud), you can also assign the `reviewer` role:

```
tctl users add joe --logins=joe,root --roles=access,editor,reviewer
```
Teleport generates an auto-expiring invite token (with a TTL of one hour) and prints a URL that must be used before the TTL expires:

```
User "joe" has been created but requires a password. Share this URL with the user to complete user setup, link is valid for 1h:
https://<proxy_host>:443/web/invite/<token>
```

NOTE: Make sure <proxy_host>:443 points at a Teleport Proxy Service address that users can reach. Anyone holding the invite URL can set the password and MFA device for the account, so deliver it to the intended user over a trusted channel rather than a shared chat or ticket.

The user completes registration by visiting this URL in their web browser, choosing a password, and registering a multi-factor authentication device. When the user then logs in with those credentials, the Teleport Auth Service generates and signs a new certificate, and the client stores the key and certificate and uses them for subsequent connections.

By default these credentials expire after 12 hours, after which the user must log in again with their password and MFA. This TTL can be configured to a different value (`max_session_ttl` in the user's role options).
The new account is listed by `tctl`:

```
tctl users ls
User  Allowed Logins
----  --------------
admin admin,root
kim   kim
joe   joe,root
```
Editing users
Admins can edit user entries via `tctl`.

For example, to see the full list of user records, an administrator can execute:

```
tctl get users
```

To edit the user joe, run the following command:

```
tctl edit user/joe
```

Make your changes, then save and close the file in your editor to apply them.
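The `tctl get users` / `tctl edit user/joe` workflow above exposes the user record as a YAML resource, and the `tctl users ls` listing in the previous section is what most admins grep when reviewing who can log in as root. The following is an added example, not Teleport's own code, that renders a user resource in the `kind: user` / `version: v2` shape `tctl get` prints (only the `spec.roles` and `spec.traits.logins` fields; `tctl get` also emits status fields that are not needed to create or overwrite a user), and flags root-capable users from a `tctl users ls` table. The table embedded in the script is constructed to match the listing on this page; the `tctl create -f` call in the comments is the real command for applying such a file.

```sh
#!/bin/sh
# Added example (not from the Teleport docs): helpers around local user records.

# render_user_yaml NAME "role1 role2 ..." "login1 login2 ..."
# Emits a minimal Teleport user resource in the shape shown by `tctl get users`.
# Assumption: only spec.roles and spec.traits.logins are managed this way; tctl
# fills in status fields itself.
render_user_yaml() {
  name=$1
  roles=$2
  logins=$3
  printf 'kind: user\nversion: v2\nmetadata:\n  name: %s\nspec:\n  roles:\n' "$name"
  for r in $roles; do
    printf '    - %s\n' "$r"
  done
  printf '  traits:\n    logins:\n'
  for l in $logins; do
    printf '      - %s\n' "$l"
  done
}

# root_capable: reads `tctl users ls` output on stdin and prints the Teleport
# usernames whose Allowed Logins column contains "root". The first two lines
# (column headers and the dashed rule) are skipped.
root_capable() {
  awk 'NR > 2 { n = split($2, a, ","); for (i = 1; i <= n; i++) if (a[i] == "root") print $1 }'
}

# Constructed sample of `tctl users ls` output (matches the listing on this page).
SAMPLE_LS='User  Allowed Logins
----  --------------
admin admin,root
kim   kim
joe   joe,root'

# Usage against a real cluster (after `tsh login`):
#   render_user_yaml joe "access editor" "joe root" > joe.yaml
#   tctl create -f joe.yaml          # -f overwrites the existing user joe
#   tctl get users/joe               # confirm the applied record
#   tctl users ls | root_capable     # who can log in as root right now

# Offline demo with the constructed sample: run as `sh users.sh demo`
if [ "${1:-}" = "demo" ]; then
  render_user_yaml joe "access editor" "joe root"
  echo "root-capable users:"
  printf '%s\n' "$SAMPLE_LS" | root_capable
fi
```

Keeping user records as files and applying them with `tctl create -f` means every change to a user's roles or OS logins goes through review, which is harder to guarantee with interactive `tctl edit` sessions. The root-login check is deliberately narrow; widen the `a[i] == "root"` test to any login you consider privileged in your environment.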
Deleting users
Admins can delete a local user via `tctl`:

```
tctl users rm joe
```
Next steps
In addition to users, you can use `tctl` to manage roles and other dynamic resources. See our Teleport Resources Reference.

For all available `tctl` commands and flags, see our CLI Reference.

You can also configure Teleport so that users can log in using an SSO provider (Teleport Enterprise/Enterprise Cloud) or GitHub (Teleport Community Edition). For more information, see GitHub SSO.