When a user decides to connect to a specific DB instance, the connection goes from psql to a proxy, then (via an appropriate reverse SSH tunnel) to the corresponding sidecar and from there, via mutual TLS, to the target database instance.These tunnels are how database instances are registered as “online”. The sidecar establishes an outgoing persistent reverse SSH tunnel to the proxy. Meanwhile, Teleport’s database service process (shown as “sidecar” in the diagram) is running on the same network as a database.tsh also configures the user’s command line environment, so psql knows to talk to the proxy. The tsh client is now aware of all databases available to this user.After the user completes the login process, the Teleport certificate authority ( CA) issues an x.509 certificate, filled with the user’s identity metadata (roles, etc.) which is returned to the client.
This could be any identity provider: Google apps, GitHub, Okta, Active Directory, etc. The Teleport proxy running on accepts the login request and forwards the client to the company’s identity platform.
The server daemon can perform several functions: Teleport consists of just two dependency-free binaries: the teleport daemon runs on servers, and the tsh CLI runs on clients. It is used by smart engineering teams to access various computing resources on public and private clouds, such as:
Teleport is an open source, identity-aware, access proxy with an integrated certificate authority.