# MFA for Administrative Actions Teleport can be configured to require additional multi-factor authentication checks to perform administrative actions through `tctl`, `tsh`, the Web UI, Teleport Connect, and any other Teleport client. Examples of administrative actions include, but are not limited to: - Resetting or recovering user accounts - Inviting new users - Updating cluster configuration resources - Modifying access management resources - Approving Access Requests - Generating new join tokens - Impersonation - Creating new bots for Machine & Workload Identity This is an advanced security feature that protects users against compromises of their on-disk Teleport certificates. --- WARNING When MFA for administrative actions is enabled, user certificates produced with `tctl auth sign` will no longer be suitable for automation due to the additional MFA checks. We recommend using [Machine & Workload Identity](https://goteleport.com/docs/machine-workload-identity/getting-started.md) to issue certificates for automated workflows, which uses role impersonation that is not subject to MFA checks. Certificates produced with `tctl auth sign` directly on an Auth Service instance using the super-admin role are not subject to MFA checks to support legacy self-hosted setups. --- ## Prerequisites - A running Teleport cluster. If you want to get started with Teleport, [sign up](https://goteleport.com/signup) for a free trial or [set up a demo environment](https://goteleport.com/docs/get-started/deploy-community.md). - The `tctl` and `tsh` clients. Installing `tctl` and `tsh` clients 1. Determine the version of your Teleport cluster. The `tctl` and `tsh` clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at `/v1/webapi/find` and use a JSON query tool to obtain your cluster version. Replace teleport.example.com:443 with the web address of your Teleport Proxy Service: ``` $ TELEPORT_DOMAIN=teleport.example.com:443 $ TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')" ``` 2. Follow the instructions for your platform to install `tctl` and `tsh` clients: **Mac** Download the signed macOS .pkg installer for Teleport, which includes the `tctl` and `tsh` clients: ``` $ curl -O https://cdn.teleport.dev/teleport-${TELEPORT_VERSION?}.pkg ``` In Finder double-click the `pkg` file to begin installation. --- DANGER Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security. --- **Windows - Powershell** ``` $ curl.exe -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-windows-amd64-bin.zip Unzip the archive and move the `tctl` and `tsh` clients to your %PATH% NOTE: Do not place the `tctl` and `tsh` clients in the System32 directory, as this can cause issues when using WinSCP. Use %SystemRoot% (C:\Windows) or %USERPROFILE% (C:\Users\) instead. ``` **Linux** All of the Teleport binaries in Linux installations include the `tctl` and `tsh` clients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our [installation page](https://goteleport.com/docs/installation.md). ``` $ curl -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz $ tar -xzf teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz $ cd teleport $ sudo ./install Teleport binaries have been copied to /usr/local/bin ``` * To check that you can connect to your Teleport cluster, sign in with `tsh login`, then verify that you can run `tctl` commands using your current credentials. For example, run the following command, assigning teleport.example.com to the domain name of the Teleport Proxy Service in your cluster and email\@example.com to your Teleport username: ``` $ tsh login --proxy=teleport.example.com --user=email@example.com $ tctl status Cluster teleport.example.com Version 19.0.0-dev CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678 ``` If you can connect to the cluster and run the `tctl status` command, you can use your current credentials to run subsequent `tctl` commands from your workstation. If you host your own Teleport cluster, you can also run `tctl` commands on the computer that hosts the Teleport Auth Service for full permissions. * [WebAuthn configured](https://goteleport.com/docs/zero-trust-access/management/security/idp-compromise.md) on this cluster * Multi-factor authentication hardware device, such as YubiKey or SoloKey * A Web browser with [WebAuthn support](https://developers.yubico.com/WebAuthn/WebAuthn_Browser_Support/) (if using SSH or desktop sessions from the Teleport Web UI). ## Require MFA for administrative actions MFA for administrative actions is automatically enforced for clusters where WebAuthn is the only form of multi-factor authentication allowed. --- NOTE In a future major version, Teleport may enforce MFA for administrative actions for a wider range of cluster configurations. --- Edit the `cluster_auth_preference` resource: ``` $ tctl edit cap ``` Update the `cluster_auth_preference` definition to include the following content: ``` kind: cluster_auth_preference version: v2 metadata: name: cluster-auth-preference spec: type: local second_factors: ["webauthn"] webauthn: rp_id: example.com ``` Save and exit the file. `tctl` will update the remote definition: ``` cluster auth preference has been updated ```