...

The notable difference between Teleport and our current services is that a specific command-line application, called tsh, is required to perform the single sign-on step (once per day).

The single sign-on step opens a web browser and prompts the user for their username and password (from the token). This means that if we migrate away from ActivID in the future, the Teleport service is not affected in any way, because login is delegated to the web service.

After login, the user's ssh-agent is populated with SSH certificates signed by the Teleport server and valid for a limited time (say, eight hours).

SSH clients present the certificates, in a similar way to SSH keys, each time they log in, and the certificates are validated by both the Teleport gateway and the destination host.

Tip

With Teleport, users are authenticated both at the gateway and at the destination host.
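To make the time-limited certificates described above concrete, the following added example (not part of the original page and not Teleport's own code) parses the validity window out of an OpenSSH certificate and checks it against an eight-hour lifetime policy. It assumes the ssh-ed25519-cert-v01@openssh.com format, does not verify the CA signature, and uses a constructed sample certificate with dummy key material; all function names are hypothetical.

```python
import base64
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"  # only type handled here

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def build_sample_cert(valid_after: int, valid_before: int) -> str:
    """Constructed sample: dummy key and signature, real field order."""
    blob = b"".join([
        ssh_string(CERT_TYPE), ssh_string(b"\x00" * 32),  # type, nonce
        ssh_string(b"\x01" * 32),                         # dummy public key
        struct.pack(">QI", 1, 1),                         # serial, 1 = user cert
        ssh_string(b"alice@example"), ssh_string(ssh_string(b"alice")),
        struct.pack(">QQ", valid_after, valid_before),    # validity window
        ssh_string(b"") * 3,            # critical options, extensions, reserved
        ssh_string(b"dummy-ca-key"), ssh_string(b"dummy-signature"),
    ])
    return CERT_TYPE.decode() + " " + base64.b64encode(blob).decode()

def read_strings(buf: bytes, pos: int, count: int):
    """Read `count` SSH strings from buf at pos; return (values, new pos)."""
    out = []
    for _ in range(count):
        (n,) = struct.unpack_from(">I", buf, pos)
        if pos + 4 + n > len(buf):
            raise ValueError("truncated certificate")
        out.append(buf[pos + 4:pos + 4 + n])
        pos += 4 + n
    return out, pos

def parse_cert(line: str) -> dict:
    """Extract cert kind, key id and validity window (no signature check)."""
    blob = base64.b64decode(line.split()[1])
    (ctype, _nonce, _pubkey), pos = read_strings(blob, 0, 3)
    if ctype != CERT_TYPE:
        raise ValueError("unsupported certificate type")
    _serial, kind = struct.unpack_from(">QI", blob, pos)
    (key_id, _principals), pos = read_strings(blob, pos + 12, 2)
    after, before = struct.unpack_from(">QQ", blob, pos)
    return {"kind": kind, "key_id": key_id.decode(),
            "valid_after": after, "valid_before": before}

def is_acceptable(cert: dict, now: int, max_lifetime: int = 8 * 3600) -> bool:
    """User cert, inside its window, and no longer-lived than max_lifetime."""
    lifetime = cert["valid_before"] - cert["valid_after"]
    return (cert["kind"] == 1 and lifetime <= max_lifetime
            and cert["valid_after"] <= now < cert["valid_before"])
```

The same window check is what makes a stolen certificate far less useful than a stolen long-lived SSH key: once `valid_before` has passed, it is rejected wherever it is presented.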

...