diff --git a/docs/pages/admin-guides/access-controls/device-trust/device-management.mdx b/docs/pages/admin-guides/access-controls/device-trust/device-management.mdx
index ef200e46dcd6..57f482872f4a 100644
--- a/docs/pages/admin-guides/access-controls/device-trust/device-management.mdx
+++ b/docs/pages/admin-guides/access-controls/device-trust/device-management.mdx
@@ -138,11 +138,14 @@ For auto-enrollment to work, the following conditions must be met:
integration, like the [Jamf Pro integration](./jamf-integration.mdx).
- Auto-enrollment must be enabled in the cluster setting.
-Enable auto-enrollment in your cluster settings:
+Enable auto-enrollment in your cluster settings. To do so, modify the dynamic
+config resource using the following command:
-
-
-Modify the dynamic config resource using `tctl edit cluster_auth_preference`:
+```code
+$ tctl edit cluster_auth_preference
+```
+
+Make the following change:
```diff
kind: cluster_auth_preference
@@ -156,22 +159,7 @@ spec:
+ auto_enroll: true
```
-
-
-Edit the Auth Server's `teleport.yaml` file:
-
-```diff
-auth_service:
- authentication:
- # ...
- device_trust:
-+ auto_enroll: true
-```
-
-After saving the changes, restart the Teleport service.
-
-
-
+Save and close your editor to apply your changes.
Once enabled, users with their device registered in Teleport will have their
device enrolled to Teleport in their next login.
@@ -244,18 +232,14 @@ To configure `ekcert_allowed_cas`, you must first obtain the CA certificate in
PEM format from the manufacturer of the TPM included in your devices. This step
varies from manufacturer to manufacturer.
-After you obtain the CA certificate in PEM format, there are two ways of
-configuring `ekcert_allowed_cas`:
+After you obtain the CA certificate in PEM format, modify the dynamic config
+resource using the following command:
-- Statically using the Teleport configuration file. This is the simplest
- option, but is not possible for Teleport Cloud clusters and not recommended
- for clusters in a highly available configuration.
-- Dynamically using `cluster_auth_preference` resource. This works with all
- clusters and is the most flexible.
+```code
+$ tctl edit cluster_auth_preference
+```
-
-
-Modify the dynamic config resource using `tctl edit cluster_auth_preference`:
+Make the following change:
```diff
kind: cluster_auth_preference
@@ -274,27 +258,7 @@ spec:
+ -----END CERTIFICATE-----
```
-
-
-Edit the Auth Server's `teleport.yaml` file and restart:
-
-```diff
-auth_service:
- authentication:
- ...
- device_trust:
-+ ekcert_allowed_cas:
-+ # The CA can be configured inline within the configuration file:
-+ - |
-+ -----BEGIN CERTIFICATE-----
-+ --snip--
-+ -----END CERTIFICATE-----
-+ # Or, it can be configured in the configuration file using a path:
-+ - /path/to/my/ekcert-ca.pem
-```
-
-
-
+Save and close your editor to apply your changes.
## Troubleshooting
diff --git a/docs/pages/admin-guides/access-controls/device-trust/enforcing-device-trust.mdx b/docs/pages/admin-guides/access-controls/device-trust/enforcing-device-trust.mdx
index 3bb1fff1e764..9ac5c819060c 100644
--- a/docs/pages/admin-guides/access-controls/device-trust/enforcing-device-trust.mdx
+++ b/docs/pages/admin-guides/access-controls/device-trust/enforcing-device-trust.mdx
@@ -96,10 +96,13 @@ accesses.
To enable device mode `required` update your configuration as follows:
-
-
-Create a `cap.yaml` file or get the existing configuration using
-`tctl get cluster_auth_preference`:
+Edit your cluster authentication preference using the following command:
+
+```code
+$ tctl edit cluster_auth_preference
+```
+
+Make the following change:
```diff
kind: cluster_auth_preference
@@ -115,39 +118,11 @@ spec:
+ mode: "required" # add this line
```
-Update the configuration:
-
-```code
-$ tctl create -f cap.yaml
-cluster auth preference has been updated
-```
-
-You can also edit this configuration directly:
-
-```code
-$ tctl edit cluster_auth_preference
-```
-
-
-
-Edit the Auth Server's `teleport.yaml` file and restart all Auth Services:
-
-```diff
-auth_service:
- authentication:
- type: local
- second_factor: "on"
- webauthn:
- rp_id: (=clusterDefaults.clusterName=)
- device_trust:
-+ mode: "required" # add this line
-```
-
-
-
+Save and close your editor to apply your changes.
-Once the config is updated, SSH, Database and Kubernetes access without a trusted device will be forbidden.
-For example, SSH access without a trusted device fails with the following error:
+Once the config is updated, SSH, Database and Kubernetes access without a
+trusted device will be forbidden. For example, SSH access without a trusted
+device fails with the following error:
```code
$ tsh ssh (=clusterDefaults.nodeIP=)
diff --git a/docs/pages/admin-guides/access-controls/guides/mfa-for-admin-actions.mdx b/docs/pages/admin-guides/access-controls/guides/mfa-for-admin-actions.mdx
index a3cab5e3e3b5..809a3b193ba8 100644
--- a/docs/pages/admin-guides/access-controls/guides/mfa-for-admin-actions.mdx
+++ b/docs/pages/admin-guides/access-controls/guides/mfa-for-admin-actions.mdx
@@ -56,50 +56,30 @@ WebAuthn is the only form of second factor allowed.
for a wider range of cluster configurations.
-
-
-
- Edit the `cluster_auth_preference` resource:
-
- ```code
- $ tctl edit cap
- ```
-
- Update the `cluster_auth_preference` definition to include the following content:
-
- ```yaml
- kind: cluster_auth_preference
- version: v2
- metadata:
- name: cluster-auth-preference
- spec:
- type: local
- # To make webauthn the only form of second factor allowed, set this field to 'webauthn'.
- second_factor: "webauthn"
- webauthn:
- rp_id: example.com
- ```
-
- Save and exit the file. `tctl` will update the remote definition:
-
- ```text
- cluster auth preference has been updated
- ```
-
-
-
- Edit the Auth Service's `teleport.yaml` file and restart all Auth Service instances:
-
- ```yaml
- # snippet from /etc/teleport.yaml:
- auth_service:
- authentication:
- type: local
- # To make webauthn the only form of second factor allowed, set this field to 'webauthn'.
- second_factor: "webauthn"
- webauthn:
- rp_id: example.com
- ```
-
-
-
+Edit the `cluster_auth_preference` resource:
+
+```code
+$ tctl edit cap
+```
+
+Update the `cluster_auth_preference` definition to include the following content:
+
+```yaml
+kind: cluster_auth_preference
+version: v2
+metadata:
+ name: cluster-auth-preference
+spec:
+ type: local
+ # To make webauthn the only form of second factor allowed, set this field to 'webauthn'.
+ second_factor: "webauthn"
+ webauthn:
+ rp_id: example.com
+```
+
+Save and exit the file. `tctl` will update the remote definition:
+
+```text
+cluster auth preference has been updated
+```
+
diff --git a/docs/pages/admin-guides/access-controls/guides/passwordless.mdx b/docs/pages/admin-guides/access-controls/guides/passwordless.mdx
index 1ece97815ff4..a2931cda9ed6 100644
--- a/docs/pages/admin-guides/access-controls/guides/passwordless.mdx
+++ b/docs/pages/admin-guides/access-controls/guides/passwordless.mdx
@@ -119,54 +119,17 @@ using `tsh login --proxy=example.com --auth=local` in order to get their first
passwordless registration.
To enable passwordless by default, add `connector_name: passwordless` to your
-cluster configuration:
+cluster configuration.
-
-
-
-
- Auth Server `teleport.yaml` file:
-
- ```yaml
- auth_service:
- authentication:
- type: local
- second_factor: on
- webauthn:
- rp_id: example.com
- connector_name: passwordless # passwordless by default
- ```
-
-
- Create a `cap.yaml` file or get the existing configuration using
- `tctl get cluster_auth_preference`:
-
- ```yaml
- kind: cluster_auth_preference
- version: v2
- metadata:
- name: cluster-auth-preference
- spec:
- type: local
- second_factor: "on"
- webauthn:
- rp_id: example.com
- connector_name: passwordless # passwordless by default
- ```
-
- Update the configuration:
-
- ```code
- $ tctl create -f cap.yaml
- # cluster auth preference has been updated
- ```
-
-
-
+Edit your cluster authentication preference configuration using the following
+command:
+
+```code
+$ tctl edit cluster_auth_preference
+```
-
-Create a `cap.yaml` file or get the existing configuration using
-`tctl get cluster_auth_preference`:
+Ensure that the configuration includes the `connector_name` field as shown
+below:
```yaml
kind: cluster_auth_preference
@@ -181,16 +144,6 @@ spec:
connector_name: passwordless # passwordless by default
```
-Update the configuration:
-
-```code
-$ tctl create -f cap.yaml
-# cluster auth preference has been updated
-```
-
-
-
-
## Troubleshooting
### "Allow passwordless logins" doesn't appear
@@ -259,55 +212,15 @@ $ tsh webauthnwin diag
### Disable passwordless
If you want to forbid passwordless access to your cluster, add `passwordless:
-false` to your configuration:
+false` to your configuration. Edit your cluster authentication preference using
+the following command:
-
-
-
-
- Auth Server `teleport.yaml` file:
-
- ```yaml
- # snippet from /etc/teleport.yaml:
- auth_service:
- authentication:
- type: local
- second_factor: on
- webauthn:
- rp_id: example.com
- passwordless: false # disable passwordless
- ```
-
-
- Create a `cap.yaml` file or get the existing configuration using
- `tctl get cluster_auth_preference`:
-
- ```yaml
- kind: cluster_auth_preference
- version: v2
- metadata:
- name: cluster-auth-preference
- spec:
- type: local
- second_factor: "on"
- webauthn:
- rp_id: example.com
- passwordless: false # disable passwordless
- ```
-
- Update the configuration:
-
- ```code
- $ tctl create -f cap.yaml
- # cluster auth preference has been updated
- ```
-
-
-
+```code
+$ tctl edit cluster_auth_preference
+```
-
-Create a `cap.yaml` file or get the existing configuration using
-`tctl get cluster_auth_preference`:
+In your editor, ensure that your `cluster_auth_preference` includes a
+`passwordless` field similar to the following:
```yaml
kind: cluster_auth_preference
@@ -322,15 +235,7 @@ spec:
passwordless: false # disable passwordless
```
-Update the configuration:
-
-```code
-$ tctl create -f cap.yaml
-# cluster auth preference has been updated
-```
-
-
-
+Save and close your editor to apply your changes.
### Why did my multi-factor authentication (MFA) device become a passkey?
diff --git a/docs/pages/admin-guides/access-controls/guides/per-session-mfa.mdx b/docs/pages/admin-guides/access-controls/guides/per-session-mfa.mdx
index e09365dd95da..c2fa8ed63f9e 100644
--- a/docs/pages/admin-guides/access-controls/guides/per-session-mfa.mdx
+++ b/docs/pages/admin-guides/access-controls/guides/per-session-mfa.mdx
@@ -56,51 +56,8 @@ Per-session MFA can be enforced cluster-wide or only for some specific roles.
### Cluster-wide
-
-
-
To enforce MFA checks for all roles, edit your cluster authentication
-configuration:
-
-
-
-
-Update `teleport.yaml` on the Auth Server to include the following content:
-
-```yaml
-auth_service:
- authentication:
- # require per-session MFA cluster-wide
- require_session_mfa: yes
-```
-
-
-
-
-Edit your `cluster_auth_preference` resource:
-
-```code
-$ tctl edit cap
-```
-
-Ensure that the resource contains the following content:
-
-```yaml
-kind: cluster_auth_preference
-metadata:
- name: cluster-auth-preference
-spec:
- require_session_mfa: true
-version: v2
-```
-
-Apply your changes by saving and closing the file in your editor.
-
-
-
-
-
-
+configuration.
Edit your `cluster_auth_preference` resource:
@@ -121,10 +78,6 @@ version: v2
Apply your changes by saving and closing the file in your editor.
-
-
-
-
### Per role
To enforce MFA checks for a specific role, update the role to contain:
diff --git a/docs/pages/connect-your-client/web-ui.mdx b/docs/pages/connect-your-client/web-ui.mdx
index 22b8c6202d1d..be05318f09d5 100644
--- a/docs/pages/connect-your-client/web-ui.mdx
+++ b/docs/pages/connect-your-client/web-ui.mdx
@@ -40,9 +40,6 @@ interacted with any Web UI browser tab, either through keyboard input or mouse m
To change the default idle timeout of 10 minutes, ask your cluster admin to adjust the
`web_idle_timeout` setting in the Auth Service configuration.
-
-
-
Use `tctl` to edit the `cluster_networking_config` value:
```code
@@ -68,15 +65,3 @@ After you save and exit the editor, `tctl` will update the resource:
cluster networking configuration has been updated
```
-
-
-
-Update `/etc/teleport.yaml` in the `auth_service` section and restart the `teleport` daemon.
-
-```yaml
-auth_service:
- web_idle_timeout: 10m0s
-```
-
-
-
diff --git a/docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-opensearch.mdx b/docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-opensearch.mdx
index 5fd5b7cffb2e..bc4a2f57b5bc 100644
--- a/docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-opensearch.mdx
+++ b/docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-opensearch.mdx
@@ -184,9 +184,6 @@ Use the token provided by the output of this command in the next step.
(!docs/pages/includes/install-linux.mdx!)
-
-
-
On the host where you will run the Teleport Database Service, start Teleport
with the appropriate configuration.
@@ -214,59 +211,6 @@ $ sudo teleport db configure create \
(!docs/pages/includes/start-teleport.mdx service="the Teleport Database Service"!)
-
-
-
-Modify your Teleport Database Service static configuration file:
-
-```yaml
-db_service:
- enabled: "yes"
- databases:
- - name: example-opensearch
- aws:
- account_id: "(=aws.aws_access_key=)"
- protocol: opensearch
- uri: :443
- static_labels:
- env: dev
-```
-
-Restart the Teleport Database Service for the configuration file changes to take
-effect.
-
-
-
-Create a dynamic database resource to dynamically register an AWS database
-in an external account and proxy connections to it.
-
-```yaml
-kind: db
-version: v3
-metadata:
- name: "example-opensearch"
- description: "Example dynamic database resource"
- labels:
- env: "dev"
-spec:
- protocol: "opensearch"
- uri: :443
- aws:
- account_id: "(=aws.aws_access_key=)"
-```
-
-Save the configuration to a file like `database.yaml` and create it with `tctl`:
-
-```code
-$ tctl create database.yaml
-```
-
-For more information about database registration using dynamic database
-resources, see: [Dynamic Registration](../guides/dynamic-registration.mdx).
-
-
-
-
## Step 4/4. Connect
Once the Database Service has started and joined the cluster, you can start accessing Amazon OpenSearch API:
diff --git a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/oracle-self-hosted.mdx b/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/oracle-self-hosted.mdx
index f66f25e7317a..17f1aef4d745 100644
--- a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/oracle-self-hosted.mdx
+++ b/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/oracle-self-hosted.mdx
@@ -204,10 +204,9 @@ AUDIT ALL STATEMENTS by alice BY access;
You must enable auditing for each Teleport user that will be used to connect to Oracle.
Additionally you can create a different audit policy for each user.
-Configure the Teleport Database Service to pull audit logs from Oracle Audit Trail:
+Edit the Database Service configuration you created earlier pull audit logs from
+Oracle Audit Trail:
-
-
```yaml
db_service:
enabled: "yes"
@@ -218,22 +217,6 @@ db_service:
oracle:
audit_user: "teleport"
```
-
-
-```yaml
-kind: db
-version: v3
-metadata:
- name: oracle
-spec:
- protocol: "oracle"
- uri: "oracle.example.com:2484"
- oracle:
- audit_user: "teleport"
-```
-
-
-
Teleport doesn't clean up audit trail events from Oracle Audit Trail.
Make sure to configure an Oracle Audit Trail cleanup policy to avoid running out of disk space.
diff --git a/docs/pages/includes/database-access/auto-user-provisioning/db-definition-default-dbname.mdx b/docs/pages/includes/database-access/auto-user-provisioning/db-definition-default-dbname.mdx
index 8db14c3ab953..f5283bfed938 100644
--- a/docs/pages/includes/database-access/auto-user-provisioning/db-definition-default-dbname.mdx
+++ b/docs/pages/includes/database-access/auto-user-provisioning/db-definition-default-dbname.mdx
@@ -1,23 +1,6 @@
{{ default="'teleport'" }}
Next, configure the database admin user in the Teleport database configuration:
-
-
-```yaml
-db_service:
- enabled: "yes"
- databases:
- - name: "example"
- protocol: "{{ protocol }}"
- uri: "{{ uri }}"
- admin_user:
- name: "teleport-admin"
- # Optional default database the admin user logs into. Default is
- # {{ default }}, if not specified.
- # default_database: teleport
-```
-
-
```yaml
kind: db
version: v3
@@ -32,11 +15,12 @@ spec:
# {{ default }}, if not specified.
# default_database: teleport
```
-
-
-
+This example assumes that you have configured the database as a dynamic
+resource. If you have configured your database using a static Teleport Database
+Service configuration, edit the entry in your `db_service.databases`
+configuration.
+
For auto-discovered cloud databases, the name of the admin user is taken from
the `teleport.dev/db-admin` label, and the default database is taken from the
`teleport.dev/db-admin-default-database` label.
-
diff --git a/docs/pages/includes/database-access/auto-user-provisioning/db-definition-self-hosted.mdx b/docs/pages/includes/database-access/auto-user-provisioning/db-definition-self-hosted.mdx
index c238a65926a1..84cdb5a0f120 100644
--- a/docs/pages/includes/database-access/auto-user-provisioning/db-definition-self-hosted.mdx
+++ b/docs/pages/includes/database-access/auto-user-provisioning/db-definition-self-hosted.mdx
@@ -1,19 +1,5 @@
Next, configure the database admin user in the Teleport database configuration:
-
-
-```yaml
-db_service:
- enabled: "yes"
- databases:
- - name: "example"
- protocol: "{{ protocol }}"
- uri: "{{ uri }}"
- admin_user:
- name: "teleport-admin"
-```
-
-
```yaml
kind: db
version: v3
@@ -25,5 +11,8 @@ spec:
admin_user:
name: "teleport-admin"
```
-
-
+
+This example assumes that you have configured the database as a dynamic
+resource. If you have configured your database using a static Teleport Database
+Service configuration, edit the entry in your `db_service.databases`
+configuration.
diff --git a/docs/pages/includes/database-access/auto-user-provisioning/db-definition.mdx b/docs/pages/includes/database-access/auto-user-provisioning/db-definition.mdx
index c2a7749c4605..ac4afded4f7a 100644
--- a/docs/pages/includes/database-access/auto-user-provisioning/db-definition.mdx
+++ b/docs/pages/includes/database-access/auto-user-provisioning/db-definition.mdx
@@ -1,19 +1,5 @@
Next, configure the database admin user in the Teleport database configuration:
-
-
-```yaml
-db_service:
- enabled: "yes"
- databases:
- - name: "example"
- protocol: "{{ protocol }}"
- uri: "{{ uri }}"
- admin_user:
- name: "teleport-admin"
-```
-
-
```yaml
kind: db
version: v3
@@ -25,10 +11,11 @@ spec:
admin_user:
name: "teleport-admin"
```
-
-
-
+This example assumes that you have configured the database as a dynamic
+resource. If you have configured your database using a static Teleport Database
+Service configuration, edit the entry in your `db_service.databases`
+configuration.
+
For auto-discovered cloud databases, the name of the admin user is taken from
the `teleport.dev/db-admin` label.
-
diff --git a/docs/pages/includes/enterprise/oidcauthentication.mdx b/docs/pages/includes/enterprise/oidcauthentication.mdx
index 5ecb3a6ce3b3..136102ea8365 100644
--- a/docs/pages/includes/enterprise/oidcauthentication.mdx
+++ b/docs/pages/includes/enterprise/oidcauthentication.mdx
@@ -1,39 +1,19 @@
Configure Teleport to use OIDC authentication as the default instead of the local
user database.
-Follow the instructions for your Teleport edition:
-
-
-
-
- Update `/etc/teleport.yaml` in the `auth_service` section and restart the `teleport` daemon.
-
- ```yaml
- auth_service:
- authentication:
- type: oidc
-
- ```
-
-
-
-
- Create a file called `cap.yaml`:
-
- ```yaml
- kind: cluster_auth_preference
- metadata:
- name: cluster-auth-preference
- spec:
- type: oidc
- version: v2
- ```
-
- Create a resource:
-
- ```code
- $ tctl create -f cap.yaml
- ```
-
-
-
+Edit your `cluster_auth_preference` resource:
+
+```code
+$ tctl edit cap
+```
+
+In your editor, ensure that the file contains the following content:
+
+```yaml
+kind: cluster_auth_preference
+metadata:
+ name: cluster-auth-preference
+spec:
+ type: oidc
+version: v2
+```
diff --git a/docs/pages/includes/enterprise/samlauthentication.mdx b/docs/pages/includes/enterprise/samlauthentication.mdx
index dfabdb7a3ec7..9fcd1e9db536 100644
--- a/docs/pages/includes/enterprise/samlauthentication.mdx
+++ b/docs/pages/includes/enterprise/samlauthentication.mdx
@@ -3,11 +3,6 @@
Configure Teleport to use SAML authentication as the default instead of the local
user database.
-Follow the instructions for your Teleport edition:
-
-
-
-
Use `tctl` to edit the `cluster_auth_preference` value:
```code
@@ -34,20 +29,6 @@ After you save and exit the editor, `tctl` will update the resource:
cluster auth preference has been updated
```
-
-
-
-Update `/etc/teleport.yaml` in the `auth_service` section and restart the `teleport` daemon.
-
-```yaml
-auth_service:
- authentication:
- type: saml
-```
-
-
-
-
If you need to log in again before configuring your SAML provider, use the flag `--auth=local`.