sFTP connection using teleport

I am trying to set up an sFTP connection to a WordPress instance using Teleport. I am stuck at this point and getting the following error message.

sftp -o ConnectTimeout=3 -o ProxyCommand='ssh -i ~/.tsh/keys/teleport.example.com/xxx.yyy -p 3023 %r@nlb-teleport.example.com -s proxy:%h:%p' -o 'ForwardAgent=yes' -o Port=3022 -o IdentityFile='~/.tsh/keys/teleport.example.com/xxx.yyyy' user@wordpress.example.com

subsystem request failed on channel 0
Connection closed

I have also tried the following:
sftp -F ~/.ssh/config -o 'ForwardAgent yes' xxx.yyyy@wordpress.example.com

subsystem request failed on channel 0
Connection closed

Happy to have your help.
Thank you
Achar

Teleport nodes don’t support the sftp subsystem directly. In this instance, you should use scp or tsh scp instead.

If you’re connecting to a node running sshd rather than a node running teleport, however, I think sftp should work. Is wordpress.example.com running sshd?

sFTP is a requirement for the product team, as it is easier for them to upload the files.

Yes, the WordPress server is running sshd.

Thanks,
Ankit

I just tested this myself and it looks like sftp does work. One thing that’s important is that if the host is using sshd, you will need to connect to port 22 (sshd) and not 3022 (Teleport). I saw that you were using port 3022 in your command above, which will not work.

This command worked for me:

sftp -o ForwardAgent=yes -o ConnectTimeout=3 -o ProxyCommand="ssh -i ~/.tsh/keys/teleport.example.com/user -o ForwardAgent=yes -p 3023 %r@teleport.example.com -s proxy:%h:%p" -i ~/.tsh/keys/teleport.example.com/webvictim login@ssh_host

For this to work, you will need to have followed the steps detailed on https://gravitational.com/teleport/docs/openssh-teleport

If you haven’t done this, here is a quick guide on what to do:

  1. Export your Teleport user CA from the Teleport auth server:

sudo tctl auth export --type=user > teleport_user_ca.pub

  2. Remove @cert-authority from the beginning of the line in the teleport_user_ca.pub file, then copy the teleport_user_ca.pub file to /etc/ssh on your sshd-based server.

  3. Sign a host key and certificate for the sshd-based host on the Teleport auth server:

sudo tctl auth sign --host=host.example.com --format=openssh --out host_key

(you can add multiple comma-separated values to the --host directive - for example, if the IP of the server is 1.2.3.4 and you would also like to be able to access the server using that IP via Teleport, you could use --host=host.example.com,1.2.3.4)

  4. Copy the host_key and host_key-cert.pub files to /etc/ssh on your sshd-based server.

  5. Add these lines to /etc/ssh/sshd_config on the sshd-based server:

# Present a host key/certificate to Teleport
HostKey /etc/ssh/host_key
HostCertificate /etc/ssh/host_key-cert.pub

# Trust user certificates issued by Teleport
TrustedUserCAKeys /etc/ssh/teleport_user_ca.pub

  6. Restart sshd

At this point the command above (either with ssh for an interactive session or sftp for file transfer) should work.

Let me know how you get on. If it doesn’t work, please post the sshd logs from the host and the teleport logs from the auth/proxy server at DEBUG level for further assistance.
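The two steps that most often go wrong in the procedure above are the hand-edited CA file (step 2) and the sshd_config directives (step 5). The following helpers, an added example that is not part of the thread and not Teleport's own tooling, normalise an exported CA line and check both files before sshd is restarted. Assumed: the exported line may start with "cert-authority " or "@cert-authority " and may carry a host pattern before the key type; TrustedUserCAKeys expects a plain "keytype base64 [comment]" line.

```shell
#!/bin/sh
# Added example, not from the thread or from Teleport: check the CA file that
# TrustedUserCAKeys will read and the sshd_config directives from step 5.

# Turn each exported CA line on stdin into a TrustedUserCAKeys-compatible line:
# drop the (@)cert-authority marker, then drop a host-pattern token if one sits
# in front of the key type (assumed export format, see lead-in).
normalize_teleport_ca() {
    sed -E -e 's/^@?cert-authority[[:space:]]+//' \
           -e 's/^[^[:space:]]+[[:space:]]+((ssh|ecdsa|sk)-)/\1/'
}

# Succeed only if the file is non-empty and every line is an OpenSSH public
# key (key type, base64 blob, optional comment), which is what sshd parses.
validate_ca_file() {
    [ -s "$1" ] &&
    ! grep -Ev '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-[^ ]+) [A-Za-z0-9+/]+=*( .*)?$' "$1" >/dev/null
}

# Succeed only if sshd_config carries all three directives from step 5,
# uncommented and followed by an absolute path.
check_sshd_config() {
    for directive in HostKey HostCertificate TrustedUserCAKeys; do
        grep -Eq "^[[:space:]]*$directive[[:space:]]+/" "$1" || {
            echo "missing or commented out: $directive" >&2
            return 1
        }
    done
}

# Constructed demo input; the key blob is a placeholder, not a real CA key.
demo_dir=$(mktemp -d)
printf '%s\n' '@cert-authority *.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB type=user' \
    | normalize_teleport_ca > "$demo_dir/teleport_user_ca.pub"
validate_ca_file "$demo_dir/teleport_user_ca.pub" && echo "teleport_user_ca.pub: OK"
printf '%s\n' 'HostKey /etc/ssh/host_key' \
    'HostCertificate /etc/ssh/host_key-cert.pub' \
    'TrustedUserCAKeys /etc/ssh/teleport_user_ca.pub' > "$demo_dir/sshd_config"
check_sshd_config "$demo_dir/sshd_config" && echo "sshd_config: OK"
rm -rf "$demo_dir"
```

Run the two checks on the real files under /etc/ssh on the sshd host before restarting sshd; a CA line that still carries the marker or host pattern is silently ignored by sshd and shows up only as a failed certificate login.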