Add documentation for using tctl remotely

[pschisa]

Details

Currently, the use of tctl remotely after logging in to a Teleport cluster via tsh is not well documented.

The only mentions of using tctl remotely I could find in the docs are:

1. A few comments in the Teleport Pro FAQ (https://goteleport.com/docs/pro/faq/#how-can-i-access-the-tctl-admin-tool and https://goteleport.com/docs/pro/faq/#why-am-i-getting-permission-denied-errors-when-using-tctl) which are not entirely comprehensive on how to use the tctl tool remotely. This is also not helpful for on-prem customers.

2. https://goteleport.com/docs/cli-docs/#tctl mentions it in the last paragraph but mentions that tctl "must be run on the same host with the role auth" in the same summary, leading to confusion

3. https://goteleport.com/docs/changelog/#improvements-7 mentions it in the 4.2.0 changelog but tells users to "Read the Docs" which links to a 404 error (https://goteleport.com/docs/ver/4.2/cli-docs/#tctl)

Request is to have the functionality of using tctl remotely clearly defined in the tctl section with a comprehensive list of requirements that are different from tsh (required role permissions, not having a local configuration, access to reverse tunnel port, etc.). Also, all dated references to only being able to use the tctl tool on the auth servers should be adjusted. This will help make it clear to users that tctl can be run remotely when logged in via tsh and how to successfully set up that access.

Might be able to knock out #3018 in the same pass.

Category

• Improve Existing
• Remove Outdated