Securing Infrastructure Access at Scale in Large Enterprises
Dec 12
Virtual
Register Now
Teleport logoTry For Free
Fork me on GitHub

Teleport

Teleport Changelog

Changelog

17.0.2 (11/25/2024)

  • Fixed missing user participants in session recordings listing for non-interactive Kubernetes recordings. #49343
  • Support delegated joining for Bitbucket Pipelines in Machine ID. #49335
  • Fix a bug in the Teleport Operator chart that causes the operator to not be able to watch secrets during secret injection. #49327
  • You can now search text within SSH sessions in the Web UI and Teleport Connect. #49269
  • Teleport Connect now refreshes the resources view after dropping an access request. #49264
  • Fixed an issue where teleport park processes could be leaked causing runaway resource usage. #49260
  • Fixed VNet not being able to connect to the daemon. #49199
  • The tsh puttyconfig command now disables GSSAPI auth settings to avoid a "Not Responding" condition in PuTTY. #49189
  • Allow Azure VMs to join from a different subscription than their managed identity. #49156
  • Fix an issue loading the license file when Teleport is started without a configuration file. #49150
  • Added support for directly configuring JWKS for GitHub joining for circumstances where the GHES is not reachable by the Teleport Auth Service. #49049
  • Fixed a bug where Access Lists imported from Microsoft Entra ID fail to be created if their display names include special characters. #5551

17.0.1 (11/15/2024)

Teleport 17 brings the following new features and improvements:

  • Refreshed web UI
  • Modern signature algorithms
  • (Preview) AWS IAM Identity Center integration
  • Hardware key support for Teleport Connect
  • Nested access lists
  • Access lists UI/UX improvements
  • Signed and notarized macOS assets
  • Datadog Incident Management plugin for access requests
  • Hosted Microsoft Teams plugin for access requests
  • Dynamic registration for Windows desktops
  • Support for images in web SSH sessions
  • tbot CLI updates

Description

Refreshed Web UI

We have updated and improved designs and added a new navigation menu to Teleport 17’s web UI to enhance its usability and scalability.

Modern signature algorithms

Teleport 17 admins have the option to use elliptic curve cryptography for the majority of user, host, and certificate authority key material.

This includes Ed25519 SSH keys and ECDSA TLS keys, replacing the RSA keys used today.

New clusters will leverage modern signature algorithms by default. Existing Teleport clusters will continue to use RSA2048 until a CA rotation is performed.

(Preview) AWS IAM Identity Center integration

Teleport 17 integrates with AWS IAM Identity Center to allow users to sync and manage AWS IC group members via Access Lists.

Hardware key support for Teleport Connect

We have extended Teleport 17’s support for hardware-backed private keys to Teleport Connect.

Nested access lists

Teleport 17 admins and access list owners can add access lists as members in other access lists.

Access lists UI/UX improvements

Teleport 17 web UI has an updated access lists page that will include the new table view, improved search and filtering capabilities.

Signed and notarized macOS assets

Starting from Teleport 17 macOS teleport.pkg installer includes signed and notarized tsh.app and tctl.app so downloading a separate tsh.pkg to use Touch ID is no longer necessary.

In addition, Teleport 17 event handler and Terraform provider for macOS are also signed and notarized.

Datadog Incident Management plugin for access requests

Teleport 17 supports PagerDuty-like integration with Datadog's on-call and incident management APIs for access request notifications.

Hosted Microsoft Teams plugin for access requests

Teleport 17 adds support for Microsoft Teams integration for access request notifications using Teleport web UI without needing to self-host the plugin.

Dynamic registration for Windows desktops

Dynamic registration allows Teleport administrators to register new Windows desktops without having to update the static configuration files read by Teleport Windows Desktop Service instances.

Support for images in web SSH sessions

The SSH console in Teleport’s web UI includes support for rendering images via both the SIXEL and iTerm Inline Image Protocol (IIP).

tbot CLI updates

The tbot client now supports starting most outputs and services directly from the command line with no need for a configuration file using the new tbot start <mode> family of commands. If desired, a given command can be converted to a YAML configuration file with tbot configure <mode>.

Additionally, tctl now supports inspection and management of bot instances using the tctl bots instances family of commands. This allows onboarding of new instances for existing bots with tctl bots instances add, and inspection of existing instances with tctl bots instances list.

Breaking changes and deprecations

macOS assets

Starting with version 17, Teleport no longer provides a separate tsh.pkg macOS package.

Instead, teleport.pkg and all macOS tarballs include signed and notarized tsh.app and tctl.app.

Enforced stricter requirements for SSH hostnames

Hostnames are only allowed if they are less than 257 characters and consist of only alphanumeric characters and the symbols . and -.

Any hostname that violates the new restrictions will be changed, the original hostname will be moved to the teleport.internal/invalid-hostname label for discoverability.

Any Teleport agents with an invalid hostname will be replaced with the host UUID. Any Agentless OpenSSH Servers with an invalid hostname will be replaced with the host of the address, if it is valid, or a randomly generated identifier. Any hosts with invalid hostnames should be updated to comply with the new requirements to avoid Teleport renaming them.

TELEPORT_ALLOW_NO_SECOND_FACTOR removed

As of Teleport 16, multi-factor authentication is required for local users. To assist with upgrades, Teleport 16 included a temporary opt-out mechanism via the TELEPORT_ALLOW_NO_SECOND_FACTOR environment variable. This opt-out mechanism has been removed.

TOTP for per-session MFA

Teleport 17 is the last release where tsh will allow for using TOTP with per-session MFA. Starting with Teleport 18, tsh will require a strong webauthn credential for per-session MFA.

TOTP will continue to be accepted for the initial login.

16.4.6 (10/22/2024)

Security Fixes

[High] Privilege persistence in Okta SCIM-only integration

When Okta SCIM-only integration is enabled, in certain cases Teleport could calculate the effective set of permission based on SSO user's stale traits. This could allow a user who was unassigned from an Okta group to log into a Teleport cluster once with a role granted by the unassigned group being present in their effective role set.

Note: This issue only affects Teleport clusters that have installed a SCIM-only Okta integration as described in this guide. If you have an Okta integration with user sync enabled or only using Okta SSO auth connector to log into your Teleport cluster without SCIM integration configured, you're unaffected. To verify your configuration:

  • Use tctl get plugins/okta --format=json | jq ".[].spec.Settings.okta.sync_settings.sync_users" command to check if you have Okta integration with user sync enabled. If it outputs null or false, you may be affected and should upgrade.
  • Check SCIM provisioning settings for the Okta application you created or updated while following the SCIM-only setup guide. If SCIM provisioning is enabled, you may be affected and should upgrade.

We strongly recommend customers who use Okta SCIM integration to upgrade their auth servers to version 16.3.0 or later. Teleport services other than auth (proxy, SSH, Kubernetes, desktop, application, database and discovery) are not impacted and do not need to be updated.

Other improvements and fixes

  • Added a new teleport_roles_total metric that exposes the number of roles which exist in a cluster. #47812
  • Teleport's Windows Desktop Service now filters domain-joined Linux hosts out during LDAP discovery. #47773
  • The join_token.create audit event has been enriched with additional metadata. #47765
  • Propagate resources configured in teleport-kube-agent chart values to post-install and post-delete hooks. #47743
  • Add support for the Datadog Incident Management plugin helm chart. #47727
  • Automatic device enrollment may be locally disabled using the TELEPORT_DEVICE_AUTO_ENROLL_DISABLED=1 environment variable. #47720
  • Fixed the Machine ID and GitHub Actions wizard. #47708
  • Added migration to update the old import_all_objects database object import rule to the new preset. #47707
  • Alter ServiceAccounts in the teleport-cluster Helm chart to automatically disable mounting of service account tokens on newer Kubernetes distributions, helping satisfy security linters. #47703
  • Avoid tsh auto-enroll escalation in machines without a TPM. #47695
  • Fixed a bug that prevented users from canceling tsh scan keys executions. #47658
  • Postgres database session start events now include the Postgres backend PID for the session. #47643
  • Reworked the teleport-event-handler integration to significantly improve performance, especially when running with larger --concurrency values. #47633
  • Fixes a bug where Let's Encrypt certificate renewal failed in AMI and HA deployments due to insufficient disk space caused by syncing audit logs. #47622
  • Adds support for custom SQS consumer lock name and disabling a consumer. #47614
  • Fixed an issue that prevented RDS Aurora discovery configuration in the AWS OIDC enrollment wizard when any cluster existed without member instances. #47605
  • Extend the Datadog plugin to support automatic approvals. #47602
  • Allow using a custom database for Firestore backends. #47583
  • Include host name instead of host uuid in error messages when SSH connections are prevented due to an invalid login. #47578
  • Fix the example Terraform code to support the new larger Teleport Enterprise licenses and updates output of web address to use fqdn when ACM is disabled. #47512
  • Add new tctl subcommands to manage bot instances. #47225

Enterprise:

  • Device auto-enroll failures are now recorded in the audit log.
  • Fixed possible panic when processing Okta assignments.

16.4.3 (10/16/2024)

  • Extended Teleport Discovery Service to support resource discovery across all projects accessible by the service account. #47568
  • Fixed a bug that could allow users to list active sessions even when prohibited by RBAC. #47564
  • The tctl tokens ls command redacts secret join tokens by default. To include the token values, provide the new --with-secrets flag. #47545
  • Added missing field-level documentation to the terraform provider reference. #47469
  • Fixed a bug where tsh logout failed to parse flags passed with spaces. #47460
  • Fixed the resource-based labels handler crashing without restarting. #47452
  • Install teleport FIPS binary in FIPS environments during Server Auto Discover. #47437
  • Fix possibly missing rules when using large amount of Access Monitoring Rules. #47430
  • Added ability to list/get AccessMonitoringRule resources with tctl. #47401
  • Include JWK header in JWTs issued by Teleport Application Access. #47393
  • Teleport Workload ID now supports issuing JWT SVIDs via the Workload API. #47389
  • Added kubeconfig context name to the output table of tsh proxy kube command for enhanced clarity. #47383
  • Improve error messaging when connections to offline agents are attempted. #47361
  • Allow specifying the instance type of AWS HA Terraform bastion instance. #47338
  • Added a config option to Teleport Connect to control how it interacts with the local SSH agent (sshAgent.addKeysToAgent). #47324
  • Teleport Workload ID issued JWT SVIDs are now compatible with OIDC federation with a number of platforms. #47317
  • The "ha-autoscale-cluster" terraform module now support default AWS resource tags and ASG instance refresh on configuration or launch template changes. #47299
  • Fixed error in Workload ID in cases where the process ID cannot be resolved. #47274
  • Teleport Connect for Linux now requires glibc 2.31 or later. #47262
  • Fixed a bug where security group rules that refer to another security group by ID were not displayed in web UI enrollment wizards when viewing security group rules. #47246
  • Improve the msteams access plugin debug logging. #47158
  • Fix missing tsh MFA prompt in certain OTP+WebAuthn scenarios. #47154
  • Updates self-hosted db discover flow to generate 2190h TTL certs, not 12h. #47125
  • Fixes an issue preventing access requests from displaying user friendly resource names. #47112
  • Fixed a bug where only one IP CIDR block security group rule for a port range was displayed in the web UI RDS enrollment wizard when viewing a security group. #47077
  • The tsh play command now supports a text output format. #47073
  • Updated Go to 1.22.8. #47050
  • Fixed the "source path is empty" error when attempting to upload a file in Teleport Connect. #47011
  • Added static host users to Terraform provider. #46974
  • Enforce a global device_trust.mode=required on OSS processes paired with an Enterprise Auth. #46947
  • Added a new config option in Teleport Connect to control SSH agent forwarding (ssh.forwardAgent); starting in Teleport Connect v17, this option will be disabled by default. #46895
  • Correctly display available allowed logins of leaf AWS Console Apps on tsh app login. #46806
  • Allow all audit events to be trimmed if necessary. #46499

Enterprise:

  • Fixed possible panic when processing Okta assignments.
  • Fixed bug where an unknown device aborts device web authentication.
  • Add the Datadog Incident Management Plugin as a hosted plugin.
  • Permit bootstrapping enterprise clusters with state from an open source cluster.

16.4.2 (09/25/2024)

  • Fixed a panic when using the self-hosted PagerDuty plugin. #46925
  • A user joining a session will now see available controls for terminating & leaving the session. #46901
  • Fixed a regression in the SAML IdP service which prevented cache from initializing in a cluster that may have a service provider configured with unsupported acs_url and relay_state values. #46845

Enterprise:

  • Fixed a possible crash when using Teleport Policy's GitLab integration.

16.4.1 (09/25/2024)

Secrets support for Kubernetes Operator

Kubernetes Operator is now able to lookup values from Kubernetes secrets for GithubConnector.ClientSecret and OIDCConnector.ClientSecret.

Other improvements and fixes

  • Fixed a regression that made it impossible to read the Teleport Audit Log after creating a plugin if the audit event is present. #46831
  • Added a new flag to static host users spec that allows teleport to automatically take ownership across matching hosts of any users with the same name as the static host user. #46828
  • Added support for Kubernetes SPDY over Websocket Protocols for PortForward. #46815
  • Fixed a regression where Teleport swallowed Kubernetes API errors when using kubectl exec with a Kubernetes cluster newer than v1.30.0. #46811
  • Added support for Access Request Datadog plugin. #46740

16.4.0 (09/18/2024)

Machine ID for HCP Terraform and Terraform Enterprise

Teleport now supports secure joining via Terraform Cloud, allowing Machine ID workflows to run on Terraform Cloud without shared secrets.

SPIFFE Federation for Workload Identity

Teleport Workload Identity now supports SPIFFE Federation, allowing trust relationships to be established between a Teleport cluster's trust domain and trust domains managed by other SPIFFE compatible platforms. Establishing a relationship between the trust domains enables workloads belonging to one trust domain to validate the identity of workloads in the other trust domain, and vice versa.

Multi-domain support for web applications

Teleport now supports web application access where one application depends on another. For example, you may have a web application that depends on a backend API service, both of which are separate apps protected by Teleport.

Okta integration status dashboard

Cluster admins are now able to get a detailed overview of the Okta integration status in the Teleport web UI.

Other improvements and fixes

  • Fixed the web favicon not displaying on specific builds. #46736
  • Fixed regression in private key parser to handle mismatched PEM headers. #46727
  • Removed TXT record validation from custom DNS zones in VNet; VNet now supports any custom DNS zone, as long as it's included in vnet_config. #46722
  • Fixed audit log not recognizing static host user events. #46697
  • Fixes a bug in Kubernetes access that causes the error expected *metav1.PartialObjectMetadata object when trying to list resources. #46694
  • Added a new default_shell configuration for the static host users resource that works exactly the same as the create_host_user_default_shell configuration added for roles. #46688
  • Machine ID now generates cluster-specific ssh_config and known_hosts files which will always direct SSH connections made using them via Teleport. #46684
  • Fixed a regression that prevented the fish shell from starting in Teleport Connect. #46662
  • Added a new create_host_user_default_shell configuration under role options that changes the default shell of auto provisioned host users. #46648
  • Fixed an issue that prevented host user creation when the username was also listed in host_groups. #46635
  • Fixed tsh scp showing a login prompt when attempting to transfer a folder without the recursive option. #46603
  • The Teleport Terraform provider now supports AccessMonitoringRule resources. #46582
  • The teleport-plugin-slack chart can now deploy tbot to obtain and renew the Slack plugin credentials automatically. This setup is easier and more secure than signing long-lived credentials. #46581
  • Always show the device trust green shield for authenticated devices. #46565
  • Add new terraform_cloud joining method to enable secretless authentication on HCP Terraform jobs for the Teleport Terraform provider. #46049
  • Emit audit logs when creating, updating or deleting Teleport Plugins. #4939

16.3.0 (09/11/2024)

Out-of-band user creation

Cluster administrators are now able to configure Teleport's ssh_service to ensure that certain host users exist on the machine without the need to start an SSH session. #46498

Other improvements and fixes

  • Allow the cluster wide ssh dial timeout to be set via auth_service.ssh_dial_timeout in the Teleport config file. #46507
  • Fixed an issue preventing session joining while host user creation was in use. #46501
  • Added tbot Helm chart for deploying a Machine ID Bot into a Teleport cluster. #46373

16.2.2 (09/10/24)

  • Fixed an issue that prevented the Firestore backend from reading existing data. #46433
  • The teleport-kube-agent chart now correctly propagates configured annotations when deploying a StatefulSet. #46421
  • Fixed regression with Slack notification rules matching on plugin name instead of type. #46391
  • Update tsh puttyconfig to respect any defined proxy templates. #46384
  • Ensure that additional pod labels are carried over to post-upgrade and post-delete hook job pods when using the teleport-kube-agent Helm chart. #46232
  • Fix bug that renders WebUI unusable if a role is deleted while it is still being in use by the logged in user. #45774

16.2.1 (09/05/24)

  • Fixed debug service not being turned off by configuration; Connect My Computer in Teleport Connect should no longer fail with "bind: invalid argument". #46293
  • Fixed an issue that could result in duplicate session recordings being created. #46265
  • Connect now supports bulk selection of resources to create an access request in the unified resources view. #46238
  • Added support for the teleport_installer resource to the Teleport Terraform provider. #46200
  • Fixed an issue that would cause reissue of certificates to fail in some scenarios where a local auth service was present. #46184
  • Updated OpenSSL to 3.0.15. #46180
  • Extend Teleport ability to use non-default cluster domains in Kubernetes, avoiding the assumption of cluster.local. #46150
  • Fixed retention period handling in the CockroachDB audit log storage backend. #46147
  • Prevented Teleport Kubernetes access from resending resize events to the party that triggered the terminal resize, avoiding potential resize loops. #46066
  • Fixed an issue where attempts to play/export certain session recordings would fail with gzip: invalid header. #46035
  • Fixed a bug where Teleport services could not join the cluster using iam, azure, or tpm methods when the proxy service certificate did not contain IP SANs. #46010
  • Prevent connections from being randomly terminated by Teleport proxies when proxy_protocol is enabled and TLS is terminated before Teleport Proxy. #45992
  • Updated the icons for server, application, and desktop resources. #45990
  • Added eks:UpdateAccessEntry to IAM permissions generated by the teleport integration IAM setup command and to the documentation reference for auto-discovery IAM permissions. #45983
  • Added ServiceNow support to access request notification routing rules. #45965
  • Added PagerDuty support to access request notification routing rules. #45913
  • Fixed an issue where host_sudoers could be written to Teleport proxy server sudoer lists in Teleport v14 and v15. #45958
  • Prevent interactive sessions from hanging on exit. #45952
  • Fixed kernel version check of Enhanced Session Recording for distributions with backported BPF. #45941
  • Added a flag to skip a relogin attempt when using tsh ssh and tsh proxy ssh. #45929
  • The hostname where the process is running is returned when running tctl get db_services. #45909
  • Add buttons to clear all selected Roles/Reviewers in new Access Requests. #45904
  • Fixed an issue WebSocket upgrade fails with MiTM proxies that can remask payloads. #45899
  • When a database is created manually (without auto-discovery) the teleport.dev/db-admin and teleport.dev/db-admin-default-database labels are no longer ignored and can be used to configure database auto-user provisioning. #45891
  • Add support for non-RSA SSH signatures with imported CA keys. #45890
  • Update tsh login and tsh status output to truncate a list of roles. #45581

16.2.0 (08/26/24)

NLA Support for Windows desktops

Teleport now supports Network Level Authentication (NLA) when connecting to Windows hosts that are part of an Active Directory domain. NLA support is currently opt-in. It will be enabled by default in a future release.

To enable NLA, set the TELEPORT_ENABLE_RDP_NLA environment variable to yes on your windows_desktop_service instances. It is not necessary to configure the Windows hosts to require NLA - Teleport's client will perform NLA when configured to do so, even if the server does not require it.

More information is available in the Active Directory docs

DocumentDB IAM authentication support

Teleport now supports authenticating to DocumentDB with IAM users and roles recently released by AWS.

Join Tokens in the Web UI

Teleport now allows users to manage join tokens in the web UI as an alternative to the tctl tokens commands.

Database Access Controls in Access Graph

Database Access users are now able to see database objects and their access paths in Access Graph.

Logrotate support

Teleport now integrates with logrotate by automatically reopening log files when detecting that they were renamed.

Other improvements and fixes

  • Failure to share a local directory in a Windows desktop session is no longer considered a fatal error. #45852
  • Add teleport.dev/project-id label for auto-enrolled instances in GCP. #45820
  • Fix an issue that prevented the creation of AWS App Access for an Integration that used digits only (eg, AWS Account ID). #45819
  • Slack plugin now lists logins permitted by requested roles. #45759
  • For new EKS Cluster auto-enroll configurations, the temporary Access Entry is tagged with teleport.dev/ namespaced tags. For existing set ups, please add the eks:TagResource action to the Integration IAM Role to get the same behavior. #45725
  • Added support for importing S3 Bucket Tags into Teleport Policy's Access Graph. For existing configurations, ensure that the s3:GetBucketTagging permission is manually included in the Teleport Access Graph integration role. #45551
  • Add a tctl terraform env command to simplify running the Teleport Terraform provider locally. #44690
  • Add native MachineID support to the Terraform provider. Environments with delegated joining methods such as GitHub Actions, GitLab CI, CircleCI, GCP, or AWS can run the Terraform provider without having to setup tbot. #44690
  • The Terraform Provider now sequentially tries every credential source and provide more actionable error messages if it cannot connect. #44690
  • When the Terraform provider finds expired credentials it will now fail fast with a clear error instead of hanging for 30 seconds and sending potentially misleading error about certificates being untrusted. #44690
  • Fix a bug that caused some enterprise clusters to incorrectly display a message that the cluster had a monthly allocation of 0 access requests. #4923

16.1.8 (08/23/24)

Security fix

[High] Stored XSS in SAML IdP

When registering a service provider with SAML IdP, Teleport did not sufficiently validate the ACS endpoint. This could allow a Teleport administrator with permissions to write saml_idp_service_provider resources to configure a malicious service provider with an XSS payload and compromise session of users who would access that service provider.

Note: This vulnerability is only applicable when Teleport itself is acting as the identity provider. If you only use SAML to connect to an upstream identity provider you are not impacted. You can use the tctl get saml_idp_service_provider command to verify if you have any Service Provider applications registered and Teleport acts as an IdP.

For self-hosted Teleport customers that use Teleport as SAML Identity Provider, we recommend upgrading auth and proxy servers. Teleport agents (SSH, Kubernetes, desktop, application, database and discovery) are not impacted and do not need to be updated.

Other fixes and improvements

  • Fixed an issue where Teleport could modify group assignments for users not managed by Teleport. This will require a migration of host users created with create_host_user_mode: keep in order to maintain Teleport management. #45791
  • The terminal shell can now be changed in Teleport Connect by right-clicking on a terminal tab. This allows using WSL (wsl.exe) if it is installed. Also, the default shell on Windows has been changed to pwsh.exe (instead of powershell.exe). #45734
  • Improve web UI enroll RDS flow where VPC, subnets, and security groups are now selectable. #45688
  • Allow to limit duration of local tsh proxy certificates with a new MFAVerificationInterval option. #45686
  • Fixed host user creation for tsh scp. #45680
  • Fixed an issue AWS access fails when the username is longer than 64 characters. #45658
  • Permit setting a cluster wide SSH connection dial timeout. #45650
  • Improve performance of host resolution performed via tsh ssh when connecting via labels or proxy templates. #45644
  • Remove empty tcp app session recordings. #45643
  • Fixed bug causing FeatureHiding flag to not hide the "Access Management" section in the UI as intended. #45608
  • Fixed an issue where users created in keep mode could effectively become insecure_drop and get cleaned up as a result. #45594
  • Prevent RBAC bypass for new Postgres connections. #45554
  • tctl allows cluster administrators to create custom notifications targeting Teleport users. #45503
  • Fixed debug service not enabled by default when not using a configuration file. #45480
  • Introduce support for Envoy SDS into the Machine ID spiffe-workload-api service. #45460
  • Improve the output of tsh sessions ls. #45452
  • Fix access entry handling permission error when EKS auto-discovery was set up in the Discover UI. #45442
  • Fix showing error message when enrolling EKS clusters in the Discover UI. #45415
  • Fixed the "Create A Bot" flow for GitHub Actions and SSH. It now correctly grants the bot the role created during the flow, and the example YAML is now correctly formatted. #45409
  • Mark authenticators used for passwordless as a passkey, if not previously marked as such. #45395
  • Prevents a panic caused by AWS STS client not being initialized when assuming an AWS Role. #45382
  • Update teleport debug commands to handle data dir not set. #45341
  • Fix tctl get all not returning SAML or OIDC auth connectors. #45319
  • The Opsgenie plugin recipients can now be dynamically configured by creating Access Monitoring Rules resources with the required Opsgenie notify schedules. #45307
  • Improve discoverability of the source or rejected connections due to unsupported versions. #45278
  • Improved copy and paste behavior in the terminal in Teleport Connect. On Windows and Linux, Ctrl+Shift+C/V now copies and pastes text (these shortcuts can be changed with keymap.terminalCopy/keymap.terminalPaste). A mouse right click (terminal.rightClick) can copy/paste text too (enabled by default on Windows). #45265
  • Fixed an issue that could cause auth servers to panic when their backend connectivity was interrupted. #45225
  • Adds SPIFFE compatible federation bundle endpoint to the Proxy API, allowing other workload identity platforms to federate with the Teleport cluster. #44998
  • Add 'Download CSV' button to Access Monitoring Query results. #4899
  • Fixed issue in Okta Sync that spuriously deletes Okta Applications due to connectivity errors. #4885
  • Fixed bug in Okta Sync that mistakenly removes Apps and Groups on connectivity failure. #4883
  • Fixed bug that caused some enterprise clusters to incorrectly display a message that the cluster had a monthly allocation of 0 access requests. #4923

16.1.4 (08/07/24)

  • Improved tsh ssh performance for concurrent execs. #45162
  • Fixed issue with loading cluster features when agents are upgraded prior to auth. #45226
  • Updated Go to 1.22.6. #45194

16.1.3 (08/06/24)

  • Fixed an issue where tsh aws may display extra text in addition to the original command output. #45168
  • Fixed regression that denied access to launch some Apps. #45149
  • Bot resources now honor their metadata.expires field. #45130
  • Teleport Connect now sets TERM_PROGRAM: Teleport_Connect and TERM_PROGRAM_VERSION: <app_version> environment variables in the integrated terminal. #45063
  • Fixed a panic in the Microsoft Teams plugin when it receives an error. #45011
  • Added a background item for VNet in Teleport Connect; VNet now prompts for a password only during the first launch. #44994
  • Added warning on tbot startup when the requested certificate TTL exceeds the maximum allowed value. #44989
  • Fixed a race condition between session recording uploads and session recording upload cleanup. #44978
  • Prevented Kubernetes per-Resource RBAC from blocking access to namespaces when denying access to a single resource kind in every namespace. #44974
  • SSO login flows can now authorize web sessions with Device Trust. #44906
  • Added support for Kubernetes Workload Attestation into Teleport Workload Identity to allow the authentication of pods running within Kubernetes without secrets. #44883

Enterprise:

  • Fixed a redirection issue with the SAML IdP authentication middleware which prevented users from signing into the service provider when an SAML authentication request was made with an HTTP-POST binding protocol, and user's didn't already have an active session with Teleport. #4806
  • SAML applications can now be deleted from the Web UI. #4778
  • Fixed an issue introduced in v16.0.3 and v15.4.6 where tbot FIPS builds fail to start due to a missing boringcrypto dependency. #4757

16.1.1 (07/31/24)

  • Added option to allow client redirects from IPs in specified CIDR ranges in SSO client logins. #44846
  • Machine ID can now be configured to use Kubernetes Secret destinations from the command line using the kubernetes-secret schema. #44801
  • Prevent the Discovery Service from overwriting Teleport dynamic resources that have the same name as discovered resources. #44785
  • Reduced the probability that the event-handler deadlocks when encountering errors processing session recordings. #44771
  • Improved event-handler diagnostics by providing a way to capture profiles dynamically via SIGUSR1. #44758
  • Teleport Connect now uses ConPTY for better terminal resizing and accurate color rendering on Windows, with an option to disable it in the app config. #44742
  • Fixed event-handler Helm charts using the wrong command when starting the event-handler container. #44697
  • Improved stability of very large Teleport clusters during temporary backend disruption/degradation. #44694
  • Resolved compatibility issue with Paramiko and Machine ID's SSH multiplexer SSH agent. #44673
  • Teleport no longer creates invalid SAML Connectors when calling tctl get saml/<connector-name> | tctl create -f without the --with-secrets flag. #44666
  • Fixed a fatal error in tbot when unable to lookup the user from a given UID in containerized environments for checking ACL configuration. #44645
  • Fixed application access regression where an HTTP header wasn't set in forwarded requests. #44628
  • Added Server auto-discovery support for Rocky and AlmaLinux distros. #44612
  • Use the registered port of the target host when tsh puttyconfig is invoked without --port. #44572
  • Added more icons for guessing application icon by name or by label teleport.icon in the web UI. #44566
  • Remove deprecated S3 bucket option when creating or editing AWS OIDC integration in the web UI. #44485
  • Fixed terminal sessions with a database CLI client in Teleport Connect hanging indefinitely if the client cannot be found. #44465
  • Added application-tunnel service to Machine ID for establishing a long-lived tunnel to a HTTP or TCP application for Machine to Machine access. #44443
  • Fixed a regression that caused Teleport Connect to fail to start on Intel Macs. #44435
  • Improved auto-discovery resiliency by recreating Teleport configuration when the node fails to join the cluster. #44432
  • Fixed a low-probability panic in audit event upload logic. #44425
  • Fixed Teleport Connect binaries not being signed correctly. #44419
  • Prevented DoSing the cluster during a mass failed join event by agents. #44414
  • The availability filter is now a toggle to show (or hide) requestable resources. #44413
  • Moved PostgreSQL auto provisioning users procedures to pg_temp schema. #44409
  • Added audit events for AWS and Azure integration resource actions. #44403
  • Fixed automatic updates with previous versions of the teleport.yaml config. #44379
  • Added support for Rocky and AlmaLinux when enrolling a new server from the UI. #44332
  • Fixed PostgreSQL session playback not rendering queries line breaks correctly. #44315
  • Fixed Teleport access plugin tarballs containing a build directory, which was accidentally added upon v16.0.0 release. #44300
  • Prevented an infinite loop in DynamoDB event querying by advancing the cursor to the next day when the limit is reached at the end of a day with an empty iterator. This ensures the cursor does not reset to the beginning of the day. #44275
  • The clipboard sharing tooltip for desktop sessions now indicates why clipboard sharing is disabled. #44237
  • Prevented redirects to arbitrary URLs when launching an app. #44188
  • Added a --skip-idle-time flag to tsh play. #44013
  • Added audit events for discovery config actions. #43793
  • Enabled Access Monitoring Rules routing with Mattermost plugin. #43601
  • SAML application can now be deleted from the Web UI. #4778
  • Fixed an Access List permission bug where an Access List owner, who is also a member, was not able to add/remove Access List member. #4744
  • Fixed a bug in Web UI where clicking SAML GCP Workforce Identity Federation discover tile would throw an error, preventing from using the guided enrollment feature. #4720
  • Fixed an issue with incorrect yum/zypper updater packages being installed. #4684

16.1.0 (07/15/24)

We're excited to announce an update to the Teleport logo. This refresh aligns with our evolving brand and will be reflected across the product, our marketing site (goteleport.com), branded content, swag, and more.

The new logo will appear in the web UI starting with this release and on the marketing website starting from July 17th, 2024.

Database access session replay

Database access users will be able to watch PostgreSQL query replays in the web UI or with tsh.

Other improvements and fixes

  • Fixed "staircase" text output for non-interactive Kube exec sessions in Web UI. #44249
  • Fixed a leak in the admin process spawned by starting VNet through tsh vnet or Teleport Connect. #44225
  • Fixed a kube-agent-updater bug affecting resolutions of private images. #44191
  • The show_resources option is no longer required for statically configured proxy ui settings. #44181
  • The teleport-cluster chart can now use existing ingresses instead of creating its own. #44146
  • Ensure that tsh login outputs accurate status information for the new session. #44143
  • Fixes "device trust mode x requires Teleport Enterprise" errors on tctl. #44133
  • Added the tbot install systemd command for installing tbot as a service on Linux systems. #44083
  • Added ability to list Access List members in json format in tctl. #44071
  • Update grpc to v1.64.1 (patches GO-2024-2978). #44067
  • Batch access review reminders into 1 message and provide link out to the web UI. #44034
  • Fixed denying access despite access being configured for Notification Routing Rules in the web UI. #44029
  • Honor proxy templates in tsh ssh. #44026
  • Fixed eBPF error occurring during startup on Linux RHEL 9. #44023
  • Fixed Redshift auto-user deactivation/deletion failure that occurs when a user is created or deleted and another user is deactivated concurrently. #43968
  • Lower latency of detecting Kubernetes cluster becoming online. #43967
  • Teleport AMIs now optionally source environment variables from /etc/default/teleport as regular Teleport package installations do. #43962
  • Make tbot compilable on Windows. #43959
  • Add a new event to the database session recording with query/command result information. #43955
  • Enabled setting event types to forward, skip events, skip session types in event-handler helm chart. #43938
  • extraLabels configured in teleport-kube-agent chart values are now correctly propagated to post-delete hooks. A new extraLabels.job object has been added for labels which should only apply to the post-delete job. #43932
  • Add support for Teams to Opsgenie plugin alert creation. #43916
  • Machine ID outputs now execute individually and concurrently, meaning that one failing output does not disrupt other outputs, and that performance when generating a large number of outputs is improved. #43876
  • SAML IdP service provider resource can now be updated from the Web UI. #4651
  • Fixed empty condition from unquoted string with YAML editor for Notification Routing Rules in the Web UI. #4636
  • Teleport Enterprise now supports the TELEPORT_REPORTING_HTTP(S)_PROXY environment variable to specify the URL of the HTTP(S) proxy used for connections to our usage reporting ingest service. #4568
  • Fixed inaccurately notifying user that Access List reviews are due in the web UI. #4521

16.0.4 (07/03/24)

  • Omit control plane services from the inventory list output for Cloud-Hosted instances. #43779
  • Updated Go toolchain to v1.22.5. #43768
  • Reduced CPU usage in auth servers experiencing very high concurrent request load. #43755
  • Machine ID defaults to disabling the use of the Kubernetes exec plugin when writing a Kubeconfig to a directory destination. This removes the need to manually configure disable_exec_plugin. #43655
  • Fixed startup crash of Teleport Connect on Ubuntu 24.04 by adding an AppArmor profile. #43653
  • Added support for dialling leaf clusters to the tbot SSH multiplexer. #43634
  • Extend Teleport ability to use non-default cluster domains in Kubernetes, avoiding the assumption of cluster.local. #43631
  • Wait for user MFA input when reissuing expired certificates for a kube proxy. #43612
  • Improved error diagnostics when using Machine ID's SSH multiplexer. #43586

Enterprise:

  • Teleport Enterprise now supports the TELEPORT_REPORTING_HTTP(S)_PROXY environment variable to specify the URL of the HTTP(S) proxy used for connections to our usage reporting ingest service.

16.0.3 (06/27/24)

This release of Teleport contains a fix for medium-level security issue impacting Teleport Enterprise, as well as various other updates and improvements

Security Fixes

  • [Medium] Fixes issue where a SCIM client could potentially overwrite. Teleport system Roles using specially crafted groups. This issue impacts Teleport Enterprise deployments using the Okta integration with SCIM support enabled.

We strongly recommend all customers upgrade to the latest releases of Teleport.

Other updates and improvements

  • Update go-retryablehttp to v0.7.7 (fixes CVE-2024-6104). #43474
  • Fixed Discover setup access error when updating user. #43560
  • Added audit event field describing if the "MFA for admin actions" requirement changed. #43541
  • Fixed remote port forwarding validation error. #43516
  • Added support to trust system CAs for self-hosted databases. #43493
  • Added error display in the Web UI for SSH and Kubernetes sessions. #43485
  • Fixed accurate inventory reporting of the updater after it is removed. #43454
  • tctl alerts ls now displays remaining alert ttl. #43436
  • Fixed input search for Teleport Connect's Access Request listing. #43429
  • Added Debug setting for event-handler. #43408
  • Fixed Headless auth for sso users, including when local auth is disabled. #43361
  • Added configuration for custom CAs in the event-handler helm chart. #43340
  • Updated VNet panel in Teleport Connect to list custom DNS zones and DNS zones from leaf clusters. #43312
  • Fixed an issue with Database Access Controls preventing users from making additional database connections. #43303
  • Fixed bug that caused gRPC connections to be disconnected when their certificate expired even though DisconnectCertExpiry was false. #43290
  • Fixed Connect My Computer in Teleport Connect failing with "bind: invalid argument". #43287
  • Fix a bug where a Teleport instance running only Jamf or Discovery service would never have a healthy /readyz endpoint. #43283
  • Added a missing [Install] section to the teleport-acm systemd unit file as used by Teleport AMIs. #43257
  • Patched timing variability in curve25519-dalek. #43246
  • Fixed setting request reason for automatic ssh Access Requests. #43178
  • Improved log rotation logic in Teleport Connect; now the non-numbered files always contain recent logs. #43161
  • Added tctl desktop bootstrap for bootstrapping AD environments to work with desktop access. #43150

Enterprise only changes and improvements

  • The teleport updater will no longer default to using the global version channel, avoiding incompatible updates.
  • Fixed sync error in Okta SCIM integration.

16.0.1 (06/17/24)

  • tctl now ignores any configuration file if the auth_service section is disabled, and prefer loading credentials from a given identity file or tsh profile instead. #43115
  • Skip jamf_service validation when the service is not enabled. #43095
  • Fix v16.0.0 amd64 Teleport plugin images using arm64 binaries. #43084
  • Add ability to edit user traits from the Web UI. #43067
  • Enforce limits when reading events from Firestore for large time windows to prevent OOM events. #42966
  • Allow all authenticated users to read the cluster vnet_config. #42957
  • Improve search and predicate/label based dialing performance in large clusters under very high load. #42943

16.0.0 (06/13/24)

Teleport 16 brings the following new features and improvements:

  • Teleport VNet
  • Device Trust for the Web UI
  • Increased support for per-session MFA
  • Web UI notification system
  • Access requests from the resources view
  • tctl for Windows
  • Teleport plugins improvements

Description

Teleport VNet

Teleport 16 introduces Teleport VNet, a new feature that provides a virtual IP subnet and DNS server which automatically proxies TCP connections to Teleport apps over mutually authenticated tunnels.

This allows scripts and software applications to connect to any Teleport-protected application as if they were connected to a VPN, without the need to manage local tunnels.

Teleport VNet is powered by the Teleport Connect client and is available for macOS. Support for other operating systems will come in a future release.

Device Trust for the Web UI

Teleport Device Trust can now be enforced for browser-based workflows like remote desktop and web application access. The Teleport Connect client must be installed in order to satisfy device locality checks.

Increased support for per-session MFA

Teleport 16 now supports per-session MFA checks when accessing both web and TCP applications via all supported clients (Web UI, tsh, and Teleport Connect).

Additionally, Teleport Connect now includes support for per-session MFA when accessing database resources.

Web UI notification system

Teleport’s Web UI includes a new notifications system that notifies users of items requiring attention (for example, Access Requests needing review).

Access requests from the resources view

The resources view in the web UI now shows both resources you currently have access to and resources you can request access to. This allows users to request access to resources without navigating to a separate page.

Cluster administrators who prefer the previous behavior of hiding requestable resources from the main view can set show_resources: accessible_only in their UI config:

For dynamic configuration, run tctl edit ui_config:

kind: ui_config
version: v1
metadata:
  name: ui-config
spec:
  show_resources: accessible_only

Alternatively, self-hosted Teleport users can update the ui section of their proxy configuration:

proxy_service:
  enabled: yes
  ui:
    show_resources: accessible_only

tctl for Windows

Teleport 16 includes Windows builds of the tctl administrative tool, allowing Windows users to administer their cluster without the need for a macOS or Linux workstation.

Additionally, there are no longer enterprise-specific versions of tctl. All Teleport clients (tsh, tctl, and Teleport Connect) are available in a single distribution that works on both Enterprise and Community Edition clusters.

Teleport plugins improvements

Teleport 16 includes major improvements to the plugins. All plugins now have:

  • amd64 and arm64 binaries available
  • amd64 and arm64 multi-arch images
  • Major and minor version rolling tags (ie public.ecr.aws/gravitational/teleport-plugin-email:16)
  • Image signatures for all images
  • Additional debug images with all of the above features

In addition, we now support plugins for each supported major version, starting with v15. This means that if we fix a bug or security issue in a v16 plugin version, we will also apply and release the change for the v15 plugin version.

Other

The Jamf plugin now authenticates with Jamf API credentials instead of username and password.

Breaking changes and deprecations

Community Edition license

Starting with this release, Teleport Community Edition restricts commercial usage.

https://goteleport.com/blog/teleport-community-license/

License file validation on startup

Teleport 16 introduces license file validation on startup. This only applies to customers running Teleport Enterprise Self-Hosted. No action is required for customers running Teleport Enterprise (Cloud) or Teleport Community Edition.

If, after updating to Teleport 16, you receive an error message regarding an outdated license file, follow our step-by-step guide to update your license file.

Multi-factor authentication is now required for local users

Support for disabling multi-factor authentication has been removed. Teleport will refuse to start until the second_factor setting is set to on, webauthn or otp.

This change only affects self-hosted Teleport users, as Teleport Enterprise (Cloud) has always required multi-factor authentication.

Important: To avoid locking users out, we recommend the following steps:

  1. Ensure that all cluster administrators have multi-factor devices registered in Teleport so that they will be able to reset any other users.
  2. Announce to the user base that all users must register an MFA device. Consider creating a cluster alert with tctl alerts create to help spread the word.
  3. While you are still on Teleport 15, set second_factor: on. This will help identify any users who have not registered MFA devices and allow you to revert to second_factor: optional if necessary.
  4. Upgrade to Teleport 16.

Any users who do not register MFA devices prior to the Teleport 16 upgrade will be unable to log in and must be reset by an administrator (tctl users reset).

Incompatible clients are rejected

In accordance with our component compatibility guidelines, Teleport 16 will start rejecting connections from clients and agents running incompatible (ie too old) versions.

If Teleport detects connection attempts from outdated clients, it will show an alert to cluster administrators in both the web UI and tsh.

To disable this behavior and run in an unsupported configuration that allows incompatible agents to connect to your cluster, start your Auth Service instances with the TELEPORT_UNSTABLE_ALLOW_OLD_CLIENTS=yes environment variable.

Opsgenie plugin annotations

Prior to Teleport 16, when using an Opsgenie plugin, the teleport.dev/schedules role annotation was used to specify both schedules for Access Request notifications as well as schedules to check for the request auto-approval.

Starting with Teleport 16, the annotations were split to provide behavior consistent with other Access Request plugins: a role must now contain the teleport.dev/notify-services to receive notifications on Opsgenie and the teleport.dev/schedules to check for auto-approval.

Detailed setup instructions are available in the documentation.

Teleport Assist has been removed

Teleport Assist chat has been removed from Teleport 16. auth_service.assist and proxy_service.assist options have been removed from the configuration. Teleport will not start if these options are present.

During the migration from v15 to v16, the options mentioned above should be removed from the configuration.

New required permissions for DynamoDB

Teleport clusters using the DynamoDB backend on AWS now require the dynamodb:ConditionCheckItem permissions. For a full list of required permissions, see the IAM policy example.

Updated keyboard shortcuts in Teleport connect

On Windows and Linux, some of Teleport Connect’s keyboard shortcuts conflicted with the default bash or nano shortcuts (Ctrl+E, Ctrl+K, etc). On those platforms, the default shortcuts have been changed to a combination of Ctrl+Shift+*.

On macOS, the default shortcut to open a new terminal has been changed to Ctrl+Shift+`.

See the configuration guide for a list of updated keyboard shortcuts.

Machine ID and OpenSSH client config changes

Users with custom ssh_config should modify their ProxyCommand to use the new, more performant, tbot ssh-proxy-command. See the v16 upgrade guide for more details.

Removal of Active Directory configuration flow

The Active Directory installation and configuration wizard has been removed. Users who don’t already have Active Directory should leverage Teleport’s local user support, and users with existing Active Directory environments should follow the manual setup guide.

Teleport Assist is removed

All Teleport Assist functionality and OpenAI integration has been removed from Teleport.

15.4.10 (07/29/24)

  • Fixed an issue that could cause auth servers to panic when their backend connectivity was interrupted. #44787
  • Reduced the probability that the event-handler deadlocks when encountering errors processing session recordings. #44772
  • Improved event-handler diagnostics by providing a way to capture profiles dynamically via SIGUSR1. #44759
  • Added support for Teams to Opsgenie plugin alert creation. #44330
  • Improved stability of very large teleport clusters during temporary backend disruption/degradation. #44695
  • Resolved compatibility issue with Paramiko and Machine ID's SSH multiplexer SSH agent. #44672
  • Fixed a fatal error in tbot when unable to lookup the user from a given UID in containerized environments for checking ACL configuration. #44646
  • Fixed application access regression where an HTTP header wasn't set in forwarded requests. #44629
  • Use the registered port of the target host when tsh puttyconfig is invoked without --port. #44573
  • Added more icons for guessing application icon by name or by label teleport.icon in the web UI. #44568
  • Removed deprecated S3 bucket option when creating or editing AWS OIDC integration in the web UI. #44487
  • Fixed terminal sessions with a database CLI client in Teleport Connect hanging indefinitely if the client cannot be found. #44466
  • Added application-tunnel service to Machine ID for establishing a long-lived tunnel to a HTTP or TCP application for Machine to Machine access. #44446
  • Fixed a low-probability panic in audit event upload logic. #44424
  • Fixed Teleport Connect binaries not being signed correctly. #44420
  • Prevented DoSing the cluster during a mass failed join event by agents. #44415
  • Added audit events for AWS and Azure integration resource actions. #44404
  • Fixed automatic updates with previous versions of the teleport.yaml config. #44378
  • Added support for Rocky and AlmaLinux when enrolling a new server from the UI. #44331
  • Fixed Teleport access plugin tarballs containing a build directory, which was accidentally added upon v15.4.5 release. #44301
  • Prevented an infinite loop in DynamoDB event querying by advancing the cursor to the next day when the limit is reached at the end of a day with an empty iterator. This ensures the cursor does not reset to the beginning of the day. #44274
  • The clipboard sharing tooltip for desktop sessions now indicates why clipboard sharing is disabled. #44238
  • Fixed a kube-agent-updater bug affecting resolutions of private images. #44192
  • Prevented redirects to arbitrary URLs when launching an app. #44189
  • Added audit event field describing if the "MFA for admin actions" requirement changed. #44185
  • The teleport-cluster chart can now use existing ingresses instead of creating its own. #44147
  • Ensured that tsh login outputs accurate status information for the new session. #44144
  • Fixed "device trust mode x requires Teleport Enterprise" errors on tctl. #44134
  • Added a --skip-idle-time flag to tsh play. #44095
  • Added the tbot install systemd command for installing tbot as a service on Linux systems. #44082
  • Added ability to list Access List members in json format in tctl cli tool. #44072
  • Made tbot compilable on Windows. #44070
  • For slack integration, Access List reminders are batched into 1 message and provides link out to the web UI. #44035
  • Fixed denying access despite access being configured for Notification Routing Rules in the web UI. #44028
  • Fixed eBPF error occurring during startup on Linux RHEL 9. #44024
  • Lowered latency of detecting Kubernetes cluster becoming online. #43971
  • Enabled Access Monitoring Rules routing with Mattermost plugin. #43600

Enterprise:

  • Fixed an Access List permission bug where an Access List owner, who is also a member, was not able to add/rm Access List member.
  • Fixed an issue with incorrect yum/zypper updater packages being installed.
  • Fixed empty condition from unquoted string with yaml editor for Notification Routing Rules in the Web UI.

15.4.9 (07/11/24)

  • Honor proxy templates in tsh ssh. #44027
  • Fixed Redshift auto-user deactivation/deletion failure that occurs when a user is created or deleted and another user is deactivated concurrently. #43975
  • Teleport AMIs now optionally source environment variables from /etc/default/teleport as regular Teleport package installations do. #43961
  • Enabled setting event types to forward, skip events, skip session types in event-handler helm chart. #43939
  • Correctly propagate extraLabels configured in teleport-kube-agent chart values to post-delete hooks. A new extraLabels.job object has been added for labels which should only apply to the post-delete job. #43931
  • Machine ID outputs now execute individually and concurrently, meaning that one failing output does not disrupt other outputs, and that performance when generating a large number of outputs is improved. #43883
  • Omit control plane services from the inventory list output for Cloud-Hosted instances. #43778
  • Fixed session recordings getting overwritten or not uploaded. #42164

Enterprise:

  • Fixed inaccurately notifying user that Access List reviews are due in the web UI.

15.4.7 (07/03/24)

  • Added audit events for discovery config actions. #43794
  • Updated Go toolchain to v1.22.5. #43769
  • Reduced CPU usage in auth servers experiencing very high concurrent request load. #43760
  • Machine ID defaults to disabling the use of the Kubernetes exec plugin when writing a Kubeconfig to a directory destination. This removes the need to manually configure disable_exec_plugin. #43656
  • Fixed startup crash of Teleport Connect on Ubuntu 24.04 by adding an AppArmor profile. #43652
  • Added support for dialling leaf clusters to the tbot SSH multiplexer. #43635
  • Extend Teleport ability to use non-default cluster domains in Kubernetes, avoiding the assumption of cluster.local. #43632
  • Wait for user MFA input when reissuing expired certificates for a kube proxy. #43613
  • Improved error diagnostics when using Machine ID's SSH multiplexer. #43587

Enterprise:

  • Increased Access Monitoring refresh interval to 24h.
  • Teleport Enterprise now supports the TELEPORT_REPORTING_HTTP(S)_PROXY environment variable to specify the URL of the HTTP(S) proxy used for connections to our usage reporting ingest service.

15.4.6 (06/27/24)

This release of Teleport contains a fix for medium-level security issue impacting Teleport Enterprise, as well as various other updates and improvements

Security Fixes

  • [Medium] Fixes issue where a SCIM client could potentially overwrite. Teleport system Roles using specially crafted groups. This issue impacts Teleport Enterprise deployments using the Okta integration with SCIM support enabled.

We strongly recommend all customers upgrade to the latest releases of Teleport.

Other updates and improvements

  • Fixed Discover setup access error when updating user. #43561
  • Updated Go toolchain to 1.22. #43550
  • Fixed remote port forwarding validation error. #43517
  • Added support to trust system CAs for self-hosted databases. #43500
  • Added error display in the Web UI for SSH and Kubernetes sessions. #43491
  • Update go-retryablehttp to v0.7.7 (fixes CVE-2024-6104). #43475
  • Fixed accurate inventory reporting of the updater after it is removed.. #43453
  • tctl alerts ls now displays remaining alert ttl. #43435
  • Fixed input search for Teleport Connect's Access Request listing. #43430
  • Added Debug setting for event-handler. #43409
  • Fixed Headless auth for sso users, including when local auth is disabled. #43362
  • Added configuration for custom CAs in the event-handler helm chart. #43341
  • Fixed an issue with Database Access Controls preventing users from making additional database connections depending on their permissions. #43302
  • Fixed Connect My Computer in Teleport Connect failing with "bind: invalid argument". #43288

Enterprise only updates and improvements

  • The teleport updater will no longer default to using the global version channel, avoiding incompatible updates. #4476

15.4.5 (06/20/24)

  • Added a missing [Install] section to the teleport-acm systemd unit file as used by Teleport AMIs. #43256
  • Patched timing variability in curve25519-dalek. #43249
  • Updated tctl to ignore a configuration file if the auth_service section is disabled, and prefer loading credentials from a given identity file or tsh profile instead. #43203
  • Fixed setting request reason for automatic ssh Access Requests. #43180
  • Updated teleport to skip jamf_service validation when the Jamf service is not enabled. #43169
  • Improved log rotation logic in Teleport Connect; now the non-numbered files always contain recent logs. #43162
  • Made tsh and Teleport Connect return early during login if ping to Proxy Service was not successful. #43086
  • Added ability to edit user traits from the Web UI. #43068
  • Enforce limits when reading events from Firestore to prevent OOM events. #42967
  • Fixed updating groups for Teleport-created host users. #42884
  • Added support for crown_jewel resource. #42866
  • Added ability to edit user traits from the Web UI. #43068
  • Fixed gRPC disconnection on certificate expiry even though DisconnectCertExpiry was false. #43291
  • Fixed issue where a Teleport instance running only Jamf or Discovery service would never have a healthy /readyz endpoint. #43284

Enterprise-only changes

  • Fixed sync error in Okta SCIM integration.

15.4.4 (06/13/24)

  • Improve search and predicate/label based dialing performance in large clusters under very high load. #42941
  • Fix an issue Oracle access failed through trusted cluster. #42928
  • Fix errors caused by dynamoevents query StartKey not being within the [From, To] window. #42915
  • Fix Jira Issue creation when Summary exceeds the max allowed size. #42862
  • Fix editing reviewers from being ignored/overwritten when creating an Access Request from the web UI. #4397

15.4.3 (06/12/24)

Note: This release includes a new binary, fdpass-teleport, that can be optionally used by Machine ID to significantly reduce resource consumption in use-cases that create large numbers of SSH connections (e.g. Ansible). Refer to the documentation for more details.

  • Update azidentity to v1.6.0 (patches CVE-2024-35255). #42859
  • Remote rate limits on endpoints used extensively to connect to the cluster. #42835
  • Machine ID SSH multiplexer now only writes artifacts if they have not changed, resolving a potential race condition with the OpenSSH client. #42830
  • Use more efficient API when querying SSH nodes to resolve Proxy Templates in tbot. #42829
  • Improve the performance of the Athena audit log and S3 session storage backends. #42795
  • Prevent a panic in the Proxy when accessing an offline application. #42786
  • Improve backoff of session recording uploads by teleport agents. #42776
  • Introduce the new Machine ID ssh-multiplexer service for significant improvements in SSH performance. #42761
  • Reduce backend writes incurred by tracking status of non-recorded sessions. #42694
  • Fix not being able to logout from the web UI when session invalidation errors. #42648
  • Fix Access List listing not updating when creating or deleting an Access List in the web UI. #4383
  • Fix crashes related to importing GCP labels. #42871

15.4.2 (06/11/24)

  • Fixed a desktop access resize bug which occurs when window was resized during MFA. #42705
  • Fixed listing available db users in Teleport Connect for databases from leaf clusters obtained through Access Requests. #42679
  • Fixed file upload/download for Teleport-created users in insecure-drop mode. #42660
  • Updated OpenSSL to 3.0.14. #42642
  • Fixed fetching resources with tons of metadata (such as labels or description) in Teleport Connect. #42627
  • Added support for Microsoft Entra ID directory synchronization (Teleport Enterprise only, preview). #42555
  • Added experimental support for storing audit events in cockroach. #42549
  • Teleport Connect binaries for Windows are now signed. #42472
  • Updated Go to 1.21.11. #42404
  • Added GCP Cloud SQL for PostgreSQL backend support. #42399
  • Added Prometheus metrics for the Postgres event backend. #42384
  • Fixed the event-handler Helm chart causing stuck rollouts when using a PVC. #42363
  • Fixed web UI notification dropdown menu height from growing too long from many notifications. #42336
  • Disabled session recordings for non-interactive sessions when enhanced recording is disabled. There is no loss of auditing or impact on data fidelity because these recordings only contained session.start, session.end, and session.leave events which were already captured in the audit log. This will cause all teleport components to consume less resources and reduce storage costs. #42320
  • Fixed an issue where removing an app could make teleport app agents incorrectly report as unhealthy for a short time. #42270
  • Fixed a panic in the DynamoDB audit log backend when the cursor fell outside of the [From,To] interval. #42267
  • The teleport configure command now supports a --node-name flag for overriding the node's hostname. #42250
  • Added support plugin resource in tctl tool. #42224

15.4.0 (05/31/24)

Access requests notification routing rules

Hosted Slack plugin users can now configure notification routing rules for role-based Access Requests.

Database access for Spanner

Database access users can now connect to GCP Spanner.

Unix Workload Attestation

Delayed from Teleport 15.3.0

Teleport Workload ID now supports basic workload attestation on Unix systems, allowing cluster administrators to restrict the issuance of SVIDs to specific workloads based on UID/PID/GID.

Other improvements and fixes

  • Fixed an issue where mix-and-match of join tokens could interfere with some services appearing correctly in heartbeats. #42189
  • Added an alternate EC2 auto discover flow using AWS Systems Manager as a more scalable method than Endpoint Instance Connect in the "Enroll New Resource" view in the web UI. #42205
  • Fixed kubectl exec functionality when Teleport is running behind L7 load balancer. #42192
  • Fixed the plugins AMR cache to be updated when Access requests are removed from the subject of an existing rule. #42186
  • Improved temporary disk space usage for session recording processing. #42174
  • Fixed a regression where Kubernetes Exec audit events were not properly populated and lacked error details. #42145
  • Fixed Azure join method when using Resource Groups in the allow section. #42141
  • Added new teleport debug set-log-level / profile commands changing instance log level without a restart and collecting pprof profiles. #42122
  • Added ability to manage access monitoring rules via tctl. #42092
  • Added access monitoring rule routing for slack access plugin. #42087
  • Extended Discovery Service to self-bootstrap necessary permissions for Kubernetes Service to interact with the Kubernetes API on behalf of users. #42075
  • Fixed resource leak in session recording cleanup. #42066
  • Reduced memory and CPU usage after control plane restarts in clusters with a high number of roles. #42062
  • Added an option to send a Ctrl+Alt+Del sequence to remote desktops. #41720
  • Added support for GCP Spanner to Teleport Database Service. #41349

15.3.7 (05/23/24)

  • Fixed creating Access Requests for servers in Teleport Connect that were blocked due to a "no roles configured" error. #41959
  • Fixed regression issue with event-handler Linux artifacts not being available. #4237
  • Fixed failed startup on GCP if missing permissions. #41985

15.3.6 (05/22/24)

This release contains fixes for several high-severity security issues, as well as numerous other bug fixes and improvements.

Security Fixes

  • [High] Fixed unrestricted redirect in SSO Authentication. Teleport didn’t sufficiently validate the client redirect URL. This could allow an attacker to trick Teleport users into performing an SSO authentication and redirect to an attacker-controlled URL allowing them to steal the credentials. #41834.

  • [High] Fixed CockroachDB authorization bypass. When connecting to CockroachDB using database access, Teleport did not properly consider the username case when running RBAC checks. As such, it was possible to establish a connection using an explicitly denied username when using a different case. #41823.

  • [High] Fixed Long-lived connection persistence issue with expired certificates. Teleport did not terminate some long-running mTLS-authenticated connections past the expiry of client certificates for users with the disconnect_expired_cert option. This could allow such users to perform some API actions after their certificate has expired. #41827.

  • [High] Fixed PagerDuty integration privilege escalation. When creating a role Access Request, Teleport would include PagerDuty annotations from the entire user’s role set rather than a specific role being requested. For users who run multiple PagerDuty access plugins with auto-approval, this could result in a request for a different role being inadvertently auto-approved than the one which corresponds to the user’s active on-call schedule. #41837.

  • [High] Fixed SAML IdP session privilege escalation. When using Teleport as SAML IdP, authorization wasn’t properly enforced on the SAML IdP session creation. As such, authenticated users could use an internal API to escalate their own privileges by crafting a malicious program. #41846.

We strongly recommend all customers upgrade to the latest releases of Teleport.

Other fixes and improvements

  • Fixed Access Request annotations when annotations contain globs, regular expressions, trait expansions, or claims_to_roles is used. #41936.
  • Added AWS Management Console as a guided flow using AWS OIDC integration in the "Enroll New Resource" view in the web UI. #41864.
  • Fixed spurious Windows Desktop sessions screen resize during an MFA ceremony. #41856.
  • Fixed session upload completion with large number of simultaneous session uploads. #41854.
  • Fixed MySQL databases version reporting on new connections. #41819.
  • Added read-only permissions for cluster maintenance config. #41790.
  • Stripped debug symbols from Windows builds, resulting in smaller tsh and tctl binaries. #41787
  • Fixed passkey deletion so that a user may now delete their last passkey if the have a password and another MFA configured. #41771.
  • Changed the default permissions for the Workload Identity Unix socket to 0777 rather than the default as applied by the umask. This will allow the socket to be accessed by workloads running as users other than the user that owns the tbot process. #41754
  • Added ability for teleport-event-handler to skip certain events type when forwarding to an upstream server. #41747.
  • Added automatic GCP label importing. #41733.
  • Fixed missing variable and script options in Default Agentless Installer script. #41723.
  • Removed invalid AWS Roles from Web UI picker. #41707.
  • Added remote address to audit log events emitted when a Bot or Instance join completes, successfully or otherwise. #41700.
  • Simplified how Bots are shown on the Users list page. #41697.
  • Added improved-performance implementation of ProxyCommand for Machine ID and SSH. This will become the default in v16. You can adopt this new mode early by setting TBOT_SSH_CONFIG_PROXY_COMMAND_MODE=new. #41694.
  • Improved EC2 Auto Discovery by adding the SSM script output and more explicit error messages. #41664.
  • Added webauthn diagnostics commands to tctl. #41643.
  • Upgraded application heartbeat service to support 1000+ dynamic applications. #41626
  • Fixed issue where Kubernetes watch requests are written out of order. #41624.
  • Fixed a race condition triggered by a reload during Teleport startup. #41592.
  • Updated discover wizard Install Script to support Ubuntu 24.04. #41589.
  • Fixed systemd unit to always restart Teleport on failure unless explicitly stopped. #41581.
  • Updated Teleport package installers to reload Teleport service config after upgrades. #41547.
  • Fixed file truncation bug in Desktop Directory Sharing. #41540.
  • Fixed WebUI SSH connection leak when browser tab closed during SSH connection establishment. #41518.
  • Fixed AccessList reconciler comparison causing audit events noise. #41517.
  • Added tooling to create SCIM integrations in tctl. #41514.
  • Fixed Windows Desktop error preventing rendering of the remote session. #41498.
  • Fixed issue in the PagerDuty, Opsgenie and ServiceNow access plugins that causing duplicate calls on Access Requests containing duplicate service names. Also increases the timeout so slow external API requests are less likely to fail. #41488.
  • Added basic Unix workload attestation to the tbot SPIFFE workload API. You can now restrict the issuance of certain SVIDs to processes running with a certain UID, GID or PID. #41450.
  • Added "login failed" audit events for invalid passwords on password+webauthn local authentication. #41432. Fixed Terraform provider issue causing the Provision Token options to default to false instead of empty. #41429.
  • Added support to automatically download CA for MongoDB Atlas databases. #41338.
  • Fixed broken "finish" web page for SSO Users on auto discover. #41335.
  • Allow setting Kubernetes Cluster name when using non-default addresses. #41331.
  • Added fallback on GetAccessList cache miss call. #41326.
  • Fixed DiscoveryService panic when auto-enrolling EKS clusters. #41320.
  • Added validation for application URL extracted from the web application launcher request route. #41304.
  • Allow defining custom database names and users when selecting wildcard during test connection when enrolling a database through the web UI. #41301.
  • Fixed broken link for alternative EC2 installation during EC2 discover flow. #41292
  • Updated Go to v1.21.10. #41281.
  • Updated user management to explicitly deny password resets and local logins to SSO users. #41270.
  • Fixed fetching suggested Access Lists with large IDs in Teleport Connect. #41269.
  • Prevents cloud tenants from updating cluster_networking_config fields keep_alive_count_max, keep_alive_interval, tunnel_strategy, or proxy_listener_mode. #41247.
  • Added support for creating Okta integrations with tctl #41888.

15.3.1 (05/07/24)

  • Fixed screen_size behavior for Windows Desktops, which was being overridden by the new resize feature. #41241
  • Ensure that the active sessions page shows up in the web UI for users with permissions to join sessions. #41221
  • Added indicators on the account settings page that tell which authentication methods are active. #41169
  • Fix a bug that was preventing tsh proxy kube certificate renewal from working when accessing a leaf kubernetes cluster via the root. #41158
  • Fixed AccessDeniedException for dynamodb:ConditionCheckItem operations when using Amazon DynamoDB for cluster state storage. #41133
  • Added lock target to lock deletion audit events. #41112
  • Fixed a permissions issue that prevented the teleport-cluster helm chart operator from registering agentless ssh servers. #41108
  • Improve the reliability of the upload completer. #41103
  • Allows the listener for the tbot database-tunnel service to be set to a unix socket. #41008

15.3.0 (04/30/24)

Improved Roles UI

The Roles page of the web UI is now backed by a paginated API, improving load times even on clusters with large numbers of roles.

Resizing for Windows desktop sessions

Windows desktop sessions now automatically resize as the size of the browser window changes.

Hardware key support for agentless nodes

Teleport now supports connecting to agentless OpenSSH nodes even when Teleport is configured to require hardware key MFA checks.

TPM joining

The new TPM join method enables secure joining for agents and Machine ID bots that run on-premise. Based on the secure properties of the host's hardware trusted platform module, this join method removes the need to create and distribute secret tokens, significantly reducing the risk of exfiltration.

Other improvements and fixes

  • Fixed user SSO bypass by performing a local passwordless login. #41067
  • Enforce allow_passwordless server-side. #41057
  • Fixed a memory leak caused by incorrectly passing the offset when paginating all Access Lists' members when there are more than the default pagesize (200) Access Lists. #41045
  • Added resize capability to windows desktop sessions. #41025
  • Fixed a regression causing roles filtering to not work. #40999
  • Allow AWS integration to be used for global services without specifying a valid region. #40991
  • Made account id visible when selecting IAM Role for accessing the AWS Console. #40987

15.2.5 (04/26/24)

  • Extend proxy templates to allow the target host to be resolved via a predicate expression or fuzzy matching. #40966
  • Fix an issue where Access Requests would linger in UI and tctl after expiry. #40964
  • The teleport-cluster Helm chart can configure AccessMonitoring when running in aws mode. #40957
  • Make podSecurityContext configurable in the teleport-cluster Helm chart. #40951
  • Allow to mount extra volumes in the updater pod deployed by the teleport-kube-agentchart. #40946
  • Improve error message when performing an SSO login with a hardware key. #40923
  • Fix a bug in the teleport-cluster Helm chart that happened when sessionRecording was off. #40919
  • Fix audit event failures when using DynamoDB event storage. #40913
  • Allow setting additional Kubernetes labels on resources created by the teleport-cluster Helm chart. #40909
  • Fix Windows cursor getting stuck. #40890
  • Issue cert.create events during device authentication. #40872
  • Add the ability to control ssh_config generation in Machine ID's Identity Outputs. This allows the generation of the ssh_config to be disabled if unnecessary, improving performance and removing the dependency on the Proxy being online. #40861
  • Prevent deleting AWS OIDC integration used by External Audit Storage. #40851
  • Introduce the tpm join method, which allows for secure joining in on-prem environments without the need for a shared secret. #40823
  • Reduce parallelism when polling AWS resources to prevent API throttling when exporting them to Teleport Access Graph. #40811
  • Fix spurious deletion of Access List Membership metadata during SCIM push or sync. #40544
  • Properly enforce session moderation requirements when starting Kubernetes ephemeral containers. #40906

15.2.4 (04/23/24)

  • Fixed a deprecation warning being shown when tbot is used with OpenSSH. #40837
  • Added a new Audit log event that is emitted when an Agent or Bot request to join the cluster is denied. #40814
  • Fixed regenerating cloud account recovery codes. #40786
  • Changed UI for the sign-up and authentication reset flows. #40773
  • Added a new Prometheus metric to track requests initiated by Teleport against the control plane API. #40754
  • Fixed an issue that prevented uploading a zip file larger than 10MiB when updating an AWS Lambda function via tsh app access. #40737
  • Patched CVE-2024-32650. #40735
  • Fixed possible data race that could lead to concurrent map read and map write while proxying Kubernetes requests. #40720
  • Fixed Access Request promotion of windows_desktop resources. #40712
  • Fixed spurious ambiguous host errors in ssh routing. #40706
  • Patched CVE-2023-45288 and CVE-2024-32473. #40695
  • generic "not found" errors are returned whether a remote cluster can't be found or access is denied. #40681
  • Fixed a resource leak in the Teleport proxy server when using proxy peering. #40672
  • Added Azure CLI access support on AKS with Entra Workload ID. #40660
  • Allow other issue types when configuring JIRA plugin. #40644
  • Added regexp.match to Access Request filter and where expressions. #40642
  • Notify the requester in slack review request messages. #40624
  • Handle passwordless in MFA audit events. #40617
  • Added auto discover capability to EC2 enrollment in the web UI. #40605
  • Fixes RDP licensing. #40595
  • Added support for the ascii variants of smartcard calls. #40566
  • Added the ability to configure labels that should be set on the Kubernetes secret when using the kubernetes_secret destination in tbot. #40550
  • Updated cosign to address CVE-2024-29902 and CVE-2024-29903. #40497
  • The Web UI now supports large number of roles by paginating them. #40463
  • Improved the responsiveness of the session player during long periods of idle time. #40442
  • Fixed incorrect format for database_object_import_rule resources with non-empty expiry. #40203
  • Updated Opsgenie annotations so approve-schedules is used for both alert creation and auto approval if notify schedules is not set. #40121

15.2.2 (04/11/24)

  • Updated the cluster selector in the UI to now only be visible when more than one cluster is available. #40478
  • Fixed accidental passkey "downgrades" to MFA. #40409
  • Added tsh proxy kube --exec mode that spawns kube proxy in the background, which re-executes the user shell with the appropriate kubeconfig. #40395
  • Made Amazon S3 fields optional when creating or editing AWS OIDC integration on the web UI. #40368
  • Fixed a bug that prevented the available logins from being displayed for Windows desktops in leaf clusters that were being accessed via the root cluster web ui. #40367
  • Changed Teleport Connect to hide cluster name in the connection list if there is only a single cluster available. #40356
  • Fixed invalid session TTL error when creating Access Request with tsh. #40335
  • Added missing discovery AWS matchers fields "Integration" and "KubeAppDiscovery" to the file configuration. #40320
  • Added automatic role Access Requests. #40285
  • Redesigned the login UI. #40272
  • Added friendly role names for Okta sourced roles. These will be displayed in Access List and Access Request pages in the UI. #40260
  • Added Teleport Machine ID Workload Identity support for legacy systems which are not able to parse DNS SANs, and which are not SPIFFE aware. #40180

15.2.1 (04/05/24)

  • Teleport Connect now shows all recent connections instead of capping them at 10. #40250
  • Limit max read size for the tsh device trust DMI cache file on Linux. #40234
  • Fix an issue that prevents the teleport service from restarting. #40229
  • Add new resource filtering predicates to allow exact matches on a single item of a delimited list stored in a label value. For example, if given the following label containing a string separated list of values foo=bar,baz,bang, it is now possible to match on any resources with a label foo that contains the element bar via contains(split(labels[foo], ","), bar). #40183
  • Updated Go to 1.21.9. #40176
  • Adds disable_exec_plugin option to the Machine ID Kubernetes Output to remove the dependency on tbot existing in the target environment. #40162
  • Adds the database-tunnel service to tbot which allows an authenticated database tunnel to be opened by tbot. This is an improvement over the original technique of using tbot proxy db. #40151
  • Allow diagnostic endpoints to be accessed behind a PROXY protocol enabled loadbalancer/proxy. #40138
  • Include system annotations in audit event entries for Access Requests. #40123
  • Fixed GitHub Auth Connector update event to show in Audit Log with name and description. #40116
  • Re-enabled the show_desktop_wallpaper flag. #40088
  • Reduce default Jamf inventory page size, allow custom values to be provided. #3817

15.2.0 (03/29/24)

Improved Access Requests UI

The Access Requests page of the web UI will be backed by a paginated API, improving load times even on clusters with many Access Requests.

Additionally, the UI allows you to search for Access Requests, sort them based on various attributes, and includes several new filtering options.

Zero-downtime web asset rollout

Teleport 15.2 changes the way that web assets are served and cached, which will allow multiple compatible versions of the Teleport Proxy to run behind the same load balancer.

Workload Identity MVP

With Teleport 15.2, Machine ID can bootstrap and issue identity to services across multiple computing environments and organizational boundaries. Workload Identity issues SPIFFE-compatible x509 certificates that can be used for mTLS between services.

Support for Kubernetes 1.29+

The Kubernetes project is deprecating the SPDY protocol for streaming commands (kubectl exec, kubectl port-forward, etc) and replacing it with a new websocket-based subprotocol. Teleport 15.2.0 will support the new protocol to ensure compatibility with newer Kubernetes clusters.

Automatic database Access Requests

Both tsh db connect and tsh proxy db will offer the option to submit an access request if the user attempts to connect to a database that they don't already have access to.

GCP console access via Workforce Identity Federation

Teleport administrators will be able to setup access to GCP web console through Workforce Identity Federation using Teleport as a SAML identity provider.

IaC support for OpenSSH nodes

Users will be able to register OpenSSH nodes in the cluster using Terraform and Kubernetes Operator.

Access requests start time

Users submitting Access Requests via web UI will be able to request specific access start time up to a week in advance.

Terraform and Operator support for agentless SSH nodes

The Teleport Terraform provider and Kubernetes operator now support declaring agentless OpenSSH and OpenSSH EC2 ICE servers. You can follow this guide to register OpenSSH agents with infrastructure as code.

Setting up EC2 ICE automatic discovery with IaC will come in a future update.

Operator and CRDs can be deployed separately

The teleport-operator and teleport-cluster charts now support deploying only the CRD, the CRD and the operator, or only the operator.

From the teleport-cluster Helm chart:

operator:
  enabled: true|false
  installCRDs: always|never|dynamic

From the teleport-operator Helm chart:

enabled: true|false
installCRDs: always|never|dynamic

In dynamic mode (by default), the chart will install CRDs if the operator is enabled, but will not remove the CRDs if you temporarily disable the operator.

Operator now propagates labels

Kubernetes CR labels are now copied to the Teleport resource when applicable. This allows you to configure RBAC for operator-created resources, and to filter Teleport resources using CR labels.

Terraform provider no longer forces resource re-creation on version change

Teleport v15 introduced two Terraform provider changes:

  • setting the resource version is now mandatory
  • a resource version change triggers the resource re-creation to ensure defaults were correctly set

The second change was too disruptive, especially for roles, as they cannot be deleted if a user or an Access List references them. Teleport 15.2 lifts this restriction and allows version change without forcing the resource deletion.

Another change to ensure resource defaults are correctly set during version upgrades will happen in v16.

Other improvements and fixes

  • Fixed "Invalid URI" error in Teleport Connect when starting mongosh from database connection tab. #40033
  • Adds support for exporting the SPIFFE CA using tls auth export --type tls-spiffe and the /webapi/auth/export endpoint. #40007
  • Update Rust to 1.77.0, enable RDP font smoothing. #39995
  • The role, server and token Teleport operator CRs now display additional information when listed with kubectl get. #39993
  • Improve performance of filtering resources via predicate expressions. #39972
  • Fixes a bug that prevented CA import when a SPIFFE CA was present. #39958
  • Fix a verbosity issue that caused the teleport-kube-agent-updater to output debug logs by default. #39953
  • Reduce default Jamf inventory page size, allow custom values to be provided. #39933
  • AWS IAM Roles are now filterable in the web UI when launching a console app. #39911
  • The teleport-cluster Helm chart now supports using the Amazon Athena event backend. #39907
  • Correctly show the users allowed logins when accessing leaf resources via the root cluster web UI. #39887
  • Improve performance of resource filtering via labels and fuzzy search. #39791
  • Enforce optimistic locking for AuthPreferences, ClusterNetworkingConfig, SessionRecordingConfig. #39785
  • Fix potential issue with some resources expiry being set to 01/01/1970 instead of never. #39773
  • Update default Access Request TTLs to 1 week. #39509
  • Fixed an issue where creating or updating an Access List with Admin MFA would fail in the WebUI. #3827

15.1.10 (03/27/24)

  • Fixed possible phishing links which could result in code execution with install and join scripts. #39837
  • Fixed MFA checks not being prompted when joining a session. #39814
  • Added support for Kubernetes websocket streaming subprotocol v5 connections. #39770
  • Fixed a regression causing MFA prompts to not show up in Teleport Connect. #39739
  • Fixed broken SSO login landing page on certain versions of Google Chrome. #39723
  • Teleport Connect now shows specific error messages instead of generic "access denied". #39720
  • Added audit events for database auto user provisioning. #39665
  • Updated Electron to v29 in Teleport Connect. #39657
  • Added automatic Access Request support for tsh db login, tsh db connect and tsh proxy db. #39617
  • Fixed a bug in Teleport Enterprise (Cloud) causing the hosted ServiceNow plugin to crash when setting up the integration. #39603
  • Fixed a bug of the discovery script failing when jq was not installed. #39599
  • Ensured that audit events are emitted whenever the authentication preferences, cluster networking config, or session recording config are modified. #39522
  • Database object labels will now support templates. #39496

15.1.9 (03/19/24)

  • Improved performance when listing nodes with tsh or tctl. #39567
  • Require AWS S3 bucket fields when creating/editing AWS OIDC integration in the web UII. #39510
  • Added remote port forwarding to tsh. #39441
  • Added support for setting default relay state for SAML IdP initiated logins via the web interface and tctl. For supported preset service provider types, a default value will be applied if the field is not configured. #39401

15.1.8 (03/18/24)

  • Fixed an issue with AWS IAM permissions that may prevent AWS database access when discovery_service is enabled in the same Teleport config as the db_service, namely AWS RDS, Redshift, Elasticache, and MemoryDB. #39488

15.1.7 (03/16/24)

  • Added remote port forwarding for Teleport nodes. #39440
  • Added remote port forwarding for OpenSSH nodes. #39438

15.1.5 (03/15/24)

  • Improve error messaging when creating resources fails because they already exist or updating resources fails because they were removed. #39395
  • The audit entry for access_request.search will now truncate the list of roles in the audit UI if it exceeds 80 characters. #39372
  • Re-enable AWS IMDSv1 fallback due to some EKS clusters having their IMDSv2 hop limit set to 1, leading to IMDSv2 requests failing. Users who wish to keep IMDSv1 fallback disabled can set the AWS_EC2_METADATA_V1_DISABLED environmental variable. #39366
  • Only allow necessary operations during moderated file transfers and limit in-flight file transfer requests to one per session. #39351
  • Make the Jira access plugin log Jira errors properly. #39346
  • Fixed allowing invalid Access Request start time date to be set. #39322
  • Teleport Enterprise now attempts to load the license file from the configured data directory if not otherwise specified. #39314
  • Improve the security for MFA for Admin Actions when used alongside Hardware Key support. #39306
  • The saml_idp_service_provider spec adds a new preset field that can be used to specify predefined SAML service provider profile. #39277
  • Fixed a bug that caused some MFA for Admin Action flows to fail instead of retrying: ex: tctl bots add --token=<token>. #39269

15.1.4 (03/12/24)

  • Raised concurrent connection limits between Teleport Enterprise (Cloud) regions and in clusters that use proxy peering. #39233
  • Improved cleanup of system resources during a shutdown of Teleport. #39211
  • Resolved sporadic errors caused by requests fail to comply with Kubernetes API spec by not specifying resource identifiers. #39168
  • Added a new password change wizard. #39124
  • Fixed the NumLock and Pause keys for desktop access sessions not working. #39095

15.1.3 (03/08/24)

  • Fix a bug when using automatic updates and the Discovery Service. The default install script now installs the correct teleport version by querying the version server. #39099
  • Fix a regression where tsh kube credentials fails to re-login when credentials expire. #39075
  • TBot now supports --proxy-server for explicitly configuring the Proxy address. We recommend switching to this if you currently specify the address of your Teleport proxy to --auth-server. #39055
  • Expand the EC2 joining process to include newly created AWS regions. #39051
  • Added GCP MySQL access IAM Authentication support. #39040
  • Fixed compatibility of the Teleport service file with older versions of systemd. #39032
  • Update WebUI database connection instructions. #39027
  • Teleport Proxy Service now runs a version server by default serving its own version. #39017
  • Significantly reduced latency of network calls in Teleport Connect. #39012
  • SPIFFE SVID generation introduced to tbot (experimental). #39011
  • Adds tsh workload issue command for issuing SVIDs using tsh. #39115
  • Fixed an issue in SAML IdP entity descriptor generator process, which would fail to generate entity descriptor if the configured Entity ID endpoint would return HTTP status code above 200 and below 400 . #38987
  • Updated Go to 1.21.8. #38983
  • Updated electron-builder dependency to address possible arbitrary code execution in the Windows installer of Teleport Connect (CVE-2024-27303). #38964
  • Fixed an issue where it was possible to skip providing old password when setting a new one. #38962
  • Added database permission management support for Postgres. #38945
  • Improved reliability and performance of tbot. #38928
  • Filter terminated sessions from the tsh sessions ls output. #38887
  • Make it easier to identify Teleport browser tabs by placing the session information before the cluster name. #38737
  • The teleport-ent-upgrader package now gracefully restarts the Teleport binary if possible, to avoid cutting off ongoing connections. #3578
  • Trusted device authentication failures may now include a brief explanation message in the corresponding audit event. #3572
  • Okta Access Lists sync will now sync groups without members. #3636

15.1.1 (03/01/24)

  • Fixed panic when an older tsh or proxy changes an Access List. #38861
  • SSH connection resumption now works during graceful upgrades of the Teleport agent. #38842
  • Fixed an issue with over counting of reported Teleport updater metrics. #38831
  • Fixed tsh returning "private key policy not met" errors instead of automatically initiating re-login to satisfy the private key policy. #38819
  • Made graceful shutdown and graceful restart terminate active sessions after 30 hours. #38803

15.1.0 (02/29/24)

New Features

Standalone tbot Docker image

We now ship a new container image that contains tbot but omits other Teleport binaries, providing a light-weight option for Machine ID users.

Custom mouse pointers for remote desktop sessions

Teleport remote desktop sessions now automatically change the mouse cursor depending on context (when hovering over a link, resizing a window, or editing text, for example).

Synchronization of Okta groups and apps

Okta integration now support automatic synchronization of Okta groups and app assignments to Teleport as Access Lists giving users ability to request access to Okta apps without extra configuration.

EKS auto-discovery in Access Management UI

Users going through EKS enrollment flow in Access Management web UI now have an option to enable auto-discovery for EKS clusters.

Other changes

  • Fixed application access events being overwritten when using DynamoDB as event storage. #38815
  • Fixed a regression that had reintroduced long freezes for certain actions like "Run as different user". #38805
  • When teleport is configured to require MFA for admin actions, MFA is required to get certificate authority secrets. Ex: tctl auth export --keys or tctl get cert_authority/host/root.example.com --with-secrets. #38777
  • Added auto-enrolling capabilities to EKS discover flow in the web UI. #38773
  • Heavily optimized the Access List page in the UI, speeding things up considerably. #38764
  • Align DynamoDB BatchWriteItem max items limit. #38763
  • tbot-distroless image is now published. This contains just the tbot binary and therefore has a smaller image size. #38718
  • Fixed a regression with Teleport Connect not showing the re-login reason and connection errors when accessing databases, Kube clusters, and apps with an expired cert. #38716
  • Re-enabled the Windows key and prevents it from sticking or otherwise causing problems when cmd+tab-ing or alt+tab-ing away from the browser during desktop sessions. #38699
  • Resource limits are now correctly applied to the wait-auth-update initContainer in the teleport-cluster Helm chart. #38692
  • When teleport is configured to require MFA for admin actions, MFA is required to create, update, or delete trusted clusters. #38690
  • Fixed error in tctl get users --with-secrets when using SSO. #38663
  • When device trust is required and MFA is optional, users will need to add their first MFA device from a trusted device. #38657
  • Temporary files are no longer created during Discover UI EKS cluster enrollment. #38649
  • When teleport is configured to require MFA for admin actions, MFA is required to get or list tokens with tctl. Ex: tctl tokens ls or tctl get tokens/foo. #38645
  • Implemented dynamic mouse pointer updates to reflect context-specific actions, e.g. window resizing. #38614
  • MFA approval is no longer required in the beginning of EKS Discover flow. #38580
  • Fixed Postgres v16.x compatibility issue preventing multiple connections for auto-provisioned users. #38543
  • Fixed incorrect color of resource cards after changing the theme in Web UI and Connect. #38537
  • Updated the dialog for adding new authentication methods in the account settings screen. #38535
  • Displays review dates for Access Lists in dates, not remaining hours in tsh. #38525
  • Ensure that tsh continues to function if one of its profiles is invalid. #38514
  • Fixed logging output for teleport configure ... commands. #38508
  • Fixed tsh/WebAuthn.dll panic on Windows Server 2019. #38490
  • Fixes an issue that prevented the Web UI from properly displaying the hostname of servers in leaf clusters. #38469
  • Added ssh_service.enhanced_recording.root_path configuration option to change the cgroup slice path used by the agent. #38394
  • Fixed a bug that could cause expired SSH servers from appearing in the Web UI until the Proxy is restarted. #38310
  • Desktops can now be configured to use the same screen resolution for all sessions. #38307
  • The maximum duration for an Access Request is now 14 days, the okta-requester role has been added which takes advantage of this. #38224
  • Added TLS routing native WebSocket connection upgrade support. #38108
  • Fixed a bug allowing the operator to delete resource it does not own. #37750

15.0.2 (02/15/24)

  • Fixed a potential panic in the tsh status command. #38305
  • Fixed SSO user locking in the setup access step of the RDS auto discover flow in the web UI. #38283
  • Optionally permit the Auth Service to terminate client connections from unsupported versions. #38182
  • Fixed Assist obstructing the user dropdown menu when in docked mode. #38156
  • Improved the stability of Teleport during graceful upgrades. #38145
  • Added the ability to view and manage Machine ID bots from the UI. #38122
  • Fixed a bug that prevented desktop clipboard sharing from working when large amounts of text are placed on the clipboard. #38120
  • Added option to validate hardware key serial numbers with hardware key support. #38068
  • Removed access tokens from URL parameters, preventing them from being leaked to intermediary systems that may log them in plaintext. #38032
  • Forced agents to terminate Auth connections if joining fails. #38005
  • Added a tsh sessions ls command to list active sessions. #37969
  • Improved error handling when idle desktop connections are terminated. #37955
  • Updated Go to 1.21.7. #37846
  • Discover flow now starts two instances of DatabaseServices when setting up access to Amazon RDS. #37805

15.0.1 (02/06/24)

  • Correctly handle non-registered U2F keys. #37720
  • Fixed memory leak in tbot caused by never closing reverse tunnel address resolvers. #37718
  • Fixed conditional user modifications (used by certain Teleport subsystems such as Device Trust) on users that have previously been locked out due to repeated recovery attempts. #37703
  • Added okta integration SCIM support for web UI. #37697
  • Added SCIM support in Okta integration (cloud only). #3341
  • Fixed usage data submission becoming stuck sending too many reports at once (Teleport Enterprise only). #37687
  • Fixed cache init issue with Access List members/reviews. #37673
  • Fixed "failed to close stream" log messages. #37662
  • Skip tsh AppID pre-flight check whenever possible. #37642

15.0.0 (01/31/24)

Teleport 15 brings the following new major features and improvements:

  • Desktop access performance improvements
  • Enhanced Device Trust support
  • SSH connection resumption
  • RDS auto-discovery in Access Management UI
  • EKS Integration for Teleport
  • MFA for Administrative Actions
  • Improved SAML IdP configuration flow
  • Improved provisioning for Okta
  • Support for AWS KMS
  • Teleport Connect improvements
  • Session playback improvements
  • Standalone Kubernetes Operator
  • Roles v6 and v7 support for Kubernetes Operator
  • Enhanced ARM64 builds

In addition, this release includes several changes that affect existing functionality listed in the “Breaking changes” section below. Users are advised to review them before upgrading.

Description

Desktop access performance improvements

Teleport 15 leverages a new, more performant RDP engine, resulting in a smoother desktop access experience.

Device Trust for Linux support

Teleport Device Trust now supports TPM joining on Linux devices.

Additionally, tsh proxy app can now solve device challenges, allowing users to enforce the use of a trusted device to access applications.

SSH connection resumption

Teleport v15 introduces automatic SSH connection resumption if the network path between the client and the Teleport node is interrupted due to connectivity issues, and transparent connection migration if the control plane is gracefully upgraded.

The feature is active by default when a v15 client (tsh, OpenSSH or PuTTY configured by tsh config, or Teleport Connect) connects to a v15 Teleport node.

RDS auto-discovery in Access Management UI

Users going through the Access Management UI flow to enroll RDS databases are now able to set up auto-discovery.

EKS Integration for Teleport

Teleport now allows users to enroll EKS clusters via the Access Management UI.

Improved SAML IdP configuration flow

When adding a SAML application via Access Management UI, users are now able to configure attribute mapping and have Teleport fetch service provider's entity descriptor automatically.

Improved provisioning for Okta

Teleport 15 improves performance of receiving user/group updates from Okta by leveraging System for Cross-domain Identity Management (SCIM).

Note: This feature will come out in a later 15.0 patch release.

Support for AWS KMS

Teleport 15 supports the use of AWS Key Management Service (KMS) to store and handle the CA private key material used to sign all Teleport-issued certificates. When enabled, private key material never leaves AWS KMS.

To migrate existing clusters to AWS KMS, you must perform a CA rotation.

MFA for administrative actions

When Teleport is configured to require webauthn (second_factor: webauthn), administrative actions performed via tctl or the web UI will require an additional MFA tap.

Examples of administrative actions include, but are not limited to:

  • Resetting or recovering user accounts
  • Inviting new users
  • Updating cluster configuration resources
  • Creating and approving Access Requests
  • Generating new join tokens

Note: when MFA for administrative actions is enabled, user certificates produced with tctl auth sign will no longer be suitable for automation due to the additional MFA checks, unless run directly on a local Auth Service (legacy setup). We recommend using Machine ID to issue certificates for automated workflows, which uses role impersonation that is not subject to MFA checks.

Teleport Connect improvements

Teleport Connect will now prompt for an MFA tap prior to accessing Kubernetes clusters when per-session MFA is enabled.

Additionally, Teleport Connect includes support for TCP and web applications, and can also launch AWS and SAML apps in a web browser.

Session playback improvements

Prior to Teleport 15, tsh play and the web UI would download the entire session recording before starting playback. As a result, playback of large recordings could be slow to start, and may fail to play at all in the browser.

In Teleport 15, session recordings are streamed from the Auth Service, allowing playback to start before the entire session is downloaded and unpacked.

Additionally, tsh play now supports a --speed flag for adjusting the playback speed, and desktop session playback now supports seeking to arbitrary positions in the recording.

Web UI improvements

Prior to Teleport 15, there was a dropdown in the sidebar between “Resources” and “Management,” and in the Resources mode, there were tabs in the sidebar for Access Requests and Active Sessions. In Teleport 15, all of the above have moved to tabs in a top navbar, and the Resources view is fully responsive across viewport widths. A side navbar still exists in the “Access Management” tab.

Prior to Teleport 15, Passkeys and MFA devices were shown in a single list on the “Account Settings” screen, without a clear distinction between them. In Teleport 15, these have been split into distinct lists so it is clearer which type of authentication you are adding to your account.

Standalone Kubernetes Operator

Prior to Teleport 15, the Teleport Kubernetes Operator had to run as a sidecar of the Teleport auth. It was not possible to use the operator in Teleport Enterprise (Cloud) or against a Teleport cluster not deployed with the teleport-cluster Helm chart.

In Teleport 15, the Teleport Operator can reconcile resources in any Teleport cluster. Teleport Enterprise (Cloud) users can now use the operator to manage their resources.

When deployed with the teleport-cluster chart, the operator now runs in a separate pod. This ensures that Teleport's availability won't be impacted if the operator becomes unready.

See the Standalone Operator guide for installation instructions.

Roles v6 and v7 support for Kubernetes Operator

Starting with Teleport 15, newly supported kinds will contain the resource version. For example: TeleportRoleV6 and TeleportRoleV7 kinds will allow users to create Teleport Roles v6 and v7.

Existing kinds will remain unchanged in Teleport 15, but will be renamed in Teleport 16 for consistency.

To migrate an existing Custom Resource (CR) TeleportRole to a TeleportRoleV7, you must:

  • upgrade Teleport and the operator to v15
  • annotate the exiting TeleportRole CR with teleport.dev/keep: "true"
  • delete the TeleportRole CR (it won't delete the role in Teleport thanks to the annotation)
  • create a new TeleportRoleV7 CR with the same name

Enhanced ARM64 builds

Teleport 15 now provides FIPS-compliant Linux builds on ARM64. Users will now be able to run Teleport in FedRAMP/FIPS mode on ARM64.

Additionally, Teleport 15 includes hardened AWS AMIs for ARM64.

Breaking changes and deprecations

RDP engine requires RemoteFX

Teleport 15 includes a new RDP engine that leverages the RemoteFX codec for improved performance. Additional configuration may be required to enable RemoteFX on your Windows hosts.

If you are using our authentication package for local users, the v15 installer will automatically enable RemoteFX for you.

Alternatively, you can enable RemoteFX by updating the registry:

Set-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services' -Name 'ColorDepth' -Type DWORD -Value 5
Set-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services' -Name 'fEnableVirtualizedGraphics' -Type DWORD -Value 1

If you are using Teleport with Windows hosts that are part of an Active Directory environment, you should enable RemoteFX via group policy.

Under Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host, enable:

  1. Remote Session Environment > RemoteFX for Windows Server 2008 R2 > Configure RemoteFX
  2. Remote Session Environment > Enable RemoteFX encoding for RemoteFX clients designed for Windows Server 2008 R2 SP1
  3. Remote Session Environment > Limit maximum color depth

Detailed instructions are available in the setup guide. A reboot may be required for these changes to take effect.

tsh ssh

When running a command on multiple nodes with tsh ssh, each line of output is now labeled with the hostname of the node it was written by. Users that rely on parsing the output from multiple nodes should pass the --log-dir flag to tsh ssh, which will create a directory where the separated output of each node will be written.

drop host user creation mode

The drop host user creation mode has been removed in Teleport 15. It is replaced by insecure-drop, which still creates temporary users but does not create a home directory. Users who need home directory creation should either wrap useradd/userdel or use PAM.

Remove restricted sessions for SSH

The restricted session feature for SSH has been deprecated since Teleport 14 and has been removed in Teleport 15. We recommend implementing network restrictions outside of Teleport (iptables, security groups, etc).

Packages no longer published to legacy Debian and RPM repos

deb.releases.teleport.dev and rpm.releases.teleport.dev were deprecated in Teleport 11. Beginning in Teleport 15, Debian and RPM packages will no longer be published to these repos. Teleport 14 and prior packages will continue to be published to these repos for the remainder of those releases' lifecycle.

All users are recommended to switch to apt.releases.teleport.dev and yum.releases.teleport.dev repositories as described in installation instructions.

The legacy package repos will be shut off in mid 2025 after Teleport 14 has been out of support for many months.

Container images

Teleport 15 contains several breaking changes to improve the default security and usability of Teleport-provided container images.

"Heavy" container images are discontinued

In order to increase default security in 15+, Teleport will no longer publish container images containing a shell and command line environment to Elastic Container Registry's gravitational/teleport image repo. Instead, all users should use the distroless images introduced in Teleport 12. These images can be found at:

For users who need a shell in a Teleport container, a "debug" image is available which contains BusyBox, including a shell and many CLI tools. Find the debug images at:

Do not run debug container images in production environments.

Heavy container images will continue to be published for Teleport 13 and 14 throughout the remainder of these releases' lifecycle.

Helm cluster chart FIPS mode changes

The teleport-cluster chart no longer uses versionOverride and extraArgs to set FIPS mode.

Instead, you should use the following values file configuration:

enterpriseImage: public.ecr.aws/gravitational/teleport-ent-fips-distroless
authentication:
  localAuth: false
Multi-architecture Teleport Operator images

Teleport Operator container images will no longer be published with architecture suffixes in their tags (for example: 14.2.1-amd64 and 14.2.1-arm). Instead, only a single tag will be published with multi-platform support (e.g., 15.0.0). If you use Teleport Operator images with an architecture suffix, remove the suffix and your client should automatically pull the platform-appropriate image. Individual architectures may be pulled with docker pull --platform <arch>.

Quay.io registry

The quay.io container registry was deprecated and Teleport 12 is the last version to publish images to quay.io. With Teleport 15's release, v12 is no longer supported and no new container images will be published to quay.io.

For Teleport 8+, replacement container images can be found in Teleport's public ECR registry.

Users who wish to continue to use unsupported container images prior to Teleport 8 will need to download any quay.io images they depend on and mirror them elsewhere before July 2024. Following brownouts in May and June, Teleport will disable pulls from all Teleport quay.io repositories on Wednesday July 3, 2024.

Amazon AMIs

Teleport 15 contains several breaking changes to improve the default security and usability of Teleport-provided Amazon AMIs.

Hardened AMIs

Teleport-provided Amazon Linux 2023 previously only supported x86_64/amd64. Starting with Teleport 15, arm64-based AMIs will be produced. However, the naming scheme for these AMIs has been changed to include the architecture.

  • Previous naming scheme: teleport-oss-14.0.0-$TIMESTAMP
  • New naming scheme: teleport-oss-15.0.0-x86_64-$TIMESTAMP
Legacy Amazon Linux 2 AMIs

Teleport-provided Amazon Linux 2 AMIs were deprecated, and Teleport 14 is the last version to produce such legacy AMIs. With Teleport 15's release, only the newer hardened Amazon Linux 2023 AMIs will be produced.

The legacy AMIs will continue to be published for Teleport 13 and 14 throughout the remainder of these releases' lifecycle.

windows_desktop_service no longer writes to the NTAuth store

In Teleport 15, the process that periodically publishes Teleport's user CA to the Windows NTAuth store has been removed. It is not necessary for Teleport to perform this step since it must be done by an administrator at installation time. As a result, Teleport's service account can use more restrictive permissions.

Example AWS cluster deployments updated

The AWS terraform examples for Teleport clusters have been updated to use the newer hardened Amazon Linux 2023 AMIs. Additionally, the default architecture and instance type has been changed to ARM64/Graviton.

As a result of this modernization, the legacy monitoring stack configuration used with the legacy AMIs has been removed.

teleport-cluster Helm chart changes

Due to the new separate operator deployment, the operator is deployed by a subchart. This causes the following breaking changes:

  • installCRDs has been replaced by operator.installCRDs
  • teleportVersionOverride does not set the operator version anymore, you must use operator.teleportVersionOverride to override the operator version.

Note: version overrides are dangerous and not recommended. Each chart version is designed to run a specific Teleport and operator version. If you want to deploy a specific Teleport version, use Helm's --version X.Y.Z instead.

The operator now joins using a Kubernetes ServiceAccount token. To validate the token, the Teleport Auth Service must have access to the TokenReview API. The chart configures this for you since v12, unless you disabled rbac creation.

Helm cluster chart FIPS mode changes

The teleport-cluster chart no longer uses versionOverride and extraArgs to set FIPS mode.

Instead, you should use the following values file configuration:

enterpriseImage: public.ecr.aws/gravitational/teleport-ent-fips-distroless
authentication:
  localAuth: false

Resource version is now mandatory and immutable in the Terraform provider

Starting with Teleport 15, each Terraform resource must have its version specified. Before version 15, Terraform was picking the latest version available on resource creation. This caused inconsistencies as new resources creates with the same manifest as old resources were not exhibiting the same behavior.

Resource version is now immutable. Changing a resource version will cause Terraform to delete and re-create the resource. This ensures the correct defaults are set.

Existing resources will continue to work as Terraform already imported their version. However, new resources will require an explicit version.

Other changes

Increased password length

The minimum password length for local users has been increased from 6 to 12 characters.

Increased account lockout interval

The account lockout interval has been increased from 20 to 30 minutes.

14.3.21 (06/20/24)

  • Fixed bug that caused gRPC connections to be disconnected when their certificate expired even though DisconnectCertExpiry was false. #43292
  • Fixed bug where a Teleport instance running only Jamf or Discovery service would never have a healthy /readyz endpoint. #43285
  • Added a missing [Install] section to the teleport-acm systemd unit file as used by Teleport AMIs. #43258
  • Updated teleport to skip jamf_service validation when the Jamf is not enabled. #43170
  • Improved log rotation logic in Teleport Connect; now the non-numbered files always contain recent logs. #43163
  • Made tsh and Teleport Connect return early during login if ping to Proxy Service was not successful. #43087
  • Added ability to edit user traits from the Web UI. #43070
  • Enforce limits when reading events from Firestore to prevent OOM events. #42968
  • Fixed an issue Oracle access failed through trusted cluster. #42929
  • Fixes errors caused by dynamoevents query StartKey not being within the [From, To] window. #42914
  • Fixed updating groups for Teleport-created host users. #42883
  • Update azidentity to v1.6.0 (patches CVE-2024-35255). #42860
  • Remote rate limits on endpoints used extensively to connect to the cluster. #42836
  • Improved the performance of the Athena audit log and S3 session storage backends. #42796
  • Prevented a panic in the Proxy when accessing an offline application. #42787
  • Improve backoff of session recording uploads by teleport agents. #42775
  • Reduced backend writes incurred by tracking status of non-recorded sessions. #42695
  • Fixed listing available DB users in Teleport Connect for databases from leaf clusters obtained through Access Requests. #42681
  • Fixed not being able to logout from the web UI when session invalidation errors. #42654
  • Updated OpenSSL to 3.0.14. #42643
  • Teleport Connect binaries for Windows are now signed. #42473
  • Updated Go to 1.21.11. #42416
  • Fix web UI notification dropdown menu height from growing too long from many notifications. #42338
  • Disabled session recordings for non-interactive sessions when enhanced recording is disabled. #42321
  • Fixed issue where removing an app could make teleport app agents incorrectly report as unhealthy for a short time. #42269
  • Fixed a panic in the DynamoDB audit log backend when the cursor fell outside of the [From,To] interval. #42266
  • The teleport configure command now supports a --node-name flag for overriding the node's hostname. #42249
  • Fixed an issue where mix-and-match of join tokens could interfere with some services appearing correctly in heartbeats. #42188
  • Improved temporary disk space usage for session recording processing. #42175
  • Fixed a regression where Kubernetes Exec audit events were not properly populated and lacked error details. #42146
  • Fix Azure join method when using Resource Groups in the allow section. #42140
  • Fixed resource leak in session recording cleanup. #42069
  • Reduced memory and cpu usage after control plane restarts in clusters with a high number of roles. #42064
  • Fixed the field allowed_https_hostnames in the Teleport Operator resources: SAML, OIDC, and GitHub Connector. #42056
  • Enhanced error messaging for clients using kubectl exec v1.30+ to include warnings about a breaking change in Kubernetes. #41989

Enterprise-Only changes:

  • Improved memory usage when reconciling Access Lists members to prevent Out of Memory events when reconciling a large number of Access Lists members.
  • Prevented Access Monitoring reports from crashing when large datasets are returned.
  • Ensured graceful restart of teleport.service after an upgrade.

14.3.20 (05/23/24)

This release contains fixes for several high-severity security issues, as well as numerous other bug fixes and improvements.

Security Fixes

[High] Unrestricted redirect in SSO Authentication

Teleport didn’t sufficiently validate the client redirect URL. This could allow an attacker to trick Teleport users into performing an SSO authentication and redirect to an attacker-controlled URL allowing them to steal the credentials. #41834.

Warning: Teleport will now disallow non-localhost callback URLs for SSO logins unless otherwise configured. Users of the tsh login --callback feature should modify their auth connector configuration as follows:

version: vX
kind: (saml|oidc|github)
metadata:
  name: ...
spec:
  ...
  client_redirect_settings:
    allowed_https_hostnames:
      - '*.app.github.dev'
      - '^\d+-[a-zA-Z0-9]+\.foo.internal$'

The allowed_https_hostnames field is an array containing allowed hostnames, supporting glob matching and, if the string begins and ends with ^ and $ respectively, full regular expression syntax. Custom callback URLs are required to be HTTPS on the standard port (443).

[High] CockroachDB authorization bypass

When connecting to CockroachDB using database access, Teleport did not properly consider the username case when running RBAC checks. As such, it was possible to establish a connection using an explicitly denied username when using a different case. #41823.

[High] Long-lived connection persistence issue with expired certificates

Teleport did not terminate some long-running mTLS-authenticated connections past the expiry of client certificates for users with the disconnect_expired_cert option. This could allow such users to perform some API actions after their certificate has expired. #41827.

[High] PagerDuty integration privilege escalation

When creating a role Access Request, Teleport would include PagerDuty annotations from the entire user’s role set rather than a specific role being requested. For users who run multiple PagerDuty access plugins with auto-approval, this could result in a request for a different role being inadvertently auto-approved than the one which corresponds to the user’s active on-call schedule. #41837.

[High] SAML IdP session privilege escalation

When using Teleport as SAML IdP, authorization wasn’t properly enforced on the SAML IdP session creation. As such, authenticated users could use an internal API to escalate their own privileges by crafting a malicious program. #41846.

We strongly recommend all customers upgrade to the latest releases of Teleport.

Other fixes and improvements

  • Fixed session upload completion in situations where there's a large number of in-flight session uploads. #41853
  • Debug symbols are now stripped from Windows builds, resulting in smaller tsh and tctl binaries. #41839
  • Fixed an issue that the server version of the registered MySQL databases is not automatically updated upon new connections. #41820
  • Add read-only permissions for cluster maintenance config. #41791
  • Simplified how Bots are shown on the Users list page. #41739
  • Fix missing variable and script options in Default Agentless Installer script. #41722
  • Improved reliability of aggregated usage reporting with some cluster state storage backends (Teleport Enterprise only). #41703
  • Adds the remote address to audit log events emitted when a join for a Bot or Instance fails or succeeds. #41699
  • Allow the Application Service to heartbeat on behalf of more than 1000 dynamic applications. #41627
  • Ensure responses to Kubernetes watch requests are written sequentially. #41625
  • Install Script used in discover wizard now supports Ubuntu 24.04. #41588
  • Ensured that systemd always restarts Teleport on any failure unless explicitly stopped. #41582
  • Teleport service config is now reloaded on upgrades. #41548
  • Fix AccessList reconciler comparison causing audit events noise. #41541
  • Prevent SSH connections opened in the UI from leaking if the browser tab is closed while the SSH connection is being established. #41519
  • Emit login login failed audit events for invalid passwords on password+webauthn local authentication. #41433
  • Allow setting Kubernetes Cluster name when using non-default addresses. #41355
  • Added support to automatically download CA for MongoDB Atlas databases. #41339
  • Fix broken finish web page for SSO user's on auto discover. #41336
  • Add fallback on GetAccessList cache miss call. #41327
  • Validate application URL extracted from the web application launcher request route. #41305
  • Allow defining custom database names and users when selecting wildcard during test connection when enrolling a database through the web UI. #41302
  • Updated Go to v1.21.10. #41282
  • Forbid SSO users from local logins or password changes. #41271
  • Prevents Cloud tenants from updating cluster_networking_config fields keep_alive_count_max, keep_alive_interval, tunnel_strategy, or proxy_listener_mode. #41248

14.3.18 (05/07/24)

  • Ensure that the active sessions page shows up in the web UI for users with permissions to join sessions. #41222
  • Fix a bug that was preventing tsh proxy kube certificate renewal from working when accessing a leaf kubernetes cluster via the root. #41157
  • Add lock target to lock deletion audit events. #41111
  • Improve the reliability of the upload completer. #41104
  • Allows the listener for the tbot database-tunnel service to be set to a unix socket. #41042

14.3.17 (04/30/24)

  • Fixed user SSO bypass by performing a local passwordless login. #41071
  • Enforce allow_passwordless server-side. #41058
  • Fixed a memory leak caused by incorrectly passing the offset when paginating all Access Lists' members when there are more than the default pagesize (200) Access Lists. #41044
  • Fixed a regression causing roles filtering to not work. #41000
  • Allow AWS integration to be used for global services without specifying a valid region. #40990
  • Fixed Access Requests lingering in the UI and tctl after expiry. #40965
  • Made podSecurityContext configurable in the teleport-cluster Helm chart. #40950
  • Allow mounting extra volumes in the updater pod deployed by the teleport-kube-agentchart. #40949
  • Improved error message when performing an SSO login with a hardware key. #40924
  • Fixed a bug in the teleport-cluster Helm chart that happened when sessionRecording was off. #40920
  • Allows setting additional Kubernetes labels on resources created by the teleport-cluster Helm chart. #40916
  • Fixed audit event failures when using DynamoDB event storage. #40912
  • Properly enforce session moderation requirements when starting Kubernetes ephemeral containers. #40907
  • Introduced the tpm join method, which allows for secure joining in on-prem environments without the need for a shared secret. #40875
  • Issue cert.create events during device authentication. #40873
  • Add the ability to control ssh_config generation in Machine ID's Identity Outputs. This allows the generation of the ssh_config to be disabled if unnecessary, improving performance and removing the dependency on the Proxy being online. #40862
  • Prevented deleting AWS OIDC integration used by External Audit Storage. #40853
  • Reduced parallelism when polling AWS resources to prevent API throttling when exporting them to Teleport Access Graph. #40812
  • Added hardware key support for agentless connections #40929

14.3.16 (04/23/24)

  • Fixed a deprecation warning being shown when tbot is used with OpenSSH. #40838
  • Added a new Audit log event that is emitted when an Agent or Bot request to join the cluster is denied. #40815
  • Added a new Prometheus metric to track requests initiated by Teleport against the control plane API. #40755
  • Fixed uploading zip files larger than 10MiB when updating an AWS Lambda function via tsh app access. #40738
  • Fixed possible data race that could lead to concurrent map read and map write while proxying Kubernetes requests. #40721
  • Fixed Access Request promotion of windows_desktop resources. #40711
  • Fixed spurious ambiguous host errors in ssh routing. #40709
  • Patched CVE-2023-45288 and CVE-2024-32473. #40696
  • Generic "not found" errors are returned whether a remote cluster can't be found or access is denied. #40682
  • Fixed a resource leak in the Teleport proxy server when using proxy peering. #40675
  • Allow other issue types when configuring JIRA plugin. #40645
  • Added the ability to configure labels that should be set on the Kubernetes secret when using the kubernetes_secret destination in tbot. #40551
  • Updated cosign to address CVE-2024-29902 and CVE-2024-29903. #40498
  • The Web UI now supports large number of roles by paginating them. #40464

14.3.15 (04/12/24)

  • Fixed accidental passkey "downgrades" to MFA. #40410
  • Added tsh proxy kube --exec mode that spawns kube proxy in the background, which re-executes the user shell with the appropriate kubeconfig. #40394
  • Made Amazon S3 fields optional when creating or editing AWS OIDC integration on the web UI. #40372
  • Changed Teleport Connect to hide cluster name in the connection list if there is only a single cluster available. #40357
  • Changed Teleport Connect to now show all recent connections instead of capping them at 10. #40251
  • Fixed an issue that prevents the Teleport service from restarting. #40230
  • Added a new resource filtering predicates to allow exact matches on a single item of a delimited list stored in a label value. For example, if given the following label containing a string separated list of values foo=bar,baz,bang, it is now possible to match on any resources with a label foo that contains the element bar via contains(split(labels[foo], ","), bar). #40184
  • Updated Go to 1.21.9. #40177
  • Added disable_exec_plugin option to the Machine ID Kubernetes Output to remove the dependency on tbot existing in the target environment. #40163
  • Added the database-tunnel service to tbot which allows an authenticated database tunnel to be opened by tbot. This is an improvement over the original technique of using tbot proxy db. #40160
  • Enabled diagnostic endpoints access behind a PROXY protocol enabled loadbalancer/proxy. #40139
  • Added system annotations to audit event entries for Access Requests. #40122
  • Fixed "Invalid URI" error in Teleport Connect when starting MongoDB mongosh from the database connection tab. #40105
  • Improved the performance of filtering resources via predicate expressions. #39975
  • Fixed a verbosity issue that caused the teleport-kube-agent-updater to output debug logs by default. #39954
  • Reduced default Jamf inventory page size, and added support for custom values. #39934
  • Added support to the teleport-cluster Helm chart for using an Amazon Athena event backend. #39908
  • Improved the performance of resource filtering via labels and fuzzy search. #39792

14.3.14 (03/27/24)

  • Fixed possible phishing links which could result in code execution with install and join scripts. #39838
  • Fixed MFA checks not being prompted when joining a session. #39815
  • Fixed potential issue with some resources expiry being set to 01/01/1970 instead of never. #39774
  • Added support for Kubernetes websocket streaming subprotocol v5 connections. #39771
  • Fixed broken SSO login landing page on certain versions of Google Chrome. #39722
  • Updated Electron to v29 in Teleport Connect. #39658
  • Fixed a bug in Teleport Enterprise (Cloud) causing the hosted ServiceNow plugin to crash when setting up the integration. #39604
  • Fixed Teleport updater metrics for AWS OIDC deployments. #39531
  • Fixed allowing invalid Access Request start time date to be set. #39324

14.3.13 (03/20/24)

  • Fixed the discovery script failing when jq was not installed. #39600
  • Improve performance when listing nodes with tsh or tctl. #39568
  • Require AWS S3 bucket fields when creating/editing AWS OIDC integration in the web UI. #39513
  • Removed implicit AccessList membership and ownership modes. All AccessList owners and members must be explicitly specified. #39388

14.3.11 (03/18/24)

  • Fixed an issue with AWS IAM permissions that may prevent AWS database access when discovery_service is enabled in the same Teleport config as the db_service, namely AWS RDS, Redshift, Elasticache, and MemoryDB. #39487

14.3.10 (03/16/24)

  • Fixed issue with Teleport Auth Service panicking when Access Graph is enabled in Discovery Service. #39456

14.3.8 (03/15/24)

  • Improve error messaging when creating resources fails because they already exist or updating resources fails because they were removed. #39396
  • Support logging in with an identity file with tsh login -i identity.pem. This allows running tsh app login in CI environments where MachineID is impossible. #39374
  • Only allow necessary operations during moderated file transfers and limit in-flight file transfer requests to one per session. #39352
  • Make the Jira access plugin log Jira errors properly. #39347
  • Teleport Enterprise now attempts to load the license file from the configured data directory if not otherwise specified. #39313
  • Patched CVE-2024-27304 (Postgres driver). #39259
  • Raised concurrent connection limits between Teleport Enterprise (Cloud) regions and in clusters that use proxy peering. #39232
  • Improved cleanup of system resources during a shutdown of Teleport. #39213
  • Fixed an issue where it was possible to skip providing old password when setting a new one. #39126

14.3.7 (03/11/24)

  • Resolved sporadic errors caused by requests fail to comply with Kubernetes API spec by not specifying resource identifiers. #39167
  • Fixed a bug when using automatic updates and the Discovery Service. The default install script now installs the correct Teleport version by querying the version server. #39100
  • Teleport Proxy Service now runs a version server by default serving its own version. #39096
  • Fixed a regression where tsh kube credentials fails to re-login when credentials expire. #39074
  • TBot now supports --proxy-server for explicitly configuring the Proxy address. We recommend switching to this if you currently specify the address of your Teleport proxy to --auth-server. #39056
  • Expanded the EC2 joining process to include newly created AWS regions. #39052
  • Added GCP MySQL access IAM Authentication support. #39041
  • Fixed an issue in SAML IdP entity descriptor generator process, which would fail to generate entity descriptor if the configured Entity ID endpoint would return HTTP status code above 200 and below 400. #38988
  • Updated Go to 1.21.8. #38985
  • Updated electron-builder dependency to address possible arbitrary code execution in the Windows installer of Teleport Connect (CVE-2024-27303). #38966
  • Improved reliability and performance of tbot. #38929
  • Filtered terminated sessions from the tsh sessions ls output. #38886
  • Prevented panic when AccessList's status field is not set. #38862
  • Fixed an issue with over counting of reported Teleport updater metrics. #38832
  • Fixed a bug that caused tsh to return "private key policy not met" errors instead of automatically initiating re-login to satisfy the private key policy. #38818
  • Fixed application access events being overwritten when using DynamoDB as event storage. #38816
  • Fixed issue where DynamoDB writes could fail when recording too many records. #38762
  • Added a tbot-only tbot-distroless container image, bringing an 80% size reduction over the Teleport teleport image. #38719
  • Fixed a Postgres v16.x compatibility issue preventing multiple connections for auto-provisioned users. #38542
  • Tsh will now show Access List review deadlines in dates rather than remaining hours.. #38526
  • Fixed an issue where tsh would not function if one of its profiles is invalid. #38513
  • Fixed an issue where teleport configure command logs would not use the configured logger. #38509
  • Removed telnet from legacy Ubuntu images due to CVE-2021-40491. Netcat nc can be used instead. #38506
  • Fixed a tsh WebAuthn.dll panic on Windows Server 2019. #38489
  • Added ssh_service.enhanced_recording.root_path configuration option to change the cgroup slice path used by the agent. #38395
  • Fixed a bug which allowed the operator to delete resources it does not own. #37751

14.3.6 (02/16/24)

  • Fixed a potential panic in the tsh status command. #38304
  • Fixed locking SSO user in the setup access step of the RDS auto discover flow in the web UI. #38284
  • Optionally permit the Auth Service to terminate client connections from unsupported versions. #38186
  • Removed access tokens from URL parameters, preventing them from being leaked to intermediary systems that may log them in plaintext. #38070
  • Added option to validate hardware key serial numbers with hardware key support. #38069
  • Forced agents to terminate Auth connections if joining fails. #38004
  • Added a tsh sessions ls command to list active sessions. #37970
  • Improved error handling when idle desktop connections are terminated. #37956
  • Updated Go to 1.21.7. #37848
  • Discover flow now starts two instances of DatabaseServices when setting up access to Amazon RDS. #37804
  • Fixed incorrect resizing of CLI apps in Teleport Connect on Windows. #37799
  • Fixed handling of non-registered U2F keys. #37722
  • Fixed memory leak in tbot caused by never closing reverse tunnel address resolvers. #37719
  • Fixed app redirection loop on browser's incognito mode and 3rd party cookie block. #37692

14.3.4 (02/01/24)

  • Skip tsh AppID pre-flight check whenever possible. #37643
  • Update OpenSSL to 3.0.13. #37552
  • tsh FIDO2 backend re-written for improved responsiveness and reliability. #37538
  • Do not add alphabetically first Kube cluster's name to a user certificate on login. #37501
  • Allow to replicate proxy pods when using an ingress in the teleport-cluster Helm chart. #37480
  • Fix an issue tsh uses wrong default username for auto-user provisioning enabled databases in remote clusters #37418
  • Prevent backend throttling caused by a large number of app sessions. #37391
  • Emit audit events when SFTP or SCP commands are blocked. #37385
  • Fix goroutine leak on PostgreSQL access. #37342
  • Fixed incompatibility between leaf clusters and ProxyJump. #37319
  • Fixed a potential crash when setting up the Connect My Computer role in Teleport Connect. #37314
  • Fixed CA key generation when two auth servers share a single YubiHSM2. #37296
  • Add support for cancelling CockroachDB requests. #37282
  • Fix Terraform provider creating AccessLists with next audit date set to Epoch. #37262
  • Fix an issue selecting MySQL database is not reflected in the audit logs. #37257
  • The login screen will no longer be rendered for authenticated users. #37230
  • Fixed missing proxy address in GCP and Azure VM auto-discovery. #37215
  • Teleport namespace label prefixes are now sorted toward the end of the labels list in the web UI. #37191
  • Adds tbot proxy kube to support connecting to Kubernetes clusters using Machine ID when the Proxy is behind a L7 LB. #37157
  • Fix a bug that was breaking web UI if automatic upgrades are misconfigured. #37130
  • Fix an issue Amazon Redshift auto-provisioned user not deleted in drop mode. #37036
  • Fix an issue database auto-user provisioning fails to connect a second session on MariaDB older than 10.7. #37028
  • Improved styling of the login form in Connect and Web UI. #37003
  • Ensure that moderated sessions do not get stuck in the event of an unexpected drop in the moderator's connection. #36917
  • The web terminal now properly displays underscores on Linux. #36890
  • Fix tsh panic on Windows if WebAuthn.dll is missing. #36868
  • Increased timeout when waiting for response from Jira API and webhook to reconcile. #36818
  • Ensure connect_to_node_attempts_total is always incremented when dialing hosts. #36739
  • Fixed a potential crash in Teleport Connect after downgrading the app from v15+. #36730
  • Prevent a goroutine leak caused by app sessions not cleaning up resources properly. #36668
  • Added tctl idp saml test-attribute-mapping command to test SAML IdP attribute mapping. #36662
  • Fixed an issue where valid SAML entity descriptors could be rejected. #36485
  • Updated SAML IdP UI to display entity ID, SSO URL and X.509 certificate. #3322
  • Updated Access Request creation dialog to pre-select suggested reviewers. #3325

14.3.3 (01/12/24)

  • Fixed routing to nodes by their public addresses. #36624
  • Enhanced Kubernetes app discovery functionality to provide the ability to disable specific Service imports and configure the TLS Skip Verify option using an annotation. #36611
  • Added client remote IP address to some administrative audit events. #36567

14.3.2 (01/11/24)

  • Fixed routing to nodes by their public address. #36591
  • Verify MFA device locks during user authentication. #36589
  • Fixed tctl get access_list and support creating Access Lists without a next audit date. #36572

14.3.1 (01/10/24)

  • Added support to select database roles from tsh. #36528
  • Fixed goroutine leak per ssh session. #36511
  • Fixed user invites preventing listing tokens. #36492
  • Updated Go to v1.21.6. #36478
  • Fixed refresh_identity = true preventing Access Plugins connecting to Teleport using TLS routing with a L7 LB. #36469
  • Added --callback flag to tsh login. #36468
  • Added auto-enrolling capabilities to RDS discover flow in the web UI. #36434
  • Fixed an issue where bad cache state could cause spurious access denied errors during app access. #36432
  • Resources named . and .. are no longer allowed. Please review the resources in your Teleport instance and rename any resources with these names before upgrading. #36404
  • Ensured that the login time is populated for app sessions. #36373
  • Fixed incorrect report of user's IP address in Kubernetes Audit Logs. #36346
  • Access lists and associated resources are now cached, which should significantly reduce the impact of Access List calculation. #36331
  • Added new certificate extensions and usage reporting flags to explicitly identify Machine ID bots and their cluster activity. #36313
  • Fixed potential panic after backend watcher failure. #36301
  • Prevent deleted users from using account reset links created prior to the user being deleted. #36271
  • Make Unified Resources page in Web UI responsive. #36265
  • Added "Database Roles" column to tsh db ls -v. #36246
  • Safeguard against the disruption of cluster access caused by incorrect Kubernetes APIService configurations. #36227
  • Support running a version server in the proxy for automatic agent upgrades. #36220
  • The user login state generator now uses the cache, which should reduce the number of calls to the backend. #36196
  • Added the --insecure-no-resolve-image flag to the teleport-kube-agent-updater to disable image tag resolution if it cannot pull the image. #36097
  • Added future assume time to Access Requests. #35726

14.3.0

This release of Teleport contains multiple security fixes, improvements and bug fixes.

Security fixes

Other Fixes & Improvements

  • Added the ability to promote an Access Request to an Access List in Teleport Connect
  • Fixed an issue that would prevent websocket upgrades from completing. #36088
  • Enhanced the audit events related to Teleport's SAML IdP #36087
  • Added support for STS session tags in the database configuration for granular DynamoDB access. #36064
  • Added support for the IAM join method in ca-west-1. #36049
  • Improved the formatting of Access List notifications in tsh. #36046
  • Fixed downgrade logic of KubernetesResources to Role v6 #36009
  • Fixed potential panic during early phases of SSH service lifetime #35923
  • Added a tsh latency command to monitor ssh connection latency in realtime #35916
  • Support GitHub joining from Enterprise accounts with include_enterprise_slug enabled. #35900
  • Added vpc-id as a label to auto-discovered RDS databases #35890
  • Improved teleport agent performance when handling a large number of TCP forwarding requests. #35887
  • Bump golang.org/x/crypto to v0.17.0, which addresses the Terrapin vulnerability (CVE-2023-48795) #35879
  • Include the lock expiration time in lock.create audit events #35874
  • Add custom attribute mapping to the saml_idp_service_provider spec. #35873
  • Fixed PIV not being available on Windows tsh binaries #35866
  • Restored direct dial SSH server compatibility with certain SSH tools such as ssh-keyscan (#35647) #35859
  • Prevent users from deleting their last passwordless device #35855
  • the teleport-kube-agent chart now supports passing extra arguments to the updater. #35831
  • New Access Lists with an unspecified NextAuditDate now pick a new date instead of being rejected #35830
  • Changed the minimal supported macOS version of Teleport Connect to 10.15 (Catalina) #35819
  • Add non-AD desktops to Enroll New Resource #35797
  • Fixed a bug in teleport-kube-agent chart when using both appResources and the discovery role. #35783
  • Fixed session upload audit events sometimes containing an incorrect URL for the session recording. #35777
  • Prevent tsh from re-authenticating if the MFA ceremony fails during tsh ssh #35750
  • Prevent attempts to join a nonexistent SSH session from hanging forever #35743
  • Improved Windows hosts registration with a new static_hosts configuration field #35742
  • Fixed the sorting of name and description columns for user groups when creating an Access Request #35729

14.2.3 (12/14/23)

  • Prevent Cloud tenants from being a leaf cluster. #35687
  • Added "Show All Labels" button in the unified resources list view. #35666
  • Added auto approval flow to servicenow plugin. #35658
  • Added guided SAML entity descriptor creation when entity descriptor XML is not yet available. #35657
  • Added a connection test when enrolling a new Connect My Computer resource in Web UI. #35649
  • Fixed regression of Kubernetes Server Address when Teleport runs in multiplex mode. #35633
  • When using the Slack plugin, users will now be notified directly of Access Requests and their approvals or denials. #35577
  • Fixed bug where configuration errors with an individual SSO connector impacted other connectors. #35576
  • Fixed client IP propagation from the Proxy to the Auth during IdP initiated SSO. #35545

14.2.2 (12/07/23)

Note: tsh v14.2.2 has a known issue where tsh kube login uses an incorrect port for clusters with multiplex mode enabled. If you use Kubernetes access with multiplex mode, we recommend downgrading tsh to 14.2.1 until a fix is available.

  • Prevent panic when dialing a deleted Application Server. #35525
  • Fixed regression issue with arm32 binaries in 14.2.1 having higher glibc requirements. #35539
  • Fixed GCP VM auto-discovery not using instances' internal IP address. #35521
  • Calculate latency of Web SSH sessions and report it to users. #35516
  • Fix bot's unable to view or approve Access Requests issue. #35512
  • Fix querying of large audit events with Athena backend. #35483
  • Fix panic on potential nil value when requesting /webapi/presetroles. #35463
  • Add insecure-drop host user creation mode. #35403
  • IAM permissions for rds:DescribeDBProxyTargets are no longer required for RDS Proxy discovery. #35389
  • Update Go to 1.21.5. #35371
  • Desktop connections default to RDP port 3389 if not otherwise specified. #35343
  • Add cluster_auth_preferences to the shortcuts for cluster_auth_preference. #35329
  • Make the podSecurityPolicy configurable in the teleport-kube-agent chart. #35320
  • Prevent EKS fetcher not having correct IAM permissions from stopping whole Discovery service start up. #35319
  • Add database automatic user provisioning support for self-hosted MongoDB. #35317
  • Improve the resilience of tbot to misconfiguration of auth connectors when generating a Kubernetes output. #35309
  • Fix crash when writing kubeconfig with tctl auth sign --tar. #34874

14.2.1 (11/30/23)

  • Fixed issue that could cause app and desktop session recording events to be written to the audit log. #35183
  • Fixed a possible panic when downgrading Teleport roles to older versions. #35236
  • Fixed a regression issue where tsh db connect to Redis 7 fails with an error on REDIS_REPLY_STATUS. #35162
  • Allow Teleport to complete abandoned uploads faster in HA deployments. #35102
  • Fixed error when installing a v13 node with the default installer from a v14 cluster. #35058
  • Fixed issue with the absence of membership expiry circumventing membership requirements check. #35057
  • Added read verb to suggested role spec when enrolling new resources. #35053
  • Added more new "Enroll Integration" tiles for Machine ID guides. #35050
  • Fixed default installer yum error on RHEL and Amazon Linux. #35021
  • External Audit Storage enables Cloud customers to store Audit Logs and Session Recordings in their own AWS account. #35008
  • Fixed IP propagation for nodes/bots joining the cluster and add LoginIP to bot certificates. #34958
  • Fixed an issue tsh db connect <mongodb> does not give reason on connection errors. #34910
  • Updated distroless images to use Debian 12. #34878
  • Added new email-based UI for inviting new local users on Teleport Enterprise (Cloud) clusters. #34869
  • Fix an issue "Allowed Users" in "tsh db ls" shows wrong user for databases with Automatic User Provisioning enabled. #34850
  • Fixed issue with application Access Requests and web UI large file downloads timing out after 30 seconds. #34849
  • Added default database support for PostgreSQL auto-user provisioning. #34840
  • Machine ID: handle kernel version check failing more gracefully. #34828

14.2.0 (11/20/23)

New Features

Advanced Okta Integration (Enterprise Edition only)

Teleport will be able to automatically create SSO connector and sync users when configuring Okta integration.

Connect my Computer support in Web UI

The Teleport web UI will provide a guided flow for joining your computer to the Teleport cluster using Teleport Connect.

Dynamic credential reloading for plugins

Teleport plugins will support dynamic credential reloading, allowing them to take advantage of short-lived (and frequently rotated) credentials generated by Machine ID.

Fixes and Improvements

  • Access list review reminders will now be sent via Slack #34663
  • Improve the error message when attempting to enroll a hardware key that cannot support passwordless #34589
  • Allow selecting multiple resource filters in the search bar in Connect #34543
  • Added a guided flow for joining your computer to the Teleport cluster using Teleport Connect; find it in the Web UI under Enroll New Resource -> Connect My Computer (available only for local users, with prerequisites) #33688

14.1.5 (11/16/2023)

  • Increased the maximum width of the console tabs in the web UI. #34648
  • Fixed accessing dedicated Proxy Kubernetes port when TLS routing is enabled. #34645
  • Fixed tsh --piv-slot custom PIV slot setting for Hardware Key Support. #34592
  • Disabled AWS IMDSv1 fallback and enforced use of FIPS endpoints in FIPS mode. #34433
  • Fixed incorrect permissions when opening X11 listener. #34617
  • Prevented .tsh/environment values from overriding prior set values. #34626
  • Changed Access Lists to respect user locking. #34620
  • Fixed Access Requests to respect explicit deny rules. #34600
  • Added Teleport Access Graph integration. #34569
  • Fixed cleanup of unused GCP KMS keys. #34468
  • Added list view option to the unified resources page. #34466
  • Fixed duplicate entries in resources view when updating nodename #34236 #34453
  • Allow configuring cluster_networking_config and cluster_auth_preference via --bootstrap. #34445
  • Fixed tsh logout with broken key directory. #34435
  • Added binary formatted parameters as base64 encoded strings to PostgreSQL Statement Bind audit log events. #34432
  • Reduced CPU & memory usage, and logging in the operator, by reusing connections to Teleport. #34425
  • Updated the code signing certificate for Windows artifacts. #34377
  • Added IAM Authentication support for Amazon MemoryDB Access. #34348
  • Split large desktop recordings into multiple files during export. #34319
  • Allow setting server labels from tctl. #34137

14.1.3 (11/8/23)

Security Fixes

[Medium] Arbitrary code execution with LD_PRELOAD and SFTP

Teleport implements SFTP using a subcommand. Prior to this release it was possible to inject environment variables into the execution of this subcommand, via shell init scripts or via the SSH environment request.

This is addressed by preventing LD_PRELOAD and other dangerous environment variables from being forwarded during re-exec.

#3274

[Medium] Outbound SSH from Proxy can lead to IP spoofing

If the Teleport auth or proxy services are configured to accept PROXY protocol headers, a malicious actor can use this to spoof their IP address.

This is addressed by requiring that the first bytes of any SSH connection are the SSH protocol prefix, denying a malicious actor the opportunity to send their own proxy headers.

#33729

Other Fixes & Improvements

  • Fixed issue where tbot would select the wrong address for Kubernetes access when in ports separate mode #34283
  • Added post-review state of Access Request in audit log description #34213
  • Updated Operator Reconciliation to skip Teleport Operator on status updates #34194
  • Updated Kube Agent Auto-Discovery to install the Teleport version provided by Automatic Upgrades #34157
  • Updated Server Auto-Discovery installer script to use bash instead of sh #34144
  • When a promotable Access Request targets a resource that belongs to an Access List, owners of that list will now automatically be added as reviewers. #34131
  • Added Database Automatic User Provisioning support for Redshift #34126
  • Added teleport_auth_type config parameter to the AWS Terraform examples #34124
  • Fixed issue where an auto-provisioned PostgreSQL user may keep old roles indefinitely #34121
  • Fixed incorrectly set file mode for Windows TPM files #34113
  • Added dynamic credential reloading for access plugins #34079
  • Fixed Azure Identity federated Application ID #33960
  • Fixed issue where Kubernetes Audit Events reported incorrect information in the exec audit #33950
  • Added support for formatting hostname as host:port to tsh puttyconfig #33883
  • Added support for --set-context-name to tsh proxy kube
  • Fixed various Access List bookkeeping issues #33834
  • Fixed issue where tsh aws ecs execute-command would always fail #33833
  • Updated UI to automatically redirect to login page on missing session cookie #33806
  • Added Dynamic Discovery matching for Databases #33693
  • Fixed formatting errors on empty result sets in tsh #33633
  • Added Database Automatic User Provisioning support for MariaDB #34256
  • Fixed issue where MySQL auto-user deletion fails on usernames with quotes #34304

14.1.1 (10/23/23)

  • Fixed the top bar breaking layout when the window is narrow in Connect #33821
  • Limited Snowflake decompressed request to 10MB #33764
  • Added MySQL auto-user deletion #33710
  • Configured Connect to intercept deep link clicks #33684
  • Added URL and SAML connector name in entity descriptor URL errors #33667
  • Added the ability to run a specific tool to Assist. #33640
  • Added PostgreSQL auto-user deletion #33570
  • Added DiscoveryConfig CRUD operations #33380

14.1.0 (10/18/23)

New features

  • Teleport Connect 14.1 introduces Connect My Computer which makes it possible to add your personal machine to a Teleport cluster in just a couple of clicks. Whether you're exploring capabilities of Teleport or want to make your computer available in your private cluster, Connect My Computer lets you do that without having to use the terminal to get the job done.
  • Resource pinning allows you to pin your most frequently accessed resources to a separate page.
  • Access Monitoring provides a view of risky accounts access and access anti-patterns in clusters using Athena as the audit log backend.
  • Users can connect to EC2 instances via Amazon EC2 Instance Connect endpoints without needing to install Teleport Agents.
  • Access list owners will be able to perform regular periodic reviews of the Access List members.

Security fixes

  • Updated golang.org/x/net dependency. #33420
    • swift-nio-http2 vulnerable to HTTP/2 Stream Cancellation Attack: CVE-2023-44487
  • Updated google.golang.org/grpc to v1.57.1. #33487
    • swift-nio-http2 vulnerable to HTTP/2 Stream Cancellation Attack: CVE-2023-44487
  • Updated OpenTelemetry dependency. #33523 #33550
    • OpenTelemetry-Go Contrib vulnerable to denial of service in otelhttp due to unbound cardinality metrics: CVE-2023-45142
  • Updated babel/core to 7.3.2. #33441
    • Arbitrary code execution when compiling specifically crafted malicious code: CVE-2023-45133

Other fixes and improvements

  • Web SSH sessions are terminated right away when a user closes the tab. #33529
  • Added the ability for bots to submit Access Request reviews. #33509
  • Added access review notifications when logging in via tsh or running tsh status. #33468
  • Added database automatic user provisioning support for MySQL. #33379
  • Added job to update the Teleport version for deployments in Amazon ECS used during RDS Enrollment. #33313
  • Fixed Teleport Assist SQL view names. #33581
  • Fixed hardware key support for sso web login. #33548
  • Fixed Access Lists to allow them to affect Access Request permissions. #33350
  • Prevented remote proxies from impersonating users from different clusters. #33539
  • Added link to Access Request in ServiceNow incidents. #33593
  • Added new "Identity Governance & Security" navigation section in web UI. #33423
  • Fixed tsh connection issue when Proxy is in separate mode and Web port is TLS-terminated by a load balancer. #32531 #33406
  • Fixed panic when trying to register resources from older Kubernetes clusters with extensions/v1beta1 group/version. #33402
  • Fixed Access List audit log messages to properly include user names. #33383
  • Added notification icon to Web UI to show Access List review notifications. #33381
  • Fixed creation of @teleport-access-approver role to v6 to support downgrades to Teleport 13. #33354
  • Added ability to specify PIV slot for hardware key support. #33352 #33353
  • Extended timeout when waiting for hardware key touch/PIN. #33348
  • Added support for Windows AD root domain for PKI operations. #33275
  • Added resources to Slack notification of Access Requests. #33264
  • Fixed provision tokens to make system roles case-insensitive. #33260

14.0.3 (10/11/23)

Security Fixes

[Critical] Privilege escalation through RecursiveChown

When using automatic Linux user creation, an attacker could exploit a race condition in the user creation functionality to chown arbitrary files on the system.

Users who aren't using automatic Linux host user creation aren’t affected by this vulnerability.

#33248

Other Fixes

  • Fixed spurious timeouts in database access sessions #32720
  • Azure VM auto-discovery can now find VMs with multiple managed identities #32800
  • Fixed improperly set Kubernetes impersonation headers #32848
  • tsh puttyconfig now uses Validity format for WinSCP compatibility #32856
  • Teleport client now uses gRPC when connecting to the root cluster #32662
  • Teleport client now uses gRPC when creating tracing client #32663
  • Fixed panic on tsh device enroll --current-device #32756
  • The Teleport etcd backend will now start if some nodes are unreachable #32779
  • Fixed certificate verification issues when using kubectl exec #32768
  • Added Discover flow for enrolling EC2 Instances with Endpoint Instance Connect #32760
  • Added connection information to multiplexer logs #32738
  • Fixed issue causing keys to be incorrectly removed in tsh and Teleport Connect on Windows #32963
  • Improved Unified Resource Cache performance #33027
  • Adds Audit Review recurrence presets #32960
  • Fixed multiple discovery install attempts on Azure & GCP VMs #32569
  • Fixed a corner case of privilege tokens where MFA devices disabled by cluster settings were still counted against the user #32430
  • Fixed Access List caching & eventing issues #32649
  • Fixed user session tracking across trusted clusters #32967
  • Added cost optimized pagination search for athena #33007
  • Teleport now reports initial command to session moderators #33112
  • OneOff install script now installs enterprise Teleport when generated by an enterprise cluster #33148
  • Fixed issue when playing back a session recorded on a leaf cluster #33102
  • Fixed self-signed certificate issue on macOS #33156
  • Discovery EC2 instance listing now shows instance name #33179
  • Fixed HTTP connection hijack issue when using tsh proxy kube #33172
  • Improved error messaging in tsh kube credentials when root cluster roles don't allow Kube access #33210

14.0.1 (09/26/23)

  • Fixed issue where Teleport Connect Kube terminal throws an internal server error #32612
  • Fixed create_host_user_mode issue with TeleportRole in the Teleport Operator CRDs #32557
  • Fixed issue that allowed for duplicate Access List owners #32481
  • Removed unnecessary permission requirement from PostgreSQL backend #32474
  • Added feature allowing for managing host sudoers without also creating users #32400
  • Fixed dynamic labels not being present on server access audit events #32382
  • Added PostHog events for discovered Kubernetes Apps #32379
  • Fixed issue where changing the cluster name leads to cluster being unaccessible #32352
  • Added additional logging for when the Teleport process file is not accessible due to a permission issue upon startup #32348
  • Fixed issue where the teleport-kube-agent Helm chart would created the same ServiceAccount multiple times #32338
  • Fixed GCP VM auto-discovery bugs #32316
  • Added Access List usage events #32297
  • Allowed for including only traits when doing a JWT rewrite for web application access #32291
  • Added IneligibleStatus fields for Access List members and owners #32278
  • Fixed issue where the Auth Service was listed twice in the inventory of connected resources #32270
  • Added three second shutdown delay on on SIGINT/SIGTERM #32189
  • Add initial ServiceNow plugin #32131

14.0.0 (09/20/23)

Teleport 14 brings the following new major features and improvements:

  • Access lists
  • Unified resource view
  • ClickHouse support for database access
  • Advanced audit log
  • Kubernetes apps auto-discovery
  • Extended Kubernetes per-resource RBAC
  • Oracle database access audit logging support
  • Enhanced PuTTY support
  • Support for TLS routing in Terraform deployment examples
  • Discord and ServiceNow hosted plugins
  • Limited passwordless access for local Windows users in Teleport Community Edition
  • Machine ID: Kubernetes Secret destination

In addition, this release includes several changes that affect existing functionality listed in the “Breaking changes” section below. Users are advised to review them before upgrading.

New features

Advanced audit log

Teleport 14 includes support for a new audit log powered by Amazon S3 and Athena that supports efficient searching, sorting, and filtering operations. Teleport Enterprise (Cloud) customers will have their audit log automatically migrated to this new backend.

See the documentation here.

Access lists

Teleport 14 introduces foundational support for Access Lists, an extension to the short-lived Access Request system targeted towards longer-term access. Administrators can add users to Access Lists granting them long-term permissions within the cluster.

As the feature is being developed, future Teleport releases will add support for periodic audit reviews and deeper integration of Access Lists with Okta.

You can find existing Access Lists documentation here.

Unified resources view

The web UI in Teleport 14 has been updated to show all resources in a single unified view.

This is the first step in a series of changes designed to support a customizable Teleport experience and make it easier to access the resources that are most important to you.

Kubernetes apps auto-discovery

Teleport 14 updates its auto-discovery capabilities with support for web applications in Kubernetes clusters. When connected to a Kubernetes cluster (or deployed as a Helm chart), the Teleport Discovery Service will automatically find and enroll web applications with your Teleport cluster.

See documentation here.

Extended Kubernetes per-resource RBAC

Teleport 14 extends resource-based Access Requests to support more Kubernetes resources than just pods, including custom resources, and verbs. Note that this feature requires role version v7.

See Kubernetes resources documentation to see a full list of supported resources.

ClickHouse support for database access

Teleport 14 adds database access support for ClickHouse HTTP and native (TCP) protocols. When using HTTP protocol, the user's query activity is captured in the Teleport audit log.

See how to connect ClickHouse to Teleport here.

Oracle database access audit logging support

In Teleport 14, database access for Oracle integration is updated with query audit logging support.

See documentation on how to configure it in the Oracle guide.

Limited passwordless access for local Windows users in Teleport Community Edition

In Teleport 14, access to Windows desktops with local Windows users has been extended to Community Edition. Teleport will permit users to register and connect to up to 5 desktops with local users without an enterprise license.

For more information on using Teleport with local Windows users, see docs.

Discord and ServiceNow hosted plugins

Teleport 14 includes support for hosted Discord and ServiceNow plugins. Teleport Enterprise (Cloud) users can configure Discord and ServiceNow integrations to receive Access Request notifications.

Discord plugin is available now, ServiceNow is coming in 14.0.1.

Enhanced PuTTY Support

tsh on Windows now supports the tsh puttyconfig command, which can configure saved sessions inside the well-known PuTTY client to connect to Teleport-protected servers.

For more information, see docs.

Support for TLS routing in Terraform deployment examples

The ha-autoscale-cluster and starter-cluster Terraform deployment examples now support a USE_TLS_ROUTING variable to enable TLS routing inside the deployed Teleport cluster.

Machine ID: Kubernetes Secret destination

In Teleport 14, tbot can now be configured to write artifacts such as credentials and configuration files directly to a Kubernetes secret rather than a directory on the local file system.

For more information, see docs.

Breaking changes and deprecations

Please familiarize yourself with the following potentially disruptive changes in Teleport 14 before upgrading.

SSH node open dial no longer supported

Teleport 14 no longer allows connecting to OpenSSH servers not registered with the cluster. Follow the updated agentless OpenSSH integration guide to register your OpenSSH nodes in the cluster’s inventory.

You can set TELEPORT_UNSTABLE_UNLISTED_AGENT_DIALING=yes environment variable on Teleport proxy to temporarily re-enable the open dial functionality. The environment variable will be removed in Teleport 15.

Proxy protocol default change

Starting from version 14, Teleport will require users to explicitly enable or disable PROXY protocol in their proxy_service/auth_service configuration using proxy_protocol: on|off option.

Users who run their proxies behind L4 load balancers with PROXY protocol enabled, should set proxy_protocol: on. Users who don’t run Teleport behind PROXY protocol enabled load balancers, should disable proxy_protocol: off explicitly for security reasons.

By default, Teleport will accept the PROXY line but will prevent connections with IP pinning enabled. IP pinning users will need to explicitly enable/disable proxy protocol like explained above.

See more details in our documentation.

Legacy deb/rpm package repositories are deprecated

Teleport 14 will be the last release published to the legacy package repositories at deb.releases.teleport.dev and rpm.releases.teleport.dev. Starting with Teleport 15, packages will only be published to the new repositories at apt.releases.teleport.dev and yum.releases.teleport.dev.

All users are recommended to switch to apt.releases.teleport.dev and yum.releases.teleport.dev repositories as described in installation instructions.

Cf-Access-Token header no longer included with requests to Teleport-protected applications

Starting from Teleport 14, the Cf-Access-Token header containing the signed JWT token will no longer be included by default with all requests to Teleport-protected applications. All requests will still include Teleport-JWT-Assertion containing the JWT token.

See documentation for details on how to inject the JWT token into any header using header rewriting.

tsh db CLI commands changes

In Teleport 14 tsh db sub-commands will attempt to select a default value for --db-user or --db-name flags if they are not provided by the user by examining their allowed db_users and db_names.

The flags --cert-file and --key-file for tsh proxy db command were also removed, in favor of the --tunnel flag that opens an authenticated local database proxy.

MongoDB versions prior to 3.6 are no longer supported

Teleport 14 includes an update to the MongoDB driver.

Due to the MongoDB team dropping support for servers prior to version 3.6 (which reached EOL on April 30, 2021), Teleport also will no longer be able to support these old server versions.

In order to strengthen the security in Teleport 14, file loading from home directories where the path includes a symlink is no longer allowed. The most common use case for this is loading environment variables from the ~/.tsh/environment file. This will still work normally as long as the path includes no symlinks.

Deprecated audit event

Teleport 14 deprecates the trusted_cluster_token.create audit event, replacing it with a new join_token.create event. The new event is emitted when any join token is created, whether it be for trusted clusters or other Teleport services.

Teleport 14 will emit both events when a trusted cluster join token is created. Starting in Teleport 15, the trusted_cluster_token.create event will no longer be emitted.

Other changes

DynamoDB billing mode defaults to on-demand

In Teleport 14, when creating new DynamoDB tables, Teleport will now create them with the billing mode set to pay_per_request instead of being set to provisioned mode.

The old behavior can be restored by setting the billing_mode option in the storage configuration.

Default role version is v7

The default role version in Teleport 14 is v7 which enables support for extended Kubernetes per-resource RBAC, and changes the kubernetes_resources default to wildcard for better getting started user experience.

You can review role versions in the documentation.

Stricter name validation for auto-discovered databases

In Teleport 14, database discovery via db_service config enforces the same name validation as for databases created via tctl, static config, and discovery_service.

As such, database names in AWS, GCP and Azure must start with a letter, contain only letters, digits, and hyphens and end with a letter or digit (no trailing hyphens).

Access Request API changes

Teleport 14 introduces a new and more secure API for submitting Access Requests. As a result, tsh users may be prompted to upgrade their clients before submitting an Access Request.

Desktop discovery name change

Desktops discovered via LDAP will have a short suffix appended to their name to ensure uniqueness. Users will notice duplicate desktops (with and without the suffix) for up to an hour after upgrading. Connectivity to desktops will not be affected, and the old record will naturally expire after 1 hour.

Machine ID : New configuration schema

Teleport 14 introduces a new configuration schema (v2) for Machine ID’s agent tbot. The new schema is designed to be more explicit and more extensible:

version: v2
onboarding:
 token: gcp-bot
 join_method: gcp
storage:
 type: memory
auth_server: example.teleport.sh:443
outputs:
 - type: identity
   destination:
     type: kubernetes_secret
     name: my-secret

 - type: kubernetes
   kubernetes_cluster: my-cluster
   destination:
     type: directory
     path: ./k8s

 - type: database
   service: my-postgres-service
   database: postgres
   username: postgres
   destination:
     type: directory
     path: ./db

 - type: application
   app_name: my-app
   destination:
     type: directory
     path: ./app

tbot will continue to support the v1 schema for several Teleport versions but it is recommended that you migrate to v2 as soon as possible to benefit from new Machine ID features.

For more details and guidance on how to upgrade to v2, see docs.

13.0.1 (05/xx/23)

  • Helm Charts
    • Fixed issue with invite token being incorrectly overridden when it was manually created. #26055

Breaking Changes

Please familiarize yourself with the following potentially disruptive changes in Teleport 13 before upgrading.

Teleport Kubernetes Agent helm chart

When upgrading to Teleport 13, users of the Teleport Kubernetes Agent Helm chart that manually create their own Teleport token secret (secretName=<secretName> and no auth token provided) will need to set the following values:

# Manages the join token secret creation and its name.
joinTokenSecret:
  # create controls whether the Helm chart should create and manage the join token
  # secret.
  # If false, the chart assumes that the secret with the configured name already exists at the
  # installation namespace.
  create: false
  # Name of the Secret to store the teleport join token.
  name: <secretName>

The Helm chart parameter secretName was deprecated in Teleport 13 in favor of joinTokenSecret.name. joinTokenSecret.create indicates whether the Helm chart should create and manage the join token secret. If create is set to false, the chart assumes that the secret with the configured name already exists at the installation namespace.

13.0.0 (05/08/23)

Teleport 13 brings the following marquee features and improvements:

  • (Preview) Automatic agent upgrades.
  • (Preview) TLS routing through ALB for accessing servers, Kubernetes clusters, and applications.
  • (Preview, Enterprise-only) Ability to import applications and groups from Okta.
  • (Preview) Teleport support for AWS OpenSearch.
  • (Preview) View and control access to OpenSSH nodes natively in Teleport.
  • Cross-cluster search for Teleport Connect.
  • Performance improvements for accessing Kubernetes clusters.
  • Universal binaries (including Apple Silicon) for macOS.
  • Simplified RDS onboarding flow in Access Management UI.
  • Light theme for Web UI.

(Preview) Automatic agent upgrades

In Teleport 13 users can configure their Teleport agents deployed via apt/yum repositories or a Helm chart to be upgraded automatically.

(Preview) TLS routing through ALB accessing servers, Kubernetes clusters, and applications

Teleport 13 adds single-port TLS routing mode support for servers, Kubernetes clusters, and applications for clusters deployed behind application layer load balancers such as AWS ALB.

(Preview, Enterprise-only) Ability to import applications and groups from Okta

In Teleport 13 users can import apps and groups from Okta and use Teleport Access Requests for requesting short-term access to them. This feature is only available in the Teleport Enterprise edition.

(Preview) Teleport support for AWS OpenSearch

Teleport users can now connect to AWS OpenSearch databases.

(Preview) View and control access to OpenSSH nodes natively in Teleport

In Teleport 13 users will be able register OpenSSH nodes as a resource with the cluster.

This will allow users to view the OpenSSH nodes in Web UI and using tsh ls and use RBAC to control access to them.

See the updated OpenSSH integration guide.

Cross-cluster search for Teleport Connect

Teleport Connect now includes a new search experience, allowing you to search for and connect to resources across all logged-in clusters.

Performance improvements for accessing Kubernetes clusters

In Teleport 13 we improved the way the Teleport Proxy Service handles Kubernetes credentials.

Users will experience better performance when interacting with Kubernetes clusters using kubectl or via the API.

Universal binaries (including Apple Silicon) for macOS

Teleport 13 binaries (including Teleport Connect) will have universal architecture and run natively on both Intel and ARM macOS systems.

Simplified RDS onboarding flow in Access Management UI

When connecting an RDS database using Teleport 13 Access Management UI, users can connect their AWS account and select the RDS database to add instead of entering details manually.

To try out the new flow, add an RDS database using the Resource Management UI in your cluster’s Web UI dashboard.

Light theme for Web UI

Teleport's web UI includes an optional light theme.

The light theme is enabled by default but can be changed back to the dark theme via the top-right corner user settings menu.

Windows desktop session recording export

Session recordings for Windows desktop sessions can now be exported to video format for offline playback with the new tsh recordings export command.

SFTP in Moderated Sessions

Teleport 13 adds the ability to transfer files in Moderated Sessions. This feature requires that both the session originator and the moderator have joined the session via the web UI.

Breaking changes

Please familiarize yourself with the following potentially disruptive changes in Teleport 13 before upgrading.

Default session join mode

Teleport 13 defaults to observer (read-only) mode when joining SSH and Kubernetes sessions. Prior versions of Teleport would default to peer mode for SSH sessions and moderator mode for Kubernetes sessions. To override the default join mode, specify the --mode flag with tsh join.

CA rotation deprecation

Teleport 13 removes support for rotating all certificate authorities with tctl auth rotate --type=all. The type flag is now required, which ensures that only one CA is rotated at a time, increasing cluster stability during rotations.

Join token API changes

The default 30-minute expiry no longer applies to tokens created via YAML resource files. If you want to enforce an expiration, ensure this is set in the metadata.expires field. Tokens created using tctl nodes add and tctl tokens add will continue to have a default 30m expiry applied.

Additionally, users of Teleport’s API module will note that the CreateToken and UpsertToken RPCs are now deprecated in favor of CreateTokenV2 and UpsertTokenV2. The new V2 variants no longer have a default expiry, so be sure to set a TTL if you want your tokens to expire.

The original RPCs are still supported in Teleport 13 and will be removed completely for Teleport 14.

Enhanced user validation

Teleport 13 will refuse to create or update users that reference non-existent roles. In some circumstances, older versions of Teleport would permit you to create users and assign them invalid roles. In Teleport 13 this is a hard error.

Quay.io registry

Quay.io registry was deprecated in Teleport 11 and starting with Teleport 13, Teleport container images are no longer being published to it.

Users should use the public ECR registry.

Helm chart uses distroless-based container image by default

Starting with Teleport 13, the Helm charts teleport-cluster and teleport-kube-agent are deploying distroless Teleport images by default. Those images are slimmer and more secure but contain less tooling (e.g. neither bash nor apt are available).

The Debian-based images are deprecated and will be removed in Teleport 14. The chart image can be reverted back to the Debian-based images by setting:

image: "public.ecr.aws/gravitational/teleport"

For debugging purposes, a "debug" image is available and contains BusyBox, which includes a shell and most common POSIX executables: public.ecr.aws/gravitational/teleport-distroless-debug.

12.3.0 (05/01/23)

This release of Teleport contains multiple improvements and bug fixes.

  • Desktop Access
    • Added support for automatic Windows user creation. #25348
  • CLI
    • Fixed MFA permission denied error from tsh for non-SSH protocols. #25430
  • Terraform
    • Fixed AccessControlListNotSupported error in HA terraform. #25335
  • Device Trust
    • Updated Device Trust audit events to have descriptive types. #25320

12.2.5 (04/28/23)

This release of Teleport contains multiple improvements and bug fixes.

  • Auth
    • Fixed issue where Github SSO would fail if a user is a part of more than 30 teams. #25098
    • Fixed issue with tsh login with "required" hardware key policy returning "policy not met" error. #24956
    • Improved Device Trust logging and error reporting. #24912
    • Detect and warn about RPID changes when using WebAuthn. #25289
  • Access Management
    • Fixed issue with running install script on macOS for enterprise clusters. #25076
  • Server Access
    • Fixed issue with headless tsh ssh not working when used in rsync -rsh. #25242
    • Fixed issue with headless tsh ssh prompting users for MFA. #25187
    • Fixed issue with tsh ssh failing to connect over public address with per-session MFA. #25223
    • Fixed issue with tsh scp failing on some destination paths. #24861
    • Require explicit username in headless tsh ssh. #25112
    • Updated automatic user provisioning to sort sudoers lines by role name to ensure stable order. #24792
    • Updated tsh commands to recognize SSH_ environment variables. #24470
  • Database Access
    • Fixed issue with tsh db env and tsh db config not recognizing separate MySQL listener. #24827
  • Kubernetes Access
    • Added --set-context flag to tsh kube login to allow overriding default context name. #25253
  • IdP
    • Fixed issue with SAML IdP not being disabled properly. #25309
  • IP Pinning
    • Fixed interoperability issues with load balancers with proxy protocol v2 enabled. #25302
  • CLI
    • Fixed issue with cluster alerts sometimes not showing up after tsh login. #25300
  • AMIs
    • Fixed issue with startup script failing to acquire lock from AWS metadata. #25296
  • HSM
    • Fixed issue with inadvertent deletion of active HSM keys when using YubiHSM2 SDK version 2023.1. #25208
  • Performance & Scalability
    • Improved performance of MFA ceremony. #24804

12.2.4 (04/18/23)

This release of Teleport contains multiple improvements and bug fixes.

  • Auto-discovery
    • Added ability to specify discovery group for discovery services. #24716
  • CLI
    • Improved tsh performance on some Windows systems. #24573
    • Improved teleport configure error/warning reporting. #24676
    • Added --raw flag to teleport version command. #24772
  • Configuration
    • Prevent proxies from trying to join cluster over reverse tunnel. #24668
  • Server Access
    • Fixed issue with excessive audit logging when copying files over SFTP. #24831
    • Fixed issue with tsh scp not recognizing wildcard patterns. #24831
    • Fixed issue with tsh scp failing when max sessions is set to 1. #24831
    • Improved error reporting from tsh scp when file copying is disabled. #24831
  • Kubernetes Access
    • Fixed issue with tctl auth sign not respecting kube_public_addr. #24516
    • Fixed memory leak when using port forwarding. #24763
    • Reduced log spam when using port forwarding. #24658
  • Database Access
    • Updated teleport db configure to support more AWS databases. #24494
  • Performance & Scalability
    • Reduced thundering herd effect in large clusters. #24719
  • Web UI
    • Fixed issue with downloading files from leaf clusters when per-session MFA is enabled. #24768

12.2.3 (04/13/23)

This release of Teleport contains multiple bug fixes.

  • CLI
    • Fixed potential panic in tsh ssh. #24490
  • Performance & Scalability
    • Improved tsh ssh latency. #24371
  • Kubernetes Access
    • Fixed issue with moderator joining session on a cluster they don't have access to. #23993
  • Security
    • Added IP pinning support to SSO users. #24541

12.2.2 (04/12/23)

This release of Teleport contains multiple improvements and bug fixes.

  • Server Access
    • Restored MajorVersion template variable for EC2 install scripts. #24434
    • Added --mlock flag to headless tsh mode to allow memory locking. #24410
    • Fixed issue with EC2 install script silently failing on errors. #24034
  • Database Access
    • Reduced log spam when AWS database engine name is not recognized. #24413
  • Machine ID
    • Improved post-renewal message by logging correct identity. #24246
  • Kubernetes Access
    • Fixed issue with incorrect status being returned on exec commands. #24155
  • Proxy Peering
    • Improved agent reconnect speed with proxy peering. #24141
  • Helm Charts
    • Fixed issue with securityContext and nodeSelector not being propagated to job hooks. #24134
    • Fixed issue with TLS routing being disabled after v12 upgrade when proxyListenerMode is empty. #24426

12.2.1 (04/04/23)

This release of Teleport contains several new features and improvements.

  • Server Access
    • Added support for headless SSO to tsh ls, tsh ssh and tsh scp. #23360
  • Database Access
    • Added support for connecting to Oracle databases. #23892
  • Moderated Sessions
    • Fixed issue with joining moderated sessions via Web UI. #24018
  • Helm Charts
    • Added support for imagePullSecrets to teleport-cluster chart. #24017
  • Security
    • Added IP pinning support to Kubernetes and database access. #23418
  • Tooling
    • Upgraded Go to 1.20.3. #24062

12.1.5 (03/30/23)

This release of Teleport contains 2 security fixes as well as multiple improvements and bug fixes.

[High] OS authorization bypass in SSH tunneling

When establishing an SSH port forwarding connection, Teleport did not sufficiently validate the specified OS principal.

This could allow an attacker in possession of valid cluster credentials to establish a TCP tunnel to a node using a non-existent Linux user.

The connection attempt would show up in the audit log as a "port" audit event (code T3003I) and include Teleport username in the "user" field.

[High] Teleport authorization bypass in Kubernetes cluster access

When authorizing a request to a Teleport-protected Kubernetes cluster, Teleport did not adequately validate the target Kubernetes cluster.

This could allow an attacker in possession of valid Kubernetes agent credentials or a join token to trick Teleport into forwarding requests to a different Kubernetes cluster.

Every Kubernetes request would show up in the audit log as a "kube.request" audit event (code T3009I) and include the Kubernetes cluster metadata.

Other improvements and fixes

  • AMIs
    • Added support for configuring TLS routing mode in AMIs. #23678
  • Application Access
    • Added support for application access behind ALB. #23054
    • Fixed requests to Teleport-protected applications being redirected to leaf's public address in some cases. #23220
    • Reduced log noise. #23365
    • Added ability to specify command in AWS tsh proxy. #23835
  • Bootstrap
    • Added provision tokens support. #23474
  • CLI
    • Added app_server support to tctl resource commands. #23136
    • Display year in tctl commands output. #23371
    • Fixed issue with tsh reporting errors about missing webauthn.dll on Windows. #23161
    • Updated tsh status to not display internal logins. #23411
    • Added --cluster flag to tsh kube sessions command. #23825
    • Fixed issue with invalid TLS mode when creating database resources. #23808
  • Database Access
    • Added support for canceling in-progress PostgreSQL requests in database access. #23467
    • Fixed issue with query audit events always having success: false status. #23274
  • Desktop Access
    • Updated setup script to be idempotent. #23176
  • Helm Charts
    • Added ability to set resource limits and requests for pre-deployment jobs. #23126
  • Infrastructure
    • Introduced distroless Teleport container images. #22814
  • Kubernetes Access
    • Fixed issue with tsh kube credentials failing on remote clusters. #23354
    • Fixed issue with tsh kube credentials loading incorrect profile. #23716
  • Machine ID
    • Added ability to specify memory backend using CLI parameters. #23495
    • Added support for Azure delegated joining. #23391
    • Added support for Gitlab delegated joining. #23191
    • Added support for trusted clusters. #23390
    • Added FIPS support. #23850
  • Proxy Peering
    • Fixed proxy peering issues when running behind a load balancer. #23506
  • Reverse Tunnels
    • Fixed issue when joining leaf cluster over tunnel port with enabled proxy protocol. #23487
    • Fixed issue with joining agents over reverse tunnel port. #23332
  • Performance & scalability
    • Improved tsh ls -R performance in large clusters. #23596
    • Improved performance when setting session environment variables. #23834
  • Server Access
    • Fixed issue with successful SFTP transfers returning non-zero code. #23729
  • SSO
    • Fixed issue with Github Enterprise SSO not working with custom URLs. #23568
  • Teleport Connect
    • Added support for config customization. #23197
    • Fixed unresponsive terminal on Windows Server 2019. #22996
  • Tooling
    • Updated Electron to 22.3.2. #23048
    • Updated Go to 1.20.2. #22997
    • Updated Rust to 1.68.0. #23101
  • Web UI
    • Added MFA support when copying files. #23195
    • Fixed "ambiguous node" error when downloading files. #23152
    • Fixed intermittent "client connection is closing" errors in web UI after logging in. #23733

12.1.1

This release of Teleport contains multiple improvements and bug fixes.

  • Fixed issue with Access Management's connection tester not working with per-session MFA. #22918, #22943
  • Fixed Kubernetes access panic when using moderated sessions. #22930
  • Fixed tsh db config reporting incorrect port in TLS routing mode. #22889
  • Fixed issue with Teleport always performing OS group check even without auto user provisioning enabled. #22805
  • Fixed issue with desktop access crashing on systems that consume many file descriptors. #22798
  • Fixed issue with teleport start --bootstrap command failing on unexpected resource. #22721
  • Fixed issue with install script not refreshing repository metadata before installing new version. #22585
  • Added ability to export database CA in DER format via tctl auth export. #22896
  • Reduced log spam from proxy multiplexer. #22802
  • Updated EC2 auto-discovery install script to use enterprise binaries for enterprise clusters. #22769
  • Upgraded Go to v1.19.7. #22725
  • Improved idle connections handling. #22908, #22893
  • Improved Kubernetes service labels validation upon startup. #22777
  • Improved tsh login error reporting when proxy is not available. #22763

12.1.0

This release of Teleport contains multiple improvements and bug fixes.

  • Added ability for Teleport to function as SAML IdP (Enterprise edition only).
  • Downgraded Go to v1.19.6 to resolve memory leak issues. #22691
  • Fixed issue with tsh scp overriding copied file permissions without -p flag. #22609
  • Improved performance of fetching remote clusters. #22575

12.0.5

This release of Teleport contains multiple improvements and bug fixes.

  • Fixed issue with tsh not respecting HTTPS_PROXY in some cases. #22492
  • Fixed issue with config validation in Helm charts scratch mode. #22423
  • Added IAM joining support for Azure VMs. #22204
  • Added auto-discovery support for Azure VMs. #22521
  • Added support for ap-southeast-4 AWS region for IAM joining. #22486
  • Added ability to specify web terminal scrollback length in proxy config. #22422
  • Added support for PuTTY's winadj channel requests. #22420
  • Added --trace-profile flag to tsh that allows generating runtime trace profiles. #22406
  • Added enhanced session recording support for arm64 architectures. #22550
  • Updated tctl alert ack to allow acknowledging alerts of any severity. #22582
  • Updated Windows desktop access to display only applicable logins. #22333
  • Improved Kubernetes access performance when using kubectl. #22508
  • Improved Teleport Connect performance when connecting to large clusters. #22316
  • Improved performance and scalability in large clusters. #21495

12.0.4

This release of Teleport contains multiple security fixes, improvements and bug fixes.

Security fixes

  • Fixed issue with malicious SQL Server packet being able to cause proxy crash. #21638
  • Fixed issue with session terminated after a short delay instead of being immediately paused when moderator leaves. #21974

Other improvements and bug fixes

  • Fixed issue with orphaned child processes after session ends. #22222
  • Fixed issue with not being able to see any pods with an active Access Request. #22196
  • Fixed issue with remote cluster state not always being correctly updated. #22088
  • Fixed heartbeat errors from the Database Service. #22087
  • Fixed issue with applications temporarily disappearing during Application Service restart. #21807
  • Fixed issue with some Helm values being accidentally shared between Auth Service and Proxy Service configs. #21768
  • Fixed issues with desktop access flow in Access Management interface. #21756
  • Fixed "access denied" errors in Teleport Connect on Windows. #21720
  • Fixed issue with database GUI client connections requiring random taps when per-session MFA is enabled. #21661
  • Fixed issue with moderated sessions not working on leaf clusters. #21612
  • Fixed issue with missing --request-id flag in UI for Kubernetes login instructions. #21445
  • Fixed issue connecting to AWS resources when using full IAM role ARNs. #21251
  • Fixed issue with local_auth: false setting being ignored without explicitly setting authentication_type. #22215
  • Added tctl resource commands for Device Trust. #22157
  • Added support for assuming roles in tsh proxy aws. #21990
  • Added early feedback for successful security key taps in tsh. #21780
  • Added device lock support. #21751
  • Added support for security contexts in teleport-kube-agent Helm chart. #21535
  • Updated tsh version command to display client version only via --client flag. #22167
  • Updated install script to use enterprise packages for enterprise clusters. #22109
  • Updated install script to use deb/rpm repositories. #22108
  • Updated proxy init container in Helm charts to use security context. #22064
  • Updated tsh to include timestamps with debug logs. #21996
  • Updated AWS access to fetch credentials with TTL matching user's certificate TTL. #21994
  • Updated Go toolchain to 1.20.1. #21931
  • Updated tsh kube login --all to not require cluster name. #21765
  • Updated teleport db configure create command to support more use-cases. #21690
  • Improved performance in large clusters with etcd backend. #21905, #21496

12.0.2

This release of Teleport contains a security fix as well as multiple improvements and bug fixes.

OpenSSL update

  • Updated OpenSSL to 1.1.1t. #21425

Other fixes and improvements

  • Fixed issue with Access Manager interface not accepting valid port numbers. #21651
  • Fixed issue with some requests to Teleport-protected applications failing after proxy restart. #21615
  • Fixed issue with invalid role template namespaces leading to cluster lockouts. #21573
  • Fixed issue with Teleport Connect failing to recognize logged in user sometimes. #21467
  • Fixed issue with the back button not working in Web UI navigation. #21236
  • Fixed issue with Web UI SSH player having scroll bars. #20868
  • Added support for tsh request search --kind=pod command. #21456
  • Updated tsh db configure create to require flag for dynamic resources matching. #21395
  • Improved reconnect stability after Database Service restart. #21635
  • Improved reconnect stability after Kubernetes service restart.#21617
  • Improved tsh ls -R performance. #21577
  • Improved tsh scp error message when no remote path is specified. #21373
  • Improved error message when trying to rename resource. #21179
  • Reduced CPU usage when using enhanced session recording. #21437

12.0.1

Teleport 12 brings the following marquee features and improvements:

  • Device Trust (Preview, Enterprise only)
  • Passwordless Windows access for local users (Preview, Enterprise only)
  • Per-pod RBAC for Kubernetes access (Preview)
  • Azure and GCP CLI support for application access (Preview)
  • Support for more databases in database access:
    • Amazon DynamoDB
    • Amazon Redshift Serverless
    • AWS RDS Proxy for PostgreSQL/MySQL
    • Azure SQLServer Auto Discovery
    • Azure Flexible Servers
  • Refactored Helm charts (Preview)
  • Dropped support for SHA1 in server access
  • Signed/notarized macOS binaries

Device Trust (Preview, Enterprise only)

Teleport 12 includes a preview of our upcoming Device Trust feature, which allows administrators to require that Teleport access is performed from an authenticated and trusted device.

This preview release requires macOS and a native client like tsh or Teleport Connect. These clients leverage the Secure Enclave on macOS to solve device challenges issued by the Teleport CA, proving their identity as a trusted device.

Teleport features requiring the web UI (desktop access, application access) are not currently supported.

Passwordless Windows Access for Local Users (Preview, Enterprise only)

Teleport 12 brings passwordless certificate-based authentication to Windows desktops in environments where Active Directory is not available. This feature requires the installation of a Teleport package on each Windows desktop.

Per-pod RBAC for Kubernetes access (Preview)

Teleport 12 extends RBAC to support controlling access to individual pods in Kubernetes clusters. Pod RBAC integrates with existing Teleport RBAC features such as role templating and Access Requests.

Azure and GCP CLI support for application access (Preview)

In Teleport 12 administrators can interact with Azure and GCP APIs through the Application Service using tsh az and tsh gcloud CLI commands, or using standard az and gcloud tools through the local application proxy.

Support for more databases in database access

Database access in Teleport 12 brings a number of new integrations to AWS-hosted databases such as DynamoDB (now with audit log support), Redshift Serverless and RDS Proxy for PostgreSQL/MySQL.

On Azure, database access adds SQLServer auto-discovery and support for Azure Flexible Server for PostgreSQL/MySQL.

Refactored Helm charts (Preview)

The “teleport-cluster” Helm chart underwent significant refactoring in Teleport 12 to provide better scalability and UX. Proxy and Auth are now separate deployments and the new “scratch” chart mode makes it easier to provide a custom Teleport config.

“Custom” mode users should follow the migration guide.

Dropped support for SHA1 in Teleport-protected servers

Newer OpenSSH clients connecting to Teleport 12 clusters no longer need the “PubAcceptedKeyTypes” workaround to include the deprecated “sha” algorithm.

Signed/notarized macOS binaries

Users who download Teleport 12 Darwin binaries would no longer get an untrusted software warning from macOS.

tctl edit

tctl now supports an edit subcommand, allowing you to edit resources directly in your preferred text editor.

Breaking Changes

Please familiarize yourself with the following potentially disruptive changes in Teleport 12 before upgrading.

Helm charts

The teleport-cluster Helm chart underwent significant changes in Teleport 12. To upgrade from an older version of the Helm chart deployed in “custom” mode, follow the migration guide.

Additionally, PSPs are removed from the chart when installing on Kubernetes 1.23 and higher to account for the deprecation/removal of PSPs by Kubernetes.

tctl auth export

The tctl auth export command only exports the private key when passing the --keys flag. Previously it would output the certificate and private key together.

Desktop access

Windows Desktop sessions disable the wallpaper by default, improving performance. To restore the previous behavior, add show_desktop_wallpaper: true to your windows_desktop_service config.

11.3.2

This release of Teleport contains multiple improvements and bug fixes.

  • Fixed regression issue with accessing SSO apps behind application access. #21049
  • Fixed regression performance issue with tsh scp. #20953
  • Fixed issue with tsh proxy aws --endpoint-url not working. #20880
  • Fixed issue with MongoDB queries failing on large datasets. #21113
  • Fixed issue with direct node dial from web UI. #20928
  • Updated install scripts to download binaries from new CDN location. #21057
  • Updated tsh to detect unplugged devices when using hardware-backed keys. #20949
  • Updated Elasticsearch access to explicitly require --db-user. (#20695) #20919
  • Updated Rust to 1.67.0. #20883

11.3.1

This release of Teleport contains a security fix, as well as multiple improvements and bug fixes.

Moderated Sessions

  • Fixed issue with moderated sessions not being disconnected on Ctrl+C. #20588

Other fixes and improvements

  • Fixed issue with node install script downloading OSS binaries in Enterprise edition. #20816
  • Fixed a regression when renewing Kubernetes dynamic credentials that prevented multiple renewals. #20788
  • Fixed issue with tctl auth sign not respecting Ctrl-C. #20773
  • Fixed occasional key attestation error in tsh login. #20712
  • Fixed issue with being able to create Access Requests with invalid cluster name. #20674
  • Fixed issue with EC2 auto-discovery install script for RHEL instances. #20604
  • Fixed issue connecting with Oracle MySQL client on Windows. #20599
  • Fixed issue with using tctl auth sign --format kubernetes against remote Auth Service instances. #20571
  • Fixed panic in Azure SQL Server access. #20483
  • Added support for Moderated Sessions in the Web UI. #20796
  • Added support for Login Rules for SSO users. #20743, #20738, #20737, #20629
  • Added ability to acknowledge alerts. #20692
  • Added client_idle_timeout_message support to Windows access. #20617
  • Added PodMonitor support in teleport-cluster Helm chart. #20564
  • Added support for passing raw config in teleport-kube-agent Helm chart. #20449
  • Added nodeSelector field to teleport-cluster Helm chart. #20441
  • Improved Kubernetes access stability for slow clients. #20517
  • Updated teleport-cluster Helm chart to reload proxy certificate daily. #20503

11.2.3

This release of Teleport contains multiple improvements and bug fixes.

  • Fixed issue with tsh login defaulting to passwordless and ignoring the --auth and --mfa-mode flags. #20474
  • Fixed regression issue with AWS console access via tsh aws. #20437
  • Fixed issue connecting to MariaDB in non-TLS Routing mode. #20409
  • Fixed the *:* selector in EC2 auto-discovery. #20390
  • Improved handling of unknown events in the events search API. #20329
  • Added support for multiple transformations in role templates. #20296
  • Added the ability to update a Trusted Cluster's role mappings without recreating the cluster. #20286
  • Added dnsConfig support to the teleport-kube-agent Helm chart. #20107

11.2.2

This release of Teleport contains multiple improvements and bug fixes.

  • Fixed issue connecting to leaf cluster nodes via web UI with per-session MFA. #20238
  • Fixed issue with max_kubernetes_connections leading to access denied errors. #20174
  • Fixed issue with kube-agent Helm chart leaving state behind after helm uninstall. #20169
  • Fixed X.509 issue after updating RDS database resource. #20099
  • Fixed issue with some tsh HTTP requests missing extra headers. #20071
  • Improved auto-discovery config validation. #20288
  • Improved graceful shutdown stability. #20225
  • Improved application access authentication flow. #20165
  • Reduced auth load by ensure proxy uses cache for periodic operations. #20153
  • Updated Rust to 1.66.1. #20201
  • Updated macOS binaries to be signed and notarized. #20305

11.2.1

This release of Teleport contains multiple improvements and bug fixes.

  • Added support for periodically reloading the proxy's TLS certificates #20040
  • Improved desktop certificate generation by using the proper field for querying a user's SID #20022
  • Updated the web UI to hide the trusted clusters screen for users who lack the appropriate role #1494
  • Fixed an issue resulting in an "invalid bearer token" message #20102
  • Fixed an issue preventing bots from using IAM joining #20011
  • Fixed an issue where Machine ID Certificates did not respect the provided TTL when using IAM joining #20001
  • Updated to Go 1.19.5 #20084

11.2.0

This release of Teleport contains multiple improvements and bug fixes.

Machine ID GitHub Actions

In addition, we're happy to announce a set of GitHub Actions that you can use in your workflows to assist with accessing Teleport Resources in your CI/CD pipelines.

Visit the individual repositories to find out more and see usage examples:

For a more in-depth guide, see our documentation for using Teleport with GitHub Actions.

Secure certificate mapping for desktop access

Later this year, Windows will begin requiring a stronger mapping from a certificate to an Active Directory user. In anticipation of this change, Teleport 11.2.0 is compliant with the new requirements.

Warning: This feature requires that Teleport's own service account also uses a strong mapping. In order to support this requirement, you must now set a new Security Identifier (sid) field in the LDAP configuration for your Windows Desktop Services. You can find the SID for your service account by running the following PowerShell snippet (replace svc-teleport with the name of the service account you are using):

Get-AdUser -Identity svc-teleport | Select SID

Other improvements and bugfixes

  • Added an improved database joining flow in the web UI #1487
  • Added support for secure certificate mapping for Windows desktop certificates #19737
  • Fixed an issue with desktop directory sharing where large files could be corrupted #1472
  • Fixed an issue where desktop access users may see a an error after ending a session #1470
  • Fixed an issue preventing database agents from joining due to improperly formatted YAML #19958
  • Updated the web UI to use session storage instead of local storage for Teleport's bearer token #1470
  • Added rate limiting to SAML/OIDC routes #19950
  • Fixed an issue connecting to leaf cluster desktops via reverse tunnel #19945
  • Fixed a backwards compatibility issue with database access in 11.1.4 #19940
  • Fixed an issue where Access Requests for Kubernetes clusters used improperly cached credentials #19912
  • Added support for CentOS 7 in ARM64 builds #19895
  • Added rate limiting to unauthenticated routes #19869
  • Add suggested reviewers and requestable roles to Teleport Connect Access Requests #19846
  • Fixed an issue listing all nodes with tsh #19821
  • Made gcp.credentialSecretName optional in the Teleport Cluster Helm chart #19803
  • Fixed an issue preventing audit events that exceed the maximum size limit from being logged #19736
  • Fixed an issue preventing some users from being able to play desktop recordings #19709
  • Added validation of AWS Account IDs when adding databases (#19638) #19702
  • Added a new audit event for DynamoDB requests via application access #19667
  • Added the ability to export tsh traces even when the Auth Service is not configured for tracing #19583
  • Added support for linking Teleport Connect's embedded tsh binary for use outside of Teleport Connect #1488

11.1.4

This release of Teleport contains multiple security fixes, improvements and bug fixes.

Note: This release of Teleport contains an issue that affects backwards compatibility with database access agents. If you are a database access user we recommend skipping straight to version 11.2.0.

[Critical] RBAC bypass in SSH TCP tunneling

When establishing a direct-tcpip channel, Teleport did not sufficiently validate RBAC.

This could allow an attacker in possession of valid cluster credentials to establish a TCP tunnel to a node they didn’t have access to.

The connection attempt would show up in the audit log as a “port” audit event (code T3003I) and include Teleport username in the “user” field.

[High] Application access session hijack

When accepting application Access Requests, Teleport did not sufficiently validate client credentials.

This could allow an attacker in possession of a valid active application session ID to issue requests to this application impersonating the session owner for a limited time window.

Presence of multiple “cert.create” audit events (code TC000I) with the same app session ID in the “route_to_app.session_id” field may indicate the attempt to impersonate an existing user’s application session.

[Medium] SSH IP pinning bypass

When issuing a user certificate, Teleport did not check for the presence of IP restrictions in the client’s credentials.

This could allow an attacker in possession of valid client credentials with IP restrictions to reissue credentials without IP restrictions.

Presence of a “cert.create” audit event (code TC000I) without corresponding “user.login” audit event (codes T1000I or T1101I) for users with IP restricted roles may indicate an issuance of a certificate without IP restrictions.

[Low] Web API session caching

After logging out via the web UI, a user’s session could remain cached in Teleport’s proxy, allowing continued access to resources for a limited time window.

Other improvements and bugfixes

  • Fixed issue with noisy-square distortions in desktop access. #19545
  • Fixed issue with LDAP search pagination in desktop access. #19533
  • Fixed issue with SSH sessions inheriting OOM score of the parent process. #19521
  • Fixed issue with ambiguous host resolution in web UI. #19513
  • Fixed issue with using desktop access with Windows 10. #19504
  • Fixed issue with session.start events being overwritten by session.exec events. #19497
  • Fixed issue with tsh login --format kubernetes not setting SNI info. #19433
  • Fixed issue with WebSockets not working via app access if the upstream web server is using HTTP/2. #19423
  • Fixed TLS routing in insecure mode. #19410
  • Fixed issue with connecting to ElastiCache 7.0.4 in database access. #19400
  • Fixed issue with SAML connector validation calling descriptor URL prior to authz checks. #19317
  • Fixed issue with database access complaining about "redis" engine not being registered. #19251
  • Fixed issue with disconnect_expired_cert and require_session_mfa settings conflicting with each other. #19178
  • Fixed startup failure when MongoDB URI is not resolvable. #18984
  • Added resource names for Access Requests in Teleport Connect. #19549
  • Added support for Github Enterprise join method. #19518
  • Added the ability to supply Access Request TTLs. #19385
  • Added new instance.join and bot.join audit events. #19343
  • Added support for port-forward over websocket protocol in Kubernetes access. #19181
  • Reduced latency of tsh ls -R. #19482
  • Updated desktop access config script to disable password prompt. #19427
  • Updated Go to 1.19.4. #19127
  • Improved performance when converting traits to roles. #19170
  • Improved handling of expired database certificates in Teleport Connect. #19096

11.1.2

This release of Teleport contains multiple improvements and bug fixes.

  • Fixed issue with EC2 discovery failing to install Teleport on older Ubuntu instances. #18965
  • Fixed issue with log spam when cleaning up groups for automatically created Linux users. #18990
  • Fixed issue with tctl windows_desktops ls not producing results in JSON and YAML formats. #19016
  • Fixed issue with web SSH sessions in proxy recording mode. #19021
  • Improved handling of corrupted session recordings. #19040

11.1.1

This release of Teleport contains a security fix as well as multiple improvements and bug fixes.

Insecure TOTP MFA seed removal

Fixed issue where an attacker with physical access to user's computer and raw access to the filesystem could potentially recover the seed QR code.

#18917

Other improvements and fixes

  • Fixed issue with Teleport Connect not working on macOS. #18921
  • Added support for Cloud HSM on Google Cloud. #18835
  • Added server_hostname to session.* audit events. #18832
  • Added ability to specify roles when making Access Requests in web UI. #18868
  • Improved error reporting from etcd backend. #18822
  • Improved failed session recording upload logs to include upload and session IDs. #18872

11.1.0

This release of Teleport contains multiple improvements and bug fixes.

  • Added support for self-hosted Github Enterprise SSO connectors in Teleport Enterprise edition. #18521, #18687
  • Added audit events for DynamoDB via AWS CLI access. #18035
  • Added auth connectors support in Kubernetes Operator. #18350
  • Added audit events for desktop access directory sharing. #18398
  • Added trusted clusters support for desktop access. #18666
  • Added support for user.spec syntax in moderated session filters. #18455
  • Added support for GKE auto-discovery to Kubernetes access. #18396
  • Added FIPS support to desktop access. #18743
  • Added teleport discovery bootstrap command. #18641
  • Added windows_desktops as the correct resource for tctl commands. #18816
  • Updated tsh db ls JSON and YAML output to include allowed users. #18543
  • Updated tctl auth sign --format kubernetes to allow merging multiple clusters in the same kubeconfig. #18525
  • Improved web UI SSH performance. #18797, #18839
  • Improved tsh play output in JSON and YAML formats. #18825
  • Fixed issue with RDS auto-discovery failing to start in some cases. #18590
  • Fixed "cannot read properties of null" error when trying to add a new server using web UI. webapps#1356
  • Fixed issue with applications list pagination in web UI. #18601
  • Fixed issue with MongoDB commands sometimes failing through database access. #18738
  • Fixed issue with automatically imported cloud labels not being used in RBAC in App Access. #18642
  • Fixed issue with Kubernetes sessions lingering after all participants have disconnected. #18684
  • Fixed issue with Auth Service being down affecting ability to establish new non-moderated SSH sessions. #18441
  • Fixed issue with launching SSH sessions when SELinux is enabled. #18810
  • Fixed issue with not being able to create SAML connectors with templated role names. #18766

11.0.3

This release of Teleport contains multiple improvements and bug fixes.

  • Fixed issue with validation of U2F devices. #17876
  • Fixed tsh ssh -J not being able to connect to leaf cluster nodes. #18268
  • Fixed issue with failed database connection when client requests GSS encryption. #17811
  • Fixed issue with setting Teleport version to v10 in Helm charts resulting in invalid config. #18008
  • Fixed issue with Teleport Kubernetes resource name conflicting with builtin resources. #17717
  • Fixed issue with invalid MS Teams plugin systemd service file. #18028
  • Fixed issue with failing to connect to OpenSSH 7.x servers. #18248
  • Fixed issue with extra trailing question mark in application Access Requests. #17955
  • Fixed issue with application access websocket requests sometimes failing in Chrome. #18002
  • Fixed issue with multiple tbot's concurrently using the same output directory. #17999
  • Fixed issue with tbot failing to parse version on some kernels. #18298
  • Fixed panic when v9 node runs against v11 Auth Service. #18383
  • Fixed issue with Kubernetes proxy caching client credentials between sessions. #18109
  • Fixed issue with agents not being able to reconnect to proxies in some cases. #18149
  • Fixed issue with remote tunnel connections not being closed properly. #18224
  • Added CircleCI support to Machine ID. #17996
  • Added support for arm and arm64 Docker images for Teleport and Operator. #18222
  • Added PostgreSQL and MySQL RDS Proxy support to database access. #18045
  • Improved database access denied error messages. #17856
  • Improved desktop access errors in case of locked sessions. #17549
  • Improved web UI handling of private key policy errors. #17991
  • Improved memory usage in clusters with large numbers of active sessions. #18051
  • Updated tsh proxy ssh to support HTTPS_PROXY. #18295
  • Updated Azure hosted databases to fetch the new CA. #18172
  • Updated tsh kube login to support providing default user, group and namespace. #18185
  • Updated web UI session listing to include active sessions of all types. #18229
  • Updated user locking to terminate in progress TCP application access connections. #18187
  • Updated teleport configure command to produce v2 config when Auth Service is provided. #17914
  • Updated all systemd service files to set max open files limit. #17961

11.0.1

This release of Teleport contains a security fix and multiple bug fixes.

Block SFTP in Moderated Sessions

Teleport did not block SFTP protocol in Moderated Sessions.

#17727

Other fixes

  • Fixed issue with agent forwarding not working for auto-created users. #17586
  • Fixed "traits missing" error in application access. #17737
  • Fixed connection leak issue in IAM joining. #17737
  • Fixed panic in "tsh db ls". #17780
  • Fixed issue with "tsh mfa add" not displaying OTP QR code image on Windows. #17703
  • Fixed issue with tctl rm windows_desktop/<name> removing all desktops. #17732
  • Fixed issue connecting to Redis 7.0 in cluster mode. #17849
  • Fixed "failed to open user account database" error after exiting SSH session. #17825
  • Improved tctl UX when using hardware-backed private keys. #17681
  • Improved tsh mfa add error reporting. #17580

11.0.0

Teleport 11 brings the following new major features and improvements:

  • Hardware-backed private keys support for server access (Enterprise only).
  • Replacement of obsolete SCP protocol with SFTP for server access.
  • Removal of persistent storage requirement for Helm charts.
  • Automatic discovery and enrollment of EKS/AKS clusters for Kubernetes access.
  • Richer Azure integrations for server and database access.
  • Cassandra and Scylla support for database access, including Amazon Keyspaces.
  • GitHub Actions and Terraform support for Machine ID.
  • Access Requests and file upload/download support for Teleport Connect.

Hardware-backed private keys (Enterprise Only)

Teleport 11 clients (such as tsh or Connect) support storing their private key material on Yubikey devices instead of filesystem which helps prevent credentials exfiltration attacks.

See how to enable it in the documentation:

Hardware-backed private keys is an enterprise only feature, and is currently supported for server access only.

SFTP protocol

Teleport 11 adds server-side support for SFTP protocol which many IDEs such as VSCode or JetBrains PyCharm, GoLand and others use for browsing, copying, and editing files on remote systems.

The following guides explain how to use IDEs to connect to a remote machine via Teleport:

In addition, Teleport 11 clients will use SFTP protocol for file transfer under the hood instead of the obsolete scp protocol. Server-side scp is still supported so existing clients aren’t affected.

Helm charts persistent storage

In Teleport 11 users no longer need to use persistent storage when deploying Helm charts. When running on Kubernetes, Teleport services will now store their identities in Kubernetes Secrets which removes the need for using persistent storage or static join tokens.

For existing deployments, this change involves migration from Deployment to StatefulSet which is performed automatically during Helm upgrade to Teleport 11.

EKS/AKS discovery

Teleport 11 adds support for automatic discovery and enrollment of AWS Elastic Kubernetes Service (EKS) and Azure Kubernetes Service (AKS) clusters.

Azure integrations

Teleport 11 improves Azure support in multiple areas.

Teleport agents running on Azure VMs will now automatically import Azure tags to label resources.

Teleport database access now supports auto-discovery for Azure-hosted PostgreSQL and MySQL databases. See the Azure guide for more details.

In addition, Teleport database access will now use Azure AD managed identity authentication for Azure-hosted SQL Server databases.

Cassandra/ScyllaDB

Teleport 11 adds support for Cassandra and ScyllaDB databases in Database Access. This includes support for Amazon Keyspaces.

Machine ID

Teleport 11 adds support for secret-less joining of Machine ID agents in GitHub Actions workflows. See the guide for more details: TODO

We have also released a GitHub Action for setting up the Teleport binaries within a GitHub workflow environment. More details regarding this can be found at the Teleport GitHub Actions repository:

https://github.com/gravitational/teleport-actions

In addition, the Teleport Terraform plugin now supports the creation of Machine ID Bots and Bot Tokens.

tsh MFA on Windows

tsh 11 adds support for MFA and passwordless logins via Windows Hello and FIDO2 devices.

Teleport Connect

Teleport Connect has added support for Access Requests and file upload/download.

Breaking Changes

Please familiarize yourself with the following potentially disruptive changes in Teleport 11 before upgrading.

Removed Github external SSO

Beginning in Teleport 11, GitHub SAML SSO will only be available in our Enterprise Edition. GitHub SSO without SAML will continue to work with OSS Teleport.

To keep using GitHub SSO with Teleport Community Edition, SAML SSO needs to be disabled for your GitHub organization. Teleport Community Edition users can continue to use GitHub SSO if using a Github Free or Team GitHub Plan.

Changed Terraform OIDC connector redirect_url type to array

In Teleport Plugins 11, redirect_url property in OIDC connectors created via a Terraform module expects an array:

redirect_url = [ "http://example.com" ]

Deprecated Quay.io registry

Starting with Teleport 11, Quay.io as a container registry has been deprecated. Customers should use the new AWS ECR registry to pull Teleport Docker images.

Quay.io registry support will be removed in a future release.

Deprecated old deb/rpm repositories

In Teleport 11, old deb/rpm repositories (deb.releases.teleport.dev and rpm.releases.teleport.dev) have been deprecated. Customers should use the new repositories (apt.releases.teleport.dev and yum.releases.teleport.dev) to install Teleport.

Support for our old deb/rpm repositories will be removed in a future release.

Changed teleport-kube-agent Helm chart to StatefulSet

Teleport 11 agents will now store their identities in Kubernetes Secrets when deployed via a Helm chart which eliminates the need for using persistent storage or static join tokens. Due to this change, Teleport agents are now always deployed as part of StatefulSet regardless of whether persistent storage is enabled or not.

Existing agents that were deployed as Kubernetes Deployments (i.e. without persistent storage) will be automatically converted to StatefulSets during Teleport 11 Helm upgrade.

Removed PostgreSQL backend

The preview PostgreSQL backend was deleted due to performance and scalability concerns.

Removed desktop access support for 32-bit ARM and 386 architectures

32-bit support for desktop access on ARM and 386 architectures has been removed due to performance issues on these devices.

This also reduces the binary size for these builds, making them slightly more convenient for smaller resource-constrained devices.

10.0.0

Teleport 10 is a major release that brings the following new features.

Platform:

  • Passwordless (Preview)
  • Resource Access Requests (Preview)
  • Proxy Peering (Preview)

Server access:

  • IP-Based Restrictions (Preview)
  • Automatic User Provisioning (Preview)

Database access:

  • Audit Logging for Microsoft SQL Server database access
  • Snowflake database access (Preview)
  • ElastiCache/MemoryDB database access (Preview)

Teleport Connect:

  • Teleport Connect for server and database access (Preview)

Machine ID:

  • Machine ID database access support (Preview)

Passwordless (Preview)

Teleport 10 introduces passwordless support to your clusters. To use passwordless users may register a security key with resident credentials or use a built-in authenticator, like Touch ID.

See the documentation.

Resource Access Requests (Preview)

Teleport 10 expands just-in-time Access Requests to allow for requesting access to specific resources. This lets you grant users the least privileged access needed for their workflows.

Just-in-time Access Requests are only available in Teleport Enterprise Edition.

Proxy Peering (Preview)

Proxy peering enables Teleport deployments to scale without an increase in load from the number of agent connections. This is accomplished by allowing Proxy Services to tunnel client connections to the desired agent through a neighboring proxy and decoupling the number of agent connections from the number of Proxies.

Proxy peering can be enabled with the following configurations:

auth_service:
  tunnel_strategy:
    type: proxy_peering
    agent_connection_count: 1
proxy_service:
  peer_listen_addr: 0.0.0.0:3021

Network connectivity between proxy servers to the peer_listen_addr is required for this feature to work.

Proxy peering is only available in Teleport Enterprise Edition.

IP-Based Restrictions (Preview)

Teleport 10 introduces a new role option to pin the source IP in SSH certificates. When enabled, the source IP that was used to request certificates is embedded in the certificate, and SSH servers will reject connection attempts from other IPs. This protects against attacks where valid credentials are exfiltrated from disk and copied out into other environments.

IP-based restrictions are only available in Teleport Enterprise Edition.

Automatic User Provisioning (Preview)

Teleport 10 can be configured to automatically create Linux host users upon login without having to use Teleport's PAM integration. Users can be added to specific Linux groups and assigned appropriate “sudoer” privileges.

To learn more about configuring automatic user provisioning read the documentation.

Audit Logging for Microsoft SQL Server database access

Teleport 9 introduced a preview of database access support for Microsoft SQL Server which didn’t include audit logging of user queries. Teleport 10 captures users' queries and prepared statements and sends them to the audit log, similarly to other supported database protocols.

Teleport database access for SQL Server remains in Preview mode with more UX improvements coming in future releases.

Refer to the guide to set up access to a SQL Server with Active Directory authentication.

Snowflake database access (Preview)

Teleport 10 brings support for Snowflake to database access. Administrators can set up access to Snowflake databases through Teleport for their users with standard database access features like role-based access control and audit logging, including query activity.

Connect your Snowflake database to Teleport following the documentation.

Elasticache/MemoryDB database access (Preview)

Teleport 9 added Redis protocol support to database access. Teleport 10 improves this integration by adding native support for AWS-hosted Elasticache and MemoryDB, including auto-discovery and automatic credential management in some deployment configurations.

Learn more about it in the documentation.

Teleport Connect for server and database access (Preview)

Teleport Connect is a graphical macOS application that simplifies access to your Teleport resources. Teleport Connect 10 supports server access and database access. Other protocols and Windows support are coming in a future release.

Get Teleport Connect installer from the macOS tab on the downloads page: https://goteleport.com/download/.

Machine ID database access support (Preview)

In Teleport 10 we’ve added database access support to Machine ID. Applications can use Machine ID to access databases protected by Teleport.

You can find Machine ID guide for database access in the documentation.

Breaking changes

Please familiarize yourself with the following potentially disruptive changes in Teleport 10 before upgrading.

Auth Service version check

Teleport 10 agents will now refuse to start if they detect that the Auth Service is more than one major version behind them. You can use the --skip-version-check flag to bypass the version check.

Take a look at component compatibility guarantees in the documentation.

HTTP_PROXY for reverse tunnels

Reverse tunnel connections will now respect HTTP_PROXY environment variables. This may result in reverse tunnel agents not being able to re-establish connections if the HTTP proxy is set in their environment and does not allow connections to the Teleport Proxy Service.

Refer to the documentation for more details.

New APT repos

With Teleport 10 we’ve migrated to new APT repositories that now support multiple release channels, Teleport versions and OS distributions. The new repositories have been backfilled with Teleport versions starting from 6.2.31 and we recommend upgrading to them. The old repositories will be maintained for the foreseeable future.

See the installation instructions.

Removed “tctl access ls”

The tctl access ls command that returned information about user server access within the cluster was removed. Please use a previous tctl version if you’d like to keep using it.

Relaxed session join permissions

In previous versions of Teleport users needed full access to a Node/Kubernetes pod in order to join a session. Teleport 10 relaxes this requirement. Joining sessions remains deny-by-default but now only join_sessions statements are checked for session join RBAC.

See the Moderated Sessions guide for more details.

GitHub connectors

The GitHub authentication connector’s teams_to_logins field is deprecated in favor of the new teams_to_roles field. The old field will be removed in a future release.

Teleport FIPS AWS endpoints

Teleport 10 will now automatically use FIPS endpoints for AWS S3 and DynamoDB when started with the --fips flag. You can use the use_fips_endpoint=false connection endpoint option to use regular endpoints for Teleport in FIPS mode, for example:

s3://bucket/path?region=us-east-1&use_fips_endpoint=false

See the S3/DynamoDB backend documentation for more information.

9.3.9

This release of Teleport contains a security fix, as well as multiple improvements and bug fixes.

Auth bypass in Moderated Sessions

When checking a user’s roles prior to starting a session, Teleport may have incorrectly allowed a session to proceed without moderation depending on the order roles are received from the backend.

Other improvements and fixes

  • Fixed issue with per-session MFA swallowing key presses. #13822
  • Fixed issue with tsh db ls -R now showing allowed users. #13626
  • Fixed vertical and horizontal scroll in desktop access. #13905
  • Fixed issue with invalid query filters forcing tsh relogin. #13747
  • Fixed issue with TLS routing and proxy jump. #13928
  • Fixed issue with MongoDB connections timing out in certain scenarios. #13859
  • Fixed issue with Machine ID certificate renewal with empty requested roles. #13893
  • Fixed issue with Windows desktops not being labeled with LDAP attribute labels. #13681
  • Fixed issue with desktop access streaming not being terminated properly. #14024
  • Added ability to use FIPS endpoints for S3 and DynamoDB using use_fips_endpoint connection option. #13703
  • Added ability to specify CA pin as a file path in the config. #13089
  • Improved reconnect reliability after root proxy restart. #13967
  • Improved error messages for failed auth client connections. #13835

9.3.7

This release of Teleport contains multiple improvements and bug fixes.

  • Fixed issue with startup delay caused by AWS EC2 check. #13167
  • Added tsh ls -R that displays resources across all clusters and profiles. #13313
  • Fixed issue with tsh not correctly reporting "address in use" error during port forwarding. #13679
  • Fixed two potential panics. #13590, #13655
  • Fixed issue with enhanced session recording not working on recent Ubuntu versions. #13650
  • Fixed issue with CA rotation when Database Service does not contain any databases. #13517
  • Fixed issue with desktop access connection failing with "invalid channel name rdpsnd" error. #13450
  • Fixed issue with invalid Teleport config when enabling IMDSv2 in Terraform config. #13537

9.3.6

This release of Teleport contains multiple improvements and bug fixes.

  • Added Unicode clipboard support to desktop access. #13391
  • Fixed backwards compatibility issue with fetch Access Requests from older servers. #13490
  • Fixed issue with requests to Teleport-protected apps periodically failing with 500 errors. #13469
  • Fixed issues with pagination when displaying applications. #13451
  • Fixed file descriptor leak in Machine ID. #13386

9.3.5

This release of Teleport contains multiple improvements and bug fixes.

  • Fixed backwards compatibility issue with fetching Access Requests from older servers. #13428
  • Fixed issue with using Microsoft SQL Server Management Studio with database access. #13337
  • Added support for tsh proxy ssh -J to improve interoperability with OpenSSH clients. #13311
  • Added ability to provide security context in Helm charts. #13286
  • Added Application and database access support to reference AWS Terraform deployment. #13383
  • Improved reliability of dialing the Auth Service through the Proxy Service. #13399
  • Improved kubectl exec auditing by logging access denied attempts. #12831, #13400

9.3.4

This release of Teleport contains multiple security, bug fixes and improvements.

Escalation attack in agent forwarding

When setting up agent forwarding on the node, Teleport did not handle unix socket creation in a secure manner.

This could have given a potential attacker an opportunity to get Teleport to change arbitrary file permissions to the attacker’s user.

WebSockets CSRF

When handling websocket requests, Teleport did not verify that the provided Bearer token was generated for the correct user.

This could have allowed a malicious low privileged Teleport user to use a social engineering attack to gain higher privileged access on the same Teleport cluster.

Denial of service in Access Requests

When accepting an Access Request, Teleport did not enforce the maximum request reason size.

This could allow a malicious actor to mount a DoS attack by creating an Access Request with a very large request reason.

Auth bypass in moderated sessions

When initializing a moderated session, Teleport did not discard participant’s input prior to the moderator joining.

This could prevent a moderator from being able to interrupt a malicious command executed by a participant.

Other fixes

  • Fixed issue with stdin hijacking when per-session MFA is enabled. #13212
  • Added support for automatic tags import when running on AWS EC2. #12593
  • Added ability to use multiple redirect URLs in OIDC connectors. #13046
  • Fixed issue with ANSI escape sequences being broken when using tsh on Windows. #13221
  • Fixed issue with tsh ssh printing extra error upon exit if last command was unsuccessful. #12903
  • Added support for Proxy Protocol v2 in MySQL proxy. #12993
  • Upgraded to Go v1.17.11. #13104
  • Added Windows desktops labeling based on their LDAP attributes. #13238
  • Improved performance when listing resources for users with many roles. #13263

9.3.2

This release of Teleport contains two bug fixes.

  • Fixed issue with Machine ID's tsh version check. #13037
  • Fixed AWS related log spam in database agent when not running on AWS. #12984

9.3.0

This release of Teleport contains multiple improvements and bug fixes.

  • Fixed issue with tctl not taking TELEPORT_HOME environment variable into account. #12738
  • Fixed issue with Redis AUTH command not always authenticating the user in database access. #12754
  • Fixed issue with Teleport not starting with deprecated U2F configuration. #12826
  • Fixed issue with tsh db ls not showing allowed users for leaf clusters. #12853
  • Fixed issue with teleport configure failing when given non-existent data directory. #12806
  • Fixed issue with tctl not outputting debug logs. #12920
  • Fixed issue with Kubernetes access not working when using default CA pool. #12874
  • Fixed issue with Machine ID not working in TLS routing mode. #12990
  • Improved connection performance in large clusters. #12832
  • Improved memory usage in large clusters. #12724

Breaking Changes

Teleport 9.3.0 reduces the minimum GLIBC requirement to 2.18 and enforces more secure cipher suites for desktop access.

As a result of these changes, desktop access users with desktops running Windows Server 2012R2 will need to perform additional configuration to force Windows to use compatible cipher suites.

Windows desktops running Windows Server 2016 and newer will continue to operate normally - no additional configuration is required.

9.2.4

This release of Teleport contains multiple improvements and bug fixes.

  • Fixed compatibility issue with agents connected to older Auth Service instances. #12728
  • Fixed issue with TLS routing endpoint advertising preference for http/1.1 over h2. #12749
  • Implemented multiple proxy restart stability improvements. #12632, #12488, #12689
  • Improved compatibility with PuTTY. #12662
  • Added support for global tsh config file /etc/tsh.yaml. #12626
  • Added tbot configure command. #12576
  • Fixed issue with desktop access not working in Teleport Enterprise (Cloud). #12781
  • Improved Web UI performance in large clusters. #12637
  • Fixed issue with running MySQL stored procedures via database access. #12734

9.2.3

This release of Teleport contains multiple improvements and bug fixes.

  • Fixed issue with HTTP_PROXY being inadvertently respected in reverse tunnel connections. #12335
  • Added --format flag to tctl token add command. #12588
  • Fixed backwards compatibility issues with session upload. #12535
  • Added support for persistency in custom mode in Helm charts. #12218
  • Fixed issue with PostgreSQL backend not respecting username from certificate. #12553
  • Fixed issues with kubectl cp and kubectl exec not working through Kubernetes access. #12541
  • Fixed issues with dynamic registration logic for cloud databases. #12451
  • Fixed issue with automatic Add Application script failing to join the cluster. #12539
  • Fixed issue with tctl crashing when PAM is enabled. #12572
  • Added support for setting priority class and extra labels in Helm charts. #12568
  • Fixed issue with App Access JWT tokens not including iat claim. #12589
  • Added ability to inject App Access JWT tokens in rewritten headers. #12589
  • Desktop access automatically adds a teleport.dev/ou label for desktops discovered via LDAP. #12502
  • Updated Machine ID to generates identity files compatible with tctl and tsh. #12500
  • Updated internal build infrastructure to Go 1.17.10. #12607
  • Improved proxy memory usage in clusters with large number of nodes. #12573

9.2.1

This release of Teleport contains an improvement and several bug fixes.

  • Updated tctl rm command to support removing tokens. #12439
  • Fixed issue with Teleport failing to start when using DynamoDB backend in pay-per-request mode. #12461
  • Fixed issue with Kubernetes port forwarding not working. #12468
  • Fixed issue with IAM policy limit when using database auto-discovery on Kubernetes. #12457

9.2.0

This release of Teleport contains multiple improvements, security and bug fixes.

  • Fixed issue with U2F facets not being properly validated. #12208
  • Hardened SQLite permissions. #12360
  • Fixed issue with OIDC callback not checking email_verified claim. #12360
  • Added max_kubernetes_connections role option for limiting simultaneous Kubernetes connections. #12360
  • Fixed issue with Teleport failing to start with pay-per-request DynamoDB mode. #12360
  • Reduced Machine ID verbosity in case of missing secure symlink kernel support. #12423
  • Fixed tsh proxy db tunnel mode not working for CockroachDB connections. #12400
  • Added support for database access certificates in Machine ID. #12195
  • Improved shutdown/restart stability in certain scenarios. #12393
  • Added support for clickable labels in web UI. #12422

9.1.3

This release of Teleport contains multiple improvements and bug fixes.

  • Fixed issue with some MySQL clients not being able to connect to MySQL 8.0 servers. #12340
  • Fixed multiple conditions that could lead to SSH sessions freezing. #12286
  • Fixed issue with tsh db ls failing for leaf clusters. #12320
  • Fixed a scenario in which Teleport's internal cache could potentially become unhealthy. #12251, #12002
  • Improved performance when opening new application access sessions. #12300
  • Added flags to the teleport configure command. #12267
  • Improved CA rotation stability. #12333
  • Fixed issue with mongosh certificate verification when using TLS routing. #12363

9.1.2

This release of Teleport contains two bug fixes.

  • Fixed issue with Teleport pods not becoming ready on Kubernetes. #12243
  • Fixed issue with Teleport processes crashing upon restart after failed host UUID generation. #12222

9.1.1

This release of Teleport contains multiple bug fixes and improvements.

  • Fixed regression issue where reverse tunnel connections inadvertently started respecting HTTP_PROXY. #12035
  • Fixed potential deadlock in SSH server. #12122
  • Fixed issue with Kubernetes service not reporting its readiness. #12152
  • Fixed issue with JumpCloud identity provider. #11936
  • Fixed issue with deleting many records from Firestore backend. #12177

9.1.0

Teleport 9.1 is a minor release that brings several new features, security and bug fixes.

Security

Teleport build infrastructure was updated to use Go v1.17.9 to fix CVE-2022-24675, CVE-2022-28327 and CVE-2022-27536.

SQL backend (preview)

Teleport users can now use PostgreSQL or CockroachDB for storing Auth Service data.

See the documentation for more information.

Server-side filtering and pagination

Searching and filtering resources is now handled on the server, improving the efficiency of queries with tsh, tctl, or the web UI.

The web UI loads resources faster by leveraging server-side pagination. Additionally, the web UI supports bookmarking searches by including the query in the URL.

Other improvements and fixes

  • Fixed issue with stdin being ignored after refreshing expired credentials. #11847
  • Fixed issue with tsh requiring host login when using identity files for some commands. #11793
  • Added support for calling proxy over plain HTTP in insecure mode. #11403
  • Fixed multiple issues that could lead to sessions output freezing. #11853
  • Added optional gRPC client/server latency metrics. #11773
  • Fixed issue with connecting to self-hosted databases in TLS insecure mode. #11758
  • Improved error message when incorrect auth connector name is used. #11884
  • Implemented multiple moderated session stability improvements. #11803, #11890
  • Added authenticated tunnel mode to tsh proxy db command. #11808
  • Fixed issue with application sessions not being deleted upon web logout. #11956
  • Improved MySQL audit logging to include support for additional commands. #11949
  • Improved reliability of Teleport services restart. #11795
  • Fixed issue with Okta OIDC auth connector not working. #11718
  • Added support for json and yaml formatting to all tsh commands. #12050
  • Added support for setting kubernetes_users, kubernetes_groups, db_names, db_users and aws_role_arns traits when creating users. #12133
  • Fixed potential CA rotation panic. #12004
  • Updated tsh db ls to display allowed database usernames. #11942
  • Fixed goroutine leak in OIDC client. #12078

9.0.4

This release of Teleport contains multiple improvements and fixes.

  • Fixed issue with : not being allowed in label keys. #11563
  • Fixed potential panic in Kubernetes access. #11614
  • Added teleport_connect_to_node_attempts_total Prometheus metric. #11629
  • Multiple CA rotation stability improvements. #11658
  • Fixed console player Ctrl-C and Ctrl-D functionality. #11559
  • Improved logging in case of node with existing state joining an new cluster. #11751
  • Added preview of PostgreSQL/CockroachDB backend. #11667
  • Fixed compatibility issues with CA loading between old and new tsh versions. #11663
  • Fixed loggers not respecting JSON configuration. #11655
  • Added support for Proxy Protocol v2. #11722
  • Fixed a number of tsh player stability issues. #11491
  • Improved network utilization caused by session uploader. #11698
  • Improved remote clusters inventory bookkeeping. #11707

9.0.3

This release of Teleport contains multiple fixes.

  • Fixed issue with tctl ignoring TELEPORT_HOME environment variable. #11561
  • Fixed multiple moderated sessions stability issues. #11494
  • Fixed issue with tsh version exiting with error when tsh config file is not present. #11571
  • Fixed issue with tsh not respecting proxy hosts. #11496
  • Fixed issue with Kubernetes forwarder taking HTTP proxies into account. #11462
  • Fixed issue with stale DynamoDB Auth Service instances disrupting agent reconnect attempts. #11598

9.0.2

This release of Teleport contains multiple features, improvements and bug fixes.

  • Added support for per-user tsh configuration preferences. #10336
  • Added support for role bootstrapping in OSS. #11175
  • Added HTTP_PROXY support to tsh. #10209
  • Improved error messages tsh and tctl show to include usage information on invalid command line invocation. #11174
  • Improved tctl <resource> ls output to make it consistent across all resources. #9519
  • Fixed multiple issues with CA rotation, graceful restart, and stability. #10706 #11074 #11283
  • Fixed issue where MOTD was not always shown. #10735
  • Fixed an issue where certificate extension not being included in tctl auth sign. #10949
  • Fixed a panic that could occur in the Web UI. #11389

9.0.1

This release of Teleport contains multiple improvements and bug fixes.

  • Fixed issue with Ctrl-C freezing sessions. #11188
  • Improved handling of unknown audit events. #11064
  • Improved calculation of public addresses for dynamically registered apps. #11139
  • Fixed tsh aws ecr returning 500 errors. #11108
  • Fixed issue with deleting certain users. #11131
  • Fixed issue with Machine ID not detecting token in file config. #11206

9.0.0

Teleport 9.0 is a major release that brings:

  • Teleport desktop access GA
  • Teleport Machine ID Preview
  • Various additions to Teleport database access
  • Moderated Sessions for server and Kubernetes access

Desktop access adds support for clipboard sharing, session recording, and per-session MFA.

Teleport Machine ID Preview extends identity-based access to machines. It's the easiest way to issue, renew, and manage SSH and X.509 certificates for service accounts, microservices, CI/CD automation and all other forms of machine-to-machine access.

Database access brings self-hosted Redis support, RDS MariaDB (10.6 and higher) support, auto-discovery for Redshift clusters, and auto-IAM configuration improvements to GA. Additionally, this release also brings Microsoft SQL Server with AD authentication to Preview.

Moderated Sessions enables the creation of sessions where a moderator has to be present. This feature can be selectively enabled for specific sessions via RBAC and can be used in conjunction with per-session MFA.

Desktop access

Clipboard Support

Desktop access now supports copying and pasting text between your local workstation and a remote Windows Desktop. This feature requires a Chromium-based browser and can be disabled via RBAC.

Session Recording

Desktop sessions are now recorded and stored alongside SSH sessions, and can be viewed in Teleport's web interface. Desktop session recordings are fully compatible with the RBAC for sessions feature introduced in Teleport 8.1.

Per-session MFA

Per-session MFA settings now apply to desktop sessions. This allows cluster administrators to require an additional MFA "tap" prior to opening a desktop session. This feature requires a WebAuthn device.

Machine ID (Preview)

Machine ID allows the creation of machine / bot / service account users who can automatically issue, renew, and manage SSH and X.509 certificates to facilitate machine-to-machine access.

Machine ID is a service that programmatically issues and renews short-lived certificates to any service account (e.g., a CI/CD server) by retrieving credentials from the Teleport Auth Service. This enables fine-grained role-based access controls and audit.

Some of the things you can do with Machine ID:

  • Machines can retrieve short-lived SSH certificates for CI/CD pipelines.
  • Machines can retrieve short-lived X.509 certificates for use with databases or applications.
  • Configure role-based access controls and locking for machines.
  • Capture access events in the audit log.

Machine ID getting started guide

Database access

Redis

You can now use database access to connect to a self-hosted Redis instance or Redis cluster and view Redis commands in the Teleport audit log. We will be adding support for Amazon Elasticache in the coming weeks.

Self-hosted Redis guide

SQL Server (Preview)

Teleport 9 includes a preview release of Microsoft SQL Server with Active Directory authentication support for database access. Audit logging of query activity is not included in the preview release and will be implemented in a later 9.x release.

SQL Server guide

RDS MariaDB

Teleport 9 updates MariaDB support with auto-discovery and connection to AWS RDS MariaDB databases using IAM authentication. The minimum MariaDB version that supports IAM authentication is 10.6.

Updated RDS guide

Other Improvements

In addition, Teleport 9 expands auto-discovery to support Redshift databases and 2 new commands which simplify the database access getting started experience: "teleport db configure create", which generates Database Service configuration, and "teleport db configure bootstrap", which configures IAM permissions for the Database Service when running on AWS.

CLI commands reference:

Moderated Sessions

With Moderated Sessions, Teleport administrators can define policies that allow users to invite other users to participate in SSH or Kubernetes sessions as observers, moderators or peers.

Moderated Sessions guide

Breaking Changes

CentOS 6

CentOS 6 support was deprecated in Teleport 8 and has now been removed.

Desktop access

desktop access now authenticates to LDAP using X.509 client certificates. Support for the password_file configuration option has been removed.

8.0.0

Teleport 8.0 is a major release of Teleport that contains new features, improvements, and bug fixes.

New Features

Windows desktop access Preview

Teleport 8.0 includes a preview of the Windows desktop access feature, allowing users passwordless login to Windows Desktops via any modern web browser.

Teleport users can connect to Active Directory enrolled Windows hosts running Windows 10, Windows Server 2012 R2 and newer Windows versions.

To try this feature yourself, check out our Getting Started Guide.

Review the desktop access design in:

TLS Routing

In TLS routing mode all client connections are wrapped in TLS and multiplexed on a single Teleport proxy port.

TLS routing can be enabled by including the following Auth Service configuration:

auth_service:
  proxy_listener_mode: multiplex
  ...

and setting proxy configuration version to v2 to prevent legacy listeners from being created:

version: v2
proxy_service:
  ...

AWS CLI

Teleport application access extends AWS console support to CLI . Users are able to log into their AWS console using tsh apps login and use tsh aws commands to interact with AWS APIs.

See more info in the documentation.

Application and Database Dynamic Registration

With dynamic registration users are able to manage applications and databases without needing to update static YAML configuration or restart application or database agents.

See dynamic registration guides for apps and databases.

RDS Automatic Discovery

With RDS auto discovery Teleport database agents can automatically discover RDS instances and Aurora clusters in an AWS account.

See updated RDS guide for more information.

WebAuthn

WebAuthn support enables Teleport users to use modern multi-factor options, including Apple FaceID and TouchID.

In addition, the Teleport Web UI includes new multi-factor management tools, enabling users to configure and update their multi-factor devices via their web browser.

Lastly, our UI becomes more secure by requiring an additional multi-factor confirmation for certain privileged actions (editing roles for multi-factor confirmation, for example).

Improvements

  • Added support for CockroachDB to Database Access. #8505
  • Reduced network utilization on large clusters during login. #8471
  • Added metrics and added the ability for tctl top to show network utilization for resource propagation. #8338 #8603 #8491
  • Added support for account recovery and cancellation. #6769
  • Added per-session MFA support to database access. #8270
  • Added support for profile specific kubeconfig. #7840

Fixes

  • Fixed issues with web applications that utilized EventSource with application access. #8359
  • Fixed issue were interactive sessions would always return exit code 0. #8081
  • Fixed issue where JWT signer was omitted from bootstrap logic. #8119

Breaking Changes

CentOS 6

CentOS 6 support will be deprecated in Teleport 8 and removed in Teleport 9.

Teleport 8 will continue to receive security patches for about 9 months after which it will be EOL. Users are encouraged to upgrade to CentOS 7 in that time frame.

Updated dependencies

New run time dependencies have been added to Teleport 8 due to the inclusion of Rust in the build chain. Teleport 8 requires libgcc_s.so and libm.so be installed on systems running Teleport.

Users of distroless container images are encouraged to use the gcr.io/distroless/cc-debian11 image to run Teleport.

FROM gcr.io/distroless/cc-debian11

Alpine users are recommended to install the libgcc package in addition to any glibc compatibility layer they have already been using.

apk --update --no-cache add libgcc

Database access Certificates

With the GODEBUG=x509ignoreCN=0 flag removed in Go 1.17, database access users will no longer be able to connect to databases that include their hostname in the CommonName field of the presented certificate. Users are recommended to update their database certificates to include hostname in the Subject Alternative Name extension instead.

Subscribe to Github issue #7636 which will add ability to control level of TLS verification as a workaround.

Role Changes

New clusters will no longer have the default admin role, it has been replaced with 3 smaller scoped roles: access, auditor, and editor.

7.0.0

Teleport 7.0 is a major release of Teleport that contains new features, improvements, and bug fixes.

New Features

MongoDB

Added support for MongoDB to Teleport database access. #6600.

View the database access with MongoDB for more details.

Cloud SQL MySQL

Added support for GCP Cloud SQL MySQL to Teleport database access. #7302

View the Cloud SQL MySQL guide for more details.

AWS Console

Added support for AWS Console to Teleport application access. #7590

Teleport application access can now automatically sign users into the AWS Management Console using Identity federation. View AWS Management Console guide for more details.

Restricted Sessions

Added the ability to block network traffic (IPv4 and IPv6) on a per-SSH session basis. Implemented using BPF tooling which required kernel 5.8 or above. #7099

Enhanced Session Recording

Updated Enhanced Session Recording to no longer require the installation of external compilers like bcc-tools. Implemented using BPF tooling which required kernel 5.8 or above. #6027

Improvements

  • Added the ability to terminate database access certificates when the certificate expires. #5476
  • Added additional FedRAMP compliance controls, such as custom disconnect and MOTD messages. #6091 #7396
  • Added the ability to export Audit Log and session recordings using the Teleport API. #6731 #7360
  • Added the ability to partially configure a cluster. #5857 RFD #28
  • Added the ability to disable port forwarding on a per-host basis. #6989
  • Added ability to configure tsh home directory. #7035
  • Added ability to generate OpenSSH client configuration snippets using tsh config. #7437
  • Added default-port detection to tsh #6374
  • Improved performance of the Web UI for users with many roles. #7588

Fixes

  • Fixed a memory leak that could affect etcd users. #7631
  • Fixed an issue where tsh login could fail if the user had multiple public addresses defined on the proxy. #7368

Breaking Changes

Enhanced Session Recording

Enhanced Session Recording has been updated to use CO-RE BPF executables. This means that you no longer have to install bcc-tools, but comes with a higher minimum kernel version of 5.8 and above. #6027

Kubernetes access

Kubernetes access will no longer automatically register a cluster named after the Teleport cluster if the proxy is running within a Kubernetes cluster. Users wishing to retain this functionality now have to explicitly set kube_cluster_name. #6786

tsh

tsh login has been updated to no longer change the current Kubernetes context. While tsh login will write credentials to kubeconfig it will only update your context if tsh login --kube-cluster or tsh kube login <kubeCluster> is used. #6045

6.2

Teleport 6.2 contains new features, improvements, and bug fixes.

Note: the DynamoDB indexing change described below may cause rate-limiting errors from AWS APIs and is slow on large deployments (1000+ existing audit events). The next patch release, v6.2.1, will improve the migration performance. If you run a large DynamoDB-based cluster, we advise you to wait for v6.2.1 before upgrading.

New Features

Added Amazon Redshift Support

Added support for Amazon Redshift to Teleport database access.#6479.

View the database access with Redshift on AWS guide for more details.

Improvements

  • Added pass-through header support for Teleport application access. #6601
  • Added ability to propagate claim information from root to leaf clusters. #6540
  • Added Proxy Protocol for MySQL database access. #6594
  • Added prepared statement support for Postgres database access. #6303
  • Added GetSessionEventsRequest RPC endpoint for Audit Log pagination. RFD 19 #6731
  • Changed DynamoDB indexing strategy for events. RFD 24 #6583

Fixes

  • Fixed multiple per-session MFA issues. #6542 #6567 #6625 #6779 #6948
  • Fixed etcd JWT renewal issue. #6905
  • Fixed issue where kubectl exec sessions were not being recorded when the target pod was killed. #6068
  • Fixed an issue that prevented Teleport from starting on ARMv7 systems. #6711.
  • Fixed issue that caused Access Requests to inconsistently allow elevated Kubernetes access. #6492
  • Fixed an issue that could cause session.end events not to be emitted. #6756
  • Fixed an issue with PAM variable interpolation. #6558

Breaking Changes

Agent Forwarding

Teleport 6.2 brings a potentially backward incompatible change with tsh agent forwarding.

Prior to Teleport 6.2, tsh ssh -A would create an in-memory SSH agent from your ~/.tsh directory and forward that agent to the target host.

Starting in Teleport 6.2 tsh ssh -A by default now forwards your system SSH agent (available at $SSH_AUTH_SOCK). Users wishing to retain the prior behavior can use tsh ssh -o "ForwardAgent local".

For more details see RFD 22 and implementation in #6525.

DynamoDB Indexing Change

DynamoDB users should note that the events backend indexing strategy has changed and a data migration will be triggered after upgrade. For optimal performance perform this migration with only one Auth Service instance online. It may take some time and progress will be periodically written to the Auth Service log. During this migration, only events that have been migrated will appear in the Web UI. After completion, all events will be available.

For more details see RFD 24 and implementation in #6583.

6.1.5

This release of Teleport contains multiple bug fixes.

  • Added additional Prometheus Metrics. #6511
  • Updated the TLS handshake timeout to 5 seconds to avoid timeout issues on large clusters. #6692
  • Fixed issue that caused non-interactive SSH output to show up in logs. #6683
  • Fixed two issues that could cause Teleport to panic upon startup. #6431 #5712

6.1.3

This release of Teleport contains a bug fix.

  • Added support for PROXY protocol to database access (MySQL). #6517

6.1.2

This release of Teleport contains a new feature.

  • Added log formatting and support to enable timestamps for logs. #5898

6.1.1

This release of Teleport contains a bug fix.

6.1.0

Teleport 6.1 contains multiple new features, improvements, and bug fixes.

New Features

U2F for Kubernetes and SSH sessions

Added support for U2F authentication on every SSH and Kubernetes "connection" (a single tsh ssh or kubectl call). This is an advanced security feature that protects users against compromises of their on-disk Teleport certificates. Per-session MFA can be enforced cluster-wide or only for some specific roles.

For more details see Per-Session MFA documentation or RFD 14 and RFD 15 for technical details.

Dual Authorization Workflows

Added ability to request multiple users to review and approve Access Requests.

See #5071 for technical details.

Improvements

  • Added the ability to propagate SSO claims to PAM modules. #6158
  • Added support for cluster routing to reduce latency to leaf clusters. RFD 21
  • Added support for Google Cloud SQL to database access. #6090
  • Added support CLI credential issuance for application access. #5918
  • Added support for Encrypted SAML Assertions. #5598
  • Added support for user impersonation. #6073

Fixes

  • Fixed interoperability issues with gpg-agent. RFD 18
  • Fixed websocket support in application access. #6028
  • Fixed file argument issues with tsh play. #1580
  • Fixed utmp regressions that caused issues in LXC containers. #6256

6.0.3

This release of Teleport contains a bug fix.

  • Fixed a issue that caused high network on deployments with many leaf Trusted Clusters. #6263

6.0.2

This release of Teleport contains bug fixes and adds new default roles.

  • Fixed an issue with proxy web endpoint resetting connection when run with --insecure-no-tls flag. #5923
  • Introduced role presets: auditor, editor and access. #5968
  • Added ability to inline google_service_account field into Google Workspace OIDC connector. #5563

6.0.1

This release of Teleport contains multiple bug fixes.

  • Fixed issue that caused ACME default configuration to fail with TLS-ALPN-01 challenge. #5839
  • Fixed regression in ADFS integration. #5880

6.0.0

Teleport 6.0 is a major release with new features, functionality, and bug fixes.

We have implemented database access, open sourced role-based access control (RBAC), and added official API and a Go client library.

Users can review the 6.0 milestone on Github for more details.

New Features

Database access

Review the database access design in RFD #11.

With database access users can connect to PostgreSQL and MySQL databases using short-lived certificates, configure SSO authentication and role-based access controls for databases, and capture SQL query activity in the audit log.

Getting Started

Configure database access following the Getting Started guide.

Guides
Resources

To learn more about configuring role-based access control for database access, check out the RBAC section.

Architecture provides a more in-depth look at database access internals such as networking and security.

See Reference for an overview of database access related configuration and CLI commands.

Finally, check out Frequently Asked Questions.

OSS RBAC

Open source RBAC support was introduced in RFD #7.

RBAC support gives OSS administrators more granular access controls to servers and other resources with a cluster (like session recording access). An example of an RBAC policy could be: "admins can do anything, developers must never touch production servers and interns can only SSH into staging servers as guests"

In addition, some Access Workflow Plugins will now become available to open source users.

  • Access Workflows Golang SDK and API
  • Slack
  • Gitlab
  • Mattermost
  • JIRA Plugin
  • PagerDuty Plugin

Client libraries and API

API and Client Libraries support was introduced in RFD #10.

The new API and client library reduces the dependencies needed to use the Teleport API as well as making it easier to use. An example of using the new API is below.

// Create a client connected to the Auth server with an exported identity file.
clt, err := client.NewClient(client.Config{
  Addrs: []string{"auth.example.com:3025"},
  Credentials: []client.Credentials{
    client.LoadIdentityFile("identity.pem"),
  },
})
if err != nil {
  log.Fatalf("Failed to create client: %v.", err)
}
defer clt.Close()

// Create a Access Request.
accessRequest, err := types.NewAccessRequest(uuid.New(), "access-admin", "admin")
if err != nil {
  log.Fatalf("Failed to build access request: %v.", err)
}
if err = clt.CreateAccessRequest(ctx, accessRequest); err != nil {
  log.Fatalf("Failed to create access request: %v.", err)
}

Improvements

  • Added utmp/wtmp support for SSH in #5491.
  • Added the ability to set a Kubernetes specific public address in #5611.
  • Added Proxy Protocol support to Kubernetes access in #5299.
  • Added ACME (Let's Encrypt) support to make getting and using TLS certificates easier. #5177.
  • Added the ability to manage local users to the Web UI in #2945.
  • Added the ability to preserve timestamps when using tsh scp in #2889.

Fixes

  • Fixed authentication failure when logging in via CLI with Access Workflows after removing .tsh directory in #5323.
  • Fixed tsh login failure when --proxy differs from actual proxy public address in #5380.
  • Fixed session playback issues in #2945.
  • Fixed several UX issues in #5559, #5568, #4965, and #5057.

Upgrade Notes

Please follow our standard upgrade procedure to upgrade your cluster.

Note, for clusters using GitHub SSO and Trusted Clusters, when upgrading SSO users will lose connectivity to leaf clusters. Local users will not be affected.

To restore connectivity to leaf clusters for SSO users, leaf admins should update the trusted_cluster role mapping resource like below.

kind: trusted_cluster
version: v2
metadata:
   name: "zztop-oss"
spec:
   enabled: true
   token: "bar"
   web_proxy_addr: 172.10.1.1:3080
   tunnel_addr: 172.10.1.1:3024
   role_map:
   - remote: "admin"
     local: ['admin']
   - remote: "^(github-.*)$"
     local: ['admin']

5.1.0

This release of Teleport adds a new feature.

  • Support for creating and assuming Access Workflow requests from within the Web UI (first step toward full Workflow UI support: #4937).

5.0.2

This release of Teleport contains a security fix.

Any Enterprise SSO users using Okta, Active Directory, OneLogin or custom SAML connectors should upgrade their Auth Service to version 5.0.2 and restart Teleport. If you are unable to upgrade immediately, we suggest disabling SAML connectors for all clusters until the updates can be applied.

5.0.1

This release of Teleport contains multiple bug fixes.

  • Always set expiry times on server resource in heartbeats #5008
  • Fixes streaming k8s responses (kubectl logs -f, kubectl run -it, etc) #5009
  • Multiple fixes for the k8s forwarder #5038

5.0.0

Teleport 5.0 is a major release with new features, functionality, and bug fixes. Users can review 5.0 closed issues on Github for details of all items.

New Features

Teleport 5.0 introduces two distinct features: Teleport application access and significant Kubernetes access improvements - multi-cluster support.

Teleport application access

Teleport can now be used to provide secure access to web applications. This new feature was built with the express intention of securing internal apps which might have once lived on a VPN or had an authorization and authentication mechanism with little to no audit trail. application access works with everything from dashboards to single page Javascript applications (SPA).

Application access uses mutually authenticated reverse tunnels to establish a secure connection with the Teleport unified Access Platform which can then becomes the single ingress point for all traffic to an internal application.

Adding an application follows the same UX as adding SSH servers or Kubernetes clusters, starting with creating a static or dynamic invite token.

$ tctl tokens add --type=app

Then simply start Teleport with a few new flags.

$ teleport start --roles=app --token=xyz --auth-server=proxy.example.com:3080 \
    --app-name="example-app" \
    --app-uri="http://localhost:8080"

This command will start an app server that proxies the application "example-app" running at http://localhost:8080 at the public address https://example-app.example.com.

Applications can also be configured using the new app_service section in teleport.yaml.

app_service:
   # Teleport application access is enabled.
   enabled: yes
   # We've added a default sample app that will check
   # that Teleport application access is working
   # and output JWT tokens.
   # https://dumper.teleport.example.com:3080/
   debug_app: true
   apps:
   # application access can be used to proxy any HTTP endpoint.
   # Note: Name can't include any spaces and should be DNS-compatible A-Za-z0-9-._
   - name: "internal-dashboard"
     uri: "http://10.0.1.27:8000"
     # By default Teleport will make this application
     # available on a sub-domain of your Teleport proxy's hostname
     # internal-dashboard.teleport.example.com
     # - thus the importance of setting up wildcard DNS.
     # If you want, it's possible to set up a custom public url.
     # DNS records should point to the proxy server.
     # internal-dashboard.teleport.example.com
     # Example Public URL for the internal-dashboard app.
     # public_addr: "internal-dashboard.acme.com"
     # Optional labels
     # Labels can be combined with RBAC rules to provide access.
     labels:
       customer: "acme"
       env: "production"
     # Optional dynamic labels
     commands:
     - name: "os"
       command: ["/usr/bin/uname"]
       period: "5s"
     # A proxy can support multiple applications. application access
     # can also be deployed with a Teleport node.
     - name: "arris"
       uri: "http://localhost:3001"
       public_addr: "arris.example.com"

Application access requires two additional changes. DNS must be updated to point the application domain to the proxy and the proxy must be loaded with a TLS certificate for the domain. Wildcard DNS and TLS certificates can be used to simplify deployment.

# When adding the app_service certificates are required to provide a TLS
# connection. The certificates are managed by the proxy_service
proxy_service:
  # We've extended support for https certs. Teleport can now load multiple
  # TLS certificates. In the below example we've obtained a wildcard cert
  # that'll be used for proxying the applications.
  # The correct certificate is selected based on the hostname in the HTTPS
  # request using SNI.
  https_keypairs:
  - key_file: /etc/letsencrypt/live/teleport.example.com/privkey.pem
    cert_file: /etc/letsencrypt/live/teleport.example.com/fullchain.pem
  - key_file: /etc/letsencrypt/live/*.teleport.example.com/privkey.pem
    cert_file: /etc/letsencrypt/live/*.teleport.example.com/fullchain.pem

You can learn more in Introduction to Enrolling Applications.

Teleport Kubernetes access

Teleport 5.0 also introduces two highly requested features for Kubernetes.

  • The ability to connect multiple Kubernetes Clusters to the Teleport Access Platform, greatly reducing operational complexity.
  • Complete Kubernetes audit log capture #4526, going beyond the existing kubectl exec capture.

For a full overview please review the Kubernetes RFD.

To support these changes, we've introduced a new service. This moves Teleport Kubernetes configuration from the proxy_service into its own dedicated kubernetes_service section.

When adding the new Kubernetes service, a new type of join token is required.

tctl tokens add --type=kube

Example configuration for the new kubernetes_service:

# ...
kubernetes_service:
   enabled: yes
   listen_addr: 0.0.0.0:3027
   kubeconfig_file: /secrets/kubeconfig

Note: a Kubernetes port still needs to be configured in the proxy_service via kube_listen_addr.

New "tsh kube" commands

tsh kube commands are used to query registered clusters and switch kubeconfig context:

$ tsh login --proxy=proxy.example.com --user=awly

# list all registered clusters
$ tsh kube ls
Cluster Name       Status
-------------      ------
a.k8s.example.com  online
b.k8s.example.com  online
c.k8s.example.com  online

# on login, kubeconfig is pointed at the first cluster (alphabetically)
$ kubectl config current-context
proxy.example.com-a.k8s.example.com

# but all clusters are populated as contexts
$ kubectl config get-contexts
CURRENT   NAME                     CLUSTER             AUTHINFO
*         proxy.example.com-a.k8s.example.com   proxy.example.com   proxy.example.com-a.k8s.example.com
          proxy.example.com-b.k8s.example.com   proxy.example.com   proxy.example.com-b.k8s.example.com
          proxy.example.com-c.k8s.example.com   proxy.example.com   proxy.example.com-c.k8s.example.com

# switch between different clusters:
$ tsh kube login c.k8s.example.com

# the traditional way is also supported:
$ kubectl config use-context proxy.example.com-c.k8s.example.com

# check current cluster
$ kubectl config current-context
proxy.example.com-c.k8s.example.com

Other Kubernetes changes:

  • Support k8s clusters behind firewall/NAT using a single Teleport cluster #3667
  • Support multiple k8s clusters with a single Teleport proxy instance #3952
Additional User and Token Resource

We've added two new RBAC resources; these provide the ability to limit token creation and to list and modify Teleport users:

- resources: [user]
  verbs: [list,create,read,update,delete]
- resources: [token]
  verbs: [list,create,read,update,delete]

Learn more about Teleport's RBAC Resources

Cluster Labels

Teleport 5.0 also adds the ability to set labels on Trusted Clusters. The labels are set when creating a trusted cluster invite token. This lets teams use the same RBAC controls used on nodes to approve or deny access to clusters. This can be especially useful for MSPs that connect hundreds of customers' clusters - when combined with access workflows, cluster access can be delegated. Learn more by reviewing our Truster Cluster Setup & RBAC Docs

Creating a trusted cluster join token for a production environment:

$ tctl tokens add --type=trusted_cluster --labels=env=prod
kind: role
#...
  deny:
    # cluster labels control what clusters user can connect to. The wildcard ('*')
    # means any cluster. By default, deny rules are empty to preserve backwards
    # compatibility
    cluster_labels:
      'env': 'prod'
Teleport UI Updates

Teleport 5.0 also iterates on the UI Refresh from 4.3. We've moved the cluster list into our sidebar and have added an Application launcher. For customers moving from 4.4 to 5.0, you'll notice that we have moved session recordings back to their own dedicated section.

Other updates:

  • We now provide local user management via https://[cluster-url]/web/users, providing the ability to edit, reset and delete local users.
  • Teleport Node & App Install scripts. This is currently an Enterprise-only feature that provides customers with an 'auto-magic' installer script. Enterprise customers can enable this feature by modifying the 'token' resource. See note above.
  • We've added a Waiting Room for customers using Access Workflows. Docs
Signed RPM and Releases

Starting with Teleport 5.0, we now provide an RPM repo for stable releases of Teleport. We've also started signing our RPMs to provide assurance that you're always using an official build of Teleport.

See https://rpm.releases.teleport.dev/ for more details.

Improvements

  • Added --format=json playback option for tsh play. For example tsh play --format=json ~/play/0c0b81ed-91a9-4a2a-8d7c-7495891a6ca0.tar | jq '.event can be used to show all events within an a local archive. #4578
  • Added support for continuous backups and auto scaling for DynamoDB. #4780
  • Added a Linux ARM64/ARMv8 (64-bit) Release. #3383
  • Added https_keypairs field which replaces https_key_file and https_cert_file. This allows administrators to load multiple HTTPS certs for Teleport application access. Teleport 5.0 is backwards compatible with the old format, but we recommend updating your configuration to use https_keypairs.

Enterprise Only:

  • tctl can load credentials from ~/.tsh #4678
  • Teams can require a user submitted reason when using Access Workflows #4573

Fixes

  • Updated tctl to always format resources as lists in JSON/YAML. #4281
  • Updated tsh status to now print Kubernetes status. #4348
  • Fixed intermittent issues with loginuid.so. #3245
  • Reduced access denied to Proxy log spam. #2920
  • Various AMI fixes: paths are now consistent with other Teleport packages and configuration files will not be overwritten on reboot.

Documentation

We've added an API Guide to simply developing applications against Teleport.

Upgrade Notes

Please follow our standard upgrade procedure.

  • Optional: Consider updating https_key_file & https_cert_file to our new https_keypairs: format.
  • Optional: Consider migrating Kubernetes access from proxy_service to kubernetes_service after the upgrade.

4.4.6

This release of teleport contains a security fix and a bug fix.

Any Enterprise SSO users using Okta, Active Directory, OneLogin or custom SAML connectors should upgrade their Auth Service to version 4.4.6 and restart Teleport. If you are unable to upgrade immediately, we suggest disabling SAML connectors for all clusters until the updates can be applied.

  • Fix an issue where tsh login would fail with an AccessDenied error if the user was perviously logged into a leaf cluster. #5105

4.4.5

This release of Teleport contains a bug fix.

  • Fixed an issue where a slow or unresponsive Teleport Auth Service instance could hang client connections in async recording mode. #4696

4.4.4

This release of Teleport adds enhancements to the Access Workflows API.

  • Support for creating limited roles that trigger Access Requests on login, allowing users to be configured such that no nodes can be accessed without externally granted roles.

  • Teleport UI support for automatically generating Access Requests and assuming new roles upon approval (Access Requests were previously only available in tsh).

  • New claims_to_roles mapping that can use claims from external identity providers to determine which roles a user can request.

  • Various minor API improvements to help make requests easier to manage and audit, including support for human-readable request/approve/deny reasons and structured annotations.

4.4.2

This release of Teleport adds support for a new build architecture.

  • Added automatic arm64 builds of Teleport to the download portal.

4.4.1

This release of Teleport contains a bug fix.

  • Fixed an issue where defining multiple logging configurations would cause Teleport to crash. #4598

4.4.0

This is a major Teleport release with a focus on new features, functionality, and bug fixes. It’s a substantial release and users can review 4.4 closed issues on Github for details of all items.

New Features

Concurrent Session Control

This addition to Teleport helps customers obtain AC-10 control. We now provide two new optional configuration values: max_connections and max_sessions.

max_connections

This value is the total number of concurrent sessions within a cluster to nodes running Teleport. This value is applied at a per user level. If you set max_connections to 1, a tsh user would only be able to tsh ssh into one node at a time.

max_sessions per connection

This value limits the total number of session channels which can be established across a single SSH connection (typically used for interactive terminals or remote exec operations). This is for cases where nodes have Teleport set up, but a user is using OpenSSH to connect to them. It is essentially equivalent to the MaxSessions configuration value accepted by sshd.

spec:
  options:
    # Optional: Required to be set for AC-10 Compliance
    max_connections: 2
    # Optional: To match OpenSSH behavior set to 10
    max_sessions: 10
session_control_timeout

A new session_control_timeout configuration value has been added to the auth_service configuration block of the Teleport config file. It's unlikely that you'll need to modify this.

auth_service:
  session_control_timeout: 2m # default
# ...

Session Streaming Improvements

Teleport 4.4 includes a complete refactoring of our event system. This resolved a few customer bug reports such as #3800: Events overwritten in DynamoDB and #3182: Teleport consuming all disk space with multipart uploads.

Along with foundational improvements, 4.4 includes two new experimental session_recording options: node-sync and proxy-sync. NOTE: These experimental modes require all Teleport Auth Service instances, Proxy Service instances, and nodes to be running Teleport 4.4.

# This section configures the Auth Service:
auth_service:
    # Optional setting for configuring session recording. Possible values are:
    #     "node"  : sessions will be recorded on the node level (the default)
    #     "proxy" : recording on the proxy level, see "recording proxy mode" section.
    #     "off"   : session recording is turned off
    #
    #     EXPERIMENTAL *-sync modes: proxy and node send logs directly to S3 or other
    #     storage without storing the records on disk at all. This mode will kill a
    #     connection if network connectivity is lost.
    #     NOTE: These experimental modes require all Teleport Auth Service instances, 
    #     Proxy Service instances, and nodes to be running Teleport 4.4.
    #
    #     "node-sync" : sessions recording will be streamed from node -> auth -> storage
    #     "proxy-sync : sessions recording will be streamed from proxy -> auth -> storage
    #
    session_recording: "node-sync"

Improvements

  • Added session streaming. #4045
  • Added concurrent session control. #4138
  • Added ability to specify leaf cluster when generating kubeconfig via tctl auth sign. #4446
  • Added output options (like JSON) for tsh ls. #4390
  • Added node ID to heartbeat debug log #4291
  • Added the option to trigger pam_authenticate on login #3966

Fixes

  • Fixed issue that caused some idle kubectl exec sessions to terminate. #4377
  • Fixed symlink issued when using tsh on Windows. #4347
  • Fixed tctl top so it runs without the debug flag and on dark terminals. #4282 #4231
  • Fixed issue that caused DynamoDB not to respect HTTP CONNECT proxies. #4271
  • Fixed /readyz endpoint to recover much quicker. #4223

Documentation

  • Updated Google Workspace documentation to add clarification on supported account types. #4394
  • Updated IoT instructions on necessary ports. #4398
  • Updated Trusted Cluster documentation on how to remove trust from root and leaf clusters. #4358
  • Updated the PAM documentation with PAM authentication usage information. #4352

Upgrade Notes

Please follow our standard upgrade procedure.

4.3.9

This release of Teleport contains a security fix.

Any Enterprise SSO users using Okta, Active Directory, OneLogin or custom SAML connectors should upgrade their Auth Service to version 4.3.9 and restart Teleport. If you are unable to upgrade immediately, we suggest disabling SAML connectors for all clusters until the updates can be applied.

4.3.8

This release of Teleport adds support for a new build architecture.

  • Added automatic arm64 builds of Teleport to the download portal.

4.3.7

This release of Teleport contains a security fix and a bug fix.

  • Mitigated CVE-2020-15216 by updating github.com/russellhaering/goxmldsig.

Details

A vulnerability was discovered in the github.com/russellhaering/goxmldsig library which is used by Teleport to validate the signatures of XML files used to configure SAML 2.0 connectors. With a carefully crafted XML file, an attacker can completely bypass XML signature validation and pass off an altered file as a signed one.

Actions

The goxmldsig library has been updated upstream and Teleport 4.3.7 includes the fix. Any Enterprise SSO users using Okta, Active Directory, OneLogin or custom SAML connectors should upgrade their Auth Service to version 4.3.7 and restart Teleport.

If you are unable to upgrade immediately, we suggest deleting SAML connectors for all clusters until the updates can be applied.

  • Fixed an issue where DynamoDB connections made by Teleport would not respect the HTTP_PROXY or HTTPS_PROXY environment variables. #4271

4.3.6

This release of Teleport contains multiple bug fixes.

  • Fixed an issue with prefix migration that could lead to loss of cluster state. #4299 #4345
  • Fixed an issue that caused excessively slow loading of the UI on large clusters. #4326
  • Updated /readyz endpoint to recover faster after node goes into degraded state. #4223
  • Added node UUID to debug logs to allow correlation between TCP connections and nodes. #4291

4.3.5

This release of Teleport contains a bug fix.

  • Fixed issue that caused Teleport Docker images to be built incorrectly. #4201

4.3.4

This release of Teleport contains multiple bug fixes.

  • Fixed issue that caused intermittent login failures when using PAM modules like pam_loginuid.so and pam_selinux.so. #4133
  • Fixed issue that required users to manually verify a certificate when exporting an identity file. #4003
  • Fixed issue that prevented local user creation using Firestore. #4160
  • Fixed issue that could cause tsh to panic when using a PEM file. #4189

4.3.2

This release of Teleport contains multiple bug fixes.

  • Reverted base OS in container images to Ubuntu. #4054
  • Fixed an issue that prevented changing the path for the Audit Log. #3771
  • Fixed an issue that allowed servers with invalid labels to be added to the cluster. #4034
  • Fixed an issue that caused Cloud Firestore to panic on startup. #4041
  • Fixed an error that would cause Teleport to fail to load with the error "list of proxies empty". #4005
  • Fixed an issue that would prevent playback of Kubernetes session #4055
  • Fixed regressions in the UI. #4013 #4012 #4035 #4051 #4044

4.3.0

This is a major Teleport release with a focus on new features, functionality, and bug fixes. It’s a substantial release and users can review 4.3 closed issues on Github for details of all items.

New Features

Web UI

Teleport 4.3 includes a completely redesigned Web UI. The new Web UI expands the management functionality of a Teleport cluster and the user experience of using Teleport. Teleport's new terminal provides a jumping-off point to access nodes and nodes on other clusters via the web.

Teleport's Web UI now exposes Teleport’s Audit log, letting auditors and administrators view Teleport access events, SSH events, recording session, and enhanced session recording all in one view.

Teleport Plugins

Teleport 4.3 introduces four new plugins that work out of the box with Approval Workflow. These plugins allow you to automatically support role escalation with commonly used third party services. The built-in plugins are listed below.

Improvements

  • Added the ability for local users to reset their own passwords. #2387
  • Added user impersonation (kube_users) support to Kubernetes Proxy. #3369
  • Added support for third party S3-compatible storage for sessions. #3057
  • Added support for GCP backend data stores. #3766 #3014
  • Added support for X11 forwarding to OpenSSH servers. #3401
  • Added support for auth plugins in proxy kubeconfig. #3655
  • Added support for OpenSSH-like escape sequence. #3752
  • Added --browser flag to tsh. #3737
  • Updated teleport configure output to be more useful out of the box. #3429
  • Updated ability to only show SSO on the login page. #2789
  • Updated help and support section in Web UI. #3531
  • Updated default SSH signing algorithm to SHA-512 for new clusters. #3777
  • Standardized audit event fields.

Fixes

  • Fixed removing existing user definitions in kubeconfig. #3209
  • Fixed an issue where port forwarding could fail in certain circumstances. #3749
  • Fixed temporary role grants issue when forwarding Kubernetes requests. #3624
  • Fixed an issue that prevented copy/paste in the web termination. #92
  • Fixed an issue where the proxy did not test Kubernetes permissions at startup. #3812
  • Fixed tsh and gpg-agent integration. #3169
  • Fixed Vulnerabilities in Teleport Docker Image https://quay.io/repository/gravitational/teleport?tab=tags

Upgrade Notes

Always follow the recommended upgrade procedure to upgrade to this version.

New Signing Algorithm

If you’re upgrading an existing version of Teleport, you may want to consider rotating CA to SHA-256 or SHA-512 for RSA SSH certificate signatures. The previous default was SHA-1, which is now considered to be weak against brute-force attacks. SHA-1 certificate signatures are also no longer accepted by OpenSSH versions 8.2 and above. All new Teleport clusters will default to SHA-512 based signatures. To upgrade an existing cluster, set the following in your teleport.yaml:

teleport:
    ca_signature_algo: "rsa-sha2-512"

Rotate the cluster CA, following these docs.

Web UI

Due to the number of changes included in the redesigned Web UI, some URLs and functionality have shifted. Refer to the following ticket for more details. #3580

RBAC for Audit Log and Recorded Sessions

Teleport 4.3 has made the audit log accessible via the Web UI. Enterprise customers can limit access by changing the options on the new event resource.

# list and read audit log, including audit events and recorded sessions
- resources: [event]
  verbs: [list, read]
Kubernetes Permissions

The minimum set of Kubernetes permissions that need to be granted to Teleport proxies has been updated. If you use the Kubernetes integration, please make sure that the ClusterRole used by the proxy has sufficient permissions.

Path prefix for etcd

The etcd backend now correctly uses the “prefix” config value when storing data. Upgrading from 4.2 to 4.3 will migrate the data as needed at startup. Make sure you follow our Teleport upgrade guidance.

Note: If you use an etcd backend with a non-default prefix and need to downgrade from 4.3 to 4.2, you should backup Teleport data and restore it into the downgraded cluster.

4.2.12

This release of Teleport contains a security fix.

  • Mitigated CVE-2020-15216 by updating github.com/russellhaering/goxmldsig.

Details

A vulnerability was discovered in the github.com/russellhaering/goxmldsig library which is used by Teleport to validate the signatures of XML files used to configure SAML 2.0 connectors. With a carefully crafted XML file, an attacker can completely bypass XML signature validation and pass off an altered file as a signed one.

Actions

The goxmldsig library has been updated upstream and Teleport 4.2.12 includes the fix. Any Enterprise SSO users using Okta, Active Directory, OneLogin or custom SAML connectors should upgrade their Auth Service to version 4.2.12 and restart Teleport.

If you are unable to upgrade immediately, we suggest deleting SAML connectors for all clusters until the updates can be applied.

4.2.11

This release of Teleport contains multiple bug fixes.

  • Fixed an issue that prevented upload of session archives to NFS volumes. #3780
  • Fixed an issue with port forwarding that prevented TCP connections from being closed correctly. #3801
  • Fixed an issue in tsh that would cause connections to the Auth Service to fail on large clusters. #3872
  • Fixed an issue that prevented the use of Write-Only roles with S3 and GCS. #3810

4.2.10

This release of Teleport contains multiple bug fixes.

  • Fixed an issue that caused Teleport environment variables not to be available in PAM modules. #3725
  • Fixed an issue with tsh login <clusterName> not working correctly with Kubernetes clusters. #3693

4.2.9

This release of Teleport contains multiple bug fixes.

  • Fixed an issue where double tsh login would be required to login to a leaf cluster. #3639
  • Fixed an issue that was preventing connection reuse. #3613
  • Fixed an issue that could cause tsh ls to return stale results. #3536

4.2.8

This release of Teleport contains multiple bug fixes.

  • Fixed issue where ^C would not terminate tsh. #3456
  • Fixed an issue where enhanced session recording could cause Teleport to panic. #3506

4.2.7

As part of a routine security audit of Teleport, a security vulnerability was discovered that affects all recent releases of Teleport. We strongly suggest upgrading to the latest patched release to mitigate this vulnerability.

Details

Due to a flaw in how the Teleport Web UI handled host certificate validation, host certificate validation was disabled for clusters where connections were terminated at the node. This means that an attacker could impersonate a Teleport node without detection when connecting through the Web UI.

Clusters where sessions were terminated at the proxy (recording proxy mode) are not affected.

Command line programs like tsh (or ssh) are not affected by this vulnerability.

Actions

To mitigate this issue, upgrade and restart all Teleport proxy processes.

4.2.6

This release of Teleport contains a bug fix.

  • Fixed a regression in reissuing certificate that could cause nodes to not start. #3449

4.2.5

This release of Teleport contains multiple bug fixes.

  • Added support for custom OIDC prompts. #3409
  • Added support for kubernetes_users in roles. #3409
  • Added support for extended variable interpolation. #3409
  • Added SameSite attribute to CSRF cookie. #3441

4.2.4

This release of Teleport contains bug fixes.

  • Fixed issue where Teleport could connect to the wrong node and added support to connect via UUID. #2396
  • Fixed issue where tsh login would fail to output identity when using the --out parameter. #3339

4.2.3

This release of Teleport contains bug and security fixes.

  • Mitigated CVE-2020-9283 by updating golang.org/x/crypto.
  • Fixed PAM integration to support user creation upon login. #3317 #3346
  • Improved Teleport performance on large IoT clusters. #3227
  • Added support for PluginData to Teleport plugins. #3286 #3298

4.2.2

This release of Teleport contains bug fixes and improvements.

  • Fixed a regression in role mapping between trusted clusters. #3252
  • Improved variety of issues with Enhanced Session Recording including support for more operating systems and install from packages. #3279

4.2.1

This release of Teleport contains bug fixes and minor usability improvements.

  • New build command for client-only (tsh) .pkg builds. #3159
  • Added support for etcd password auth. #3234
  • Added third-party s3 support. #3234
  • Fixed an issue where access-request event system fails when cache is enabled. #3223
  • Fixed cgroup resolution so enhanced session recording works on Debian based distributions. #3215

4.2.0

This is a minor Teleport release with a focus on new features and bug fixes.

Improvements

  • Alpha: Enhanced Session Recording lets you know what's really happening during a Teleport Session. #2948
  • Alpha: Workflows API lets admins escalate RBAC roles in response to user requests. Read the docs. #3006
  • Beta: Teleport provides HA Support using Firestore and Google Cloud Storage using Google Cloud Platform. Read the docs. #2821
  • Remote tctl execution is now possible. Read the docs. #1525 #2991

Fixes

  • Fixed issue in socks4 when rendering remote address #3110

Documentation

4.1.11

This release of Teleport contains a security fix.

  • Mitigated CVE-2020-15216 by updating github.com/russellhaering/goxmldsig.

Details

A vulnerability was discovered in the github.com/russellhaering/goxmldsig library which is used by Teleport to validate the signatures of XML files used to configure SAML 2.0 connectors. With a carefully crafted XML file, an attacker can completely bypass XML signature validation and pass off an altered file as a signed one.

Actions

The goxmldsig library has been updated upstream and Teleport 4.1.11 includes the fix. Any Enterprise SSO users using Okta, Active Directory, OneLogin or custom SAML connectors should upgrade their Auth Service to version 4.1.11 and restart Teleport.

If you are unable to upgrade immediately, we suggest deleting SAML connectors for all clusters until the updates can be applied.

4.1.10

As part of a routine security audit of Teleport, a security vulnerability was discovered that affects all recent releases of Teleport. We strongly suggest upgrading to the latest patched release to mitigate this vulnerability.

Details

Due to a flaw in how the Teleport Web UI handled host certificate validation, host certificate validation was disabled for clusters where connections were terminated at the node. This means that an attacker could impersonate a Teleport node without detection when connecting through the Web UI.

Clusters where sessions were terminated at the proxy (recording proxy mode) are not affected.

Command line programs like tsh (or ssh) are not affected by this vulnerability.

Actions

To mitigate this issue, upgrade and restart all Teleport proxy processes.

4.1.9

This release of Teleport contains a security fix.

4.1.8

This release of Teleport contains a bug fix.

  • Fixed a regression in role mapping between trusted clusters. #3252

4.1.7

This release of Teleport contains a bug fix.

  • Fixed issue where the port forwarding option in a role was ignored. #3208

4.1.6

This release of Teleport contains a bug fix.

  • Fixed an issue that caused Teleport not to start with certain OIDC claims. #3053

4.1.5

This release of Teleport adds support for an older version of Linux.

  • Added RHEL/CentOS 6.x builds to the build pipeline. #3175

4.1.4

This release of Teleport contains a bug fix.

  • Fixed GSuite integration by adding support for service accounts. #3122

4.1.3

This release of Teleport contains multiple bug fixes.

  • Removed TLS_RSA_WITH_AES_128_GCM_SHA{256,384} from default ciphersuites due to compatibility issues with HTTP2.
  • Fixed issues with local_auth for FIPS builds. #3100
  • Upgraded Go runtime to 1.13.2 to mitigate CVE-2019-16276 and CVE-2019-17596.

4.1.2

This release of Teleport contains improvements to the build code.

  • Added support for building Docker images using the FIPS-compliant version of Teleport. The first of these images is quay.io/gravitational/teleport-ent:4.1.2-fips
  • In future, these images will be automatically built for use by Teleport Enterprise customers.

4.1.1

This release of Teleport contains a bug fix.

  • Fixed an issue with multi-cluster EKS when the Teleport proxy runs outside EKS. #3070

4.1.0

This is a major Teleport release with a focus on stability and bug fixes.

Improvements

  • Support for IPv6. #2124
  • Kubernetes support does not require SNI. #2766
  • Support use of a path for auth_token in teleport.yaml. #2515
  • Implement ProxyJump compatibility. #2543
  • Audit logs should show roles. #2823
  • Allow tsh to go background and without executing remote command. #2297
  • Provide a high level tool to backup and restore the cluster state. #2480
  • Investigate nodes using stale list when connecting to proxies (discovery protocol). #2832

Fixes

  • Proxy can hang due to invalid OIDC connector. #2690
  • Proper -D flag parsing. #2663
  • tsh status does not show correct cluster name. #2671
  • Teleport truncates MOTD with PAM. #2477
  • Miscellaneous fixes around error handling and reporting.

4.0.16

As part of a routine security audit of Teleport, a security vulnerability was discovered that affects all recent releases of Teleport. We strongly suggest upgrading to the latest patched release to mitigate this vulnerability.

Details

Due to a flaw in how the Teleport Web UI handled host certificate validation, host certificate validation was disabled for clusters where connections were terminated at the node. This means that an attacker could impersonate a Teleport node without detection when connecting through the Web UI.

Clusters where sessions were terminated at the proxy (recording proxy mode) are not affected.

Command line programs like tsh (or ssh) are not affected by this vulnerability.

Actions

To mitigate this issue, upgrade and restart all Teleport proxy processes.

4.0.15

This release of Teleport contains a security fix.

4.0.14

This release of Teleport contains a bug fix.

  • Fixed a regression in role mapping between trusted clusters. #3252

4.1.13

This release of Teleport contains a bug fix.

  • Fixed issue where the port forwarding option in a role was ignored. #3208

4.0.12

This release of Teleport contains a bug fix.

  • Fixed an issue that caused Teleport not to start with certain OIDC claims. #3053

4.0.11

This release of Teleport adds support for an older version of Linux.

  • Added RHEL/CentOS 6.x builds to the build pipeline. #3175

4.0.10

This release of Teleport contains a bug fix.

  • Fixed a goroutine leak that occurred whenever a leaf cluster disconnected from the root cluster. #3037

4.0.9

This release of Teleport contains a bug fix.

  • Fixed issue where Web UI could not connect to older nodes within a cluster. #2993

4.0.8

This release of Teleport contains two bug fixes.

Description

  • Fixed issue where new versions of tsh could not connect to older clusters. #2969
  • Fixed trait encoding to be more robust. #2970

4.0.6

This release of Teleport contains a bug fix.

  • Fixed issue introduced in 4.0.5 that broke session recording when using the recording proxy. #2957

4.0.4

This release of Teleport contains a bug fix.

  • Fixed a memory leak in the cache module. #2892

4.0.3

  • Reduced keep-alive interval to improve interoperability with popular load balancers. #2845
  • Fixed issue where non-RSA certificates were rejected when not in FIPS mode. #2805

4.0.2

This release of Teleport contains multiple bug fixes.

  • Fixed an issue that caused active sessions not to be shown. #2801
  • Fixed further issues with host certificate principal generation. #2812
  • Fixed issue where fetching CA would sometimes return not found. #2805

4.0.1

This release of Teleport contains multiple bug fixes.

  • Fixed issue that caused processes to be spawned with an incorrect GID. #2791
  • Fixed host certificate principal generation to only include hosts or IP addresses. #2790
  • Fixed issue preventing tsh 4.0 from connection to 3.2 clusters. #2784

4.0.0

This is a major Teleport release which introduces support for Teleport Internet of Things (IoT). In addition to this new feature this release includes usability, performance, and bug fixes listed below.

New Features

Teleport for IoT

With Teleport 4.0, nodes gain the ability to use reverse tunnels to dial back to a Teleport cluster to bypass firewall restrictions. This allows connections even to nodes that a cluster does not have direct network access to. Customers that have been using Trusted Clusters to achieve this can now utilize a unified interface to access all nodes within their infrastructure.

FedRamp Compliance

With this release of Teleport, we have built out the foundation to help Teleport Enterprise customers build and meet the requirements in a FedRAMP System Security Plan (SSP). This includes a FIPS 140-2 friendly build of Teleport Enterprise as well as a variety of improvements to aid in complying with security controls even in FedRAMP High environments.

Improvements

Bug Fixes

  • Switched to xdg-open to open a browser window on Linux. #2536
  • Increased SSO callback timeout to 180 seconds. #2533
  • Set permissions on TTY similar to OpenSSH. #2508

The lists of improvements and bug fixes above mention only the significant changes, please take a look at the complete list on Github for more.

Upgrading

Teleport 4.0 is backwards compatible with Teleport 3.2 and later. Follow the recommended upgrade procedure to upgrade to this version.

Note that due to substantial changes between Teleport 3.2 and 4.0, we recommend creating a backup of the backend datastore (DynamoDB, etcd, or dir) before upgrading a cluster to Teleport 4.0 to allow downgrades.

Notes on compatibility

Teleport has always validated host certificates when a client connects to a server, however prior to Teleport 4.0, Teleport did not validate the host the user requests a connection to is in the list of principals on the certificate. To avoid issues during the upgrade, make sure the hosts you connect to have the appropriate address set in public_addr in teleport.yaml before upgrading.

3.2.15

This release of Teleport contains a bug fix.

  • Fixed a regression in role mapping between trusted clusters. #3252

3.2.14

This release of Teleport contains a bug fix and a feature.

  • Restore CreateWebSession method used by some integrations. #3076
  • Add Docker registry and Helm repository support to tsh login. #3045

3.2.13

This release of Teleport contains a bug fix.

Description

  • Fixed issue with TLS certificate not included in identity exported by tctl auth sign. #3001

3.2.12

This release of Teleport contains a bug fix.

  • Fixed issue where Web UI could not connect to older nodes within a cluster. #2993

3.2.11

This release of Teleport contains two bug fixes.

  • Fixed issue where new versions of tsh could not connect to older clusters. #2969
  • Fixed trait encoding to be more robust. #2970

3.2.9

This release of Teleport contains a bug fix.

  • Fixed issue introduced in 3.2.8 that broke session recording when using the recording proxy. #2957

3.2.4

This release of Teleport contains multiple bug fixes.

  • Read cluster name from TELEPORT_SITE environment variable in tsh. #2675
  • Multiple improvements around logging in and saving tsh profiles. #2657

3.2.2

This release of Teleport contains a bug fix.

Changes

  • Fixed issue with --bind-addr implementation. #2650

3.2.1

This release of Teleport contains a new feature.

Changes

  • Added --bind-addr to force tsh to bind to a specific port during SSO login. #2620

3.2

This version brings support for Amazon's managed Kubernetes offering (EKS).

Starting with this release, Teleport proxy uses the impersonation API instead of the CSR API.

3.1.14

This release of Teleport contains a bug fix.

  • Fixed issue where Web UI could not connect to older nodes within a cluster. #2993

3.1.13

This release of Teleport contains two bug fixes.

  • Fixed issue where new versions of tsh could not connect to older clusters. #2969
  • Fixed trait encoding to be more robust. #2970

3.1.11

This release of Teleport contains a bug fix.

  • Fixed issue introduced in 3.1.10 that broke session recording when using the recording proxy. #2957

3.1.8

This release of Teleport contains a bug fix.

Changes

  • Fixed issue where SSO users TTL was set incorrectly. #2564

3.1.7

This release of Teleport contains a bug fix.

Changes

  • Fixed issue where tctl users ls output contained duplicates. #2569 #2107

3.1.6

This release of Teleport contains bug fixes, security fixes, and user experience improvements.

Changes

  • Use xdg-open instead of sensible-browser to open links on Linux. #2454
  • Increased SSO callback timeout to 180 seconds. #2483
  • Improved Teleport error messages when it fails to start. #2525
  • Sort tsh ls output by node name. #2511
  • Support different regions for S3 (sessions) and DynamoDB (audit log). #2007
  • Fixed syslog output even when Teleport is in debug mode. #2550
  • Fixed audit log naming conventions. #2388
  • Fixed issue where ~/.tsh/profile was deleted upon logout. #2546
  • Fixed output of tctl get to be compatible with tctl create. #2479
  • Fixed issue where multiple file upload with scp did not work correctly. #2094
  • Correctly set permissions TTY. #2540
  • Mitigated scp issues when connected to malicious server #2539

3.1.5

Teleport 3.1.5 contains a bug fix and security fix.

Bug fixes

  • Fixed issue where certificate authorities were not fetched during every login. #2526
  • Upgraded Go to 1.11.5 to mitigate CVE-2019-6486: CPU denial of service in P-521 and P-384 elliptic curve implementation.

3.1.4

Teleport 3.1.4 contains one new feature and two bug fixes.

New Feature

  • Added support for GSuite as a SSO provider. #2455

Bug fixes

  • Fixed issue where Kubernetes groups were not being passed to remote clusters. #2484
  • Fixed issue where the client was pulling incorrect CA for trusted clusters. #2487

3.1.3

Teleport 3.1.3 contains two security fixes.

Bugfixes

  • Updated xterm.js to mitigate a RCE in xterm.js.
  • Mitigate potential timing attacks during bearer token authentication. #2482
  • Fixed x509: certificate signed by unknown authority error when connecting to DynamoDB within Gravitational publish Docker image. #2473

3.1.2

Teleport 3.1.2 contains a security fix. We strongly encourage anyone running Teleport 3.1.1 to upgrade.

Bugfixes

  • Due to the flaw in internal RBAC verification logic, a compromised node, trusted cluster or authenticated non-privileged user can craft special request to Teleport's internal Auth Service API to gain access to the private key material of the cluster's internal certificate authorities and elevate their privileges to gain full administrative access to the Teleport cluster. This vulnerability only affects authenticated clients, there is no known way to exploit this vulnerability outside the cluster for unauthenticated clients.

3.1.1

Teleport 3.1.1 contains a security fix. We strongly encourage anyone running Teleport 3.1.0 to upgrade.

  • Upgraded Go to 1.11.4 to mitigate CVE-2018-16875: CPU denial of service in chain validation Go. For customers using the RHEL5.x compatible release of Teleport, we've backported this fix to Go 1.9.7, before releasing RHEL 5.x compatible binaries.

3.1

This is a major Teleport release with a focus on backwards compatibility, stability, and bug fixes. Some of the improvements:

  • Added support for regular expressions in RBAC label keys and values. #2161
  • Added support for configurable server side keepalives. #2334
  • Added support for some -o to improve OpenSSH interoperability. #2330
  • Added i386 binaries as well as binaries built with older version of Go to support legacy systems. #2277
  • Added SOCKS5 support to tsh. #1693
  • Improved UX and security for nodes joining a cluster. #2294
  • Improved Kubernetes UX. #2291 #2258 #2304
  • Fixed bug that did not allow copy and paste of texts over 128 in the Web UI. #2313
  • Fixes issues with scp when using the Web UI. #2300

3.0.5

Teleport 3.0.5 contains a security fix.

Bug fixes

  • Upgraded Go to 1.11.5 to mitigate CVE-2019-6486: CPU denial of service in P-521 and P-384 elliptic curve implementation.

3.0.4

Teleport 3.0.4 contains two security fixes.

Bugfixes

  • Updated xterm.js to mitigate a RCE in xterm.js.
  • Mitigate potential timing attacks during bearer token authentication. #2482

3.0.3

Teleport 3.0.3 contains a security fix. We strongly encourage anyone running Teleport 3.0.2 to upgrade.

Bugfixes

  • Due to the flaw in internal RBAC verification logic, a compromised node, trusted cluster or authenticated non-privileged user can craft special request to Teleport's internal Auth Service API to gain access to the private key material of the cluster's internal certificate authorities and elevate their privileges to gain full administrative access to the Teleport cluster. This vulnerability only affects authenticated clients, there is no known way to exploit this vulnerability outside the cluster for unauthenticated clients.

3.0.2

Teleport 3.0.2 contains a security fix. We strongly encourage anyone running Teleport 3.0.1 to upgrade.

  • Upgraded Go to 1.11.4 to mitigate CVE-2018-16875: CPU denial of service in chain validation Go. For customers using the RHEL5.x compatible release of Teleport, we've backported this fix to Go 1.9.7, before releasing RHEL 5.x compatible binaries.

3.0.1

This release of Teleport contains the following bug fix:

  • Fix regression that marked ADFS claims as invalid. #2293

3.0

This is a major Teleport release which introduces support for Kubernetes clusters. In addition to this new feature this release includes several usability and performance improvements listed below.

Kubernetes Support

  • tsh login can retrieve and install certificates for both Kubernetes and SSH at the same time.
  • Full audit log support for kubectl commands, including recording of the sessions if kubectl exec command was interactive.
  • Unified (AKA "single pane of glass") RBAC for both SSH and Kubernetes permissions.

Improvements

  • Teleport administrators can now fine-tune the enabled ciphersuites #1999
  • Improved user experience linking trusted clusters together #1971
  • All Teleport components (proxy, auth and nodes) now support public_addr setting which allows them to be hosted behind NAT/Load Balancers. #1793
  • We have documented the previously undocumented monitoring endpoints #2103
  • The etcd back-end has been updated to implement 3.3+ protocol. See the upgrading notes below.
  • Listing nodes via tsh ls or the web UI no longer shows nodes that the currently logged in user has no access to. #1954
  • It is now possible to build tsh client on Windows. Note: only tsh login command is implemented. #1996.
  • -i flag to tsh login is now guarantees to be non-interactive. #2221

Bugfixes

  • Removed the bogus error message "access denied to perform action create on user" #2132
  • scp implementation in "recording proxy" mode did not work correctly. #2176
  • Removed the limit of 8 trusted clusters with SSO. #2192
  • tsh ls now works correctly when executed on a remote/trusted cluster #2204

The lists of improvements and bug fixes above mention only the significant changes, please take a look at the complete list on Github for more.

Upgrading to 3.0

Follow the recommended upgrade procedure to upgrade to this version.

WARNING: if you are using Teleport with the etcd back-end, make sure your etcd version is 3.3 or newer prior to upgrading to Teleport 3.0.

2.7.9

Teleport 2.7.9 contains a security fix.

Bug fixes

  • Upgraded Go to 1.11.5 to mitigate CVE-2019-6486: CPU denial of service in P-521 and P-384 elliptic curve implementation.

2.7.8

Teleport 2.7.8 contains two security fixes.

Bugfixes

  • Updated xterm.js to mitigate a RCE in xterm.js.
  • Mitigate potential timing attacks during bearer token authentication. #2482

2.7.7

Teleport 2.7.7 contains two security fixes. We strongly encourage anyone running Teleport 2.7.6 to upgrade.

Bugfixes

  • Due to the flaw in internal RBAC verification logic, a compromised node, trusted cluster or authenticated non-privileged user can craft special request to Teleport's internal Auth Service API to gain access to the private key material of the cluster's internal certificate authorities and elevate their privileges to gain full administrative access to the Teleport cluster. This vulnerability only affects authenticated clients, there is no known way to exploit this vulnerability outside the cluster for unauthenticated clients.
  • Upgraded Go to 1.11.4 to mitigate CVE-2018-16875: CPU denial of service in chain validation Go.

2.7.6

This release of Teleport contains the following bug fix:

  • Fix regression that marked ADFS claims as invalid. #2293

2.7.5

This release of Teleport contains the following bug fix:

  • Teleport Auth Service instances do not delete temporary files named /tmp/multipart- #2250

2.7.4

This release of Teleport focuses on bugfixes.

Bug Fixes

  • Fixed issues with client_idle_timeout. #2166
  • Added support for scalar and list values for node_labels in roles. #2136
  • Improved font support on Ubuntu.

2.7.3

This release of Teleport focuses on bugfixes.

Bug Fixes

  • Fixed issue that cause failed executing request: user agent missing missing error when upgrading from 2.6.

2.7.2

This release of Teleport focuses on bugfixes.

Bug Fixes

  • Fixed issue in Teleport 2.7.2 where rollback to Go 1.9.7 was not complete for linux-amd64 binaries.

2.7.1

This release of Teleport focuses on bugfixes.

Bug Fixes

  • Rollback to Go 1.9.7 for users with custom CA running into x509: certificate signed by unknown authority.

2.7.0

The primary goal of 2.7.0 release was to address the community feedback and improve the performance and flexibility when running Teleport clusters with large number of nodes.

New Features

  • The Web UI now includes scp (secure copy) functionality. This allows Windows users and other users of the Web UI to upload/download files into SSH nodes using a web browser.
  • Fine-grained control over forceful session termination has been added #1935. It is now possible to:
    • Forcefully disconnect idle clients (no client activity) after a specified timeout.
    • Forcefully disconnect clients when their certificates expire in the middle of an active SSH session.

Performance Improvements

  • Performance of SSH login commands have been improved on large clusters (thousands of nodes). #2061
  • DynamoDB storage back-end performance has been improved. #2021
  • Performance of session recording via a proxy has been improved #1966
  • Connections between trusted clusters are managed better #2023

Bug Fixes

As always, this release contains several bug fixes. The full list can be seen here. Here are some notable ones:

  • It is now possible to issue certificates with a long TTL via admin's auth sign tool. Previously they were limited to 30 hours for undocumented reason. 1745
  • Dynamic label values were shown as empty strings. 2056

Upgrading

Follow the recommended upgrade procedure to upgrade to this version.

2.6.9

This release of Teleport focuses on bugfixes.

Bug Fixes

  • Fixed issue in Teleport 2.6.8 where rollback to Go 1.9.7 was not complete for linux-amd64 binaries.

2.6.8

This release of Teleport focuses on bugfixes.

Bug Fixes

  • Rollback to Go 1.9.7 for users with custom CA running into x509: certificate signed by unknown authority.

2.6.7

This release of Teleport focuses on bugfixes.

Bug Fixes

  • Resolved dynamic label regression. #2056

2.6.5

This release of Teleport focuses on bugfixes.

Bug Fixes

  • Remote clusters no longer try to re-connect to proxies that have been permanently removed. #2023
  • Speed up login on systems with many users. #2021
  • Improve overall performance of the etcd backend. #2030
  • Role login validation now applies after variables have been substituted. #2022

2.6.3

This release of Teleport focuses on bugfixes.

Bug Fixes

  • Remote clusters no longer try to re-connect to proxies that have been permanently removed. #2023
  • Speed up login on systems with many users. #2021
  • Improve overall performance of the etcd backend. #2030
  • Role login validation now applies after variables have been substituted. #2022

2.6.2

This release of Teleport focuses on bugfixes.

Bug Fixes

  • Reduced go routine usage by the forwarding proxy. #1966
  • Teleport no longer sends full version in the SSH handshake. #970
  • Force flag works correctly for Trusted Clusters. #1871
  • Allow manual creation of Certificate Authorities. #2001
  • Include Teleport username in port forwarding events. #2004
  • Allow tctl auth sign to create user certificate with arbitrary TTL values. #1745
  • Upgrade to Go 1.10.3. #2008

2.6.1

This release of Teleport focuses on bugfixes.

Bug Fixes

  • Use ciphers, KEX, and MAC algorithms from Teleport configuration in reverse tunnel server. #1984
  • Update path sanitizer it allow @. #1985

2.6.0

This release of Teleport brings new features, significant performance and usability improvements as well usual bugfixes.

During this release cycle, the Teleport source code has been audited for security vulnerabilities by Cure53 and this release (2.6.0) contains patches for the discovered problems.

New Features

  • Support for DynamoDB for storing the audit log events. #1755
  • Support for Amazon S3 for storing the recorded SSH sessions. #1755
  • Support for rotating certificate authorities (CA rotation). [#1899] (https://github.com/gravitational/teleport/pull/1899)
  • Integration with Linux PAM (pluggable authentication modules) subsystem. #742 and #1766
  • The new CLI command tsh status shows users which Teleport clusters they are authenticated with. #1628

Additionally, Teleport 2.6.0 has been submitted to the AWS marketplace. Soon AWS users will be able to create properly configured, secure and highly available Teleport clusters with ease.

Configuration Changes

  • Role templates (depreciated in Teleport 2.3) were fully removed. We recommend migrating to role variables which are documented here

  • Resource names (like roles, connectors, trusted clusters) can no longer contain unicode or other special characters. Update the names of all user created resources to only include characters, hyphens, and dots.

  • advertise_ip has been deprecated and replaced with public_addr setting. See #1803 The existing configuration files will still work, but we advise Teleport administrators to update it to reflect the new format.

  • Teleport no longer uses boltdb back-end for storing cluster state by default. The new default is called dir and it uses JSON files stored in /var/lib/teleport/backend. This change applies to brand new Teleport installations, the existing clusters will continue to use boltdb.

  • The default set of enabled cryptographic primitives has been updated to reflect the latest state of SSH and TLS security. #1856.

Bug Fixes

The list of most visible bug fixes in this release:

  • tsh now properly handles Ctrl+C #1882
  • High CPU utilization on ARM platforms during daemon start-up. #1886
  • Terminal window size can get out of sync on AWS. #1874
  • Some CLI commands print errors twice. #1889
  • SSH session playback can be interrupted for long sessions. #1774
  • Processing HUP UNIX signal is unreliable when teleport daemon runs under systemd. #1844

You can see the full list of 2.6.0 changes here.

Upgrading

Follow the recommended upgrade procedure to upgrade to this version.

2.5.7

This release of Teleport focuses on bugfixes.

Bug Fixes

  • Allow creation of users from tctl create. #1949

2.5.6

This release of Teleport focuses on bugfixes.

Bug Fixes

  • Improvements to Teleport HUP signal handling for more reliable reload. #1844
  • Restore output format of tctl nodes add --format=json. #1846

2.5.5

This release of Teleport focuses on bugfixes.

Bug Fixes

  • Allow creation of multiple sessions per connection (fixes Ansible issues with the recording proxy). #1811

2.5.4

This release of Teleport focuses on bugfixes.

Bug Fixes

  • Only reset SIGINT handler if it has not been set to ignore. #1814
  • Improvement of user-visible errors. #1798 #1779

2.5.3

This release of Teleport focuses on bugfixes.

Bug Fixes

  • Fix logging, collect status of forked processes. #1785 #1776
  • Turn off proxy support when no-tls is used. #1800
  • Correct the signup URL. #1777
  • Fix GitHub team pagination issues. #1734
  • Increase global dial timeout to 30 seconds. #1760
  • Reuse existing singing key. #1713
  • Don't panic on channel failures. #1808

2.5.2

This release of Teleport includes bug fixes and regression fixes.

Bug Fixes

  • Run session migration in the background. #1784
  • Include node name in regenerated host certificates. #1786

2.5.1

This release of Teleport fixes a regression in Teleport binaries.

Bug Fixes

  • Binaries for macOS have been rebuilt to resolve "certificate signed by a unknown authority" issue.

2.5.0

This is a major release of Teleport. Its goal is to make cloud-native deployments easier. Numerous AWS users have contributed feedback to this release, which includes:

New Features

  • Auth servers in highly available (HA) configuration can share the same /var/lib/teleport data directory when it's hosted on NFS (or AWS EFS). #1351

  • There is now an AWS reference deployment in examples/aws directory. It uses Terraform and demonstrates how to deploy large Teleport clusters on AWS using best practices like auto-scaling groups, security groups, secrets management, load balancers, etc.

  • The Teleport daemon now implements built-in connection draining which allows zero-downtime upgrades. See documentation.

  • Dynamic join tokens for new nodes can now be explicitly set via tctl node add --token. This allows Teleport admins to use an external mechanism for generating cluster invitation tokens. #1615

  • Teleport now correctly manages certificates for accessing proxies behind a load balancer with the same domain name. The new configuration parameter public_addr must be used for this. #1174.

Improvements

  • Switching to a new TLS-based Auth Service API improves performance of large clusters. #1528

  • Session recordings are now compressed by default using gzip. This reduces storage requirements by up to 80% in our real-world tests. #1579

  • More user-friendly authentication errors in Teleport audit log helps Teleport admins troubleshoot configuration errors when integrating with SAML/OIDC providers. #1554, #1553, #1599

  • tsh client will now report if a server's API is no longer compatible.

Bug Fixes

  • tsh logout will now correctly log out from all active Teleport sessions. This is useful for users who're connected to multiple Teleport clusters at the same time. #1541

  • When parsing YAML, Teleport now supports -- list item separator to create multiple resources with a single tctl create command. #1663

  • Fixed a panic in the Web UI backend #1558

Behavior Changes

Certain components of Teleport behave differently in version 2.5. It is important to note that these changes are not breaking Teleport functionality. They improve Teleport behavior on large clusters deployed on highly dynamic cloud environments such as AWS. This includes:

  • Session list in the Web UI is now limited to 1,000 sessions.
  • The audit log and recorded session storage has been moved from /var/lib/teleport/log to /var/lib/teleport/log/<auth-server-id>. This is related to #1351 described above.
  • When connecting a trusted cluster users can no longer pick an arbitrary name for them. Their own (local) names will be used, i.e. the cluster_name setting now defines how the cluster is seen from the outside. #1543

2.4.7

This release of Teleport contains a bugfix.

Bug Fixes

  • Only reset SIGINT handler if it has not been set to ignore. #1814

2.4.6

This release of Teleport focuses on bugfixes.

Bug Fixes

  • Increase global dial timeout to 30 seconds. #1760
  • Don't panic on channel failures. #1808

2.4.5

This release of Teleport fixes a regression in Teleport binaries.

Bug Fixes

  • Binaries for macOS have been rebuilt to resolve "certificate signed by a unknown authority" issue.

2.4.4

This release of Teleport focuses on bugfixes.

Bug Fixes

  • Resolved tsh logout regression. #1541
  • Binaries for supported platforms all built with Go 1.9.2.

2.4.3

This release of Teleport focuses on bugfixes.

Bug Fixes

  • Resolved "access denied" regression in Trusted Clusters. #1733
  • Key written with wrong username to ~/.tsh. #1749
  • Resolved Trusted Clusters toggling regression. #1751

2.4.2

This release of Teleport focuses on bugfixes.

Bug Fixes

  • Wait for copy to complete before propagating exit-status. #1646
  • Don't discard initial bytes in HTTP CONNECT tunnel. #1659
  • Pass caching key generator to services and use cache in recording proxy. #1639
  • Only display "Change Password" in UI for local users. #1669
  • Update Signup URL. #1643
  • Improved Teleport version reporting. #1538
  • Fixed regressions in terminal size handling and Trusted Clusters introduced in 2.4.1. #1674 #1692

2.4.1

This release is focused on fixing a few regressions in Teleport as well as adding a new feature.

New Features

  • Exposed the --compat flag to Web UI users. #1542

Bug Fixes

  • Wrap lines correctly on initial login. #1087
  • Accept port numbers larger than 32767: #1576
  • Don't show the Join button when using the recording proxy. #1421
  • Don't double record sessions when using the recording proxy and Teleport nodes. #1582
  • Fixed regressions in tsh login and tsh logout. #1611 #1541

2.4.0

This release adds two major new features and a few improvements and bugfixes.

New Features

  • New Commercial Teleport Editions: "Pro" and "Business" allow users to purchase a Teleport subscription without signing contracts.
  • Teleport now supports SSH session recording even for nodes running OpenSSH #1327 This feature is called "recording proxy mode".
  • Users of open source edition of Teleport can now authenticate against Github #1445
  • The Web UI now supports persistent URLs to Teleport nodes which can be integrated into 3rd party web apps. #1511
  • Session recording can now be turned off #1430

Deprecated Features

  • Teleport client tsh no longer supports being an SSH agent. We recommend using build-in SSH agents for MacOS and Linux, like ssh-agent from openssh-client package.

Bug Fixes

There have been numerous small usability and performance improvements, but some notable fixed bugs are listed below:

  • Resource (file descriptor) leak #1433
  • Correct handling of the terminal type #1402
  • Crash on startup #1395

2.3.5

This release is focused on fixing a few regressions in configuration and UI/UX.

Improvements

  • Updated documentation to accurately reflect 2.3 changes
  • Web UI can use introspection so users can skip explicitly specifying SSH port #1410

Bug fixes

  • Fixed issue of MFA users getting prematurely locked out #1347
  • UI (regression) when invite link is expired, nothing is shown to the user #1400
  • OIDC regression with some providers #1371
  • Legacy configuration for trusted clusters regression: #1381
  • Dynamic tokens for adding nodes: "access denied" #1348

2.3.1

Bug fixes

  • Added CSRF protection to login endpoint. #1356
  • Proxy subsystem handling is more robust. #1336

2.3

This release focus was to increase Teleport user experience in the following areas:

  • Easier configuration via tctl resource commands.
  • Improved documentation, with expanded 'examples' directory.
  • Improved CLI interface.
  • Web UI improvements.

Improvements

  • Web UI: users can connect to OpenSSH servers using the Web UI.
  • Web UI now supports arbitrary SSH logins, in addition to role-defined ones, for better compatibility with OpenSSH.
  • CLI: trusted clusters can now be managed on the fly without having to edit Teleport configuration. #1137
  • CLI: tsh login supports exporting a user identity into a file to be used later with OpenSSH.
  • tsh agent command has been deprecated: users are expected to use native SSH Agents on their platforms.

Teleport Enterprise

  • More granular RBAC rules #1092
  • Role definitions now support templates. #1120
  • Authentication: Teleport now supports multiple OIDC/SAML endpoints.
  • Configuration: local authentication is always enabled as a fallback if a SAML/OIDC endpoints go offline.
  • Configuration: SAML/OIDC endpoints can be created on the fly using tctl and without having to edit configuration file or restart Teleport.
  • Web UI: it is now easier to turn a trusted cluster on/off #1199.

Bug Fixes

  • Proper handling of ENV_SUPATH from login.defs #1004
  • Reverse tunnels would periodically lose connectivity. #1156
  • tsh now stores user identities in a format compatible with OpenSSH. 1171.

2.2.7

Bug fixes

  • Updated YAML parsing library. #1226

2.2.6

Bug fixes

  • Fixed issue with SSH dial potentially hanging indefinitely. #1153

2.2.5

Bug fixes

  • Fixed issue where node did not have correct permissions. #1151

2.2.4

Bug fixes

  • Fixed issue with remote tunnel timeouts. #1140.

2.2.3

Bug fixes

  • Fixed issue with Trusted Clusters where a clusters could lose its signing keys. #1050.
  • Fixed SAML signing certificate export in Enterprise. #1109.

2.2.2

Bug fixes

  • Fixed an issue where in certain situations tctl ls would not work. #1102.

2.2.1

Improvements

  • Added --compat=oldssh to both tsh and tctl that can be used to request certificates in the legacy format (no roles in extensions). #1083

Bugfixes

  • Fixed multiple regressions when using SAML with dynamic roles. #1080

2.2.0

Features

  • HTTP CONNECT tunneling for Trusted Clusters. #860
  • Long lived certificates and identity export which can be used for automation. #1033
  • New terminal for Web UI. #933
  • Read user environment files. #1014
  • Improvements to Auth Service resiliency and availability. #1071
  • Server side configuration of support ciphers, key exchange (KEX) algorithms, and MAC algorithms. #1062
  • Renaming tsh to ssh or making a symlink tsh -> ssh removes the need to type tsh ssh, making it compatible with familiar ssh user@host. #929

Enterprise Features

  • SAML 2.0. #1070
  • Role mapping for Trusted Clusters. #983
  • ACR parsing for OIDC identity providers. #901

Improvements

  • Improvements to OpenSSH interoperability.
    • Certificate export format changes to match OpenSSH. #1068
    • CA export format changes to match OpenSSH. #918
    • Improvements to scp implementation to fix incompatibility issues. #1048
    • OpenSSH keep alive messages are now processed correctly. #963
  • tsh profile is now always read. #1047
  • Correct signal handling when Teleport is launched using sysvinit. #981
  • Role templates now automatically fill out default values when omitted. #912

2.0.6

Bugfixes

  • Fixed regression in TLP-01-009.

2.0.5

Teleport 2.0.5 contains a variety of security fixes. We strongly encourage anyone running Teleport 2.0.0 and above to upgrade to 2.0.5.

The most pressing issues (a phishing attack which can potentially be used to extract plaintext credentials and an attack where an already authenticated user can escalate privileges) can be resolved by upgrading the web proxy. However, however all nodes need to be upgraded to mitigate all vulnerabilities.

Bugfixes

  • Patch for TLP-01-001 and TLP-01-003: Check redirect.
  • Patch for TLP-01-004: Always check is namespace is valid.
  • Patch for TLP-01-005: Check user principal when joining session.
  • Patch for TLP-01-006 and TLP-01-007: Validate Session ID.
  • Patch for TLP-01-008: Use a fake hash for password authentication if user does not exist.
  • Patch for TLP-01-009: Command injection in scp.

2.0.4

Bugfixes

  • Roles created in the Web UI now have node resource. #949

2.0.3

Bugfixes

  • Execute commands using user's shell. #943
  • Allow users to read their own roles. #941
  • Fix User CA import. #919
  • Role template defaults. #916
  • Skip UserInfo if not provided. #915

2.0.2

Bugfixes

  • Agent socket had wrong permissions. #936

2.0.1

Features

  • Introduced Dynamic Roles. #897

Improvements

  • Improved OpenSSH interoperability. #902, #911
  • Enhanced OIDC Functionality. #882

Bugfixes

2.0

This is a major new release of Teleport.

Features

  • Native support for DynamoDB back-end for storing cluster state.
  • It is now possible to turn off 2nd factor authentication.
  • 2nd factor now uses TOTP. #522
  • New framework for implementing secret storage plug-ins.
  • Audit log format has been finalized and documented.
  • Experimental file-based secret storage back-end.
  • SSH agent forwarding.

Improvements

  • Friendlier CLI error messages.
  • tsh login is now compatible with SSH agents.

Enterprise Features

  • Role-based access control (RBAC)
  • Dynamic configuration: ability to manage roles and trusted clusters at runtime.

Full list of Github issues: https://github.com/gravitational/teleport/milestone/8

1.3.2

v1.3.2 is a maintenance release which fixes a Web UI issue when in some cases static web assets like custom fonts would not load properly.

Bugfixes

  • Issue #687 - broken web assets on some browsers.

1.3.1

v1.3.1 is a maintenance release which fixes a few issues found in 1.3

Bugfixes

  • Teleport session recorder can skip characters.
  • U2F was enabled by default in "demo mode" if teleport.yaml file was missing.

Improvements

  • U2F documentation has been improved

1.3

This release includes several major new features and it's recommended for production use.

Features

  • Support for hardware U2F keys for 2nd factor authentication.
  • CLI client profiles: tsh can now remember its --proxy setting.
  • tctl auth sign command to allow administrators to generate user session keys
  • Web UI is now served directly from the executable. There is no more need for web assets in /usr/local/share/teleport

Bugfixes

  • Multiple Auth Service instances in config doesn't work if the last on is not reachable. #593
  • tsh scp -r does not handle directory upload properly #606

1.2

This is a maintenance release and it's a drop-in replacement for previous versions.

Changes

  • Usability bugfixes as can be seen here
  • Updated documentation
  • Added examples directory with sample configuration and systemd unit file.

1.1.0

This is a maintenance release meant to be a drop-in upgrade of previous versions.

Changes

  • User experience improvements: nicer error messages
  • Better compatibility with ssh command: -t flag can be used to force allocation of TTY

1.0.5

This release was recommended for production with one reservation: time-limited certificates did not work correctly in this release due to #529

  • Improvements in performance and usability of the Web UI
  • Smaller binary sizes thanks to Golang v1.7

Bugfixes

  • Wrong url to register new users. #497
  • Logged in users inherit Teleport supplemental groups bug security. #507
  • Joining a session running on a trusted cluster does not work. #504

1.0.4

This release only includes the addition of the ability to specify non-standard HTTPS port for Teleport proxy for tsh --proxy flag.

1.0.3

This release only includes one major bugfix #486 plus minor changes not exposed to Teleport Community Edition users.

Bugfixes

  • Guessing advertise_ip chooses IPv6 address space. #486

1.0

The first official release of Teleport!