The easiest, and most secure way to access and protect all of your infrastructure.
AGPL-3.0 License
tsh ssh performance for concurrent execs. #45162
1.22.6. #45194
Download the current and previous releases of Teleport at https://goteleport.com/download.
Download the current release of Teleport plugins from the links below.
Published by camscale 2 months ago
tsh aws may display extra text in addition to the original command output. #45168
metadata.expires field. #45130
TERM_PROGRAM: Teleport_Connect and TERM_PROGRAM_VERSION: <app_version> environment variables in the integrated terminal. #45063
tbot startup when the requested certificate TTL exceeds the maximum allowed value. #44989
Enterprise:
Published by r0mant 3 months ago
kubernetes-secret schema. #44801
SIGUSR1. #44758
tctl get saml/<connector-name> | tctl create -f without the --with-secrets flag. #44666
tbot when unable to lookup the user from a given UID in containerized environments for checking ACL configuration. #44645
tsh puttyconfig is invoked without --port. #44572
teleport.icon in the web UI. #44566
application-tunnel service to Machine ID for establishing a long-lived tunnel to a HTTP or TCP application for Machine to Machine access. #44443
pg_temp schema. #44409
teleport.yaml config. #44379
build directory, which was accidentally added upon v16.0.0 release. #44300
--skip-idle-time flag to tsh play. #44013
Published by camscale 3 months ago
SIGUSR1. #44759
Published by camscale 3 months ago
tbot when unable to lookup the user from a given UID in containerized environments for checking ACL configuration. #44646
tsh puttyconfig is invoked without --port. #44573
teleport.icon in the web UI. #44568
teleport.yaml config. #44378
build directory, which was accidentally added upon v15.4.5 release. #44301
kube-agent-updater bug affecting resolutions of private images. #44192
teleport-cluster chart can now use existing ingresses instead of creating its own. #44147
tsh login outputs accurate status information for the new session. #44144
tctl. #44134
--skip-idle-time flag to tsh play. #44095
tbot install systemd command for installing tbot as a service on Linux systems. #44082
tctl cli tool. #44072
tbot compilable on Windows. #44070
Enterprise:
Published by camscale 3 months ago
We're excited to announce an update to the Teleport logo. This refresh aligns
with our evolving brand and will be reflected across the product, our marketing
site (goteleport.com), branded content, swag, and more.
The new logo will appear in the web UI starting with this release and on the
marketing website starting from July 17th, 2024.
Database Access users will be able to watch PostgreSQL query replays in the web
UI or with tsh.
tsh vnet or Teleport Connect. #44225
kube-agent-updater bug affecting resolutions of private images. #44191
show_resources option is no longer required for statically configured proxy ui settings. #44181
teleport-cluster chart can now use existing ingresses instead of creating its own. #44146
tsh login outputs accurate status information for the new session. #44143
tctl. #44133
tbot install systemd command for installing tbot as a service on Linux systems. #44083
tctl. #44071
v1.64.1 (patches GO-2024-2978). #44067
/etc/default/teleport as regular Teleport package installations do. #43962
tbot compilable on Windows. #43959
extraLabels configured in teleport-kube-agent chart values are now correctly propagated to post-delete hooks. A new extraLabels.job object has been added for labels which should only apply to the post-delete job. #43932
TELEPORT_REPORTING_HTTP(S)_PROXY environment variable to specify the URL of the HTTP(S) proxy used for connections to our usage reporting ingest service. #4568
Published by camscale 3 months ago
/etc/default/teleport as regular Teleport package installations do. #43961
extraLabels configured in teleport-kube-agent chart values to post-delete hooks. A new extraLabels.job object has been added for labels which should only apply to the post-delete job. #43931
Enterprise:
Published by camscale 4 months ago
disable_exec_plugin. #43656
cluster.local. #43632
Enterprise:
TELEPORT_REPORTING_HTTP(S)_PROXY environment variable to specify the URL of the HTTP(S) proxy used for connections to our usage reporting ingest service.
Published by camscale 4 months ago
disable_exec_plugin. #43655
cluster.local. #43631
Enterprise:
TELEPORT_REPORTING_HTTP(S)_PROXY environment variable to specify the URL of the HTTP(S) proxy used for connections to our usage reporting ingest service.
Published by tcsc 4 months ago
This release of Teleport contains a fix for a medium-level security issue impacting Teleport Enterprise, as well as various other updates and improvements.
[Medium] Fixes issue where a SCIM client could potentially overwrite Teleport system Roles using specially crafted groups. This issue impacts Teleport Enterprise deployments using the Okta integration with SCIM support enabled.
We strongly recommend all customers upgrade to the latest releases of Teleport.
go-retryablehttp to v0.7.7 (fixes CVE-2024-6104). #43475
tctl alerts ls now displays remaining alert ttl. #43435
Debug setting for event-handler. #43409
--
labels: security-patch=yes
Published by tcsc 4 months ago
This release of Teleport contains a fix for a medium-level security issue impacting Teleport Enterprise, as well as various other updates and improvements.
[Medium] Fixes issue where a SCIM client could potentially overwrite Teleport system Roles using specially crafted groups. This issue impacts Teleport Enterprise deployments using the Okta integration with SCIM support enabled.
We strongly recommend all customers upgrade to the latest releases of Teleport.
go-retryablehttp to v0.7.7 (fixes CVE-2024-6104). #43474
tctl alerts ls now displays remaining alert ttl. #43436
Debug setting for event-handler. #43408
/readyz endpoint. #43283
[Install] section to the teleport-acm systemd unit file as used by Teleport AMIs. #43257
tctl desktop bootstrap for bootstrapping AD environments to work with Desktop Access. #43150
--
labels: security-patch=yes
Published by tcsc 4 months ago
[Install] section to the teleport-acm systemd unit file as used by Teleport AMIs. #43256
tctl to ignore a configuration file if the auth_service section is disabled, and prefer loading credentials from a given identity file or tsh profile instead. #43203
teleport to skip jamf_service validation when the Jamf service is not enabled. #43169
tsh and Teleport Connect return early during login if ping to proxy service was not successful. #43086
crown_jewel resource. #42866
/readyz endpoint. #43284
Published by tcsc 4 months ago
/readyz endpoint. #43285
[Install] section to the teleport-acm systemd unit file as used by Teleport AMIs. #43258
teleport to skip jamf_service validation when the Jamf service is not enabled. #43170
dynamoevents query StartKey not being within the [From, To] window. #42914
teleport configure command now supports a --node-name flag for overriding the node's hostname. #42249
allowed_https_hostnames in the Teleport Operator resources: SAML, OIDC, and GitHub Connector. #42056
kubectl exec v1.30+ to include warnings about a breaking change in Kubernetes. #41989
teleport.service after an upgrade.
Published by camscale 4 months ago
tctl now ignores any configuration file if the auth_service section is disabled, and prefers loading credentials from a given identity file or tsh profile instead. #43115
jamf_service validation when the service is not enabled. #43095
vnet_config. #42957
Published by r0mant 4 months ago
dynamoevents query StartKey not being within the [From, To] window. #42915
Published by r0mant 4 months ago
Teleport 16 brings the following new features and improvements:
tctl for Windows
Teleport 16 introduces Teleport VNet, a new feature that provides a virtual IP subnet and DNS server which automatically proxies TCP connections to Teleport apps over mutually authenticated tunnels.
This allows scripts and software applications to connect to any Teleport-protected application as if they were connected to a VPN, without the need to manage local tunnels.
Teleport VNet is powered by the Teleport Connect client and is available for macOS. Support for other operating systems will come in a future release.
Teleport Device Trust can now be enforced for browser-based workflows like remote desktop and web application access. The Teleport Connect client must be installed in order to satisfy device locality checks.
Teleport 16 now supports per-session MFA checks when accessing both web and TCP applications via all supported clients (Web UI, tsh, and Teleport Connect).
Additionally, Teleport Connect now includes support for per-session MFA when accessing database resources.
Teleport’s Web UI includes a new notifications system that notifies users of items requiring attention (for example, access requests needing review).
The resources view in the web UI now shows both resources you currently have access to and resources you can request access to. This allows users to request access to resources without navigating to a separate page.
Cluster administrators who prefer the previous behavior of hiding requestable resources from the main view can set show_resources: accessible_only in their UI config:
For dynamic configuration, run tctl edit ui_config:

    kind: ui_config
    version: v1
    metadata:
      name: ui-config
    spec:
      show_resources: accessible_only

Alternatively, self-hosted Teleport users can update the ui section of their proxy configuration:

    proxy_service:
      enabled: yes
      ui:
        show_resources: accessible_only

tctl for Windows
Teleport 16 includes Windows builds of the tctl administrative tool, allowing Windows users to administer their cluster without the need for a macOS or Linux workstation.
Additionally, there are no longer enterprise-specific versions of tctl. All Teleport clients (tsh, tctl, and Teleport Connect) are available in a single distribution that works on both Enterprise and Community Edition clusters.
Teleport 16 includes major improvements to the plugins. All plugins now have:
public.ecr.aws/gravitational/teleport-plugin-email:16)
In addition, we now support plugins for each supported major version, starting with v15. This means that if we fix a bug or security issue in a v16 plugin version, we will also apply and release the change for the v15 plugin version.
The Jamf plugin now authenticates with Jamf API credentials instead of username and password.
Starting with this release, Teleport Community Edition restricts commercial usage.
https://goteleport.com/blog/teleport-community-license/
Teleport 16 introduces license file validation on startup. This only applies to customers running Teleport Enterprise Self-Hosted. No action is required for customers running Teleport Enterprise Cloud or Teleport Community Edition.
If, after updating to Teleport 16, you receive an error message regarding an outdated license file, follow our step-by-step guide to update your license file.
Support for disabling second factor authentication has been removed. Teleport will refuse to start until the second_factor setting is set to on, webauthn or otp.
This change only affects self-hosted Teleport users, as Teleport Cloud has always required second factor authentication.
⚠️ Important: To avoid locking users out, we recommend the following steps:
tctl alerts create to help spread the word.
second_factor: on. This will help identify any users who have not registered MFA devices and allow you to quickly revert to second_factor: optional if necessary.
Any users who do not register MFA devices prior to the Teleport 16 upgrade will be unable to log in and must be reset by an administrator (tctl users reset).
In accordance with our component compatibility guidelines, Teleport 16 will start rejecting connections from clients and agents running incompatible (i.e. too old) versions.
If Teleport detects connection attempts from outdated clients, it will show an alert to cluster administrators in both the web UI and tsh.
To disable this behavior and run in an unsupported configuration that allows incompatible agents to connect to your cluster, start your auth server with the TELEPORT_UNSTABLE_ALLOW_OLD_CLIENTS=yes environment variable.
Prior to Teleport 16, when using an Opsgenie plugin, the teleport.dev/schedules role annotation was used to specify both schedules for access request notifications as well as schedules to check for the request auto-approval.
Starting with Teleport 16, the annotations were split to provide behavior consistent with other access request plugins: a role must now contain the teleport.dev/notify-services to receive notifications on Opsgenie and the teleport.dev/schedules to check for auto-approval.
Detailed setup instructions are available in the documentation.
Teleport clusters using the DynamoDB backend on AWS now require the dynamodb:ConditionCheckItem permissions. For a full list of required permissions, see the IAM policy example.
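One way to confirm before upgrading that an existing IAM policy document already grants the new action. This is an added example, not code from the Teleport project; the sample policies and the placeholder table ARN are constructed, and the check deliberately ignores Resource, Condition and NotAction.

```python
import json
from fnmatch import fnmatchcase

REQUIRED_ACTION = "dynamodb:ConditionCheckItem"  # named in the release notes


def _as_list(value):
    # IAM accepts a single value or a list for Statement and Action.
    return value if isinstance(value, list) else [value]


def _matches(patterns, action):
    # IAM action names are case-insensitive and may use * and ? wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def action_allowed(policy, action=REQUIRED_ACTION):
    """True if some Allow statement covers the action and no Deny statement does.

    Simplification: Resource, Condition and NotAction are not evaluated, so a
    True result still needs the table ARN checked by hand.
    """
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if "Action" not in stmt or not _matches(stmt["Action"], action):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit Deny always wins
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


# Constructed policies; the table ARN is a placeholder.
PRE_V16_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query",
               "dynamodb:BatchWriteItem", "dynamodb:UpdateItem"],
    "Resource": "arn:aws:dynamodb:REGION:ACCOUNT_ID:table/PLACEHOLDER_TABLE"
  }]
}""")
WILDCARD_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "dynamodb:Condition*", "Resource": "*"}}

if __name__ == "__main__":
    print("pre-v16 policy ok:", action_allowed(PRE_V16_POLICY))
    print("wildcard policy ok:", action_allowed(WILDCARD_POLICY))
```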
On Windows and Linux, some of Teleport Connect’s keyboard shortcuts conflicted with the default bash or nano shortcuts (Ctrl+E, Ctrl+K, etc). On those platforms, the default shortcuts have been changed to a combination of Ctrl+Shift+*.
On macOS, the default shortcut to open a new terminal has been changed to Ctrl+Shift+`.
See the configuration guide for a list of updated keyboard shortcuts.
Users with custom ssh_config should modify their ProxyCommand to use the new, more performant tbot ssh-proxy command. See the v16 upgrade guide for more details.
The Active Directory installation and configuration wizard has been removed. Users who don’t already have Active Directory should leverage Teleport’s local user support, and users with existing Active Directory environments should follow the manual setup guide.
All Teleport Assist functionality and OpenAI integration has been removed from Teleport. auth_service.assist and proxy_service.assist options have been removed from the configuration. Teleport will not start if these options are present.
During the migration from v15 to v16, the options mentioned above should be removed from the configuration.
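A pre-upgrade lint for the two startup blockers described above (a second_factor value other than on, webauthn or otp, and leftover assist options). This is an added example, not code from the Teleport project; it works on an already parsed teleport.yaml, assumes the setting lives at auth_service.authentication.second_factor, and uses a constructed sample config.

```python
"""Pre-upgrade lint of a parsed teleport.yaml for two Teleport 16 startup blockers."""

ALLOWED_SECOND_FACTOR = {"on", "webauthn", "otp"}  # values the release notes accept


def normalize_second_factor(value):
    # YAML 1.1 parsers (PyYAML among them) load bare on/off as booleans,
    # so map them back to the strings used in the configuration file.
    if value is True:
        return "on"
    if value is False:
        return "off"
    return str(value).strip().lower()


def v16_blockers(config):
    """Return human-readable findings; an empty list means neither check fired."""
    findings = []
    auth = config.get("auth_service") or {}
    proxy = config.get("proxy_service") or {}

    # Assumed location: auth_service.authentication.second_factor.
    # An unset value is not flagged; a dynamic cluster_auth_preference
    # resource is outside what a static file check can see.
    authn = auth.get("authentication") or {}
    if "second_factor" in authn:
        sf = normalize_second_factor(authn["second_factor"])
        if sf not in ALLOWED_SECOND_FACTOR:
            findings.append(f"auth_service.authentication.second_factor is {sf!r}; "
                            "v16 requires on, webauthn or otp")

    # Removed options: Teleport 16 will not start while they are present.
    for name, section in (("auth_service", auth), ("proxy_service", proxy)):
        if "assist" in section:
            findings.append(f"{name}.assist is set; remove it before upgrading")
    return findings


# Constructed sample: what a YAML parser would return for a v15-era file
# that contains `second_factor: off` and empty assist sections.
SAMPLE_V15 = {
    "auth_service": {
        "enabled": True,
        "authentication": {"type": "local", "second_factor": False},
        "assist": {},
    },
    "proxy_service": {"enabled": True, "assist": {}},
}

if __name__ == "__main__":
    for finding in v16_blockers(SAMPLE_V15):
        print("BLOCKER:", finding)
```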
Published by r0mant 4 months ago
Note: This release includes a new binary, fdpass-teleport, that can be optionally used by Machine ID to significantly reduce resource consumption in use-cases that create large numbers of SSH connections (e.g. Ansible). Refer to the documentation for more details.
azidentity to v1.6.0 (patches CVE-2024-35255). #42859
tbot. #42829
ssh-multiplexer service for significant improvements in SSH performance. #42761
Published by r0mant 4 months ago
Pre-releases are not production ready, use at your own risk!
Published by camscale 4 months ago
insecure-drop mode. #42660
teleport configure command now supports a --node-name flag for overriding the node's hostname. #42250
tctl tool. #42224
Published by r0mant 5 months ago
Hosted Slack plugin users can now configure notification routing rules for role-based access requests.
Database access users can now connect to GCP Spanner.
Teleport Workload ID now supports basic workload attestation on Unix systems, allowing cluster administrators to restrict the issuance of SVIDs to specific workloads based on UID/PID/GID.
kubectl exec functionality when Teleport is running behind L7 load balancer. #42192
teleport debug set-log-level / profile commands changing instance log level without a restart and collecting pprof profiles. #42122
tctl. #42092
Ctrl+Alt+Del sequence to remote desktops. #41720