The easiest, and most secure way to access and protect all of your infrastructure.
AGPL-3.0 License
Published by r0mant over 1 year ago
This release of Teleport contains a security fix as well as multiple improvements and bug fixes.
- 1.1.1t. #21426
- --as flag. #21148
- tsh db connect when using hardware-backed private keys. #21042
Download the current and previous releases of Teleport at https://goteleport.com/download.
labels: security-patch=yes
Published by r0mant over 1 year ago
Teleport 12 brings the following marquee features and improvements:
Teleport 12 includes a preview of our upcoming Device Trust feature, which
allows administrators to require that Teleport access is performed from an
authenticated and trusted device.
This preview release requires macOS and a native client like tsh or Teleport
Connect. These clients leverage the Secure Enclave on macOS to solve device
challenges issued by the Teleport CA, proving their identity as a trusted
device.
Teleport features requiring the web UI (Desktop Access, Application Access) are
not currently supported.
Teleport 12 brings passwordless certificate-based authentication to Windows
desktops in environments where Active Directory is not available. This feature
requires the installation of a Teleport package on each Windows desktop.
Teleport 12 extends RBAC to support controlling access to individual pods in
Kubernetes clusters. Pod RBAC integrates with existing Teleport RBAC features
such as role templating and access requests.
In Teleport 12 administrators can interact with Azure and GCP APIs through
Application Access using tsh az and tsh gcloud CLI commands, or using
standard az and gcloud tools through the local application proxy.
Database Access in Teleport 12 brings a number of new integrations to AWS-hosted
databases such as DynamoDB (now with audit log support), Redshift Serverless and
RDS Proxy for PostgreSQL/MySQL.
On Azure, Database Access adds SQLServer auto-discovery and support for Azure
Flexible Server for PostgreSQL/MySQL.
The “teleport-cluster” Helm chart underwent significant refactoring in Teleport
12 to provide better scalability and UX. Proxy and Auth are now separate
deployments and the new “scratch” chart mode makes it easier to provide a custom
Teleport config.
“Custom” mode users should follow the migration guide:
https://goteleport.com/docs/ver/12.x/deploy-a-cluster/helm-deployments/migration-v12/
Newer OpenSSH clients connecting to Teleport 12 clusters no longer need the
“PubkeyAcceptedKeyTypes” workaround to include the deprecated “sha” algorithm.
Users who download Teleport 12 Darwin binaries no longer get an untrusted
software warning from macOS.
tctl now supports an edit subcommand, allowing you to edit resources directly in
your preferred text editor.
Please familiarize yourself with the following potentially disruptive changes in
Teleport 12 before upgrading.
The teleport-cluster Helm chart underwent significant changes in Teleport 12. To
upgrade from an older version of the Helm chart deployed in “custom” mode, use
the following migration guide:
https://goteleport.com/docs/ver/12.x/deploy-a-cluster/helm-deployments/migration-v12/
Additionally, Pod Security Policies (PSPs) are removed from the chart when
installing on Kubernetes 1.23 and higher, to account for the deprecation and
removal of PSPs by Kubernetes.
The tctl auth export command only exports the private key when passing the
--keys flag. Previously it would output the certificate and private key
together.
Windows Desktop sessions disable the wallpaper by default, improving
performance. To restore the previous behavior, add show_desktop_wallpaper: true
to your windows_desktop_service config.
Kubernetes Access users migrating to RoleV6 should include the following permission
in their roles:
    kubernetes_resources:
      - kind: pod
        name: '*'
        namespace: '*'
See Kubernetes Access RBAC documentation for more details.
Download the current and previous releases of Teleport at https://goteleport.com/download.
Published by zmb3 over 1 year ago
This package allows passwordless login to Windows desktops that are not joined to an Active Directory domain.
This preview release requires a Teleport Enterprise Auth Server running v12.0.0 or later.
Published by r0mant over 1 year ago
Pre-releases are not production ready, use at your own risk!
Download the current and previous releases of Teleport at https://goteleport.com/download.
Published by r0mant over 1 year ago
This release of Teleport contains multiple improvements and bug fixes.
- tsh scp. #20953
- tsh proxy aws --endpoint-url not working. #20880
- tsh to detect unplugged devices when using hardware-backed keys. #20949
- --db-user. (#20695) #20919
Download the current and previous releases of Teleport at https://goteleport.com/download.
Published by r0mant over 1 year ago
This release of Teleport contains a security fix, as well as multiple improvements and bug fixes.
- tctl auth sign not respecting Ctrl-C. #20773
- tsh login. #20712
- tctl auth sign --format kubernetes against remote auth server. #20571
- client_idle_timeout_message support to Windows access. #20617
- teleport-cluster Helm chart. #20564
- teleport-kube-agent Helm chart. #20449
- teleport-cluster Helm chart. #20441
- teleport-cluster Helm chart to reload proxy certificate daily. #20503
Download the current and previous releases of Teleport at https://goteleport.com/download.
labels: security-patch=yes
Published by r0mant over 1 year ago
Pre-releases are not production ready, use at your own risk!
Download the current and previous releases of Teleport at https://goteleport.com/download.
Published by r0mant over 1 year ago
This release of Teleport contains multiple improvements and bug fixes.
- tsh login defaulting to passwordless and ignoring the --auth and --mfa-mode flags. #20474
- tsh aws. #20437
- *:* selector in EC2 auto-discovery. #20390
- dnsConfig support to the teleport-kube-agent Helm chart. #20107
Download the current and previous releases of Teleport at https://goteleport.com/download.
Published by r0mant almost 2 years ago
This release of Teleport contains multiple improvements and bug fixes.
- max_kubernetes_connections leading to access denied errors. #20174
- kube-agent Helm chart leaving state behind after helm uninstall. #20169
- tsh HTTP requests missing extra headers. #20071
- 1.66.1. #20201
Download the current and previous releases of Teleport at https://goteleport.com/download.
Published by r0mant almost 2 years ago
Pre-releases are not production ready, use at your own risk!
Download the current and previous releases of Teleport at https://goteleport.com/download.
Published by zmb3 almost 2 years ago
This release of Teleport contains multiple improvements and bug fixes.
- tsh to set extra proxy headers in all HTTP requests #20111
- tsh recordings ls options and added better error messages #19955
- gcp.credentialSecretName optional in the Teleport Cluster Helm chart #19804
Download the current and previous releases of Teleport at https://goteleport.com/download/
Published by zmb3 almost 2 years ago
This release of Teleport contains multiple improvements and bug fixes.
- gcp.credentialSecretName optional in the Teleport Cluster Helm chart #19809
- tsh proxy db from running if database CLI tools are unavailable #19773
- gravitational/trace package version #19719
- tsh traces even when the Auth Server is not configured for tracing #19588
Download the current and previous releases of Teleport at https://goteleport.com/download/
Published by zmb3 almost 2 years ago
This release of Teleport contains multiple improvements and bug fixes.
Download the current and previous releases of Teleport at https://goteleport.com/download/
Published by zmb3 almost 2 years ago
This release of Teleport contains multiple improvements and bug fixes.
In addition, we're happy to announce a set of GitHub Actions that you can use in your workflows to assist with accessing Teleport Resources in your CI/CD pipelines.
Visit the individual repositories to find out more and see usage examples:
For a more in-depth guide, see our refreshed documentation for using Teleport with GitHub Actions at https://goteleport.com/docs/machine-id/guides/github-actions/
Later this year, Windows will begin requiring a stronger mapping from a certificate to an Active Directory user. In anticipation of this change, Teleport 11.2.0 is compliant with the new requirements.
Warning: This feature requires that Teleport's own service account also uses a strong mapping. In order to support this requirement, you must now set a new Security Identifier (sid) field in the LDAP configuration for your Windows Desktop Services. You can find the SID for your service account by running the following PowerShell snippet (replace svc-teleport with the name of the service account you are using):
    Get-AdUser -Identity svc-teleport | Select SID
- tsh #19821
- gcp.credentialSecretName optional in the Teleport Cluster Helm chart #19803
- tsh traces even when the Auth Server is not configured for tracing #19583
- tsh binary for use outside of Teleport Connect #1488
Download the current and previous releases of Teleport at https://goteleport.com/download/
Published by zmb3 almost 2 years ago
This release of Teleport contains multiple security fixes, improvements and bug fixes.
When accepting Application Access requests, Teleport did not sufficiently
validate client credentials.
This could allow an attacker in possession of a valid active application session
ID to issue requests to this application impersonating the session owner for a
limited time window.
Presence of multiple “cert.create” audit events (code TC000I) with the same app
session ID in the “route_to_app.session_id” field may indicate an attempt to
impersonate an existing user’s application session.
After logging out via the web UI, a user’s session could remain cached in
Teleport’s proxy, allowing continued access to resources for a limited time
window.
- session.start event being overwritten by session.exec event. #19499
- tsh login --format kubernetes command. #19434
- tsh ls -R latency. #19484
Download the current and previous releases of Teleport at https://goteleport.com/download.
labels: security-patch=yes
Published by zmb3 almost 2 years ago
This release of Teleport contains multiple security fixes, improvements and bug fixes.
When establishing a direct-tcpip channel, Teleport did not sufficiently validate
RBAC.
This could allow an attacker in possession of valid cluster credentials to
establish a TCP tunnel to a node they didn’t have access to.
The connection attempt would show up in the audit log as a “port” audit event
(code T3003I) and include the Teleport username in the “user” field.
When accepting Application Access requests, Teleport did not sufficiently
validate client credentials.
This could allow an attacker in possession of a valid active application session
ID to issue requests to this application impersonating the session owner for a
limited time window.
Presence of multiple “cert.create” audit events (code TC000I) with the same app
session ID in the “route_to_app.session_id” field may indicate an attempt to
impersonate an existing user’s application session.
When issuing a user certificate, Teleport did not check for the presence of IP
restrictions in the client’s credentials.
This could allow an attacker in possession of valid client credentials with IP
restrictions to reissue credentials without IP restrictions.
Presence of a “cert.create” audit event (code TC000I) without corresponding
“user.login” audit event (codes T1000I or T1101I) for users with IP restricted
roles may indicate an issuance of a certificate without IP restrictions.
After logging out via the web UI, a user’s session could remain cached in
Teleport’s proxy, allowing continued access to resources for a limited time
window.
- session.start event being overwritten with session.exec event. #19496
- tsh login --format kubernetes command. #19432
- disconnect_expired_cert and require_session_mfa settings conflicting with each other. #19204
- tctl windows_desktops ls output. #19015
- tsh ls -R latency. #19483
labels: security-patch=yes
Published by zmb3 almost 2 years ago
This release of Teleport contains multiple security fixes, improvements and bug fixes.
When establishing a direct-tcpip channel, Teleport did not sufficiently validate
RBAC.
This could allow an attacker in possession of valid cluster credentials to
establish a TCP tunnel to a node they didn’t have access to.
The connection attempt would show up in the audit log as a “port” audit event
(code T3003I) and include the Teleport username in the “user” field.
When accepting Application Access requests, Teleport did not sufficiently
validate client credentials.
This could allow an attacker in possession of a valid active application session
ID to issue requests to this application impersonating the session owner for a
limited time window.
Presence of multiple “cert.create” audit events (code TC000I) with the same app
session ID in the “route_to_app.session_id” field may indicate an attempt to
impersonate an existing user’s application session.
When issuing a user certificate, Teleport did not check for the presence of IP
restrictions in the client’s credentials.
This could allow an attacker in possession of valid client credentials with IP
restrictions to reissue credentials without IP restrictions.
Presence of a “cert.create” audit event (code TC000I) without corresponding
“user.login” audit event (codes T1000I or T1101I) for users with IP restricted
roles may indicate an issuance of a certificate without IP restrictions.
After logging out via the web UI, a user’s session could remain cached in
Teleport’s proxy, allowing continued access to resources for a limited time
window.
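The advisories above (the application session impersonation issue and the IP-restriction reissuance issue, each repeated across the affected releases) give two audit-log indicators: more than one “cert.create” (TC000I) event carrying the same “route_to_app.session_id”, and a “cert.create” for a user with an IP-restricted role that has no corresponding “user.login” (T1000I or T1101I). The following script is an added example, not Teleport's own code, that runs both checks over exported JSON-lines audit events. The event names, codes and field names come from the advisories; the exact nesting of the user and session-id fields in an export (identity.user, identity.route_to_app.session_id) is an assumption and is looked up by dotted path with a fallback, and the sample log lines are constructed.

```python
"""Scan a Teleport audit log (JSON lines) for the two indicators named in
the advisory. Added example, not Teleport's own code. Field nesting is an
assumption; the dotted paths below are tried in order and can be adjusted."""
import json
from collections import defaultdict

# Constructed sample log lines (not real Teleport output). bob and carol
# are assumed to hold IP-restricted roles; alice's app session id appears
# on two separate cert.create events, which is the first indicator.
SAMPLE_LOG = """\
{"event":"user.login","code":"T1000I","user":"alice","time":"2023-01-10T09:00:00Z"}
{"event":"cert.create","code":"TC000I","identity":{"user":"alice","route_to_app":{"session_id":"app-sess-1"}},"time":"2023-01-10T09:00:01Z"}
{"event":"cert.create","code":"TC000I","identity":{"user":"alice","route_to_app":{"session_id":"app-sess-1"}},"time":"2023-01-10T09:05:00Z"}
{"event":"cert.create","code":"TC000I","identity":{"user":"bob"},"time":"2023-01-10T09:10:00Z"}
{"event":"user.login","code":"T1101I","user":"carol","time":"2023-01-10T09:11:00Z"}
{"event":"cert.create","code":"TC000I","identity":{"user":"carol"},"time":"2023-01-10T09:11:02Z"}
"""

USER_PATHS = ("identity.user", "user")                       # assumed nesting
SESSION_PATHS = ("identity.route_to_app.session_id", "route_to_app.session_id")
LOGIN_CODES = {"T1000I", "T1101I"}                           # from the advisory


def get_path(event, *paths):
    """Return the value at the first dotted path that resolves, else None."""
    for path in paths:
        node = event
        for key in path.split("."):
            if not isinstance(node, dict) or key not in node:
                node = None
                break
            node = node[key]
        if node is not None:
            return node
    return None


def parse_audit_log(text):
    """Parse JSON lines and order them by the RFC 3339 'time' field, so the
    login-before-cert check below does not depend on export order."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    events.sort(key=lambda ev: ev.get("time", ""))
    return events


def is_cert_create(ev):
    return ev.get("event") == "cert.create" and ev.get("code") == "TC000I"


def reused_app_sessions(events):
    """Indicator 1: the same app session id on more than one cert.create.
    Returns {session_id: [users of each issuance]} for reused sessions."""
    by_session = defaultdict(list)
    for ev in events:
        if not is_cert_create(ev):
            continue
        sid = get_path(ev, *SESSION_PATHS)
        if sid:
            by_session[sid].append(get_path(ev, *USER_PATHS))
    return {sid: users for sid, users in by_session.items() if len(users) > 1}


def certs_without_login(events, ip_restricted_users):
    """Indicator 2: cert.create for an IP-restricted user with no earlier
    user.login (T1000I/T1101I) in the scanned window. Returns (user, time)."""
    logged_in = set()
    findings = []
    for ev in events:
        if ev.get("event") == "user.login" and ev.get("code") in LOGIN_CODES:
            logged_in.add(ev.get("user"))
        elif is_cert_create(ev):
            user = get_path(ev, *USER_PATHS)
            if user in ip_restricted_users and user not in logged_in:
                findings.append((user, ev.get("time")))
    return findings


def scan(text, ip_restricted_users):
    events = parse_audit_log(text)
    return {
        "reused_app_sessions": reused_app_sessions(events),
        "certs_without_login": certs_without_login(events, ip_restricted_users),
    }


if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_LOG, {"bob", "carol"}), indent=2))
```

The second check is deliberately scoped to the export window: a cert.create whose matching user.login fell before the start of the export will be reported, so widen the window or supply the set of IP-restricted users narrowly to keep the output reviewable. Both checks are indicators only; the advisory's own wording is "may indicate", and confirmation still needs the surrounding events for that user.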
- session.start events being overwritten by session.exec events. #19497
- tsh login --format kubernetes not setting SNI info. #19433
- disconnect_expired_cert and require_session_mfa settings conflicting with each other. #19178
- instance.join and bot.join audit events. #19343
- tsh ls -R. #19482
Download the current and previous releases of Teleport at https://goteleport.com/download.
labels: security-patch=yes
Published by r0mant almost 2 years ago
This release of Teleport contains multiple improvements and bug fixes.
- tctl windows_desktops ls not producing results in JSON and YAML formats. #19016
Download the current and previous releases of Teleport at https://goteleport.com/download.
Published by r0mant almost 2 years ago
This release of Teleport contains two security fixes as well as multiple improvements and bug fixes.
Fixed issue with SFTP connections not being blocked when moderated sessions are
enforced.
Fixed issue where an attacker with physical access to a user's computer and raw
access to the filesystem could potentially recover the seed QR code.
- teleport-kube-agent Helm chart joining not working with static tokens. #18971
- tsh db ls panic. #17781
- tbot failing to parse some kernel versions. #18301
- tsh aws s3 failing in some scenarios. #18435
- tsh sessions. #18112
- LimitNOFILE to all systemd unit files. #17973
- user.spec syntax in moderated session filters. #18456
- teleport-kube-agent Helm chart. #18201
- windows_desktops as a valid resource name for tctl resource commands. #18817
- tsh play JSON and YAML output. #18827
- tsh performance by reducing the number of roundtrips to the cluster. #17804, #18057
Download the current and previous releases of Teleport at https://goteleport.com/download.
labels: security-patch=yes
Published by r0mant almost 2 years ago
This release of Teleport contains a security fix as well as multiple improvements and bug fixes.
Fixed issue where an attacker with physical access to a user's computer and raw
access to the filesystem could potentially recover the seed QR code.
- user.spec syntax in moderated session filters. #18454
- tctl auth sign --format kubernetes to support merging multiple clusters in the same kubeconfig. #18526
- tctl to support windows_desktop resource name. #18815
- tsh play JSON and YAML output. #18824
Download the current and previous releases of Teleport at https://goteleport.com/download.
labels: security-patch=yes