The easiest, and most secure way to access and protect all of your infrastructure.
AGPL-3.0 License
Published by r0mant 5 months ago
Pre-releases are not production-ready; use at your own risk!
Download the current and previous releases of Teleport at https://goteleport.com/download.
Published by tcsc 5 months ago
This release contains fixes for several high-severity security issues, as well as numerous other bug fixes and improvements.
Teleport didn’t sufficiently validate the client redirect URL. This could allow an attacker to trick Teleport users into performing an SSO authentication and being redirected to an attacker-controlled URL, allowing the attacker to steal the credentials. #41836.
Warning: Teleport will now disallow non-localhost callback URLs for SSO logins unless otherwise configured. Users of the tsh login --callback feature should modify their auth connector configuration as follows:
version: vX
kind: (saml|oidc|github)
metadata:
  name: ...
spec:
  ...
  client_redirect_settings:
    allowed_https_hostnames:
      - '*.app.github.dev'
      - '^\d+-[a-zA-Z0-9]+\.foo.internal$'
The allowed_https_hostnames field is an array containing allowed hostnames, supporting glob matching and, if the string begins and ends with ^ and $ respectively, full regular expression syntax. Custom callback URLs are required to be HTTPS on the standard port (443).
When connecting to CockroachDB using Database Access, Teleport did not properly consider the username case when running RBAC checks. As such, it was possible to establish a connection using an explicitly denied username when using a different case. #41825.
Teleport did not terminate some long-running mTLS-authenticated connections past the expiry of client certificates for users with the disconnect_expired_cert option. This could allow such users to perform some API actions after their certificate has expired. #41829.
When creating a role access request, Teleport would include PagerDuty annotations from the entire user’s role set rather than a specific role being requested. For users who run multiple PagerDuty access plugins with auto-approval, this could result in a request for a different role being inadvertently auto-approved than the one which corresponds to the user’s active on-call schedule. #41831.
When using Teleport as SAML IdP, authorization wasn’t properly enforced on the SAML IdP session creation. As such, authenticated users could use an internal API to escalate their own privileges by crafting a malicious program. #41849.
We strongly recommend all customers upgrade to the latest releases of Teleport.
claims_to_roles is used. #41938.
tsh and tctl binaries. #41838.
systemd unit to always restart Teleport on failure unless explicitly
--
labels: security-patch=yes, security-patch-alts=v15.3.4
Published by tcsc 5 months ago
Published by r0mant 5 months ago
This release contains fixes for several high-severity security issues, as well as numerous other bug fixes and improvements.
Teleport didn’t sufficiently validate the client redirect URL. This could allow an attacker to trick Teleport users into performing an SSO authentication and being redirected to an attacker-controlled URL, allowing the attacker to steal the credentials. #41834.
Warning: Teleport will now disallow non-localhost callback URLs for SSO logins unless otherwise configured. Users of the tsh login --callback feature should modify their auth connector configuration as follows:
version: vX
kind: (saml|oidc|github)
metadata:
  name: ...
spec:
  ...
  client_redirect_settings:
    allowed_https_hostnames:
      - '*.app.github.dev'
      - '^\d+-[a-zA-Z0-9]+\.foo.internal$'
The allowed_https_hostnames field is an array containing allowed hostnames, supporting glob matching and, if the string begins and ends with ^ and $ respectively, full regular expression syntax. Custom callback URLs are required to be HTTPS on the standard port (443).
When connecting to CockroachDB using Database Access, Teleport did not properly consider the username case when running RBAC checks. As such, it was possible to establish a connection using an explicitly denied username when using a different case. #41823.
Teleport did not terminate some long-running mTLS-authenticated connections past the expiry of client certificates for users with the disconnect_expired_cert option. This could allow such users to perform some API actions after their certificate has expired. #41827.
When creating a role access request, Teleport would include PagerDuty annotations from the entire user’s role set rather than a specific role being requested. For users who run multiple PagerDuty access plugins with auto-approval, this could result in a request for a different role being inadvertently auto-approved than the one which corresponds to the user’s active on-call schedule. #41837.
When using Teleport as SAML IdP, authorization wasn’t properly enforced on the SAML IdP session creation. As such, authenticated users could use an internal API to escalate their own privileges by crafting a malicious program. #41846.
We strongly recommend all customers upgrade to the latest releases of Teleport.
cluster_networking_config fields keep_alive_count_max, keep_alive_interval, tunnel_strategy, or proxy_listener_mode. #41248
--
labels: security-patch=yes, security-patch-alts=v14.3.19
Published by r0mant 5 months ago
This release contains fixes for several high-severity security issues, as well as numerous other bug fixes and improvements.
Teleport didn’t sufficiently validate the client redirect URL. This could allow an attacker to trick Teleport users into performing an SSO authentication and being redirected to an attacker-controlled URL, allowing the attacker to steal the credentials. #41834.
Warning: Teleport will now disallow non-localhost callback URLs for SSO logins unless otherwise configured. Users of the tsh login --callback feature should modify their auth connector configuration as follows:
version: vX
kind: (saml|oidc|github)
metadata:
  name: ...
spec:
  ...
  client_redirect_settings:
    allowed_https_hostnames:
      - '*.app.github.dev'
      - '^\d+-[a-zA-Z0-9]+\.foo.internal$'
The allowed_https_hostnames field is an array containing allowed hostnames, supporting glob matching and, if the string begins and ends with ^ and $ respectively, full regular expression syntax. Custom callback URLs are required to be HTTPS on the standard port (443).
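A defender-side sketch of the callback check described in these release notes, added here as an illustration and not Teleport's own code: loopback callbacks are accepted, anything else must be HTTPS on port 443, and the hostname must match an allowed_https_hostnames entry, treated as a regular expression when it begins with ^ and ends with $ and as a glob otherwise. The loopback handling and the exact glob semantics ('*' matching any run of characters) are assumptions of this example.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// hostPattern compiles one allowed_https_hostnames entry: a full regexp when it
// begins with ^ and ends with $, else a glob ('*' matches any run; an assumption).
func hostPattern(entry string) (*regexp.Regexp, error) {
	if strings.HasPrefix(entry, "^") && strings.HasSuffix(entry, "$") {
		return regexp.Compile(entry)
	}
	glob := strings.ReplaceAll(regexp.QuoteMeta(entry), `\*`, ".*")
	return regexp.Compile("^" + glob + "$")
}

// callbackAllowed decides whether an SSO client redirect URL may be used:
// loopback callbacks pass; anything else must be HTTPS on port 443 and match.
func callbackAllowed(rawURL string, allowedHTTPSHostnames []string) (bool, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false, err
	}
	host := u.Hostname()
	if host == "localhost" || net.ParseIP(host).IsLoopback() {
		return true, nil
	}
	if u.Scheme != "https" || (u.Port() != "" && u.Port() != "443") {
		return false, nil
	}
	for _, entry := range allowedHTTPSHostnames {
		re, err := hostPattern(entry)
		if err != nil {
			return false, fmt.Errorf("bad allowed_https_hostnames entry %q: %w", entry, err)
		}
		if re.MatchString(host) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	allowed := []string{"*.app.github.dev", `^\d+-[a-zA-Z0-9]+\.foo.internal$`}
	fmt.Println(callbackAllowed("https://my-codespace.app.github.dev/callback", allowed)) // true <nil>
}
```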
When connecting to CockroachDB using Database Access, Teleport did not properly consider the username case when running RBAC checks. As such, it was possible to establish a connection using an explicitly denied username when using a different case. #41823.
Teleport did not terminate some long-running mTLS-authenticated connections past the expiry of client certificates for users with the disconnect_expired_cert option. This could allow such users to perform some API actions after their certificate has expired. #41827.
When creating a role access request, Teleport would include PagerDuty annotations from the entire user’s role set rather than a specific role being requested. For users who run multiple PagerDuty access plugins with auto-approval, this could result in a request for a different role being inadvertently auto-approved than the one which corresponds to the user’s active on-call schedule. #41837.
When using Teleport as SAML IdP, authorization wasn’t properly enforced on the SAML IdP session creation. As such, authenticated users could use an internal API to escalate their own privileges by crafting a malicious program. #41846.
We strongly recommend all customers upgrade to the latest releases of Teleport.
claims_to_roles is used. #41936.
tsh and tctl binaries. #41787
0777
tbot process. #41754
teleport-event-handler to skip certain events type when
TBOT_SSH_CONFIG_PROXY_COMMAND_MODE=new. #41694.
tctl. #41643.
systemd unit to always restart Teleport on failure unless explicitly stopped. #41581.
tbot SPIFFE workload API. You
false instead of empty. #41429.
cluster_networking_config fields keep_alive_count_max, keep_alive_interval, tunnel_strategy, or proxy_listener_mode. #41247.
tctl
#41888.
--
labels: security-patch=yes, security-patch-alts=v15.3.5|v15.3.4|v15.3.3|v15.3.2
Published by camscale 6 months ago
Published by camscale 6 months ago
Published by camscale 6 months ago
screen_size behavior for Windows Desktops, which was being overridden by the new resize feature. #41241
AccessDeniedException for dynamodb:ConditionCheckItem operations when using AWS DynamoDB for cluster state storage. #41133
tbot database-tunnel service to be set to a unix socket. #41008
Published by camscale 6 months ago
podSecurityContext configurable in the teleport-cluster Helm chart. #40950
teleport-kube-agent chart. #40949
teleport-cluster Helm chart that happened when sessionRecording was off. #40920
teleport-cluster Helm chart. #40916
ssh_config generation in Machine ID's Identity Outputs. This allows the generation of the ssh_config to be disabled if unnecessary, improving performance and removing the dependency on the Proxy being online. #40862
Published by camscale 6 months ago
The Roles page of the web UI is now backed by a paginated API, ensuring fast load times even on clusters with large numbers of roles.
Windows desktop sessions now automatically resize as the size of the browser window changes.
Teleport now supports connecting to agentless OpenSSH nodes even when Teleport is configured to require hardware key MFA checks.
The new TPM join method enables secure joining for agents and Machine ID bots that run on-premise. Based on the secure properties of the host's hardware trusted platform module, this join method removes the need to create and distribute secret tokens, significantly reducing the risk of exfiltration.
Published by r0mant 6 months ago
teleport-cluster Helm chart can configure AccessMonitoring when running in aws mode. #40957
podSecurityContext configurable in the teleport-cluster Helm chart. #40951
teleport-kube-agent chart. #40946
teleport-cluster Helm chart that happened when sessionRecording was off. #40919
teleport-cluster Helm chart. #40909
cert.create events during device authentication. #40872
ssh_config generation in Machine ID's Identity Outputs. This allows the generation of the ssh_config to be disabled if unnecessary, improving performance and removing the dependency on the Proxy being online. #40861
tpm join method, which allows for secure joining in on-prem environments without the need for a shared secret. #40823
Published by camscale 6 months ago
teleport-cluster Helm chart that happened when sessionRecording was off. #40921
teleport-kube-agent-updater to output debug logs by default. #39955
Published by camscale 6 months ago
tbot is used with OpenSSH. #40838
kubernetes_secret destination in tbot. #40551
Published by fheinecke 6 months ago
tbot is used with OpenSSH. #40837
regexp.match to access request filter and where expressions. #40642
kubernetes_secret destination in tbot. #40550
Published by fheinecke 6 months ago
tsh proxy kube --exec mode that spawns kube proxy in the background, which re-executes the user shell with the appropriate kubeconfig. #40395
invalid session TTL error when creating access request with tsh. #40335
Published by r0mant 7 months ago
foo=bar,baz,bang, it is now possible to match on any resources with a label foo that contains the element bar via contains(split(labels[foo], ","), bar). #40183
disable_exec_plugin option to the Machine ID Kubernetes Output to remove the dependency on tbot existing in the target environment. #40162
database-tunnel service to tbot which allows an authenticated database tunnel to be opened by tbot. This is an improvement over the original technique of using tbot proxy db. #40151
show_desktop_wallpaper flag. #40088
Published by r0mant 7 months ago
The access requests page of the web UI will be backed by a paginated API, ensuring fast load times even on clusters with many access requests. Additionally, the UI allows you to search for access requests, sort them based on various attributes, and includes several new filtering options.
Teleport 15.2 changes the way that web assets are served and cached, which will allow multiple compatible versions of the Teleport Proxy to run behind the same load balancer.
With Teleport 15.2, Machine ID can bootstrap and issue identity to services across multiple computing environments and organizational boundaries. Workload Identity issues SPIFFE-compatible x509 certificates that can be used for mTLS between services.
The Kubernetes project is deprecating the SPDY protocol for streaming commands (kubectl exec, kubectl port-forward, etc.) and replacing it with a new websocket-based subprotocol. Teleport 15.2.0 will support the new protocol to ensure compatibility with newer Kubernetes clusters.
Both tsh db connect and tsh proxy db will offer the option to submit an access request if the user attempts to connect to a database that they don't already have access to.
Teleport administrators will be able to set up access to the GCP web console through Workforce Identity Federation using Teleport as a SAML identity provider.
Users will be able to register OpenSSH nodes in the cluster using Terraform and the Kubernetes Operator.
Users submitting access requests via the web UI will be able to request a specific access start time up to a week in advance.
The Teleport Terraform provider and Kubernetes operator now support declaring agentless OpenSSH and OpenSSH EC2 ICE servers. You can follow this guide to register OpenSSH agents with infrastructure as code.
Setting up EC2 ICE automatic discovery with IaC will come in a future update.
The teleport-operator and teleport-cluster charts now support deploying only the CRD, the CRD and the operator, or only the operator.
From the teleport-cluster Helm chart:
  operator:
    enabled: true|false
    installCRDs: always|never|dynamic
From the teleport-operator Helm chart:
  enabled: true|false
  installCRDs: always|never|dynamic
In dynamic mode (the default), the chart installs the CRDs if the operator is enabled, but does not remove the CRDs if you temporarily disable the operator.
Kubernetes CR labels are now copied to the Teleport resource when applicable. This allows you to configure RBAC for operator-created resources, and to filter Teleport resources more easily.
Teleport v15 introduced two Terraform provider changes:
The second change was too disruptive, especially for roles, as they cannot be deleted if a user or an access list references them. Teleport 15.2 lifts this restriction and allows version change without forcing the resource deletion.
Another change to ensure resource defaults are correctly set during version upgrades will happen in v16.
tls auth export --type tls-spiffe and the /webapi/auth/export endpoint. #40007
kubectl get. #39993
teleport-kube-agent-updater to output debug logs by default. #39953
teleport-cluster Helm chart now supports using the Amazon Athena event backend. #39907
Published by tcsc 7 months ago
jq was not installed. #39601
Published by tcsc 7 months ago
Published by tcsc 7 months ago
tsh db login, tsh db connect and tsh proxy db. #39617
jq was not installed. #39599