teleport

The easiest and most secure way to access and protect all of your infrastructure.

AGPL-3.0 License

teleport - Teleport 6.1.3

Published by russjones over 3 years ago

This release of Teleport contains a bug fix.

Description

  • Added support for PROXY protocol to Database Access (MySQL). #6517

Download

Download the current and previous releases of Teleport at https://goteleport.com/teleport/download.

teleport - Teleport 6.1.2

Published by webvictim over 3 years ago

This release of Teleport contains a new feature.

Description

  • Added log formatting and support to enable timestamps for logs. #5898

Download

Download the current and previous releases of Teleport at https://goteleport.com/teleport/download.

teleport - Teleport 6.1.1

Published by webvictim over 3 years ago

This release of Teleport contains a bug fix.

Description

Download

Download the current and previous releases of Teleport at https://goteleport.com/teleport/download.

teleport - Teleport 6.1.0

Published by r0mant over 3 years ago

Teleport 6.1 contains multiple new features, improvements, and bug fixes.

New Features

U2F for Kubernetes and SSH sessions

Added support for U2F authentication on every SSH and Kubernetes "connection" (a single tsh ssh or kubectl call). This is an advanced security feature that protects users against compromises of their on-disk Teleport certificates. Per-session MFA can be enforced cluster-wide or only for some specific roles.

For more details, see the Per-Session MFA documentation, or RFD 14 and RFD 15 for the technical design.

Dual Authorization Workflows

Added ability to request multiple users to review and approve access requests.

See #5071 for technical details.

Improvements

  • Added the ability to propagate SSO claims to PAM modules. #6158
  • Added support for cluster routing to reduce latency to leaf clusters. RFD 21
  • Added support for Google Cloud SQL to Database Access. #6090
  • Added support for CLI credential issuance for Application Access. #5918
  • Added support for Encrypted SAML Assertions. #5598
  • Added support for user impersonation. #6073

Fixes

  • Fixed interoperability issues with gpg-agent. RFD 18
  • Fixed websocket support in Application Access. #6028
  • Fixed file argument issues with tsh play. #1580
  • Fixed utmp regressions that caused issues in LXC containers. #6256

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 6.1.0-rc.1

Published by russjones over 3 years ago

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 6.0.3

Published by russjones over 3 years ago

This release of Teleport contains a bug fix.

Description

  • Fixed an issue that caused high network utilization on deployments with many leaf clusters. #6263

Download

Download the current and previous releases of Teleport at https://goteleport.com/teleport/download.

teleport - Teleport 6.1.0-beta.1

Published by russjones over 3 years ago

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 4.4.9

Published by webvictim over 3 years ago

This release of Teleport contains a bug fix.

Description

  • Restored session.upload event to Audit Log. #5636

Download

Download the current and previous releases of Teleport at https://goteleport.com/teleport/download.

teleport - Teleport 6.0.2

Published by russjones over 3 years ago

This release of Teleport contains multiple bug fixes.

Description

  • Fixed an issue with proxy web endpoint resetting connection when run with --insecure-no-tls flag. #5923
  • Introduced role presets: auditor, editor and access. #5968
  • Added ability to inline google_service_account field into Google Workspace OIDC connector. #5563

Download

Download the current and previous releases of Teleport at https://goteleport.com/teleport/download.

teleport - Teleport 6.0.1

Published by russjones over 3 years ago

This release of Teleport contains multiple bug fixes.

Description

  • Fixed issue that caused ACME default configuration to fail with TLS-ALPN-01 challenge. #5839
  • Fixed regression in ADFS integration. #5880

Download

Download the current and previous releases of Teleport at https://goteleport.com/teleport/download.

teleport - Teleport 6.0.0

Published by webvictim over 3 years ago

Teleport 6.0 is a major release with new features, functionality, and bug fixes.

New Features

We have implemented Database Access, open sourced role-based access control (RBAC), and added an official API and a Go client library.

Users can review the 6.0 milestone on GitHub for more details.

Database Access

Review the Database Access design in RFD #11.

With Database Access users can connect to PostgreSQL and MySQL databases using short-lived certificates, configure SSO authentication and role-based access controls for databases, and capture SQL query activity in the audit log.

Getting Started

Configure Database Access following the Getting Started guide.

Guides

Resources

To learn more about configuring role-based access control for Database Access, check out the RBAC section.

Architecture provides a more in-depth look at Database Access internals such as networking and security.

See Reference for an overview of Database Access related configuration and CLI commands.

Finally, check out Frequently Asked Questions.

OSS RBAC

Open source RBAC support was introduced in RFD #7.

RBAC support gives OSS administrators more granular access controls to servers and other resources within a cluster (like session recording access). An example of an RBAC policy could be: "admins can do anything, developers must never touch production servers and interns can only SSH into staging servers as guests".

In addition, some Access Workflow Plugins will now become available to open source users.

  • Access Workflows Golang SDK and API
  • Slack
  • Gitlab
  • Mattermost
  • JIRA Plugin
  • PagerDuty Plugin

Client libraries and API

API and Client Libraries support was introduced in RFD #10.

The new API and client library reduce the dependencies needed to use the Teleport API and make it easier to use. An example of using the new API is below.

// Context used for the API calls below.
ctx := context.Background()

// Create a client connected to the Auth server with an exported identity file.
clt, err := client.NewClient(client.Config{
  Addrs: []string{"auth.example.com:3025"},
  Credentials: []client.Credentials{
    client.LoadIdentityFile("identity.pem"),
  },
})
if err != nil {
  log.Fatalf("Failed to create client: %v.", err)
}
defer clt.Close()

// Create an Access Request.
accessRequest, err := types.NewAccessRequest(uuid.New(), "access-admin", "admin")
if err != nil {
  log.Fatalf("Failed to build access request: %v.", err)
}
if err = clt.CreateAccessRequest(ctx, accessRequest); err != nil {
  log.Fatalf("Failed to create access request: %v.", err)
}

Improvements

  • Added utmp/wtmp support for SSH in #5491.
  • Added the ability to set a Kubernetes specific public address in #5611.
  • Added Proxy Protocol support to Kubernetes Access in #5299.
  • Added ACME (Let's Encrypt) support to make getting and using TLS certificates easier. #5177.
  • Added the ability to manage local users to the Web UI in #2945.
  • Added the ability to preserve timestamps when using tsh scp in #2889.

Fixes

  • Fixed authentication failure when logging in via CLI with Access Workflows after removing .tsh directory in #5323.
  • Fixed tsh login failure when --proxy differs from actual proxy public address in #5380.
  • Fixed session playback issues in #2945.
  • Fixed several UX issues in #5559, #5568, #4965, and #5057.

Upgrade Notes

Please follow our standard upgrade procedure to upgrade your cluster.

Note: for clusters using GitHub SSO and Trusted Clusters, SSO users will lose connectivity to leaf clusters when upgrading. Local users will not be affected.

To restore connectivity to leaf clusters for SSO users, leaf admins should update the trusted_cluster role mapping resource as shown below.

kind: trusted_cluster
version: v2
metadata:
   name: "zztop-oss"
spec:
   enabled: true
   token: "bar"
   web_proxy_addr: 172.10.1.1:3080
   tunnel_addr: 172.10.1.1:3024
   role_map:
   - remote: "admin"
     local: ['admin']
   - remote: "^(github-.*)$"
     local: ['admin']

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 6.0.0-rc.2

Published by webvictim over 3 years ago

This release of Teleport contains a number of bug fixes.

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 5.2.1

Published by webvictim over 3 years ago

This release of Teleport contains multiple security fixes.

Description

As part of a routine security audit of Teleport, several security vulnerabilities and miscellaneous issues were discovered in Teleport 5.0, 4.4, and 4.3. We strongly suggest upgrading to the latest release.

Details

Below we highlight the most serious issues found, as well as the components of Teleport they affect.

Teleport Application Access

If an attacker can convince a user to click on a malicious link, the attacker can steal the victim’s session cookie or force them to log into an attacker-controlled Application Access account.

Trusted Clusters

Under certain circumstances, an already privileged user within a root cluster could potentially elevate their privileges further by gaining the exact same roles in the leaf as they have in the root cluster (instead of the mapped roles).

All

An unauthenticated attacker that has network access to the Teleport Web Proxy could stage a DoS attack causing it to crash.

Changes In Behavior

Trusted Clusters

Trusted clusters now correctly handle role mapping for Kubernetes. If you had identically-named roles in root and leaf clusters for granting Kubernetes access, leaf clusters now use kubernetes_users and kubernetes_groups from the leaf role instead of the root role.

Actions

For all users, we recommend upgrading the Teleport Proxy process.

For Application Access users, we also recommend upgrading the Application Access processes.

For Trusted Cluster users, we also recommend upgrading the Teleport Auth process within both leaf and root clusters.

For Kubernetes Access users who rely on Trusted Clusters, we recommend reviewing the leaf cluster roles and making sure that they grant the correct kubernetes_users and kubernetes_groups.

Upgrades should follow the normal Teleport upgrade procedure: https://goteleport.com/teleport/docs/admin-guide/#upgrading-teleport.

Download

Download one of the following releases to mitigate the issue:

  • Teleport 5.2.1*
  • Teleport 4.4.8
  • Teleport 4.3.10

* For Enterprise customers, 5.2.1 is identical to 5.2.0. A new release had to be made due to an issue with the build process.

All current and previous releases of Enterprise can be downloaded from https://dashboard.goteleport.com.

teleport - Teleport 4.4.8

Published by webvictim over 3 years ago

This release of Teleport contains multiple security fixes.

Description

As part of a routine security audit of Teleport, several security vulnerabilities and miscellaneous issues were discovered in Teleport 5.0, 4.4, and 4.3. We strongly suggest upgrading to the latest release.

Details

Below we highlight the most serious issues found, as well as the components of Teleport they affect.

Teleport Application Access

If an attacker can convince a user to click on a malicious link, the attacker can steal the victim’s session cookie or force them to log into an attacker-controlled Application Access account.

Trusted Clusters

Under certain circumstances, an already privileged user within a root cluster could potentially elevate their privileges further by gaining the exact same roles in the leaf as they have in the root cluster (instead of the mapped roles).

All

An unauthenticated attacker that has network access to the Teleport Web Proxy could stage a DoS attack causing it to crash.

Changes In Behavior

Trusted Clusters

Trusted clusters now correctly handle role mapping for Kubernetes. If you had identically-named roles in root and leaf clusters for granting Kubernetes access, leaf clusters now use kubernetes_users and kubernetes_groups from the leaf role instead of the root role.

Actions

For all users, we recommend upgrading the Teleport Proxy process.

For Application Access users, we also recommend upgrading the Application Access processes.

For Trusted Cluster users, we also recommend upgrading the Teleport Auth process within both leaf and root clusters.

For Kubernetes Access users who rely on Trusted Clusters, we recommend reviewing the leaf cluster roles and making sure that they grant the correct kubernetes_users and kubernetes_groups.

Upgrades should follow the normal Teleport upgrade procedure: https://goteleport.com/teleport/docs/admin-guide/#upgrading-teleport.

Download

Download one of the following releases to mitigate the issue:

  • Enterprise 5.2.0
  • Enterprise 4.4.8
  • Enterprise 4.3.10

All current and previous releases of Enterprise can be downloaded from https://dashboard.goteleport.com.

teleport - Teleport 4.3.10

Published by webvictim over 3 years ago

This release of Teleport contains multiple security fixes.

Description

As part of a routine security audit of Teleport, several security vulnerabilities and miscellaneous issues were discovered in Teleport 5.0, 4.4, and 4.3. We strongly suggest upgrading to the latest release.

Details

Below we highlight the most serious issues found, as well as the components of Teleport they affect.

Teleport Application Access

If an attacker can convince a user to click on a malicious link, the attacker can steal the victim’s session cookie or force them to log into an attacker-controlled Application Access account.

Trusted Clusters

Under certain circumstances, an already privileged user within a root cluster could potentially elevate their privileges further by gaining the exact same roles in the leaf as they have in the root cluster (instead of the mapped roles).

All

An unauthenticated attacker that has network access to the Teleport Web Proxy could stage a DoS attack causing it to crash.

Changes In Behavior

Trusted Clusters

Trusted clusters now correctly handle role mapping for Kubernetes. If you had identically-named roles in root and leaf clusters for granting Kubernetes access, leaf clusters now use kubernetes_users and kubernetes_groups from the leaf role instead of the root role.

Actions

For all users, we recommend upgrading the Teleport Proxy process.

For Application Access users, we also recommend upgrading the Application Access processes.

For Trusted Cluster users, we also recommend upgrading the Teleport Auth process within both leaf and root clusters.

For Kubernetes Access users who rely on Trusted Clusters, we recommend reviewing the leaf cluster roles and making sure that they grant the correct kubernetes_users and kubernetes_groups.

Upgrades should follow the normal Teleport upgrade procedure: https://goteleport.com/teleport/docs/admin-guide/#upgrading-teleport.

Download

Download one of the following releases to mitigate the issue:

  • Enterprise 5.2.0
  • Enterprise 4.4.8
  • Enterprise 4.3.10

All current and previous releases of Enterprise can be downloaded from https://dashboard.goteleport.com.

teleport - Teleport 6.0.0-rc.1

Published by webvictim over 3 years ago

This release of Teleport contains a number of improvements and bug fixes.

  • Added tsh env command: #5395
  • OSS RBAC: #5419
  • Add MySQL support for database access: #5453
  • Implement utmp/wtmp support: #5491
  • Apply traits to kube, app and database labels: #5597
  • Add kube_public_addr config field to proxy_service: #5611

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 5.1.2

Published by webvictim over 3 years ago

This release of Teleport contains multiple bug fixes.

Description

  • Fix truncated audit log when using DynamoDB #5381
  • Determine node registration method based on server port #5347
  • Propagate username updates in tsh #5323
  • Always enable proxy protocol support for Kubernetes listeners #5299
  • Always register access requests against root cluster #5226
  • Tweaks for Kubernetes support detection in tsh #5172
  • Augment session events with cluster name #4994

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 6.0.0-alpha.2

Published by r0mant over 3 years ago

This release of Teleport contains a number of improvements and bug fixes.

  • Enable proxy protocol support for Teleport Kubernetes proxy service: #5299.
  • Update tsh db ls command to include connection information and add tsh db config command: #5319.
  • Fix authentication failure when logging in via CLI with Access Workflows after removing .tsh directory: #5323.
  • Rename Database Access service database role to db: #5359.
  • Fix tsh login failure when --proxy differs from actual proxy public address: #5380.

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 4.4.7

Published by fspmarshall almost 4 years ago

This release of Teleport contains multiple bug fixes.

  • Fixed an issue where the request_access: reason role option was triggering
    the reason dialogue when opening new tabs/windows in Firefox.

  • Ensure tsh always registers access requests against root cluster: #5226

  • Ensure that tsh uses the correct username after login with an external identity provider: #5323

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 6.0.0-alpha.1

Published by r0mant almost 4 years ago

This release of Teleport introduces Database Access with PostgreSQL support.

See Database Access Preview docs for more information.

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.