The easiest, and most secure way to access and protect all of your infrastructure.
AGPL-3.0 License
This release of Teleport adds a new feature.
NOTE: The new Access Requests section of the UI (accessed via the Activity dropdown) is currently only available to users that hold the read and list permissions for the access_request resource. This requirement will be lifted in a future patch release so that all users can always see their own requests.
Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.
Published by russjones almost 4 years ago
This release of Teleport contains a security fix.
github.com/russellhaering/gosaml2
A vulnerability was discovered in the github.com/russellhaering/gosaml2 library which is used by Teleport for SSO authentication via the SAML protocol.
With a carefully crafted SAML response, an attacker could inject malicious content, bypassing signature validation, permitting full authentication bypass.
All Enterprise SSO users using Okta, Active Directory, OneLogin or custom SAML connectors should upgrade their auth servers to the latest release of Teleport.
If you are unable to upgrade immediately, we suggest disabling SAML connectors for all clusters until the updates can be applied.
Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.
Published by russjones almost 4 years ago
This release of Teleport contains a security fix.
github.com/russellhaering/gosaml2
A vulnerability was discovered in the github.com/russellhaering/gosaml2 library which is used by Teleport for SSO authentication via the SAML protocol.
With a carefully crafted SAML response, an attacker could inject malicious content, bypassing signature validation, permitting full authentication bypass.
All Enterprise SSO users using Okta, Active Directory, OneLogin or custom SAML connectors should upgrade their auth servers to the latest release of Teleport.
If you are unable to upgrade immediately, we suggest disabling SAML connectors for all clusters until the updates can be applied.
Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.
Published by fspmarshall almost 4 years ago
This release of Teleport contains a security fix and a bug fix.
github.com/russellhaering/gosaml2
tsh login would fail with an AccessDenied error if the user was previously logged into a leaf cluster. #5105
A vulnerability was discovered in the github.com/russellhaering/gosaml2 library which is used by Teleport for SSO authentication via the SAML protocol.
With a carefully crafted SAML response, an attacker could inject malicious content, bypassing signature validation, permitting full authentication bypass.
All Enterprise SSO users using Okta, Active Directory, OneLogin or custom SAML connectors should upgrade their auth servers to the latest release of Teleport.
If you are unable to upgrade immediately, we suggest disabling SAML connectors for all clusters until the updates can be applied.
Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.
Published by webvictim almost 4 years ago
This release of Teleport contains multiple bug fixes.
kubectl logs -f, kubectl run -it, etc.) #5009
Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.
Published by webvictim almost 4 years ago
Teleport 5.0 is a major release with new features, functionality, and bug fixes. Users can review 5.0 closed issues on Github for details of all items.
Teleport 5.0 introduces two distinct features: Teleport Application Access and significant Kubernetes Access improvements - multi-cluster support.
Teleport can now be used to provide secure access to web applications. This new feature was built with the express intention of securing internal apps which might have once lived on a VPN or had a simple authorization and authentication mechanism with little to no audit trail. Application Access works with everything from dashboards to single page Javascript applications (SPA).
Application Access uses mutually authenticated reverse tunnels to establish a secure connection with the Teleport unified Access Plane, which then becomes the single ingress point for all traffic to an internal application.
Adding an application follows the same UX as adding SSH servers or Kubernetes clusters, starting with creating a static or dynamic invite token.
$ tctl tokens add --type=app
Then simply start Teleport with a few new flags.
$ teleport start --roles=app --token=xyz --auth-server=proxy.example.com:3080 \
--app-name="example-app" \
--app-uri="http://localhost:8080"
This command will start an app server that proxies the application "example-app" running at http://localhost:8080 at the public address https://example-app.example.com.
Applications can also be configured using the new app_service section in teleport.yaml.
app_service:
# Teleport Application Access is enabled.
enabled: yes
# We've added a default sample app that will check
# that Teleport Application Access is working
# and output JWT tokens.
# https://dumper.teleport.example.com:3080/
debug_app: true
apps:
# Application Access can be used to proxy any HTTP endpoint.
# Note: Name can't include any spaces and should be DNS-compatible A-Za-z0-9-._
- name: "internal-dashboard"
uri: "http://10.0.1.27:8000"
# By default Teleport will make this application
# available on a sub-domain of your Teleport proxy's hostname
# internal-dashboard.teleport.example.com
# - thus the importance of setting up wildcard DNS.
# If you want, it's possible to set up a custom public url.
# DNS records should point to the proxy server.
# internal-dashboard.teleport.example.com
# Example Public URL for the internal-dashboard app.
# public_addr: "internal-dashboard.acme.com"
# Optional labels
# Labels can be combined with RBAC rules to provide access.
labels:
customer: "acme"
env: "production"
# Optional dynamic labels
commands:
- name: "os"
command: ["/usr/bin/uname"]
period: "5s"
# A proxy can support multiple applications. Application Access
# can also be deployed with a Teleport node.
- name: "arris"
uri: "http://localhost:3001"
public_addr: "arris.example.com"
Application access requires two additional changes. DNS must be updated to point the application domain to the proxy and the proxy must be loaded with a TLS certificate for the domain. Wildcard DNS and TLS certificates can be used to simplify deployment.
# When adding the app_service certificates are required to provide a TLS
# connection. The certificates are managed by the proxy_service
proxy_service:
# We've extended support for https certs. Teleport can now load multiple
# TLS certificates. In the below example we've obtained a wildcard cert
# that'll be used for proxying the applications.
# The correct certificate is selected based on the hostname in the HTTPS
# request using SNI.
https_keypairs:
- key_file: /etc/letsencrypt/live/teleport.example.com/privkey.pem
cert_file: /etc/letsencrypt/live/teleport.example.com/fullchain.pem
- key_file: /etc/letsencrypt/live/*.teleport.example.com/privkey.pem
cert_file: /etc/letsencrypt/live/*.teleport.example.com/fullchain.pem
You can learn more at https://goteleport.com/teleport/docs/application-access/
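The https_keypairs block above relies on the proxy picking the right certificate from the SNI host name in each ClientHello, and on the wildcard certificate covering only one DNS label (so it serves internal-dashboard.teleport.example.com but not teleport.example.com itself or anything nested a level deeper). The following Go program is an added example, not Teleport's own code: it generates two self-signed in-memory certificates in place of the Let's Encrypt files, selects between them with the standard library's hostname rules, and wires the selector into a tls.Config the way a proxy would. The fallback to the first keypair when a client sends no SNI is this example's choice, not documented Teleport behaviour.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds an in-memory self-signed certificate valid for the given
// DNS names. It stands in for the Let's Encrypt files named in https_keypairs
// so the example runs offline; a real proxy would use tls.LoadX509KeyPair.
func selfSigned(dnsNames ...string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// selectByName returns the first keypair whose leaf certificate is valid for
// the requested SNI host, using the same rules a browser applies: a
// "*.teleport.example.com" SAN covers exactly one label, so it matches
// internal-dashboard.teleport.example.com but neither teleport.example.com
// nor a.b.teleport.example.com. An empty SNI (old clients, access by IP)
// falls back to the first keypair; that fallback is this example's choice.
func selectByName(pairs []tls.Certificate, serverName string) (*tls.Certificate, error) {
	if len(pairs) == 0 {
		return nil, fmt.Errorf("no https keypairs configured")
	}
	if serverName == "" {
		return &pairs[0], nil
	}
	for i := range pairs {
		if pairs[i].Leaf != nil && pairs[i].Leaf.VerifyHostname(serverName) == nil {
			return &pairs[i], nil
		}
	}
	return nil, fmt.Errorf("no certificate covers %q", serverName)
}

// newProxyTLSConfig wires the selector into GetCertificate, so the choice is
// made per handshake from the ClientHello rather than from one static cert.
func newProxyTLSConfig(pairs []tls.Certificate) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			return selectByName(pairs, hello.ServerName)
		},
	}
}

func main() {
	base, err := selfSigned("teleport.example.com")
	if err != nil {
		panic(err)
	}
	wild, err := selfSigned("*.teleport.example.com")
	if err != nil {
		panic(err)
	}
	cfg := newProxyTLSConfig([]tls.Certificate{base, wild})
	for _, host := range []string{"teleport.example.com", "internal-dashboard.teleport.example.com", "a.b.teleport.example.com"} {
		c, err := cfg.GetCertificate(&tls.ClientHelloInfo{ServerName: host})
		if err != nil {
			fmt.Printf("%-45s -> handshake would fail: %v\n", host, err)
			continue
		}
		fmt.Printf("%-45s -> served by %s\n", host, c.Leaf.DNSNames[0])
	}
}
```

The third host in main is the check worth remembering when planning public_addr values: an app published two labels below the proxy host name is not covered by a single-level wildcard and needs its own certificate entry.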
Teleport 5.0 also introduces two highly requested features for Kubernetes.
kubectl exec capture. For a full overview please review the Kubernetes RFD.
To support these changes, we've introduced a new service. This moves Teleport Kubernetes configuration from the proxy_service into its own dedicated kubernetes_service section.
When adding the new Kubernetes service, a new type of join token is required.
tctl tokens add --type=kube
Example configuration for the new kubernetes_service:
# ...
kubernetes_service:
enabled: yes
listen_addr: 0.0.0.0:3027
kubeconfig_file: /secrets/kubeconfig
Note: a Kubernetes port still needs to be configured in the proxy_service via kube_listen_addr.
tsh kube commands are used to query registered clusters and switch kubeconfig context:
$ tsh login --proxy=proxy.example.com --user=awly
# list all registered clusters
$ tsh kube ls
Cluster Name Status
------------- ------
a.k8s.example.com online
b.k8s.example.com online
c.k8s.example.com online
# on login, kubeconfig is pointed at the first cluster (alphabetically)
$ kubectl config current-context
proxy.example.com-a.k8s.example.com
# but all clusters are populated as contexts
$ kubectl config get-contexts
CURRENT NAME CLUSTER AUTHINFO
* proxy.example.com-a.k8s.example.com proxy.example.com proxy.example.com-a.k8s.example.com
proxy.example.com-b.k8s.example.com proxy.example.com proxy.example.com-b.k8s.example.com
proxy.example.com-c.k8s.example.com proxy.example.com proxy.example.com-c.k8s.example.com
# switch between different clusters:
$ tsh kube login c.k8s.example.com
# the traditional way is also supported:
$ kubectl config use-context proxy.example.com-c.k8s.example.com
# check current cluster
$ kubectl config current-context
proxy.example.com-c.k8s.example.com
Other Kubernetes changes:
We've added two new RBAC resources; these provide the ability to limit token creation and to list and modify Teleport users:
- resources: [user]
verbs: [list,create,read,update,delete]
- resources: [token]
verbs: [list,create,read,update,delete]
Learn more about Teleport's RBAC Resources
Teleport 5.0 also adds the ability to set labels on Trusted Clusters. The labels are set when creating a trusted cluster invite token. This lets teams use the same RBAC controls used on nodes to approve or deny access to clusters. This can be especially useful for MSPs that connect hundreds of customers' clusters - when combined with Access Workflows, cluster access can easily be delegated. Learn more by reviewing our Trusted Cluster Setup & RBAC Docs
Creating a trusted cluster join token for a production environment:
$ tctl tokens add --type=trusted_cluster --labels=env=prod
kind: role
#...
deny:
# cluster labels control what clusters user can connect to. The wildcard ('*')
# means any cluster. By default, deny rules are empty to preserve backwards
# compatibility
cluster_labels:
'env': 'prod'
Teleport 5.0 also iterates on the UI Refresh from 4.3. We've moved the cluster list into our sidebar and have added an Application launcher. For customers moving from 4.4 to 5.0, you'll notice that we have moved session recordings back to their own dedicated section.
Other updates:
https://[cluster-url]/web/users, providing the ability to easily edit, reset and delete local users.
Starting with Teleport 5.0, we now provide an RPM repo for stable releases of Teleport. We've also started signing our RPMs to provide assurance that you're always using an official build of Teleport. See https://rpm.releases.teleport.dev/ for more details.
--format=json playback option for tsh play. For example tsh play --format=json ~/play/0c0b81ed-91a9-4a2a-8d7c-7495891a6ca0.tar | jq '.event' can be used to show all events within a local archive. #4578
https_keypairs field which replaces https_key_file and https_cert_file. This allows administrators to load multiple HTTPS certs for Teleport Application Access. Teleport 5.0 is backwards compatible with the old format, but we recommend updating your configuration to use https_keypairs.
Enterprise Only: tctl can load credentials from ~/.tsh #4678
tctl to always format resources as lists in JSON/YAML. #4281
tsh status to now print Kubernetes status. #4348
loginuid.so. #3245
access denied to Proxy log spam. #2920
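The --format=json playback option above makes a session archive consumable by tools other than jq. The Go program below is an added example, not Teleport's or tsh's own code: it reads newline-delimited JSON events (a constructed sample is embedded so it runs offline), groups them by session id, flags sessions that never reached session.end, and pulls out commands that invoked sudo or su. The field names event, time, user and sid follow Teleport's common audit fields; the exec events with a command field and the session contents are constructed for the example, and the sudo/su filter is a deliberately simple review rule, not a Teleport feature. Because it groups by sid, the same code also works on an exported audit log containing many sessions, not only the single session a tsh play archive holds.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// auditEvent carries the fields this example reads from each JSON event.
// "event", "time", "user" and "sid" are Teleport's common event fields;
// "command" is read from exec events. Everything else in an event is ignored.
type auditEvent struct {
	Event   string `json:"event"`
	Time    string `json:"time"`
	User    string `json:"user"`
	SID     string `json:"sid"`
	Command string `json:"command,omitempty"`
}

// sessionSummary is what a reviewer wants per session: who, what ran, whether
// the session closed cleanly, and a count of every event type seen.
type sessionSummary struct {
	SID      string
	User     string
	Commands []string
	Started  bool
	Ended    bool
	Counts   map[string]int
}

// sampleEvents is constructed for the example: one complete session and one
// that never reached session.end (network loss, node crash, or still open at
// export time). It mimics the one-event-per-line shape of tsh play --format=json.
const sampleEvents = `{"event":"session.start","time":"2020-12-01T10:00:00Z","user":"alice","sid":"0c0b81ed-91a9-4a2a-8d7c-7495891a6ca0"}
{"event":"exec","time":"2020-12-01T10:00:05Z","user":"alice","sid":"0c0b81ed-91a9-4a2a-8d7c-7495891a6ca0","command":"id"}
{"event":"exec","time":"2020-12-01T10:00:09Z","user":"alice","sid":"0c0b81ed-91a9-4a2a-8d7c-7495891a6ca0","command":"sudo cat /etc/shadow"}
{"event":"session.end","time":"2020-12-01T10:01:00Z","user":"alice","sid":"0c0b81ed-91a9-4a2a-8d7c-7495891a6ca0"}
{"event":"session.start","time":"2020-12-01T11:00:00Z","user":"bob","sid":"4f3d2c1b-0000-4000-8000-000000000001"}
{"event":"exec","time":"2020-12-01T11:00:02Z","user":"bob","sid":"4f3d2c1b-0000-4000-8000-000000000001","command":"uptime"}
`

// summarize parses newline-delimited JSON events and groups them by session id.
// Malformed lines are reported rather than silently dropped: a gap in an audit
// stream is itself a finding.
func summarize(jsonl string) (map[string]*sessionSummary, []error) {
	sessions := map[string]*sessionSummary{}
	var errs []error
	sc := bufio.NewScanner(strings.NewReader(jsonl))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev auditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			errs = append(errs, fmt.Errorf("line %d: %w", n, err))
			continue
		}
		s := sessions[ev.SID]
		if s == nil {
			s = &sessionSummary{SID: ev.SID, User: ev.User, Counts: map[string]int{}}
			sessions[ev.SID] = s
		}
		s.Counts[ev.Event]++
		switch ev.Event {
		case "session.start":
			s.Started = true
		case "session.end":
			s.Ended = true
		case "exec":
			s.Commands = append(s.Commands, ev.Command)
		}
	}
	if err := sc.Err(); err != nil {
		errs = append(errs, err)
	}
	return sessions, errs
}

// privilegedCommands returns the commands in a session whose first word is
// sudo or su. A real detection rule would be richer; this is the review filter.
func privilegedCommands(s *sessionSummary) []string {
	var out []string
	for _, c := range s.Commands {
		f := strings.Fields(c)
		if len(f) > 0 && (f[0] == "sudo" || f[0] == "su") {
			out = append(out, c)
		}
	}
	return out
}

func main() {
	sessions, errs := summarize(sampleEvents)
	for _, err := range errs {
		fmt.Println("parse error:", err)
	}
	ids := make([]string, 0, len(sessions))
	for id := range sessions {
		ids = append(ids, id)
	}
	sort.Strings(ids) // deterministic output for reading side by side
	for _, id := range ids {
		s := sessions[id]
		fmt.Printf("session %s user=%s events=%v complete=%v\n", s.SID, s.User, s.Counts, s.Started && s.Ended)
		for _, c := range privilegedCommands(s) {
			fmt.Printf("  privileged: %s\n", c)
		}
	}
}
```

To run it against a real archive, replace sampleEvents with the output of tsh play --format=json on the .tar file; the "complete" flag is the quick way to spot recordings that were cut off before session.end.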
We've added an API Reference to simplify developing applications against Teleport.
Please follow our standard upgrade procedure.
https_key_file & https_cert_file to our new https_keypairs: format.
proxy_service to kubernetes_service after the upgrade.
Published by russjones almost 4 years ago
Pre-releases are not production ready, use at your own risk!
CHANGELOG available at https://github.com/gravitational/teleport/pull/4785.
Download the current and previous releases of Teleport at https://gravitational.com/teleport/download
Published by webvictim almost 4 years ago
Pre-releases are not production ready, use at your own risk!
Download the current and previous releases of Teleport at https://gravitational.com/teleport/download
Published by webvictim almost 4 years ago
This release of Teleport contains a bug fix.
Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.
Published by russjones almost 4 years ago
Pre-releases are not production ready, use at your own risk!
Download the current and previous releases of Teleport at https://gravitational.com/teleport/download
Published by fspmarshall almost 4 years ago
This release of Teleport adds enhancements to the Access Workflows API.
Support for creating limited roles that trigger access requests
on login, allowing users to be configured such that no nodes can
be accessed without externally granted roles.
Teleport UI support for automatically generating access requests and
assuming new roles upon approval (access requests were previously
only available in tsh
).
New claims_to_roles
mapping that can use claims from external
identity providers to determine which roles a user can request.
Various minor API improvements to help make requests easier to
manage and audit, including support for human-readable
request/approve/deny reasons and structured annotations.
Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.
Published by webvictim almost 4 years ago
This release of Teleport adds support for a new build architecture.
Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.
Published by russjones almost 4 years ago
Pre-releases are not production ready, use at your own risk!
Download the current and previous releases of Teleport at https://gravitational.com/teleport/download
Published by russjones almost 4 years ago
Pre-releases are not production ready, use at your own risk!
Download the current and previous releases of Teleport at https://gravitational.com/teleport/download
Published by russjones almost 4 years ago
Pre-releases are not production ready, use at your own risk!
Download the current and previous releases of Teleport at https://gravitational.com/teleport/download
Published by russjones almost 4 years ago
Pre-releases are not production ready, use at your own risk!
Download the current and previous releases of Teleport at https://gravitational.com/teleport/download
Published by webvictim about 4 years ago
This release of Teleport contains a bug fix.
Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.
Published by russjones about 4 years ago
This is a major Teleport release with a focus on new features, functionality, and bug fixes. It’s a substantial release and users can review 4.4 closed issues on Github for details of all items.
This addition to Teleport helps customers obtain AC-10 control. We now provide two new optional configuration values: max_connections and max_sessions.
max_connections
This value is the total number of concurrent sessions within a cluster to nodes running Teleport. This value is applied at a per user level. If you set max_connections to 1, a tsh user would only be able to tsh ssh into one node at a time.
max_sessions per connection
This value limits the total number of session channels which can be established across a single SSH connection (typically used for interactive terminals or remote exec operations). This is for cases where nodes have Teleport set up, but a user is using OpenSSH to connect to them. It is essentially equivalent to the MaxSessions configuration value accepted by sshd.
spec:
options:
# Optional: Required to be set for AC-10 Compliance
max_connections: 2
# Optional: To match OpenSSH behavior set to 10
max_sessions: 10
session_control_timeout
A new session_control_timeout configuration value has been added to the auth_service configuration block of the Teleport config file. It's unlikely that you'll need to modify this.
auth_service:
session_control_timeout: 2m # default
# ...
Teleport 4.4 includes a complete refactoring of our event system. This resolved a few customer bug reports such as #3800: Events overwritten in DynamoDB and #3182: Teleport consuming all disk space with multipart uploads.
Along with foundational improvements, 4.4 includes two new experimental session_recording
options: node-sync
and proxy-sync
.
NOTE: These experimental modes require all Teleport auth servers, proxy servers and nodes to be running Teleport 4.4.
# This section configures the 'auth service':
auth_service:
# Optional setting for configuring session recording. Possible values are:
# "node" : sessions will be recorded on the node level (the default)
# "proxy" : recording on the proxy level, see "recording proxy mode" section.
# "off" : session recording is turned off
#
# EXPERIMENTAL *-sync modes: proxy and node send logs directly to S3 or other
# storage without storing the records on disk at all. This mode will kill a
# connection if network connectivity is lost.
# NOTE: These experimental modes require all Teleport auth servers, proxy servers and
# nodes to be running Teleport 4.4.
#
# "node-sync" : sessions recording will be streamed from node -> auth -> storage
# "proxy-sync" : sessions recording will be streamed from proxy -> auth -> storage
#
session_recording: "node-sync"
kubeconfig via tctl auth sign. #4446
tsh ls. #4390
pam_authenticate on login #3966
kubectl exec sessions to terminate. #4377
tsh on Windows. #4347
tctl top so it runs without the debug flag and on dark terminals. #4282 #4231
/readyz endpoint to recover much quicker. #4223
Please follow our standard upgrade procedure.
Published by russjones about 4 years ago
Pre-releases are not production ready, use at your own risk!
Download the current and previous releases of Teleport at https://gravitational.com/teleport/download
Published by russjones about 4 years ago
Pre-releases are not production ready, use at your own risk!
Download the current and previous releases of Teleport at https://gravitational.com/teleport/download