teleport

The easiest, and most secure way to access and protect all of your infrastructure.

AGPL-3.0 License

teleport - Teleport 4.4.0-rc.4

Published by russjones about 4 years ago

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download

teleport - Teleport 5.0.0-beta.3

Published by russjones about 4 years ago

Warning

Pre-releases are not production ready, use at your own risk!

teleport - Teleport 5.0.0-beta.2

Published by russjones about 4 years ago

Warning

Pre-releases are not production ready, use at your own risk!

teleport - Teleport 4.4.0-rc.3

Published by webvictim about 4 years ago

Warning

Pre-releases are not production ready, use at your own risk!

teleport - Teleport 4.3.7

Published by webvictim about 4 years ago

This release of Teleport contains a security fix and a bug fix.

  • Mitigated CVE-2020-15216 by updating github.com/russellhaering/goxmldsig.

Details

A vulnerability was discovered in the github.com/russellhaering/goxmldsig library which is used by Teleport to validate the
signatures of XML files used to configure SAML 2.0 connectors. With a carefully crafted XML file, an attacker can completely
bypass XML signature validation and pass off an altered file as a signed one.

Actions

The goxmldsig library has been updated upstream and Teleport 4.3.7 includes the fix. Any Enterprise SSO users using Okta,
Active Directory, OneLogin or custom SAML connectors should upgrade their auth servers to version 4.3.7 and restart Teleport.

If you are unable to upgrade immediately, we suggest deleting SAML connectors for all clusters until the updates can be applied.

  • Fixed an issue where DynamoDB connections made by Teleport would not respect the HTTP_PROXY or HTTPS_PROXY environment variables. #4271

teleport - Teleport 4.2.12

Published by webvictim about 4 years ago

This release of Teleport contains a security fix.

  • Mitigated CVE-2020-15216 by updating github.com/russellhaering/goxmldsig.

Details

A vulnerability was discovered in the github.com/russellhaering/goxmldsig library which is used by Teleport to validate the
signatures of XML files used to configure SAML 2.0 connectors. With a carefully crafted XML file, an attacker can completely
bypass XML signature validation and pass off an altered file as a signed one.

Actions

The goxmldsig library has been updated upstream and Teleport 4.2.12 includes the fix. Any Enterprise SSO users using Okta,
Active Directory, OneLogin or custom SAML connectors should upgrade their auth servers to version 4.2.12 and restart Teleport.

If you are unable to upgrade immediately, we suggest deleting SAML connectors for all clusters until the updates can be applied.

teleport - Teleport 4.1.11

Published by webvictim about 4 years ago

This release of Teleport contains a security fix.

  • Mitigated CVE-2020-15216 by updating github.com/russellhaering/goxmldsig.

Details

A vulnerability was discovered in the github.com/russellhaering/goxmldsig library which is used by Teleport to validate the
signatures of XML files used to configure SAML 2.0 connectors. With a carefully crafted XML file, an attacker can completely
bypass XML signature validation and pass off an altered file as a signed one.

Actions

The goxmldsig library has been updated upstream and Teleport 4.1.11 includes the fix. Any Enterprise SSO users using Okta,
Active Directory, OneLogin or custom SAML connectors should upgrade their auth servers to version 4.1.11 and restart Teleport.

If you are unable to upgrade immediately, we suggest deleting SAML connectors for all clusters until the updates can be applied.

teleport - Teleport 4.4.0-alpha.1

Published by webvictim about 4 years ago

Warning

Pre-releases are not production ready, use at your own risk!

teleport - Teleport 4.3.6

Published by webvictim about 4 years ago

This release of Teleport contains multiple bug fixes.

Description

  • Fixed an issue with prefix migration that could lead to loss of cluster state. #4299 #4345
  • Fixed an issue that caused excessively slow loading of the UI on large clusters. #4326
  • Updated /readyz endpoint to recover faster after node goes into degraded state. #4223
  • Added node UUID to debug logs to allow correlation between TCP connections and nodes. #4291

teleport - Teleport 4.3.5

Published by russjones about 4 years ago

This release of Teleport contains multiple bug fixes.

Description

  • Fixed issue that caused Teleport Docker images to be built incorrectly. #4201

This release also includes the following bug fixes from 4.3.4.

  • Fixed issue that caused intermittent login failures when using PAM modules like pam_loginuid.so and pam_selinux.so. #4133
  • Fixed issue that required users to manually verify a certificate when exporting an identity file. #4003
  • Fixed issue that prevented local user creation using Firestore. #4160
  • Fixed issue that could cause tsh to panic when using a PEM file. #4189

teleport - Teleport 4.3.2

Published by russjones about 4 years ago

This release of Teleport contains multiple bug fixes.

Description

  • Reverted base OS in container images to Ubuntu. #4054
  • Fixed an issue that prevented changing the path for the Audit Log. #3771
  • Fixed an issue that allowed servers with invalid labels to be added to the cluster. #4034
  • Fixed an issue that caused Cloud Firestore to panic on startup. #4041
  • Fixed an error that would cause Teleport to fail to load with the error "list of proxies empty". #4005
  • Fixed an issue that would prevent playback of Kubernetes sessions. #4055
  • Fixed regressions in the UI. #4013 #4012 #4035 #4051 #4044

teleport - Teleport 4.3.0

Published by russjones over 4 years ago

This is a major Teleport release with a focus on new features, functionality, and bug fixes. It's a substantial release, and users can review the 4.3 closed issues on GitHub for details of all items. We would love your feedback - please pick a time slot for a remote UX feedback session if you're interested.

New Features

Web UI

Teleport 4.3 includes a completely redesigned Web UI. The new Web UI expands the management functionality available for a Teleport cluster and improves the user experience, making Teleport easier and simpler to use. Teleport's new terminal provides a quick jumping-off point to access nodes, including nodes on other clusters, via the web.

Teleport's Web UI now exposes Teleport's Audit log, letting auditors and administrators view Teleport access events, SSH events, recorded sessions, and enhanced session recording all in one view.

Teleport Plugins

Teleport 4.3 introduces four new plugins that work out of the box with Approval Workflow. These plugins allow you to automatically support role escalation with commonly used third party services. The built-in plugins are listed below.

Improvements

  • Added the ability for local users to reset their own passwords. #2387
  • Added user impersonation (kube_users) support to Kubernetes Proxy. #3369
  • Added support for third party S3-compatible storage for sessions. #3057
  • Added support for GCP backend data stores. #3766 #3014
  • Added support for X11 forwarding to OpenSSH servers. #3401
  • Added support for auth plugins in proxy kubeconfig. #3655
  • Added support for OpenSSH-like escape sequence. #3752
  • Added --browser flag to tsh. #3737
  • Updated teleport configure output to be more useful out of the box. #3429
  • Updated ability to only show SSO on the login page. #2789
  • Updated help and support section in Web UI. #3531
  • Updated default SSH signing algorithm to SHA-512 for new clusters. #3777
  • Standardized audit event fields.

Fixes

  • Fixed removing existing user definitions in kubeconfig. #3209
  • Fixed an issue where port forwarding could fail in certain circumstances. #3749
  • Fixed temporary role grants issue when forwarding Kubernetes requests. #3624
  • Fixed an issue that prevented copy/paste in the web terminal. #92
  • Fixed an issue where the proxy did not test Kubernetes permissions at startup. #3812
  • Fixed tsh and gpg-agent integration. #3169
  • Fixed vulnerabilities in the Teleport Docker image. https://quay.io/repository/gravitational/teleport?tab=tags

Documentation

Upgrade Notes

Always follow the recommended upgrade procedure to upgrade to this version.

New Signing Algorithm

If you're upgrading an existing version of Teleport, you may want to consider rotating the CA to use SHA-256 or SHA-512 for RSA SSH certificate signatures. The previous default was SHA-1, which is now considered to be weak against brute-force attacks. SHA-1 certificate signatures are also no longer accepted by OpenSSH versions 8.2 and above. All new Teleport clusters will default to SHA-512 based signatures. To upgrade an existing cluster, set the following in your teleport.yaml:

teleport:
    ca_signature_algo: "rsa-sha2-512"

Rotate the cluster CA, following these docs.
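
To check whether certificates issued before or after the rotation still carry a SHA-1 signature, the signature algorithm can be read from the certificate itself. The following is an added example, not Teleport's code: it walks the OpenSSH certificate wire format and reports the CA signature algorithm, where "ssh-rsa" means RSA with SHA-1. The function names are hypothetical, and the sample certificate is constructed inline with dummy key and signature bytes.

```python
import base64
import struct

# Public-key fields after the nonce per cert type: RSA (e, n), Ed25519 (pk).
KEY_FIELDS = {"ssh-rsa-cert-v01@openssh.com": 2, "ssh-ed25519-cert-v01@openssh.com": 1}

def _put(b):
    """Encode an SSH 'string': uint32 length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def _get(buf, off):
    """Decode one SSH 'string' at off; return (value, next offset)."""
    end = off + 4 + int.from_bytes(buf[off:off + 4], "big")
    if off + 4 > len(buf) or end > len(buf):
        raise ValueError("truncated certificate")
    return buf[off + 4:end], end

def cert_signature_algo(line):
    """Return (CA key type, signature algorithm) for one *-cert.pub line."""
    blob = base64.b64decode(line.split()[1])
    ctype, off = _get(blob, 0)
    nkey = KEY_FIELDS.get(ctype.decode(errors="replace"))
    if nkey is None:
        raise ValueError("unsupported certificate type")
    # None = length-prefixed field, int = fixed-width bytes (serial+type, validity).
    layout = [None] * (1 + nkey) + [12, None, None, 16, None, None, None]
    for width in layout:
        off = off + width if width else _get(blob, off)[1]
    ca_key, off = _get(blob, off)
    sig, _ = _get(blob, off)
    return _get(ca_key, 0)[0].decode(), _get(sig, 0)[0].decode()

def is_sha1_signed(line):
    """True when the CA signed with 'ssh-rsa', i.e. RSA with SHA-1."""
    return cert_signature_algo(line)[1] == "ssh-rsa"

def make_sample(sig_algo):
    """Constructed RSA user cert: real layout, dummy key and signature bytes."""
    rsa = _put(b"\x01\x00\x01") + _put(b"\x00" + b"\xaa" * 8)
    body = (_put(b"ssh-rsa-cert-v01@openssh.com") + _put(b"N" * 16) + rsa
            + struct.pack(">QI", 1, 1) + _put(b"alice") + _put(_put(b"root"))
            + struct.pack(">QQ", 0, 2**64 - 1) + _put(b"") * 3
            + _put(_put(b"ssh-rsa") + rsa) + _put(_put(sig_algo) + _put(b"\0" * 8)))
    return "ssh-rsa-cert-v01@openssh.com " + base64.b64encode(body).decode()

if __name__ == "__main__":
    print({a: is_sha1_signed(make_sample(a)) for a in (b"ssh-rsa", b"rsa-sha2-512")})
```

Against real certificates, pass the single line of a `*-cert.pub` file to `cert_signature_algo`; after a completed rotation, newly issued RSA-signed certificates should report `rsa-sha2-512`.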

Web UI

Due to the number of changes included in the redesigned Web UI, some URLs and functionality have shifted. Refer to the following ticket for more details. #3580

Kubernetes Permissions

The minimum set of Kubernetes permissions that need to be granted to Teleport proxies has been updated. If you use the Kubernetes integration, please make sure that the ClusterRole used by the proxy has sufficient permissions.

Path prefix for etcd

The etcd backend now correctly uses the “prefix” config value when storing data. Upgrading from 4.2 to 4.3 will migrate the data as needed at startup. Make sure you follow our Teleport upgrade guidance.

Note: If you use an etcd backend with a non-default prefix and need to downgrade from 4.3 to 4.2, you should back up Teleport data and restore it into the downgraded cluster.

teleport - Teleport 4.2.11

Published by russjones over 4 years ago

This release of Teleport contains multiple bug fixes.

Description

  • Fixed an issue that prevented upload of session archives to NFS volumes. #3780
  • Fixed an issue with port forwarding that prevented TCP connections from being closed correctly. #3801
  • Fixed an issue in tsh that would cause connections to the Auth Server to fail on large clusters. #3872
  • Fixed an issue that prevented the use of Write-Only roles with S3 and GCS. #3810

teleport - Teleport 4.3.0-alpha.2

Published by webvictim over 4 years ago

Warning

Pre-releases are not production ready, use at your own risk!

teleport - Teleport 4.2.10

Published by russjones over 4 years ago

This release of Teleport contains multiple bug fixes.

Description

  • Fixed an issue that caused Teleport environment variables not to be available in PAM modules. #3725
  • Fixed an issue with tsh login <clusterName> not working correctly with Kubernetes clusters. #3693

teleport - Teleport 4.2.9

Published by russjones over 4 years ago

This release of Teleport contains multiple bug fixes.

Description

  • Fixed an issue where double tsh login would be required to login to a leaf cluster. #3639
  • Fixed an issue that was preventing connection reuse. #3613
  • Fixed an issue that could cause tsh ls to return stale results. #3536

teleport - Teleport 4.2.9-beta.2

Published by russjones over 4 years ago

Warning

Pre-releases are not production ready, use at your own risk!

teleport - Teleport 4.2.9-beta.1

Published by russjones over 4 years ago

Warning

Pre-releases are not production ready, use at your own risk!

teleport - Teleport 4.2.8

Published by russjones over 4 years ago

This release of Teleport contains multiple bug fixes.

Description

  • Fixed issue where ^C would not terminate tsh. #3456
  • Fixed an issue where enhanced session recording could cause Teleport to panic. #3506

teleport - Teleport 4.2.7

Published by russjones over 4 years ago

As part of a routine security audit of Teleport, a security vulnerability was discovered that affects all recent releases of Teleport. We strongly suggest upgrading to the latest patched release to mitigate this vulnerability.

Details

Due to a flaw in how the Teleport Web UI handled host certificate validation, host certificate validation was disabled for clusters where connections were terminated at the node. This means that an attacker could impersonate a Teleport node without detection when connecting through the Web UI.

Clusters where sessions were terminated at the proxy (recording proxy mode) are not affected.

Command line programs like tsh (or ssh) are not affected by this vulnerability.

Actions

To mitigate this issue, upgrade and restart all Teleport proxy processes.
