The easiest, and most secure way to access and protect all of your infrastructure.
AGPL-3.0 License
Published by fheinecke 8 months ago
tsh status command. #38305
Download the current and previous releases of Teleport at https://goteleport.com/download.
Published by camscale 9 months ago
teleport-cluster Helm chart. #37481
--join-token has not been specified. #37448
tctl create commands. #36702
Published by camscale 9 months ago
Note: This is expected to be the last release in the v12 line. Users are encouraged to upgrade to a supported version.
Published by camscale 9 months ago
Published by r0mant 9 months ago
tsh AppID pre-flight check whenever possible. #37643
3.0.13. #37552
tsh FIDO2 backend re-written for improved responsiveness and reliability. #37538
teleport-cluster Helm chart. #37480
tsh uses wrong default username for auto-user provisioning enabled databases in remote clusters #37418
tbot proxy kube to support connecting to Kubernetes clusters using Machine ID when the Proxy is behind a L7 LB. #37157
tsh panic on Windows if WebAuthn.dll is missing. #36868
connect_to_node_attempts_total is always incremented when dialing hosts. #36739
tctl idp saml test-attribute-mapping command to test SAML IdP attribute mapping. #36662
Published by r0mant 9 months ago
Teleport 15 brings the following new major features and improvements:
In addition, this release includes several changes that affect existing functionality listed in the “Breaking changes” section below. Users are advised to review them before upgrading.
Teleport 15 leverages a new, more performant RDP engine, resulting in a smoother desktop access experience.
Teleport Device Trust now supports TPM joining on Linux devices.
Additionally, tsh proxy app can now solve device challenges, allowing users to enforce the use of a trusted device to access applications.
Teleport v15 introduces automatic SSH connection resumption if the network path between the client and the Teleport node is interrupted due to connectivity issues, and transparent connection migration if the control plane is gracefully upgraded.
The feature is active by default when a v15 client (tsh, OpenSSH or PuTTY configured by tsh config, or Teleport Connect) connects to a v15 Teleport node.
Users going through the Access Management UI flow to enroll RDS databases are now able to set up auto-discovery.
Teleport now allows users to enroll EKS clusters via the Access Management UI.
When adding a SAML application via Access Management UI, users are now able to configure attribute mapping and have Teleport fetch service provider's entity descriptor automatically.
Teleport 15 improves performance of receiving user/group updates from Okta by leveraging System for Cross-domain Identity Management (SCIM).
Note: This feature will come out in a later 15.0 patch release.
Teleport 15 supports the use of AWS Key Management Service (KMS) to store and handle the CA private key material used to sign all Teleport-issued certificates. When enabled, private key material never leaves AWS KMS.
To migrate existing clusters to AWS KMS, you must perform a CA rotation.
When Teleport is configured to require webauthn (second_factor: webauthn), administrative actions performed via tctl or the web UI will require an additional MFA tap.
Examples of administrative actions include, but are not limited to:
Note: when MFA for administrative actions is enabled, user certificates produced with tctl auth sign will no longer be suitable for automation due to the additional MFA checks, unless run directly on a local Auth server (legacy setup). We recommend using Machine ID to issue certificates for automated workflows, which uses role impersonation that is not subject to MFA checks.
Teleport Connect will now prompt for an MFA tap prior to accessing Kubernetes clusters when per-session MFA is enabled.
Additionally, Teleport Connect includes support for TCP and web applications, and can also launch AWS and SAML apps in a web browser.
Prior to Teleport 15, tsh play and the web UI would download the entire session recording before starting playback. As a result, playback of large recordings could be slow to start, and may fail to play at all in the browser.
In Teleport 15, session recordings are streamed from the auth server, allowing playback to start before the entire session is downloaded and unpacked.
Additionally, tsh play now supports a --speed flag for adjusting the playback speed, and desktop session playback now supports seeking to arbitrary positions in the recording.
Prior to Teleport 15, there was a dropdown in the sidebar between “Resources” and “Management,” and in the Resources mode, there were tabs in the sidebar for Access Requests and Active Sessions. In Teleport 15, all of the above have moved to tabs in a top navbar, and the Resources view is fully responsive across viewport widths. A side navbar still exists in the “Access Management” tab.
Prior to Teleport 15, Passkeys and MFA devices were shown in a single list on the “Account Settings” screen, without a clear distinction between them. In Teleport 15, these have been split into distinct lists so it is clearer which type of authentication you are adding to your account.
Prior to Teleport 15, the Teleport Kubernetes Operator had to run as a sidecar of the Teleport auth. It was not possible to use the operator in Teleport Cloud or against a Teleport cluster not deployed with the teleport-cluster Helm chart.
In Teleport 15, the Teleport Operator can reconcile resources in any Teleport cluster. Teleport Cloud users can now use the operator to manage their resources.
When deployed with the teleport-cluster chart, the operator now runs in a separate pod. This ensures that Teleport's availability won't be impacted if the operator becomes unready.
See the Standalone Operator guide for installation instructions.
Starting with Teleport 15, newly supported kinds will contain the resource version. For example: TeleportRoleV6 and TeleportRoleV7 kinds will allow users to create Teleport Roles v6 and v7.
Existing kinds will remain unchanged in Teleport 15, but will be renamed in Teleport 16 for consistency.
To migrate an existing Custom Resource (CR) TeleportRole to a TeleportRoleV7, you must:
1. Annotate the TeleportRole CR with teleport.dev/keep: "true"
2. Delete the TeleportRole CR (it won't delete the role in Teleport thanks to the annotation)
3. Create a TeleportRoleV7 CR with the same name

Teleport 15 now provides FIPS-compliant Linux builds on ARM64. Users will now be able to run Teleport in FedRAMP/FIPS mode on ARM64.
Additionally, Teleport 15 includes hardened AWS AMIs for ARM64.
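The operator CR migration described above, as an added example (this is not from the Teleport docs or the operator's own manifests). The role name example-role, the namespace teleport, the role spec, and the apiVersion values for the two kinds are assumptions made for this illustration; check them against the CRDs installed in your cluster. The kubectl delete between the two documents is the step the second document follows.

```yaml
# Added example (not from the Teleport docs): migrating an operator-managed
# role from the legacy TeleportRole kind to TeleportRoleV7 in Teleport 15.
#
# Step 1: annotate the existing CR so the operator keeps the Teleport role
# when the CR is deleted. The role name, namespace and spec are constructed
# for this illustration; the apiVersion is an assumption.
apiVersion: resources.teleport.dev/v5   # assumed apiVersion of the legacy kind
kind: TeleportRole
metadata:
  name: example-role
  namespace: teleport
  annotations:
    teleport.dev/keep: "true"
spec:
  allow:
    logins: ["ubuntu"]
    node_labels:
      env: ["dev"]
---
# Step 2 is `kubectl delete teleportrole example-role -n teleport`; because of
# the keep annotation the role stays in Teleport.
#
# Step 3: create the versioned CR with the same name so the operator adopts
# the existing role instead of creating a second one.
apiVersion: resources.teleport.dev/v1   # assumed apiVersion of the versioned kind
kind: TeleportRoleV7
metadata:
  name: example-role
  namespace: teleport
spec:
  allow:
    logins: ["ubuntu"]
    node_labels:
      env: ["dev"]
```

Keeping the name identical in step 3 is what lets the operator reconcile the existing Teleport role rather than attempt to create a duplicate; if the name differs, the operator will create a second role and the original, kept by the annotation, is left unmanaged.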
Teleport 15 includes a new RDP engine that leverages the RemoteFX codec for improved performance. Additional configuration may be required to enable RemoteFX on your Windows hosts.
If you are using our authentication package for local users, the v15 installer will automatically enable RemoteFX for you.
Alternatively, you can enable RemoteFX by updating the registry:
Set-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services' -Name 'ColorDepth' -Type DWORD -Value 5
Set-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services' -Name 'fEnableVirtualizedGraphics' -Type DWORD -Value 1
If you are using Teleport with Windows hosts that are part of an Active Directory environment, you should enable RemoteFX via group policy.
Under Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host, enable:
Detailed instructions are available in the setup guide. A reboot may be required for these changes to take effect.
tsh ssh
When running a command on multiple nodes with tsh ssh, each line of output is now labeled with the hostname of the node it was written by. Users that rely on parsing the output from multiple nodes should pass the --log-dir flag to tsh ssh, which will create a directory where the separated output of each node will be written.
drop host user creation mode
The drop host user creation mode has been removed in Teleport 15. It is replaced by insecure-drop, which still creates temporary users but does not create a home directory. Users who need home directory creation should either wrap useradd/userdel or use PAM.
The restricted session feature for SSH has been deprecated since Teleport 14 and has been removed in Teleport 15. We recommend implementing network restrictions outside of Teleport (iptables, security groups, etc).
deb.releases.teleport.dev and rpm.releases.teleport.dev were deprecated in Teleport 11. Beginning in Teleport 15, Debian and RPM packages will no longer be published to these repos. Teleport 14 and prior packages will continue to be published to these repos for the remainder of those releases' lifecycle.
All users are recommended to switch to the apt.releases.teleport.dev and yum.releases.teleport.dev repositories as described in the installation instructions.
The legacy package repos will be shut off in mid 2025 after Teleport 14 has been out of support for many months.
Teleport 15 contains several breaking changes to improve the default security and usability of Teleport-provided container images.
In order to increase default security in 15+, Teleport will no longer publish container images containing a shell and rich command line environment to Elastic Container Registry's gravitational/teleport image repo. Instead, all users should use the distroless images introduced in Teleport 12. These images can be found at:
For users who need a shell in a Teleport container, a "debug" image is available which contains BusyBox, including a shell and many CLI tools. Find the debug images at:
Do not run debug container images in production environments.
Heavy container images will continue to be published for Teleport 13 and 14 throughout the remainder of these releases' lifecycle.
Teleport Operator container images will no longer be published with architecture suffixes in their tags (for example: 14.2.1-amd64 and 14.2.1-arm). Instead, only a single tag will be published with multi-platform support (e.g., 15.0.0). If you use Teleport Operator images with an architecture suffix, remove the suffix and your client should automatically pull the platform-appropriate image. Individual architectures may be pulled with docker pull --platform <arch>.
The quay.io container registry was deprecated and Teleport 12 is the last version to publish images to quay.io. With Teleport 15's release, v12 is no longer supported and no new container images will be published to quay.io.
For Teleport 8+, replacement container images can be found in Teleport's public ECR registry.
Users who wish to continue to use unsupported container images prior to Teleport 8 will need to download any quay.io images they depend on and mirror them elsewhere before July 2024. Following brownouts in May and June, Teleport will disable pulls from all Teleport quay.io repositories on Wednesday July 3, 2024.
Teleport 15 contains several breaking changes to improve the default security and usability of Teleport-provided Amazon AMIs.
Teleport-provided Amazon Linux 2023 previously only supported x86_64/amd64. Starting with Teleport 15, arm64-based AMIs will be produced. However, the naming scheme for these AMIs has been changed to include the architecture.
teleport-oss-14.0.0-$TIMESTAMP
teleport-oss-15.0.0-x86_64-$TIMESTAMP
Teleport-provided Amazon Linux 2 AMIs were deprecated, and Teleport 14 is the last version to produce such legacy AMIs. With Teleport 15's release, only the newer hardened Amazon Linux 2023 AMIs will be produced.
The legacy AMIs will continue to be published for Teleport 13 and 14 throughout the remainder of these releases' lifecycle.
windows_desktop_service no longer writes to the NTAuth store
In Teleport 15, the process that periodically publishes Teleport's user CA to the Windows NTAuth store has been removed. It is not necessary for Teleport to perform this step since it must be done by an administrator at installation time. As a result, Teleport's service account can use more restrictive permissions.
The AWS terraform examples for Teleport clusters have been updated to use the newer hardened Amazon Linux 2023 AMIs. Additionally, the default architecture and instance type has been changed to ARM64/Graviton.
As a result of this modernization, the legacy monitoring stack configuration used with the legacy AMIs has been removed.
teleport-cluster Helm chart changes
Due to the new separate operator deployment, the operator is deployed by a subchart. This causes the following breaking changes:
installCRDs has been replaced by operator.installCRDs
teleportVersionOverride does not set the operator version anymore; you must use operator.teleportVersionOverride to override the operator version.
Note: version overrides are dangerous and not recommended. Each chart version is designed to run a specific Teleport and operator version. If you want to deploy a specific Teleport version, use Helm's --version X.Y.Z instead.
The operator now joins using a Kubernetes ServiceAccount token. To validate the token, the Teleport Auth Service must have access to the TokenReview API. The chart configures this for you since v12, unless you disabled rbac creation.
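As an added example (not from the teleport-cluster chart's own documentation), the following values.yaml fragments show the operator-related keys before and after this change, written as two YAML documents in one stream so the old and new layouts sit side by side. The operator.enabled key and the version strings are assumptions made for this illustration.

```yaml
# Added example (not from the teleport-cluster chart docs): the operator keys
# in values.yaml before and after Teleport 15. Two separate files are shown
# here as two documents; use only the relevant one for your chart version.
#
# teleport-cluster 14.x and earlier: operator settings are top-level keys.
operator:
  enabled: true                      # assumed key; enables the operator
installCRDs: true                    # top-level in 14.x
teleportVersionOverride: "14.3.0"    # constructed value; in 14.x this also set the operator version
---
# teleport-cluster 15.x: the operator is a subchart, so its keys move under
# `operator`. `installCRDs` at the top level is no longer honoured.
operator:
  enabled: true                      # assumed key
  installCRDs: true                  # replaces top-level installCRDs
  # Only set this if you deliberately want the operator to run a version
  # other than the one the chart ships. It is discouraged: pin the chart with
  # `helm upgrade ... --version X.Y.Z` instead of overriding versions here.
  # teleportVersionOverride: "15.0.0"   # constructed value, left disabled
```

A practical check before upgrading is to grep your existing values for the top-level installCRDs and teleportVersionOverride keys; on 15.x a top-level installCRDs silently stops installing CRDs, and the operator pod will then fail to reconcile resources whose CRDs are missing.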
Starting with Teleport 15, each Terraform resource must have its version specified. Before version 15, Terraform picked the latest version available on resource creation. This caused inconsistencies, as new resources created with the same manifest as old resources did not exhibit the same behavior.
Resource version is now immutable. Changing a resource version will cause Terraform to delete and re-create the resource. This ensures the correct defaults are set.
Existing resources will continue to work as Terraform already imported their version. However, new resources will require an explicit version.
The minimum password length for local users has been increased from 6 to 12 characters.
The account lockout interval has been increased from 20 to 30 minutes.
Published by r0mant 9 months ago
Pre-releases are not production ready, use at your own risk!
Published by r0mant 9 months ago
Published by r0mant 9 months ago
Published by camscale 9 months ago
tctl get access_list and support creating Access Lists without a next audit date. #36572
Published by camscale 9 months ago
tsh. #36528
refresh_identity = true preventing Access Plugins connecting to Teleport using TLS routing with a L7 LB. #36469
. and .. are no longer allowed. Please review the resources in your Teleport instance and rename any resources with these names before upgrading. #36404
tsh db ls -v. #36246
--insecure-no-resolve-image flag to the teleport-kube-agent-updater to disable image tag resolution if it cannot pull the image. #36097
Published by camscale 9 months ago
refresh_identity = true preventing Access Plugins connecting to Teleport using TLS routing with a L7 LB. #36470
. and .. are no longer allowed. Please review the resources in your Teleport instance and rename any resources with these names before upgrading. #36403
--insecure-no-resolve-image flag to the teleport-kube-agent-updater to disable image tag resolution if it cannot pull the image. #36098
Published by camscale 9 months ago
. and .. are no longer allowed. Please review the resources in your Teleport instance and rename any resources with these names before upgrading. #36402
Published by zmb3 10 months ago
This release of Teleport contains multiple security fixes, improvements and bug fixes.
DYLD_ variables. Documented under https://github.com/gravitational/teleport/security/advisories/GHSA-vfxf-76hv-v4w4 #36135
jose2go to version 1.5.1-0.20231206184617-48ba0b76bc88 #35984
lock.create audit events #35876
lock.create audit events #35864
labels: security-patch=yes, security-patch-alts=v12.4.31
Published by zmb3 10 months ago
This release of Teleport contains multiple security fixes, improvements and bug fixes.
DYLD_ variables. Documented under https://github.com/gravitational/teleport/security/advisories/GHSA-vfxf-76hv-v4w4 #36135
tsh latency command to monitor ssh connection latency in realtime #35916
include_enterprise_slug enabled. #35900
lock.create audit events #35874
saml_idp_service_provider spec. #35873
ssh-keyscan (#35647) #35859
teleport-kube-agent chart now supports passing extra arguments to the updater. #35831
teleport-kube-agent chart when using both appResources and the discovery role. #35783
tsh ssh #35750
static_hosts configuration field #35742
labels: security-patch=yes, security-patch-alts=v14.2.4
Published by zmb3 10 months ago
This release of Teleport contains multiple security fixes, improvements and bug fixes.
DYLD_ variables. Documented under https://github.com/gravitational/teleport/security/advisories/GHSA-vfxf-76hv-v4w4 #36135
jose2go to version 1.5.1-0.20231206184617-48ba0b76bc88 #35985
HeartbeatV2 around .Spec.CloudMetadata (#35912) #35924
lock.create audit events #35875
teleport-kube-agent chart now supports passing extra arguments to the updater #35832
labels: security-patch=yes, security-patch-alts=v13.4.13
Published by camscale 10 months ago
Published by camscale 10 months ago
/webapi/presetroles. #35462
--fips flag. #35111
tsh db connect <mongodb> to give reason on connection errors. #34909
Published by camscale 10 months ago
--fips flag. #35110
tsh db connect <mongodb> to give reason on connection errors. #34908
Published by r0mant 11 months ago
/webapi/presetroles. #35463
insecure-drop host user creation mode. #35403
rds:DescribeDBProxyTargets are no longer required for RDS Proxy discovery. #35389
1.21.5. #35371
cluster_auth_preferences to the shortcuts for cluster_auth_preference. #35329
podSecurityPolicy configurable in the teleport-kube-agent chart. #35320
tbot to misconfiguration of auth connectors when generating a Kubernetes output. #35309
tctl auth sign --tar. #34874