teleport

The easiest, and most secure way to access and protect all of your infrastructure.

AGPL-3.0 License

Stars
17.1K
Committers
305

teleport - Teleport 16.1.4 Latest Release

Published by fheinecke 2 months ago

Description

  • Improved tsh ssh performance for concurrent execs. #45162
  • Fixed issue with loading cluster features when agents are upgraded prior to auth. #45226
  • Updated Go to 1.22.6. #45194

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Download the current release of Teleport plugins from the links below.

teleport - Teleport 16.1.3

Published by camscale 2 months ago

Description

  • Fixed an issue where tsh aws may display extra text in addition to the original command output. #45168
  • Fixed regression that denied access to launch some Apps. #45149
  • Bot resources now honor their metadata.expires field. #45130
  • Teleport Connect now sets TERM_PROGRAM: Teleport_Connect and TERM_PROGRAM_VERSION: <app_version> environment variables in the integrated terminal. #45063
  • Fixed a panic in the Microsoft Teams plugin when it receives an error. #45011
  • Added a background item for VNet in Teleport Connect; VNet now prompts for a password only during the first launch. #44994
  • Added warning on tbot startup when the requested certificate TTL exceeds the maximum allowed value. #44989
  • Fixed a race condition between session recording uploads and session recording upload cleanup. #44978
  • Prevented Kubernetes per-Resource RBAC from blocking access to namespaces when denying access to a single resource kind in every namespace. #44974
  • SSO login flows can now authorize web sessions with Device Trust. #44906
  • Added support for Kubernetes Workload Attestation into Teleport Workload Identity to allow the authentication of pods running within Kubernetes without secrets. #44883

Enterprise:

  • Fixed a redirection issue with the SAML IdP authentication middleware which prevented users from signing into the service provider when a SAML authentication request was made with an HTTP-POST binding protocol and users didn't already have an active session with Teleport.
  • SAML applications can now be deleted from the Web UI.

teleport - Teleport 16.1.1

Published by r0mant 3 months ago

Description

  • Added option to allow client redirects from IPs in specified CIDR ranges in SSO client logins. #44846
  • Machine ID can now be configured to use Kubernetes Secret destinations from the command line using the kubernetes-secret schema. #44801
  • Prevent discovery service from overwriting Teleport dynamic resources that have the same name as discovered resources. #44785
  • Reduced the probability that the event-handler deadlocks when encountering errors processing session recordings. #44771
  • Improved event-handler diagnostics by providing a way to capture profiles dynamically via SIGUSR1. #44758
  • Teleport Connect now uses ConPTY for better terminal resizing and accurate color rendering on Windows, with an option to disable it in the app config. #44742
  • Fixed event-handler Helm charts using the wrong command when starting the event-handler container. #44697
  • Improved stability of very large Teleport clusters during temporary backend disruption/degradation. #44694
  • Resolved compatibility issue with Paramiko and Machine ID's SSH multiplexer SSH agent. #44673
  • Teleport no longer creates invalid SAML Connectors when calling tctl get saml/<connector-name> | tctl create -f without the --with-secrets flag. #44666
  • Fixed a fatal error in tbot when unable to lookup the user from a given UID in containerized environments for checking ACL configuration. #44645
  • Fixed Application Access regression where an HTTP header wasn't set in forwarded requests. #44628
  • Added Server auto-discovery support for Rocky and AlmaLinux distros. #44612
  • Use the registered port of the target host when tsh puttyconfig is invoked without --port. #44572
  • Added more icons for guessing application icon by name or by label teleport.icon in the web UI. #44566
  • Remove deprecated S3 bucket option when creating or editing AWS OIDC integration in the web UI. #44485
  • Fixed terminal sessions with a database CLI client in Teleport Connect hanging indefinitely if the client cannot be found. #44465
  • Added application-tunnel service to Machine ID for establishing a long-lived tunnel to a HTTP or TCP application for Machine to Machine access. #44443
  • Fixed a regression that caused Teleport Connect to fail to start on Intel Macs. #44435
  • Improved auto-discovery resiliency by recreating Teleport configuration when the node fails to join the cluster. #44432
  • Fixed a low-probability panic in audit event upload logic. #44425
  • Fixed Teleport Connect binaries not being signed correctly. #44419
  • Prevented DoSing the cluster during a mass failed join event by agents. #44414
  • The availability filter is now a toggle to show (or hide) requestable resources. #44413
  • Moved PostgreSQL auto provisioning users procedures to pg_temp schema. #44409
  • Added audit events for AWS and Azure integration resource actions. #44403
  • Fixed automatic updates with previous versions of the teleport.yaml config. #44379
  • Added support for Rocky and AlmaLinux when enrolling a new server from the UI. #44332
  • Fixed PostgreSQL session playback not rendering queries line breaks correctly. #44315
  • Fixed Teleport access plugin tarballs containing a build directory, which was accidentally added upon v16.0.0 release. #44300
  • Prevented an infinite loop in DynamoDB event querying by advancing the cursor to the next day when the limit is reached at the end of a day with an empty iterator. This ensures the cursor does not reset to the beginning of the day. #44275
  • The clipboard sharing tooltip for desktop sessions now indicates why clipboard sharing is disabled. #44237
  • Prevented redirects to arbitrary URLs when launching an app. #44188
  • Added a --skip-idle-time flag to tsh play. #44013
  • Added audit events for discovery config actions. #43793
  • Enabled Access Monitoring Rules routing with Mattermost plugin. #43601
  • SAML application can now be deleted from the Web UI. #4778
  • Fixed an Access List permission bug where an access list owner, who is also a member, was not able to add/remove access list member. #4744
  • Fixed a bug in Web UI where clicking SAML GCP Workforce Identity Federation discover tile would throw an error, preventing use of the guided enrollment feature. #4720
  • Fixed an issue with incorrect yum/zypper updater packages being installed. #4684

teleport - Teleport 15.4.11

Published by camscale 3 months ago

Description

  • Fixed an issue that could cause auth servers to panic when their backend connectivity was interrupted. #44787
  • Reduced the probability that the event-handler deadlocks when encountering errors processing session recordings. #44772
  • Improved event-handler diagnostics by providing a way to capture profiles dynamically via SIGUSR1. #44759
  • Added support for Teams to Opsgenie plugin alert creation. #44330

teleport - Teleport 15.4.10

Published by camscale 3 months ago

Description

  • Improved stability of very large teleport clusters during temporary backend disruption/degradation. #44695
  • Resolved compatibility issue with Paramiko and Machine ID's SSH multiplexer SSH agent. #44672
  • Fixed a fatal error in tbot when unable to lookup the user from a given UID in containerized environments for checking ACL configuration. #44646
  • Fixed Application Access regression where an HTTP header wasn't set in forwarded requests. #44629
  • Use the registered port of the target host when tsh puttyconfig is invoked without --port. #44573
  • Added more icons for guessing application icon by name or by label teleport.icon in the web UI. #44568
  • Removed deprecated S3 bucket option when creating or editing AWS OIDC integration in the web UI. #44487
  • Fixed terminal sessions with a database CLI client in Teleport Connect hanging indefinitely if the client cannot be found. #44466
  • Added application-tunnel service to Machine ID for establishing a long-lived tunnel to a HTTP or TCP application for Machine to Machine access. #44446
  • Fixed a low-probability panic in audit event upload logic. #44424
  • Fixed Teleport Connect binaries not being signed correctly. #44420
  • Prevented DoSing the cluster during a mass failed join event by agents. #44415
  • Added audit events for AWS and Azure integration resource actions. #44404
  • Fixed automatic updates with previous versions of the teleport.yaml config. #44378
  • Added support for Rocky and AlmaLinux when enrolling a new server from the UI. #44331
  • Fixed Teleport access plugin tarballs containing a build directory, which was accidentally added upon v15.4.5 release. #44301
  • Prevented an infinite loop in DynamoDB event querying by advancing the cursor to the next day when the limit is reached at the end of a day with an empty iterator. This ensures the cursor does not reset to the beginning of the day. #44274
  • The clipboard sharing tooltip for desktop sessions now indicates why clipboard sharing is disabled. #44238
  • Fixed a kube-agent-updater bug affecting resolutions of private images. #44192
  • Prevented redirects to arbitrary URLs when launching an app. #44189
  • Added audit event field describing if the "MFA for admin actions" requirement changed. #44185
  • The teleport-cluster chart can now use existing ingresses instead of creating its own. #44147
  • Ensured that tsh login outputs accurate status information for the new session. #44144
  • Fixed "device trust mode x requires Teleport Enterprise" errors on tctl. #44134
  • Added a --skip-idle-time flag to tsh play. #44095
  • Added the tbot install systemd command for installing tbot as a service on Linux systems. #44082
  • Added ability to list access list members in json format in tctl cli tool. #44072
  • Made tbot compilable on Windows. #44070
  • For Slack integration, Access List reminders are batched into 1 message and provide a link out to the web UI. #44035
  • Fixed denying access despite access being configured for Notification Routing Rules in the web UI. #44028
  • Fixed eBPF error occurring during startup on Linux RHEL 9. #44024
  • Lowered latency of detecting Kubernetes cluster becoming online. #43971
  • Enabled Access Monitoring Rules routing with Mattermost plugin. #43600

Enterprise:

  • Fixed an Access List permission bug where an access list owner, who is also a member, was not able to add/rm access list member.
  • Fixed an issue with incorrect yum/zypper updater packages being installed.
  • Fixed empty condition from unquoted string with yaml editor for Notification Routing Rules in the Web UI.

teleport - Teleport 16.1.0

Published by camscale 3 months ago

Description

New logo

We're excited to announce an update to the Teleport logo. This refresh aligns
with our evolving brand and will be reflected across the product, our marketing
site (goteleport.com), branded content, swag, and more.

The new logo will appear in the web UI starting with this release and on the
marketing website starting from July 17th, 2024.

Database Access session replay

Database Access users will be able to watch PostgreSQL query replays in the web
UI or with tsh.

Other improvements and fixes

  • Fixed "staircase" text output for non-interactive Kube exec sessions in Web UI. #44249
  • Fixed a leak in the admin process spawned by starting VNet through tsh vnet or Teleport Connect. #44225
  • Fixed a kube-agent-updater bug affecting resolutions of private images. #44191
  • The show_resources option is no longer required for statically configured proxy ui settings. #44181
  • The teleport-cluster chart can now use existing ingresses instead of creating its own. #44146
  • Ensure that tsh login outputs accurate status information for the new session. #44143
  • Fixes "device trust mode x requires Teleport Enterprise" errors on tctl. #44133
  • Added the tbot install systemd command for installing tbot as a service on Linux systems. #44083
  • Added ability to list access list members in json format in tctl. #44071
  • Update grpc to v1.64.1 (patches GO-2024-2978). #44067
  • Batch access review reminders into 1 message and provide link out to the web UI. #44034
  • Fixed denying access despite access being configured for Notification Routing Rules in the web UI. #44029
  • Honor proxy templates in tsh ssh. #44026
  • Fixed eBPF error occurring during startup on Linux RHEL 9. #44023
  • Fixed Redshift auto-user deactivation/deletion failure that occurs when a user is created or deleted and another user is deactivated concurrently. #43968
  • Lower latency of detecting Kubernetes cluster becoming online. #43967
  • Teleport AMIs now optionally source environment variables from /etc/default/teleport as regular Teleport package installations do. #43962
  • Make tbot compilable on Windows. #43959
  • Add a new event to the database session recording with query/command result information. #43955
  • Enabled setting event types to forward, skip events, skip session types in event-handler helm chart. #43938
  • extraLabels configured in teleport-kube-agent chart values are now correctly propagated to post-delete hooks. A new extraLabels.job object has been added for labels which should only apply to the post-delete job. #43932
  • Add support for Teams to Opsgenie plugin alert creation. #43916
  • Machine ID outputs now execute individually and concurrently, meaning that one failing output does not disrupt other outputs, and that performance when generating a large number of outputs is improved. #43876
  • SAML IdP service provider resource can now be updated from the Web UI. #4651
  • Fixed empty condition from unquoted string with YAML editor for Notification Routing Rules in the Web UI. #4636
  • Teleport Enterprise now supports the TELEPORT_REPORTING_HTTP(S)_PROXY environment variable to specify the URL of the HTTP(S) proxy used for connections to our usage reporting ingest service. #4568
  • Fixed inaccurately notifying user that access list reviews are due in the web UI. #4521

teleport - Teleport 15.4.9

Published by camscale 3 months ago

Description

  • Honor proxy templates in tsh ssh. #44027
  • Fixed Redshift auto-user deactivation/deletion failure that occurs when a user is created or deleted and another user is deactivated concurrently. #43975
  • Teleport AMIs now optionally source environment variables from /etc/default/teleport as regular Teleport package installations do. #43961
  • Enabled setting event types to forward, skip events, skip session types in event-handler helm chart. #43939
  • Correctly propagate extraLabels configured in teleport-kube-agent chart values to post-delete hooks. A new extraLabels.job object has been added for labels which should only apply to the post-delete job. #43931
  • Machine ID outputs now execute individually and concurrently, meaning that one failing output does not disrupt other outputs, and that performance when generating a large number of outputs is improved. #43883
  • Omit control plane services from the inventory list output for Cloud-Hosted instances. #43778
  • Fixed session recordings getting overwritten or not uploaded. #42164

Enterprise:

  • Fixed inaccurately notifying user that access list reviews are due in the web UI.

teleport - Teleport 15.4.7

Published by camscale 4 months ago

Description

  • Added audit events for discovery config actions. #43794
  • Updated Go toolchain to v1.22.5. #43769
  • Reduced CPU usage in auth servers experiencing very high concurrent request load. #43760
  • Machine ID defaults to disabling the use of the Kubernetes exec plugin when writing a Kubeconfig to a directory destination. This removes the need to manually configure disable_exec_plugin. #43656
  • Fixed startup crash of Teleport Connect on Ubuntu 24.04 by adding an AppArmor profile. #43652
  • Added support for dialling leaf clusters to the tbot SSH multiplexer. #43635
  • Extend Teleport ability to use non-default cluster domains in Kubernetes, avoiding the assumption of cluster.local. #43632
  • Wait for user MFA input when reissuing expired certificates for a kube proxy. #43613
  • Improved error diagnostics when using Machine ID's SSH multiplexer. #43587

Enterprise:

  • Increased Access Monitoring refresh interval to 24h.
  • Teleport Enterprise now supports the TELEPORT_REPORTING_HTTP(S)_PROXY environment variable to specify the URL of the HTTP(S) proxy used for connections to our usage reporting ingest service.

teleport - Teleport 16.0.4

Published by camscale 4 months ago

Description

  • Omit control plane services from the inventory list output for Cloud-Hosted instances. #43779
  • Updated Go toolchain to v1.22.5. #43768
  • Reduced CPU usage in auth servers experiencing very high concurrent request load. #43755
  • Machine ID defaults to disabling the use of the Kubernetes exec plugin when writing a Kubeconfig to a directory destination. This removes the need to manually configure disable_exec_plugin. #43655
  • Fixed startup crash of Teleport Connect on Ubuntu 24.04 by adding an AppArmor profile. #43653
  • Added support for dialling leaf clusters to the tbot SSH multiplexer. #43634
  • Extend Teleport ability to use non-default cluster domains in Kubernetes, avoiding the assumption of cluster.local. #43631
  • Wait for user MFA input when reissuing expired certificates for a kube proxy. #43612
  • Improved error diagnostics when using Machine ID's SSH multiplexer. #43586

Enterprise:

  • Teleport Enterprise now supports the TELEPORT_REPORTING_HTTP(S)_PROXY environment variable to specify the URL of the HTTP(S) proxy used for connections to our usage reporting ingest service.

teleport - Teleport 15.4.6

Published by tcsc 4 months ago

Description

This release of Teleport contains a fix for a medium-level security issue impacting Teleport Enterprise, as well as various other updates and improvements.

Security Fixes

[Medium] Fixes issue where a SCIM client could potentially overwrite Teleport system Roles using specially crafted groups. This issue impacts Teleport Enterprise deployments using the Okta integration with SCIM support enabled.

We strongly recommend all customers upgrade to the latest releases of Teleport.

Other updates and improvements

  • Fixed Discover setup access error when updating user. #43561
  • Updated Go toolchain to 1.22. #43550
  • Fixed remote port forwarding validation error. #43517
  • Added support to trust system CAs for self-hosted databases. #43500
  • Added error display in the Web UI for SSH and Kubernetes sessions. #43491
  • Update go-retryablehttp to v0.7.7 (fixes CVE-2024-6104). #43475
  • Fixed accurate inventory reporting of the updater after it is removed. #43453
  • tctl alerts ls now displays remaining alert ttl. #43435
  • Fixed input search for Teleport Connect's access request listing. #43430
  • Added Debug setting for event-handler. #43409
  • Fixed Headless auth for sso users, including when local auth is disabled. #43362
  • Added configuration for custom CAs in the event-handler helm chart. #43341
  • Fixed an issue with Database Access Controls preventing users from making additional database connections depending on their permissions. #43302
  • Fixed Connect My Computer in Teleport Connect failing with "bind: invalid argument". #43288

Enterprise only updates and improvements

  • The teleport updater will no longer default to using the global version channel, avoiding incompatible updates.

--
labels: security-patch=yes

teleport - Teleport 16.0.3

Published by tcsc 4 months ago

Description

This release of Teleport contains a fix for a medium-level security issue impacting Teleport Enterprise, as well as various other updates and improvements.

Security Fixes

[Medium] Fixes issue where a SCIM client could potentially overwrite Teleport system Roles using specially crafted groups. This issue impacts Teleport Enterprise deployments using the Okta integration with SCIM support enabled.

We strongly recommend all customers upgrade to the latest releases of Teleport.

Other updates and improvements

  • Update go-retryablehttp to v0.7.7 (fixes CVE-2024-6104). #43474
  • Fixed Discover setup access error when updating user. #43560
  • Added audit event field describing if the "MFA for admin actions" requirement changed. #43541
  • Fixed remote port forwarding validation error. #43516
  • Added support to trust system CAs for self-hosted databases. #43493
  • Added error display in the Web UI for SSH and Kubernetes sessions. #43485
  • Fixed accurate inventory reporting of the updater after it is removed. #43454
  • tctl alerts ls now displays remaining alert ttl. #43436
  • Fixed input search for Teleport Connect's access request listing. #43429
  • Added Debug setting for event-handler. #43408
  • Fixed Headless auth for sso users, including when local auth is disabled. #43361
  • Added configuration for custom CAs in the event-handler helm chart. #43340
  • Updated VNet panel in Teleport Connect to list custom DNS zones and DNS zones from leaf clusters. #43312
  • Fixed an issue with Database Access Controls preventing users from making additional database connections. #43303
  • Fixed bug that caused gRPC connections to be disconnected when their certificate expired even though DisconnectCertExpiry was false. #43290
  • Fixed Connect My Computer in Teleport Connect failing with "bind: invalid argument". #43287
  • Fix a bug where a Teleport instance running only Jamf or Discovery service would never have a healthy /readyz endpoint. #43283
  • Added a missing [Install] section to the teleport-acm systemd unit file as used by Teleport AMIs. #43257
  • Patched timing variability in curve25519-dalek. #43246
  • Fixed setting request reason for automatic ssh access requests. #43178
  • Improved log rotation logic in Teleport Connect; now the non-numbered files always contain recent logs. #43161
  • Added tctl desktop bootstrap for bootstrapping AD environments to work with Desktop Access. #43150

Enterprise only changes and improvements

  • The teleport updater will no longer default to using the global version channel, avoiding incompatible updates.

--
labels: security-patch=yes

teleport - Teleport 15.4.5

Published by tcsc 4 months ago

Description

  • Added a missing [Install] section to the teleport-acm systemd unit file as used by Teleport AMIs. #43256
  • Patched timing variability in curve25519-dalek. #43249
  • Updated tctl to ignore a configuration file if the auth_service section is disabled, and prefer loading credentials from a given identity file or tsh profile instead. #43203
  • Fixed setting request reason for automatic ssh access requests. #43180
  • Updated teleport to skip jamf_service validation when the Jamf service is not enabled. #43169
  • Improved log rotation logic in Teleport Connect; now the non-numbered files always contain recent logs. #43162
  • Made tsh and Teleport Connect return early during login if ping to proxy service was not successful. #43086
  • Added ability to edit user traits from the Web UI. #43068
  • Enforce limits when reading events from Firestore to prevent OOM events. #42967
  • Fixed updating groups for Teleport-created host users. #42884
  • Added support for crown_jewel resource. #42866
  • Fixed gRPC disconnection on certificate expiry even though DisconnectCertExpiry was false. #43291
  • Fixed issue where a Teleport instance running only Jamf or Discovery service would never have a healthy /readyz endpoint. #43284

Enterprise-only changes

  • Fixed sync error in Okta SCIM integration.

teleport - Teleport 14.3.21

Published by tcsc 4 months ago

Description

  • Fixed bug that caused gRPC connections to be disconnected when their certificate expired even though DisconnectCertExpiry was false. #43292
  • Fixed bug where a Teleport instance running only Jamf or Discovery service would never have a healthy /readyz endpoint. #43285
  • Added a missing [Install] section to the teleport-acm systemd unit file as used by Teleport AMIs. #43258
  • Updated teleport to skip jamf_service validation when the Jamf service is not enabled. #43170
  • Improved log rotation logic in Teleport Connect; now the non-numbered files always contain recent logs. #43163
  • Made tsh and Teleport Connect return early during login if ping to proxy service was not successful. #43087
  • Added ability to edit user traits from the Web UI. #43070
  • Enforce limits when reading events from Firestore to prevent OOM events. #42968
  • Fixed an issue where Oracle access failed through trusted cluster. #42929
  • Fixes errors caused by dynamoevents query StartKey not being within the [From, To] window. #42914
  • Fixed updating groups for Teleport-created host users. #42883
  • Update azidentity to v1.6.0 (patches CVE-2024-35255). #42860
  • Removed rate limits on endpoints used extensively to connect to the cluster. #42836
  • Improved the performance of the Athena audit log and S3 session storage backends. #42796
  • Prevented a panic in the Proxy when accessing an offline application. #42787
  • Improve backoff of session recording uploads by teleport agents. #42775
  • Reduced backend writes incurred by tracking status of non-recorded sessions. #42695
  • Fixed listing available DB users in Teleport Connect for databases from leaf clusters obtained through access requests. #42681
  • Fixed not being able to logout from the web UI when session invalidation errors. #42654
  • Updated OpenSSL to 3.0.14. #42643
  • Teleport Connect binaries for Windows are now signed. #42473
  • Updated Go to 1.21.11. #42416
  • Fix web UI notification dropdown menu height from growing too long from many notifications. #42338
  • Disabled session recordings for non-interactive sessions when enhanced recording is disabled. #42321
  • Fixed issue where removing an app could make teleport app agents incorrectly report as unhealthy for a short time. #42269
  • Fixed a panic in the DynamoDB audit log backend when the cursor fell outside of the [From,To] interval. #42266
  • The teleport configure command now supports a --node-name flag for overriding the node's hostname. #42249
  • Fixed an issue where mix-and-match of join tokens could interfere with some services appearing correctly in heartbeats. #42188
  • Improved temporary disk space usage for session recording processing. #42175
  • Fixed a regression where Kubernetes Exec audit events were not properly populated and lacked error details. #42146
  • Fix Azure join method when using Resource Groups in the allow section. #42140
  • Fixed resource leak in session recording cleanup. #42069
  • Reduced memory and cpu usage after control plane restarts in clusters with a high number of roles. #42064
  • Fixed the field allowed_https_hostnames in the Teleport Operator resources: SAML, OIDC, and GitHub Connector. #42056
  • Enhanced error messaging for clients using kubectl exec v1.30+ to include warnings about a breaking change in Kubernetes. #41989

Enterprise-Only changes:

  • Improved memory usage when reconciling Access Lists members to prevent Out of Memory events when reconciling a large number of Access Lists members.
  • Prevented Access Monitoring reports from crashing when large datasets are returned.
  • Ensured graceful restart of teleport.service after an upgrade.

teleport - Teleport 16.0.1

Published by camscale 4 months ago

Description

  • tctl now ignores any configuration file if the auth_service section is disabled, and prefers loading credentials from a given identity file or tsh profile instead. #43115
  • Skip jamf_service validation when the service is not enabled. #43095
  • Fix v16.0.0 amd64 Teleport plugin images using arm64 binaries. #43084
  • Add ability to edit user traits from the Web UI. #43067
  • Enforce limits when reading events from Firestore for large time windows to prevent OOM events. #42966
  • Allow all authenticated users to read the cluster vnet_config. #42957
  • Improve search and predicate/label based dialing performance in large clusters under very high load. #42943

teleport - Teleport 15.4.4

Published by r0mant 4 months ago

Description

  • Improve search and predicate/label based dialing performance in large clusters under very high load. #42941
  • Fix an issue where Oracle access failed through trusted cluster. #42928
  • Fix errors caused by dynamoevents query StartKey not being within the [From, To] window. #42915
  • Fix Jira Issue creation when Summary exceeds the max allowed size. #42862
  • Fix editing reviewers from being ignored/overwritten when creating an access request from the web UI. #4397

teleport - Teleport 16.0.0

Published by r0mant 4 months ago

Description

Teleport 16 brings the following new features and improvements:

  • Teleport VNet
  • Device Trust for the Web UI
  • Increased support for per-session MFA
  • Web UI notification system
  • Access requests from the resources view
  • tctl for Windows
  • Teleport plugins improvements

Teleport VNet

Teleport 16 introduces Teleport VNet, a new feature that provides a virtual IP subnet and DNS server which automatically proxies TCP connections to Teleport apps over mutually authenticated tunnels.

This allows scripts and software applications to connect to any Teleport-protected application as if they were connected to a VPN, without the need to manage local tunnels.

Teleport VNet is powered by the Teleport Connect client and is available for macOS. Support for other operating systems will come in a future release.

Device Trust for the Web UI

Teleport Device Trust can now be enforced for browser-based workflows like remote desktop and web application access. The Teleport Connect client must be installed in order to satisfy device locality checks.

Increased support for per-session MFA

Teleport 16 now supports per-session MFA checks when accessing both web and TCP applications via all supported clients (Web UI, tsh, and Teleport Connect).

Additionally, Teleport Connect now includes support for per-session MFA when accessing database resources.

Web UI notification system

Teleport’s Web UI includes a new notifications system that notifies users of items requiring attention (for example, access requests needing review).

Access requests from the resources view

The resources view in the web UI now shows both resources you currently have access to and resources you can request access to. This allows users to request access to resources without navigating to a separate page.

Cluster administrators who prefer the previous behavior of hiding requestable resources from the main view can set show_resources: accessible_only in their UI config:

For dynamic configuration, run tctl edit ui_config:

kind: ui_config
version: v1
metadata:
  name: ui-config
spec:
  show_resources: accessible_only

Alternatively, self-hosted Teleport users can update the ui section of their proxy configuration:

proxy_service:
  enabled: yes
  ui:
    show_resources: accessible_only

tctl for Windows

Teleport 16 includes Windows builds of the tctl administrative tool, allowing Windows users to administer their cluster without the need for a macOS or Linux workstation.

Additionally, there are no longer enterprise-specific versions of tctl. All Teleport clients (tsh, tctl, and Teleport Connect) are available in a single distribution that works on both Enterprise and Community Edition clusters.

Teleport plugins improvements

Teleport 16 includes major improvements to the plugins. All plugins now have:

  • amd64 and arm64 binaries available
  • amd64 and arm64 multi-arch images
  • Major and minor version rolling tags (i.e. public.ecr.aws/gravitational/teleport-plugin-email:16)
  • Image signatures for all images
  • Additional debug images with all of the above features

In addition, we now support plugins for each supported major version, starting with v15. This means that if we fix a bug or security issue in a v16 plugin version, we will also apply and release the change for the v15 plugin version.

Other

The Jamf plugin now authenticates with Jamf API credentials instead of username and password.

🚨 Breaking changes and deprecations 🚨

Community Edition license

Starting with this release, Teleport Community Edition restricts commercial usage.

https://goteleport.com/blog/teleport-community-license/

License file validation on startup

Teleport 16 introduces license file validation on startup. This only applies to customers running Teleport Enterprise Self-Hosted. No action is required for customers running Teleport Enterprise Cloud or Teleport Community Edition.

If, after updating to Teleport 16, you receive an error message regarding an outdated license file, follow our step-by-step guide to update your license file.

Multi-factor authentication is now required for local users

Support for disabling second factor authentication has been removed. Teleport will refuse to start until the second_factor setting is set to on, webauthn or otp.

This change only affects self-hosted Teleport users, as Teleport Cloud has always required second factor authentication.

⚠️ Important: To avoid locking users out, we recommend the following steps:

  1. Ensure that all cluster administrators have second factor devices registered in Teleport so that they will be able to reset any other users.
  2. Announce to the user base that all users must register an MFA device. Consider creating a cluster alert with tctl alerts create to help spread the word.
  3. While you are still on Teleport 15, set second_factor: on. This will help identify any users who have not registered MFA devices and allow you to quickly revert to second_factor: optional if necessary.
  4. Upgrade to Teleport 16.

Any users who do not register MFA devices prior to the Teleport 16 upgrade will be unable to log in and must be reset by an administrator (tctl users reset).

Incompatible clients are rejected

In accordance with our component compatibility guidelines, Teleport 16 will start rejecting connections from clients and agents running incompatible (i.e. too old) versions.

If Teleport detects connection attempts from outdated clients, it will show an alert to cluster administrators in both the web UI and tsh.

To disable this behavior and run in an unsupported configuration that allows incompatible agents to connect to your cluster, start your auth server with the TELEPORT_UNSTABLE_ALLOW_OLD_CLIENTS=yes environment variable.

Opsgenie plugin annotations

Prior to Teleport 16, when using an Opsgenie plugin, the teleport.dev/schedules role annotation was used to specify both schedules for access request notifications as well as schedules to check for the request auto-approval.

Starting with Teleport 16, the annotations were split to provide behavior consistent with other access request plugins: a role must now contain the teleport.dev/notify-services annotation to receive notifications on Opsgenie and the teleport.dev/schedules annotation to check for auto-approval.

Detailed setup instructions are available in the documentation.

New required permissions for DynamoDB

Teleport clusters using the DynamoDB backend on AWS now require the dynamodb:ConditionCheckItem permission. For a full list of required permissions, see the IAM policy example.

Updated keyboard shortcuts in Teleport Connect

On Windows and Linux, some of Teleport Connect’s keyboard shortcuts conflicted with the default bash or nano shortcuts (Ctrl+E, Ctrl+K, etc). On those platforms, the default shortcuts have been changed to a combination of Ctrl+Shift+*.

On macOS, the default shortcut to open a new terminal has been changed to Ctrl+Shift+`.

See the configuration guide for a list of updated keyboard shortcuts.

Machine ID and OpenSSH client config changes

Users with custom ssh_config should modify their ProxyCommand to use the new, more performant tbot ssh-proxy command. See the v16 upgrade guide for more details.

Removal of Active Directory configuration flow

The Active Directory installation and configuration wizard has been removed. Users who don’t already have Active Directory should leverage Teleport’s local user support, and users with existing Active Directory environments should follow the manual setup guide.

Teleport Assist is removed

All Teleport Assist functionality and OpenAI integration has been removed from Teleport. The auth_service.assist and proxy_service.assist options have been removed from the configuration. Teleport will not start if these options are present.

During the migration from v15 to v16, the options mentioned above should be removed from the configuration.
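The two start-up blockers described above (a second_factor value other than on, webauthn or otp, and leftover assist options) can be caught before the upgrade with a small pre-flight check. This is an added example, not part of the release notes or of Teleport itself; it assumes the setting lives at auth_service.authentication.second_factor in the static teleport.yaml, uses a deliberately minimal YAML-subset reader, and does not inspect dynamic configuration.

```python
import re

ALLOWED_SECOND_FACTOR = {"on", "webauthn", "otp"}  # values the notes say v16 accepts
REMOVED_SECTIONS = ("auth_service.assist", "proxy_service.assist")

def flatten(text):
    """Flatten nested block-style 'key: value' YAML into {dotted.path: scalar}.
    Deliberately minimal: no lists, anchors or flow style."""
    stack, flat = [], {}  # stack: (indent, key) of the currently open mappings
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()  # drop trailing comments
        m = re.match(r"^(\s*)([\w-]+):\s*(.*)$", line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip("\"' ")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        flat[".".join([k for _, k in stack] + [key])] = value
        stack.append((indent, key))
    return flat

def check_v16_readiness(config_text):
    """Return findings that, per the release notes, stop Teleport 16 from starting."""
    flat, findings = flatten(config_text), []
    sf = flat.get("auth_service.authentication.second_factor")
    # An unset value is not judged here; only an explicit off/optional is flagged.
    if sf is not None and sf.lower() not in ALLOWED_SECOND_FACTOR:
        findings.append(f"second_factor is '{sf}': set it to on, webauthn or otp")
    for section in REMOVED_SECTIONS:
        if any(p == section or p.startswith(section + ".") for p in flat):
            findings.append(f"{section} is present: remove it before upgrading")
    return findings

# Constructed sample of a v15-era config (not taken from the release notes).
SAMPLE_V15 = """\
auth_service:
  enabled: yes
  authentication:
    type: local
    second_factor: optional   # accepted by v15, rejected by v16
  assist:
    example_option: placeholder   # constructed child key
proxy_service:
  enabled: yes
"""

if __name__ == "__main__":
    for finding in check_v16_readiness(SAMPLE_V15):
        print("BLOCKER:", finding)
```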

teleport - Teleport 15.4.3

Published by r0mant 4 months ago

Description

Note: This release includes a new binary, fdpass-teleport, that can be optionally used by Machine ID to significantly reduce resource consumption in use-cases that create large numbers of SSH connections (e.g. Ansible). Refer to the documentation for more details.

  • Update azidentity to v1.6.0 (patches CVE-2024-35255). #42859
  • Remove rate limits on endpoints used extensively to connect to the cluster. #42835
  • Machine ID SSH multiplexer now only writes artifacts if they have not changed, resolving a potential race condition with the OpenSSH client. #42830
  • Use more efficient API when querying SSH nodes to resolve Proxy Templates in tbot. #42829
  • Improve the performance of the Athena audit log and S3 session storage backends. #42795
  • Prevent a panic in the Proxy when accessing an offline application. #42786
  • Improve backoff of session recording uploads by teleport agents. #42776
  • Introduce the new Machine ID ssh-multiplexer service for significant improvements in SSH performance. #42761
  • Reduce backend writes incurred by tracking status of non-recorded sessions. #42694
  • Fix not being able to log out from the web UI when session invalidation errors. #42648
  • Fix access list listing not updating when creating or deleting an access list in the web UI. #4383
  • Fix crashes related to importing GCP labels. #42871

teleport - Teleport 16.0.0-rc.1

Published by r0mant 4 months ago

Warning

Pre-releases are not production ready, use at your own risk!

teleport - Teleport 15.4.2

Published by camscale 4 months ago

Description

  • Fixed a Desktop Access resize bug that occurred when the window was resized during MFA. #42705
  • Fixed listing available db users in Teleport Connect for databases from leaf clusters obtained through access requests. #42679
  • Fixed file upload/download for Teleport-created users in insecure-drop mode. #42660
  • Updated OpenSSL to 3.0.14. #42642
  • Fixed fetching resources with tons of metadata (such as labels or description) in Teleport Connect. #42627
  • Added support for Microsoft Entra ID directory synchronization (Teleport Enterprise only, preview). #42555
  • Added experimental support for storing audit events in cockroach. #42549
  • Teleport Connect binaries for Windows are now signed. #42472
  • Updated Go to 1.21.11. #42404
  • Added GCP Cloud SQL for PostgreSQL backend support. #42399
  • Added Prometheus metrics for the Postgres event backend. #42384
  • Fixed the event-handler Helm chart causing stuck rollouts when using a PVC. #42363
  • Fixed web UI notification dropdown menu height from growing too long from many notifications. #42336
  • Disabled session recordings for non-interactive sessions when enhanced recording is disabled. There is no loss of auditing or impact on data fidelity because these recordings only contained session.start, session.end, and session.leave events which were already captured in the audit log. This will cause all teleport components to consume less resources and reduce storage costs. #42320
  • Fixed an issue where removing an app could make teleport app agents incorrectly report as unhealthy for a short time. #42270
  • Fixed a panic in the DynamoDB audit log backend when the cursor fell outside of the [From,To] interval. #42267
  • The teleport configure command now supports a --node-name flag for overriding the node's hostname. #42250
  • Added support for the plugin resource in the tctl tool. #42224

teleport - Teleport 15.4.0

Published by r0mant 5 months ago

Description

Access requests notification routing rules

Hosted Slack plugin users can now configure notification routing rules for role-based access requests.

Database access for Spanner

Database access users can now connect to GCP Spanner.

Unix Workload Attestation

Teleport Workload ID now supports basic workload attestation on Unix systems, allowing cluster administrators to restrict the issuance of SVIDs to specific workloads based on UID/PID/GID.

Other improvements and fixes

  • Fixed an issue where mix-and-match of join tokens could interfere with some services appearing correctly in heartbeats. #42189
  • Added an alternate EC2 auto discover flow using AWS Systems Manager as a more scalable method than EICE in the "Enroll New Resource" view in the web UI. #42205
  • Fixed kubectl exec functionality when Teleport is running behind L7 load balancer. #42192
  • Fixed the plugins AMR cache to be updated when Access requests are removed from the subject of an existing rule. #42186
  • Improved temporary disk space usage for session recording processing. #42174
  • Fixed a regression where Kubernetes Exec audit events were not properly populated and lacked error details. #42145
  • Fixed Azure join method when using Resource Groups in the allow section. #42141
  • Added new teleport debug set-log-level / profile commands for changing the instance log level without a restart and for collecting pprof profiles. #42122
  • Added ability to manage access monitoring rules via tctl. #42092
  • Added access monitoring rule routing for slack access plugin. #42087
  • Extended Discovery Service to self-bootstrap necessary permissions for Kubernetes Service to interact with the Kubernetes API on behalf of users. #42075
  • Fixed resource leak in session recording cleanup. #42066
  • Reduced memory and CPU usage after control plane restarts in clusters with a high number of roles. #42062
  • Added an option to send a Ctrl+Alt+Del sequence to remote desktops. #41720
  • Added support for GCP Spanner to Teleport Database Service. #41349
