teleport

The easiest and most secure way to access and protect all of your infrastructure.

AGPL-3.0 License


teleport - Teleport 11.3.3

Published by r0mant over 1 year ago

Description

This release of Teleport contains a security fix as well as multiple improvements and bug fixes.

OpenSSL update

  • Updated OpenSSL to the latest security patch 1.1.1t. #21426

Other fixes and improvements

  • Fixed panic when terminating moderated session with Ctrl-D. #21350
  • Fixed issue with Teleport installer script failing with 404. #21242
  • Fixed issue with Teleport Connect installation on some Debian systems. #21221
  • Fixed issue with Kubernetes Access impersonation via --as flag. #21148
  • Fixed issue with Teleport generating audit events for preset roles after each restart. #21142
  • Fixed issue with Desktop Access losing connections to desktops when LDAP discovery is disabled. #21083
  • Fixed tsh db connect when using hardware-backed private keys. #21042
  • Fixed issue with Desktop Access sessions being recorded on disk with disabled recording. #21011
  • Fixed issue with web UI sessions not being accounted for during graceful shutdown. #20914
  • Reduced CPU usage when using enhanced session recording. #21438
  • Multiple performance and scalability improvements for large clusters. #21493, #21494

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.


labels: security-patch=yes

teleport - Teleport 12.0.1

Published by r0mant over 1 year ago

Description

Teleport 12 brings the following marquee features and improvements:

  • Device Trust (Preview, Enterprise only)
  • Passwordless Windows access for local users (Preview, Enterprise only)
  • Per-pod RBAC for Kubernetes Access (Preview)
  • Azure and GCP CLI support for Application Access (Preview)
  • Support for more databases in Database Access:
    • AWS DynamoDB
    • AWS Redshift Serverless
    • AWS RDS Proxy for PostgreSQL/MySQL
    • Azure SQLServer Auto Discovery
    • Azure Flexible Servers
  • Refactored Helm charts (Preview)
  • Dropped support for SHA1 in Server Access
  • Signed/notarized macOS binaries

Device Trust (Preview, Enterprise only)

Teleport 12 includes a preview of our upcoming Device Trust feature, which
allows administrators to require that Teleport access is performed from an
authenticated and trusted device.

This preview release requires macOS and a native client like tsh or Teleport
Connect. These clients leverage the Secure Enclave on macOS to solve device
challenges issued by the Teleport CA, proving their identity as a trusted
device.

Teleport features requiring the web UI (Desktop Access, Application Access) are
not currently supported.

Passwordless Windows Access for Local Users (Preview, Enterprise only)

Teleport 12 brings passwordless certificate-based authentication to Windows
desktops in environments where Active Directory is not available. This feature
requires the installation of a Teleport package on each Windows desktop.

Per-pod RBAC for Kubernetes Access (Preview)

Teleport 12 extends RBAC to support controlling access to individual pods in
Kubernetes clusters. Pod RBAC integrates with existing Teleport RBAC features
such as role templating and access requests.

Azure and GCP CLI support for Application Access (Preview)

In Teleport 12 administrators can interact with Azure and GCP APIs through
Application Access using tsh az and tsh gcloud CLI commands, or using
standard az and gcloud tools through the local application proxy.

Support for more databases in Database Access

Database Access in Teleport 12 brings a number of new integrations to AWS-hosted
databases such as DynamoDB (now with audit log support), Redshift Serverless and
RDS Proxy for PostgreSQL/MySQL.

On Azure, Database Access adds SQLServer auto-discovery and support for Azure
Flexible Server for PostgreSQL/MySQL.

Refactored Helm charts (Preview)

The “teleport-cluster” Helm chart underwent significant refactoring in Teleport
12 to provide better scalability and UX. Proxy and Auth are now separate
deployments and the new “scratch” chart mode makes it easier to provide a custom
Teleport config.

“Custom” mode users should follow the migration guide:

https://goteleport.com/docs/ver/12.x/deploy-a-cluster/helm-deployments/migration-v12/

Dropped support for SHA1 in Server Access

Newer OpenSSH clients connecting to Teleport 12 clusters no longer need the
“PubAcceptedKeyTypes” workaround to include the deprecated “sha” algorithm.

Signed/notarized macOS binaries

Users who download Teleport 12 Darwin binaries will no longer get an untrusted
software warning from macOS.

tctl edit

tctl now supports an edit subcommand, allowing you to edit resources directly in
your preferred text editor.

Breaking Changes

Please familiarize yourself with the following potentially disruptive changes in
Teleport 12 before upgrading.

Helm charts

The teleport-cluster Helm chart underwent significant changes in Teleport 12. To
upgrade from an older version of the Helm chart deployed in “custom” mode, use
the following migration guide:

https://goteleport.com/docs/ver/12.x/deploy-a-cluster/helm-deployments/migration-v12/

Additionally, PSPs are removed from the chart when installing on Kubernetes 1.23
and higher to account for the deprecation/removal of PSPs by Kubernetes.

tctl auth export

The tctl auth export command only exports the private key when passing the
--keys flag. Previously it would output the certificate and private key
together.

Desktop Access

Windows Desktop sessions disable the wallpaper by default, improving
performance. To restore the previous behavior, add show_desktop_wallpaper: true
to your windows_desktop_service config.

RoleV6 and Kubernetes Access

Kubernetes Access users migrating to RoleV6 should include the following permission
in their roles:

    kubernetes_resources:
    - kind: pod
      name: '*'
      namespace: '*'

See Kubernetes Access RBAC documentation for more details.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

teleport - Teleport Passwordless Windows Access Preview 12.0.0

Published by zmb3 over 1 year ago

This package allows passwordless login to Windows desktops that are not joined to an Active Directory domain.

This preview release requires a Teleport Enterprise Auth Server running v12.0.0 or later.

teleport - Teleport 12.0.0-rc.1

Published by r0mant over 1 year ago

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

teleport - Teleport 11.3.2

Published by r0mant over 1 year ago

Description

This release of Teleport contains multiple improvements and bug fixes.

  • Fixed regression issue with accessing SSO apps behind application access. #21049
  • Fixed regression performance issue with tsh scp. #20953
  • Fixed issue with tsh proxy aws --endpoint-url not working. #20880
  • Fixed issue with MongoDB queries failing on large datasets. #21113
  • Fixed issue with direct node dial from web UI. #20928
  • Updated install scripts to download binaries from new CDN location. #21057
  • Updated tsh to detect unplugged devices when using hardware-backed keys. #20949
  • Updated Elasticsearch access to explicitly require --db-user. (#20695) #20919
  • Updated Rust to 1.67.0. #20883

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

teleport - Teleport 11.3.1

Published by r0mant over 1 year ago

Description

This release of Teleport contains a security fix, as well as multiple improvements and bug fixes.

Moderated Sessions

  • Fixed issue with moderated sessions not being disconnected on Ctrl+C. #20588

Other fixes and improvements

  • Fixed issue with node install script downloading OSS binaries in Enterprise edition. #20816
  • Fixed a regression when renewing Kubernetes dynamic credentials that prevented multiple renewals. #20788
  • Fixed issue with tctl auth sign not respecting Ctrl-C. #20773
  • Fixed occasional key attestation error in tsh login. #20712
  • Fixed issue with being able to create access request with invalid cluster name. #20674
  • Fixed issue with EC2 auto-discovery install script for RHEL instances. #20604
  • Fixed issue connecting with Oracle MySQL client on Windows. #20599
  • Fixed issue with using tctl auth sign --format kubernetes against remote auth server. #20571
  • Fixed panic in Azure SQL Server access. #20483
  • Added support for Moderated Sessions in the Web UI. #20796
  • Added support for Login Rules for SSO users. #20743, #20738, #20737, #20629
  • Added ability to acknowledge alerts. #20692
  • Added client_idle_timeout_message support to Windows access. #20617
  • Added PodMonitor support in teleport-cluster Helm chart. #20564
  • Added support for passing raw config in teleport-kube-agent Helm chart. #20449
  • Added nodeSelector field to teleport-cluster Helm chart. #20441
  • Improved Kubernetes Access stability for slow clients. #20517
  • Updated teleport-cluster Helm chart to reload proxy certificate daily. #20503

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.


labels: security-patch=yes

teleport - Teleport 12.0.0-alpha.2

Published by r0mant over 1 year ago

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

teleport - Teleport 11.2.3

Published by r0mant over 1 year ago

Description

This release of Teleport contains multiple improvements and bug fixes.

  • Fixed issue with tsh login defaulting to passwordless and ignoring the --auth and --mfa-mode flags. #20474
  • Fixed regression issue with AWS console access via tsh aws. #20437
  • Fixed issue connecting to MariaDB in non-TLS Routing mode. #20409
  • Fixed the *:* selector in EC2 auto-discovery. #20390
  • Improved handling of unknown events in the events search API. #20329
  • Added support for multiple transformations in role templates. #20296
  • Added the ability to update a Trusted Cluster's role mappings without recreating the cluster. #20286
  • Added dnsConfig support to the teleport-kube-agent Helm chart. #20107

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

teleport - Teleport 11.2.2

Published by r0mant almost 2 years ago

Description

This release of Teleport contains multiple improvements and bug fixes.

  • Fixed issue connecting to leaf cluster nodes via web UI with per-session MFA. #20238
  • Fixed issue with max_kubernetes_connections leading to access denied errors. #20174
  • Fixed issue with kube-agent Helm chart leaving state behind after helm uninstall. #20169
  • Fixed X.509 issue after updating RDS database resource. #20099
  • Fixed issue with some tsh HTTP requests missing extra headers. #20071
  • Improved auto-discovery config validation. #20288
  • Improved graceful shutdown stability. #20225
  • Improved application access authentication flow. #20165
  • Reduced auth load by ensuring the proxy uses the cache for periodic operations. #20153
  • Updated Rust to 1.66.1. #20201
  • Updated macOS binaries to be signed and notarized. #20305

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

teleport - Teleport 12.0.0-alpha.1

Published by r0mant almost 2 years ago

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

teleport - Teleport 10.3.12

Published by zmb3 almost 2 years ago

This release of Teleport contains multiple improvements and bug fixes.

  • Updated Go to 1.19.5 #20085
  • Updated Rust to 1.66.0 #19769
  • Improved the graceful shutdown procedure when there are active sessions #20224
  • Updated the authentication flow for application access #20166
  • Updated the proxy to use the cache for periodic operations #20154
  • Updated tsh to set extra proxy headers in all HTTP requests #20111
  • Added support for periodically reloading the proxy's TLS certificates #20041
  • Improved tsh recordings ls options and added better error messages #19955
  • Added support for CentOS 7 in ARM64 builds #19896
  • Added rate limiting to unauthenticated routes #19870
  • Made gcp.credentialSecretName optional in the Teleport Cluster Helm chart #19804
  • Added support for secure certificate mapping for Windows desktop certificates #19801
  • Added the ability to export tsh traces even when the Auth Server is not configured for tracing #19582
  • Improved desktop error messages for server-initiated disconnects #19547
  • Fixed an issue with desktop directory sharing where large files could be corrupted #1473
  • Fixed an issue preventing per-session MFA from working with leaf clusters #20239
  • Fixed an issue that resulted in a user account database error message when closing SSH sessions #20160
  • Fixed an issue preventing kubernetes agents from respecting max_kubernetes_connections #20205
  • Fixed an issue where Machine ID Certificates did not respect the provided TTL when using IAM joining #20000
  • Fixed an issue connecting to leaf cluster desktops via reverse tunnel #19946
  • Fixed a goroutine leak in Kubernetes Access #19764
  • Fixed an issue where access requests for Kubernetes clusters used improperly cached credentials #19913
  • Fixed an issue listing all nodes with tsh #19822
  • Fixed an issue preventing audit events that exceed the maximum size limit from being logged #19738
  • Fixed an issue preventing some users from being able to play desktop recordings #19708
  • Fixed an issue with RDS auto-discovery failing to start in some cases #18618

Download

Download the current and previous releases of Teleport at https://goteleport.com/download/

teleport - Teleport 9.3.26

Published by zmb3 almost 2 years ago

This release of Teleport contains multiple improvements and bug fixes.

  • Updated the proxy to use the cache for periodic operations #20152
  • Fixed an issue resulting in a certificate error after reconciling a dynamic RDS resource #20101
  • Fixed an issue where Machine ID Certificates did not respect the provided TTL when using IAM joining #20002
  • Fixed a bug preventing Teleport's ALPN Proxy from working with HTTP CONNECT proxies #19898
  • Fixed an issue listing all nodes in tsh #19823
  • Made gcp.credentialSecretName optional in the Teleport Cluster Helm chart #19809
  • Added support for secure certificate mapping for Windows desktop certificates #19808
  • Fixed an issue preventing tsh proxy db from running if database CLI tools are unavailable #19773
  • Update Rust to 1.66.0 #19770
  • Bump gravitational/trace package version #19719
  • Support certificate expiry on bot join #19717
  • Fixed an issue preventing some users from being able to play desktop recordings #19711
  • Added the ability to export tsh traces even when the Auth Server is not configured for tracing #19588
  • Fixed issue with noisy-square distortions in desktop access #19546

Download

Download the current and previous releases of Teleport at https://goteleport.com/download/

teleport - Teleport 11.2.1

Published by zmb3 almost 2 years ago

This release of Teleport contains multiple improvements and bug fixes.

  • Added support for periodically reloading the proxy's TLS certificates #20040
  • Improved desktop certificate generation by using the proper field for querying a user's SID #20022
  • Updated the web UI to hide the trusted clusters screen for users who lack the appropriate role #1494
  • Fixed an issue resulting in an "invalid bearer token" message #20102
  • Fixed an issue preventing bots from using IAM joining #20011
  • Fixed an issue where Machine ID Certificates did not respect the provided TTL when using IAM joining #20001
  • Updated to Go 1.19.5 #20084

Download

Download the current and previous releases of Teleport at https://goteleport.com/download/

teleport - Teleport 11.2.0

Published by zmb3 almost 2 years ago

This release of Teleport contains multiple improvements and bug fixes.

Machine ID GitHub Actions

In addition, we're happy to announce a set of GitHub Actions that you can use in your workflows to assist with accessing Teleport Resources in your CI/CD pipelines.

Visit the individual repositories to find out more and see usage examples:

For a more in-depth guide, see our refreshed documentation for using Teleport with GitHub Actions at https://goteleport.com/docs/machine-id/guides/github-actions/

Secure certificate mapping for Desktop Access

Later this year, Windows will begin requiring a stronger mapping from a certificate to an Active Directory user. In anticipation of this change, Teleport 11.2.0 is compliant with the new requirements.

Warning: This feature requires that Teleport's own service account also uses a strong mapping. In order to support this requirement, you must now set a new Security Identifier (sid) field in the LDAP configuration for your Windows Desktop Services. You can find the SID for your service account by running the following PowerShell snippet (replace svc-teleport with the name of the service account you are using):

    Get-AdUser -Identity svc-teleport | Select SID

Other improvements and bugfixes

  • Added an improved database joining flow in the web UI #1487
  • Added support for secure certificate mapping for Windows desktop certificates #19737
  • Fixed an issue with desktop directory sharing where large files could be corrupted #1472
  • Fixed an issue where Desktop Access users may see an error after ending a session #1470
  • Fixed an issue preventing database agents from joining due to improperly formatted YAML #19958
  • Updated the web UI to use session storage instead of local storage for Teleport's bearer token #1470
  • Added rate limiting to SAML/OIDC routes #19950
  • Fixed an issue connecting to leaf cluster desktops via reverse tunnel #19945
  • Fixed a backwards compatibility issue with Database Access in 11.1.4 #19940
  • Fixed an issue where access requests for Kubernetes clusters used improperly cached credentials #19912
  • Added support for CentOS 7 in ARM64 builds #19895
  • Added rate limiting to unauthenticated routes #19869
  • Add suggested reviewers and requestable roles to Teleport Connect access requests #19846
  • Fixed an issue listing all nodes with tsh #19821
  • Made gcp.credentialSecretName optional in the Teleport Cluster Helm chart #19803
  • Fixed an issue preventing audit events that exceed the maximum size limit from being logged #19736
  • Fixed an issue preventing some users from being able to play desktop recordings #19709
  • Added validation of AWS Account IDs when adding databases (#19638) #19702
  • Added a new audit event for DynamoDB requests via Application Access #19667
  • Added the ability to export tsh traces even when the Auth Server is not configured for tracing #19583
  • Added support for linking Teleport Connect's embedded tsh binary for use outside of Teleport Connect #1488

Download

Download the current and previous releases of Teleport at https://goteleport.com/download/

teleport - Teleport 9.3.25

Published by zmb3 almost 2 years ago

Description

This release of Teleport contains multiple security fixes, improvements and bug fixes.

[High] Application Access session hijack

When accepting Application Access requests, Teleport did not sufficiently
validate client credentials.

This could allow an attacker in possession of a valid active application session
ID to issue requests to this application impersonating the session owner for a
limited time window.

Presence of multiple “cert.create” audit events (code TC000I) with the same app
session ID in the “route_to_app.session_id” field may indicate an attempt to
impersonate an existing user’s application session.

[Low] Web API session caching

After logging out via the web UI, a user’s session could remain cached in
Teleport’s proxy, allowing continued access to resources for a limited time
window.

Other improvements and fixes

  • Fixed LDAP pagination issues in desktop access. #19535
  • Fixed issue with SSH sessions inheriting OOM score of parent process. #19523
  • Fixed issue with session.start event being overwritten by session.exec event. #19499
  • Fixed issue with SNI info not being set by tsh login --format kubernetes command. #19434
  • Fixed issue with websocket connections to HTTP/2 enabled apps over app access. #19425
  • Fixed issue with SAML connector validation calling issuer URL before auth checks. #19319
  • Improved tsh ls -R latency. #19484
  • Improved handling of corrupted session recordings. #19263
  • Improved web UI SSH performance. #19191
  • Improved performance of traits to roles mapping. #19182

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.


labels: security-patch=yes

teleport - Teleport 10.3.11

Published by zmb3 almost 2 years ago

Description

This release of Teleport contains multiple security fixes, improvements and bug fixes.

[Critical] RBAC bypass in SSH TCP tunneling

When establishing a direct-tcpip channel, Teleport did not sufficiently validate
RBAC.

This could allow an attacker in possession of valid cluster credentials to
establish a TCP tunnel to a node they didn’t have access to.

The connection attempt would show up in the audit log as a “port” audit event
(code T3003I) and include the Teleport username in the “user” field.

[High] Application Access session hijack

When accepting Application Access requests, Teleport did not sufficiently
validate client credentials.

This could allow an attacker in possession of a valid active application session
ID to issue requests to this application impersonating the session owner for a
limited time window.

Presence of multiple “cert.create” audit events (code TC000I) with the same app
session ID in the “route_to_app.session_id” field may indicate an attempt to
impersonate an existing user’s application session.

[Medium] SSH IP pinning bypass

When issuing a user certificate, Teleport did not check for the presence of IP
restrictions in the client’s credentials.

This could allow an attacker in possession of valid client credentials with IP
restrictions to reissue credentials without IP restrictions.

Presence of a “cert.create” audit event (code TC000I) without corresponding
“user.login” audit event (codes T1000I or T1101I) for users with IP restricted
roles may indicate an issuance of a certificate without IP restrictions.
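
The audit-log indicators named in the three advisories above can be checked mechanically. The following is an added example, not Teleport's own code: it assumes the audit log is exported as JSON lines, that cert.create details sit either at the top level or under an "identity" object, and that a login and its certificate fall within a tunable time window; the sample events are constructed.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

CERT_CREATE = "TC000I"              # cert.create
LOGIN_CODES = {"T1000I", "T1101I"}  # user.login codes named in the advisory
PORT = "T3003I"                     # "port" event for direct-tcpip tunnels

# Constructed sample events (not real audit data); the last line is truncated.
SAMPLE_LOG = """
{"event":"user.login","code":"T1000I","user":"alice","time":"2023-01-10T09:00:00Z"}
{"event":"cert.create","code":"TC000I","time":"2023-01-10T09:00:01Z","identity":{"user":"alice"}}
{"event":"cert.create","code":"TC000I","time":"2023-01-10T09:05:00Z","identity":{"user":"alice","route_to_app":{"session_id":"sess-A"}}}
{"event":"cert.create","code":"TC000I","time":"2023-01-10T09:20:00Z","identity":{"user":"alice","route_to_app":{"session_id":"sess-A"}}}
{"event":"cert.create","code":"TC000I","time":"2023-01-10T11:30:00Z","identity":{"user":"bob"}}
{"event":"port","code":"T3003I","user":"bob","time":"2023-01-10T11:31:00Z"}
{"event":"cert.create","code":"TC000I","time":
"""

def parse_events(text):
    """Parse JSON-lines audit text, skipping blank, truncated or non-object lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict):
            events.append(ev)
    return events

def identity(ev):
    # Assumption: certificate details may be nested under "identity".
    ident = ev.get("identity")
    return ident if isinstance(ident, dict) else {}

def event_user(ev):
    return ev.get("user") or identity(ev).get("user")

def app_session_id(ev):
    route = ev.get("route_to_app") or identity(ev).get("route_to_app")
    return route.get("session_id") if isinstance(route, dict) else None

def event_time(ev):
    try:
        return datetime.fromisoformat(str(ev.get("time", "")).replace("Z", "+00:00"))
    except ValueError:
        return None

def reused_app_sessions(events):
    """[High] App session IDs that appear in more than one cert.create event."""
    by_sid = defaultdict(list)
    for ev in events:
        sid = app_session_id(ev)
        if ev.get("code") == CERT_CREATE and sid:
            by_sid[sid].append(ev)
    return {sid: evs for sid, evs in by_sid.items() if len(evs) > 1}

def certs_without_login(events, ip_pinned_users, window=timedelta(minutes=1)):
    """[Medium] cert.create events for IP-pinned users with no user.login nearby.

    ip_pinned_users is supplied by the operator from role definitions; the
    correlation window is an assumption and needs tuning per cluster.
    """
    logins = defaultdict(list)
    for ev in events:
        t = event_time(ev)
        if ev.get("code") in LOGIN_CODES and event_user(ev) and t:
            logins[event_user(ev)].append(t)
    flagged = []
    for ev in events:
        user, t = event_user(ev), event_time(ev)
        if ev.get("code") != CERT_CREATE or user not in ip_pinned_users or t is None:
            continue
        if not any(abs(t - seen) <= window for seen in logins[user]):
            flagged.append(ev)
    return flagged

def port_event_users(events):
    """[Critical] Count "port" events per user, for comparison against node RBAC."""
    return Counter(event_user(ev) for ev in events
                   if ev.get("code") == PORT and event_user(ev))

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for sid, hits in reused_app_sessions(evs).items():
        print(f"app session {sid}: {len(hits)} cert.create events")
    for ev in certs_without_login(evs, {"bob"}):
        print(f"cert.create without login: {event_user(ev)} at {ev['time']}")
    for user, n in port_event_users(evs).items():
        print(f"port events: {user} x{n}")
```

Hits are leads for triage, matching the advisories' "may indicate" wording: a port event still has to be compared against the roles the user actually held.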

[Low] Web API session caching

After logging out via the web UI, a user’s session could remain cached in
Teleport’s proxy, allowing continued access to resources for a limited time
window.

Other improvements and fixes

  • Fixed issue with noisy-square distortions in desktop access. #19544
  • Fixed LDAP pagination issue in desktop access. (#19002) #19534
  • Fixed issue with SSH sessions inheriting parent's OOM score. #19522
  • Fixed issue with session.start event being overwritten with session.exec event. #19496
  • Fixed issue with SNI info not being set by tsh login --format kubernetes command. #19432
  • Fixed issue with websockets not working in app access when target app is using HTTP/2. #19424
  • Fixed TLS routing in insecure mode. #19409
  • Fixed issue with incorrect UACC wtmp path. #19382
  • Fixed issue with SAML connector validation calling issuer URL before auth checks. #19318
  • Fixed issue with corrupted uploads being retried indefinitely. #19259
  • Fixed issue with disconnect_expired_cert and require_session_mfa settings conflicting with each other. #19204
  • Fixed issue with Teleport ALPN proxy not respecting HTTP CONNECT proxy. #19039
  • Fixed tctl windows_desktops ls output. #19015
  • Fixed issue with starting node sessions due to unknown group error. #18991
  • Added support for Kubernetes port-forward over websockets protocol. #19184
  • Updated desktop access config script to disable password prompt. #19428
  • Updated Go to 1.19.4. #19155
  • Improved tsh ls -R latency. #19483
  • Improved performance when mapping traits to roles. #19183
  • Improved web UI SSH performance. #19119
  • Improved connection resiliency when auth service is offline. #18914

labels: security-patch=yes

teleport - Teleport 11.1.4

Published by zmb3 almost 2 years ago

Description

This release of Teleport contains multiple security fixes, improvements and bug fixes.

[Critical] RBAC bypass in SSH TCP tunneling

When establishing a direct-tcpip channel, Teleport did not sufficiently validate
RBAC.

This could allow an attacker in possession of valid cluster credentials to
establish a TCP tunnel to a node they didn’t have access to.

The connection attempt would show up in the audit log as a “port” audit event
(code T3003I) and include the Teleport username in the “user” field.

[High] Application Access session hijack

When accepting Application Access requests, Teleport did not sufficiently
validate client credentials.

This could allow an attacker in possession of a valid active application session
ID to issue requests to this application impersonating the session owner for a
limited time window.

Presence of multiple “cert.create” audit events (code TC000I) with the same app
session ID in the “route_to_app.session_id” field may indicate an attempt to
impersonate an existing user’s application session.

[Medium] SSH IP pinning bypass

When issuing a user certificate, Teleport did not check for the presence of IP
restrictions in the client’s credentials.

This could allow an attacker in possession of valid client credentials with IP
restrictions to reissue credentials without IP restrictions.

Presence of a “cert.create” audit event (code TC000I) without corresponding
“user.login” audit event (codes T1000I or T1101I) for users with IP restricted
roles may indicate an issuance of a certificate without IP restrictions.

[Low] Web API session caching

After logging out via the web UI, a user’s session could remain cached in
Teleport’s proxy, allowing continued access to resources for a limited time
window.

Other improvements and bugfixes

  • Fixed issue with noisy-square distortions in desktop access. #19545
  • Fixed issue with LDAP search pagination in desktop access. #19533
  • Fixed issue with SSH sessions inheriting OOM score of the parent process. #19521
  • Fixed issue with ambiguous host resolution in web UI. #19513
  • Fixed issue with using desktop access with Windows 10. #19504
  • Fixed issue with session.start events being overwritten by session.exec events. #19497
  • Fixed issue with tsh login --format kubernetes not setting SNI info. #19433
  • Fixed issue with websockets not working via app access if the upstream web server is using HTTP/2. #19423
  • Fixed TLS routing in insecure mode. #19410
  • Fixed issue with connecting to ElastiCache 7.0.4 in database access. #19400
  • Fixed issue with SAML connector validation calling descriptor URL prior to authz checks. #19317
  • Fixed issue with database access complaining about "redis" engine not being registered. #19251
  • Fixed issue with disconnect_expired_cert and require_session_mfa settings conflicting with each other. #19178
  • Fixed startup failure when MongoDB URI is not resolvable. #18984
  • Added resource names for access requests in Teleport Connect. #19549
  • Added support for GitHub Enterprise join method. #19518
  • Added the ability to supply Access Request TTLs. #19385
  • Added new instance.join and bot.join audit events. #19343
  • Added support for port-forward over websocket protocol in Kubernetes access. #19181
  • Reduced latency of tsh ls -R. #19482
  • Updated desktop access config script to disable password prompt. #19427
  • Updated Go to 1.19.4. #19127
  • Improved performance when converting traits to roles. #19170
  • Improved handling of expired database certificates in Teleport Connect. #19096

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.


labels: security-patch=yes

teleport - Teleport 11.1.2

Published by r0mant almost 2 years ago

Description

This release of Teleport contains multiple improvements and bug fixes.

  • Fixed issue with EC2 discovery failing to install Teleport on older Ubuntu instances. #18965
  • Fixed issue with log spam when cleaning up groups for automatically created Linux users. #18990
  • Fixed issue with tctl windows_desktops ls not producing results in JSON and YAML formats. #19016
  • Fixed issue with web SSH sessions in proxy recording mode. #19021
  • Improved handling of corrupted session recordings. #19040

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

teleport - Teleport 9.3.23

Published by r0mant almost 2 years ago

Description

This release of Teleport contains two security fixes as well as multiple improvements and bug fixes.

SFTP in moderated sessions

Fixed issue with SFTP connections not being blocked when moderated sessions are
enforced.

#18244

Insecure TOTP MFA seed removal

Fixed issue where an attacker with physical access to user's computer and raw
access to the filesystem could potentially recover the seed QR code.

#18922

Other fixes and improvements

  • Fixed issue with RDS discovery failing on unrecognized engine names. #18621
  • Fixed issue with teleport-kube-agent Helm chart joining not working with static tokens. #18971
  • Fixed compatibility issue trying to list nodes in Teleport 8 leaf clusters. #18262
  • Fixed issue with extra question mark being added to application access requests. #17958
  • Fixed issue with websocket application access requests intermittently failing in some browsers. #18005
  • Fixed issue with cloud labels not being used for RBAC in application access. #18681
  • Fixed connection leak in IAM joining. #17741
  • Fixed tsh db ls panic. #17781
  • Fixed issue with tbot failing to parse some kernel versions. #18301
  • Fixed issue with connecting to Redis 7 in cluster mode in database access. #17861
  • Fixed issue with tsh aws s3 failing in some scenarios. #18435
  • Fixed issue with user's Kubernetes credentials being reused between tsh sessions. #18112
  • Fixed issue with reverse tunnel connections not always being properly closed. #18235
  • Added LimitNOFILE to all systemd unit files. #17973
  • Added trusted clusters support to desktop access. #18665
  • Added support for user.spec syntax in moderated session filters. #18456
  • Added support for terminating in-flight connections for locked users in TCP application access. #18208
  • Added support for new Azure PostgreSQL CA. #18174
  • Added ability to disable service account creation in teleport-kube-agent Helm chart. #18201
  • Added windows_desktops as a valid resource name for tctl resource commands. #18817
  • Added support for arm and arm64 container images. #18279
  • Improved etcd backend error reporting. #18830
  • Improved tsh play JSON and YAML output. #18827
  • Improved tsh performance by reducing number of roundtrips to the cluster. #17804, #18057
  • Improved memory usage in clusters with large numbers of concurrent sessions. #18053
  • Improved availability during auth server outage. #18442, #18915

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.


labels: security-patch=yes

teleport - Teleport 10.3.9

Published by r0mant almost 2 years ago

Description

This release of Teleport contains a security fix as well as multiple improvements and bug fixes.

Insecure TOTP MFA seed removal

Fixed issue where an attacker with physical access to user's computer and raw
access to the filesystem could potentially recover the seed QR code.

#18920

Other improvements and fixes

  • Fixed error when creating a SAML connector with templated role names. #18767
  • Fixed issue with connecting to a Windows desktop in leaf clusters. #18667
  • Fixed compatibility issues with OpenSSH 7.x. #18375
  • Fixed issue with SSH sessions failing when SELinux is enabled. #18809
  • Fixed issue with cloud labels not being considered in app access RBAC. #18680
  • Fixed issue with Kubernetes sessions lingering post termination. #18686
  • Fixed issue with not being able to create non-moderated sessions when auth is down. #18443
  • Added support for user.spec syntax in moderated session filters. #18454
  • Updated tctl auth sign --format kubernetes to support merging multiple clusters in the same kubeconfig. #18526
  • Updated tctl to support windows_desktop resource name. #18815
  • Improved tsh play JSON and YAML output. #18824
  • Improved error messaging in case of etcd backend connection issues. #18821
  • Improved trusted clusters observability. #18610

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.


labels: security-patch=yes