teleport

The easiest and most secure way to access and protect all of your infrastructure.

AGPL-3.0 License

Stars
17.1K
Committers
305

teleport - Teleport 11.1.1

Published by r0mant almost 2 years ago

Description

This release of Teleport contains a security fix as well as multiple improvements and bug fixes.

Insecure TOTP MFA seed removal

Fixed issue where an attacker with physical access to a user's computer and raw
access to the filesystem could potentially recover the seed QR code.

#18917

Other improvements and fixes

  • Fixed issue with Teleport Connect not working on macOS. #18921
  • Added support for Cloud HSM on Google Cloud. #18835
  • Added server_hostname to session.* audit events. #18832
  • Added ability to specify roles when making access requests in web UI. #18868
  • Improved error reporting from etcd backend. #18822
  • Improved failed session recording upload logs to include upload and session IDs. #18872

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.


labels: security-patch=yes

teleport - Teleport 11.1.0

Published by r0mant almost 2 years ago

Description

This release of Teleport contains multiple improvements and bug fixes.

  • Added support for self-hosted GitHub Enterprise SSO connectors in Teleport Enterprise edition. #18521, #18687
  • Added audit events for DynamoDB via AWS CLI access. #18035
  • Added auth connectors support in Kubernetes Operator. #18350
  • Added audit events for Desktop Access directory sharing. #18398
  • Added trusted clusters support for Desktop Access. #18666
  • Added support for user.spec syntax in moderated session filters. #18455
  • Added support for GKE auto-discovery to Kubernetes Access. #18396
  • Added FIPS support to Desktop Access. #18743
  • Added teleport discovery bootstrap command. #18641
  • Added windows_desktops as the correct resource for tctl commands. #18816
  • Updated tsh db ls JSON and YAML output to include allowed users. #18543
  • Updated tctl auth sign --format kubernetes to allow merging multiple clusters in the same kubeconfig. #18525
  • Improved web UI SSH performance. #18797, #18839
  • Improved tsh play output in JSON and YAML formats. #18825
  • Fixed issue with RDS auto-discovery failing to start in some cases. #18590
  • Fixed "cannot read properties of null" error when trying to add a new server using web UI. webapps#1356
  • Fixed issue with applications list pagination in web UI. #18601
  • Fixed issue with MongoDB commands sometimes failing through Database Access. #18738
  • Fixed issue with automatically imported cloud labels not being used in RBAC in App Access. #18642
  • Fixed issue with Kubernetes sessions lingering after all participants have disconnected. #18684
  • Fixed issue with auth server being down affecting ability to establish new non-moderated SSH sessions. #18441
  • Fixed issue with launching SSH sessions when SELinux is enabled. #18810
  • Fixed issue with not being able to create SAML connectors with templated role names. #18766

Download

Download the current and previous releases of Teleport at https://goteleport.com/download/.

teleport - Teleport 10.3.8

Published by r0mant almost 2 years ago

Description

This release of Teleport contains multiple improvements and bug fixes.

  • Fixed issue with tsh aws s3 cp returning an error. #18432
  • Fixed server-side pagination backwards compatibility issue with v9 leaf clusters. #18532
  • Updated user locking to terminate in progress TCP app connections. #18188
  • Added arm and arm64 container images. #18272
  • Added ability to select specific roles when creating a resource access request. #18538, webapps#1364

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 11.0.3

Published by r0mant almost 2 years ago

Description

This release of Teleport contains multiple improvements and bug fixes.

  • Fixed issue with validation of U2F devices. #17876
  • Fixed tsh ssh -J not being able to connect to leaf cluster nodes. #18268
  • Fixed issue with failed database connection when client requests GSS encryption. #17811
  • Fixed issue with setting Teleport version to v10 in Helm charts resulting in invalid config. #18008
  • Fixed issue with Teleport Kubernetes resource name conflicting with builtin resources. #17717
  • Fixed issue with invalid MS Teams plugin systemd service file. #18028
  • Fixed issue with failing to connect to OpenSSH 7.x servers. #18248
  • Fixed issue with extra trailing question mark in application access requests. #17955
  • Fixed issue with application access websocket requests sometimes failing in Chrome. #18002
  • Fixed issue with multiple tbots concurrently using the same output directory. #17999
  • Fixed issue with tbot failing to parse version on some kernels. #18298
  • Fixed panic when v9 node runs against v11 auth server. #18383
  • Fixed issue with Kubernetes proxy caching client credentials between sessions. #18109
  • Fixed issue with agents not being able to reconnect to proxies in some cases. #18149
  • Fixed issue with remote tunnel connections not being closed properly. #18224
  • Added CircleCI support to Machine ID. #17996
  • Added support for arm and arm64 Docker images for Teleport and Operator. #18222
  • Added PostgreSQL and MySQL RDS Proxy support to database access. #18045
  • Improved database access denied error messages. #17856
  • Improved desktop access errors in case of locked sessions. #17549
  • Improved web UI handling of private key policy errors. #17991
  • Improved memory usage in clusters with large numbers of active sessions. #18051
  • Updated tsh proxy ssh to support HTTPS_PROXY. #18295
  • Updated Azure hosted databases to fetch the new CA. #18172
  • Updated tsh kube login to support providing default user, group and namespace. #18185
  • Updated web UI session listing to include active sessions of all types. #18229
  • Updated user locking to terminate in progress TCP application access connections. #18187
  • Updated teleport configure command to produce v2 config when auth server is provided. #17914
  • Updated all systemd service files to set max open files limit. #17961

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 10.3.7

Published by r0mant almost 2 years ago

Description

This release of Teleport contains multiple improvements and bug fixes.

  • Fixed issue with agent forwarding not working for auto-created Linux users. #17585
  • Fixed issue with incorrect exec command in MS Teams plugin systemd unit file. #18029
  • Fixed issue with not being able to connect to OpenSSH 7.4. #18247
  • Fixed issue with tsh proxy ssh not respecting HTTPS_PROXY. #18294
  • Fixed issue with tbot failing to parse certain kernel versions. #18300
  • Fixed issue with Kubernetes proxy caching client credentials between sessions. #18110
  • Fixed issue with terminated session resources not being freed up quickly enough. #18052
  • Fixed issue with agents losing track of proxies they're unable to connect to. #18152
  • Fixed issue with sessions spawning excessive amounts of goroutines. #18213
  • Fixed issue with invalid tunnel agent connections not being closed. #18225
  • Added back button to Access Manager's Test Connection screens. webapps#1326
  • Updated CA for Azure-hosted PostgreSQL databases. #18173
  • Improved tsh performance by reducing the number of roundtrips to server. #18054

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 8.3.21

Published by r0mant almost 2 years ago

Description

This release of Teleport contains a bug fix and a performance improvement.

  • Fixed issue with Kubernetes proxy caching client credentials between different login sessions. #18114
  • Improved performance by reducing number of roundtrips to the cluster by various clients. #17805, #17799

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 10.3.6

Published by r0mant almost 2 years ago

Description

This release of Teleport contains multiple improvements and bug fixes.

  • Fixed issue with U2F devices validation. #17877
  • Fixed issue with double question mark appended to application access requests. #17957
  • Fixed issue with websocket requests sometimes failing in application access. #18001
  • Increased default number of max open files in install scripts and configurations. #17960
  • Added active session warning to desktop access. #17936
  • Improved access denied user errors when connecting to the database. #17854
  • Improved performance by reducing the number of roundtrips to the cluster by various clients. #17802, #16434

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 7.3.26

Published by r0mant almost 2 years ago

Description

This release of Teleport contains a security fix as well as bug fixes and stability improvements.

Non-interactive SSH commands audit escape

Some non-interactive SSH commands could escape the audit log.

#16825

Other fixes

  • Fixed issue with terminal not always being cleared in FIPS mode. #10095
  • Fixed issue with connection blocking when transport channel fails to open. #16510
  • Fixed panic when comparing SSH public keys. #17875
  • Improved data consistency when using etcd backend. #17052

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.


labels: security-patch=yes

teleport - Teleport 8.3.20

Published by r0mant almost 2 years ago

Description

This release of Teleport contains a security fix as well as multiple improvements and bug fixes.

Non-interactive commands audit log escape

Some non-interactive SSH commands could escape the audit log.

#16923

Other fixes

  • Fixed issue with X11 forwarding for non-root users. #17132
  • Fixed issue with tsh db connect session terminating upon receiving SIGINT. #17066
  • Fixed issue with Teleport starting with incorrect configuration when no config file is present. #17345
  • Fixed panic when comparing public SSH keys. #17874
  • Added support for imagePullSecrets in teleport-kube-agent Helm chart. #16679
  • Improved Kubernetes logs formatting. #17478
  • Improved consistency when using etcd backend. #17051
  • Improved memory usage in large clusters. #16916

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.


labels: security-patch=yes

teleport - Teleport 9.3.22

Published by r0mant almost 2 years ago

Description

This release of Teleport contains a security fix as well as multiple improvements and bug fixes.

Non-interactive commands audit escape

Under some circumstances, non-interactive SSH commands could escape the audit log.

#16817
#16922

Other fixes

  • Fixed issue with client idle timeout ending sessions too early in some cases. #16869
  • Fixed issue with X11 forwarding for non-root users. #17131
  • Fixed "access denied" error in tctl auth sign. #17559
  • Fixed goroutine leak in API client. #17158
  • Fixed Postgres connection errors when client requests GSS encryption. #17816
  • Fixed issue with tctl rm windows_desktop/<name> removing all desktops. #17730
  • Fixed issue where tsh db connect session can be terminated by SIGINT. #17063
  • Fixed issue with Teleport starting with incorrect configuration when no config file is present. #17346
  • Fixed issue with auto-discovery of global Aurora secondary cluster. #16711
  • Fixed Kubernetes logs formatting. #17477
  • Fixed panic when comparing SSH public keys. #17873
  • Added support for imagePullSecrets in teleport-kube-agent Helm chart. #16680
  • Added support for join parameters in teleport-kube-agent Helm chart. #17535
  • Updated tsh ls query filter to allow filtering by node names. #17043
  • Improved error displayed for locked Windows desktops. #17547
  • Improved desktop access performance. #17072
  • Improved consistency when using etcd backend. #17050
  • Improved memory utilization in large clusters. #17078

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.


labels: security-patch=yes

teleport - Teleport 10.3.5

Published by r0mant almost 2 years ago

Description

This release of Teleport contains several bug fixes.

  • Fixed issue with Teleport custom resources conflicting with Kubernetes resources in Helm charts. #17718
  • Fixed issue with connecting to Redis 7 running in cluster mode in database access. #17855
  • Fixed panic when comparing SSH public keys. #17872
  • Improved error reporting from MFA devices. #17581

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 11.0.1

Published by r0mant almost 2 years ago

Description

This release of Teleport contains a security fix and multiple bug fixes.

Block SFTP in Moderated Sessions

Teleport did not block SFTP protocol in Moderated Sessions.

#17727

Other fixes

  • Fixed issue with agent forwarding not working for auto-created users. #17586
  • Fixed "traits missing" error in Application Access. #17737
  • Fixed connection leak issue in IAM joining. #17737
  • Fixed panic in "tsh db ls". #17780
  • Fixed issue with "tsh mfa add" not displaying OTP QR code image on Windows. #17703
  • Fixed issue with tctl rm windows_desktop/<name> removing all desktops. #17732
  • Fixed issue connecting to Redis 7.0 in cluster mode. #17849
  • Fixed "failed to open user account database" error after exiting SSH session. #17825
  • Improved tctl UX when using hardware-backed private keys. #17681
  • Improved tsh mfa add error reporting. #17580

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.


labels: security-patch=yes

teleport - Teleport 10.3.4

Published by r0mant almost 2 years ago

Description

This release of Teleport contains a security fix, as well as multiple improvements and bug fixes.

Block SFTP in Moderated Sessions

Teleport did not block SFTP protocol in Moderated Sessions.

#17726

Other fixes

  • Fixed tsh proxy ssh -J command not working when root proxy is unavailable. #17633
  • Fixed issue with tctl rm windows_desktop/<name> deleting all Windows desktops. #17731
  • Fixed connection leak in IAM joining method. #17740
  • Fixed panic in tsh db ls. #17779
  • Fixed issue with tsh mfa add not showing OTP QR code image on Windows. #17702
  • Fixed issue with Postgres connections failing when client requests GSS encryption. #17772
  • Fixed issue with tctl auth sign not working for Snowflake in trusted cluster scenario. #17327
  • Added load_all_cas auth service option that allows loading all CAs when connecting to a node. #17398
  • Updated Helm chart with Azure database auto-discovery settings. #17637
  • Updated Access Manager dialog with the new Kubernetes cluster join flow. webapps#1268

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.


labels: security-patch=yes

teleport - Teleport 11.0.0

Published by r0mant almost 2 years ago

Teleport 11 brings the following new major features and improvements:

  • Hardware-backed private keys support for Server Access (Enterprise only).
  • Replacement of obsolete SCP protocol with SFTP for Server Access.
  • Removal of persistent storage requirement for Helm charts.
  • Automatic discovery and enrollment of EKS/AKS clusters for Kubernetes Access.
  • Richer Azure integrations for Server and Database Access.
  • Cassandra and Scylla support for Database Access, including AWS Keyspaces.
  • GitHub Actions and Terraform support for Machine ID.
  • Access Requests and file upload/download support for Teleport Connect.

Hardware-backed private keys (Enterprise Only)

Teleport 11 clients (such as tsh or Connect) support storing their private key
material on YubiKey devices instead of the filesystem, which helps prevent
credential exfiltration attacks.

See how to enable it in this guide:

https://goteleport.com/docs/access-controls/guides/hardware-key-support/

Hardware-backed private keys are an Enterprise-only feature and are currently
supported for Server Access only.

SFTP protocol

Teleport 11 adds server-side support for SFTP protocol which many IDEs such as
VSCode or JetBrains PyCharm, GoLand and others use for browsing, copying, and
editing files on remote systems.

The following guides explain how to use IDEs to connect to a remote machine via
Teleport:

https://goteleport.com/docs/server-access/guides/vscode/
https://goteleport.com/docs/server-access/guides/jetbrains-sftp/

In addition, Teleport 11 clients will use SFTP protocol for file transfer under
the hood instead of the obsolete scp protocol. Server-side scp is still
supported so existing clients aren’t affected.

Helm charts persistent storage

In Teleport 11, users no longer need to use persistent storage when deploying
Helm charts. When running on Kubernetes, Teleport services will now store their
identities in Kubernetes Secrets, which removes the need for using persistent
storage or static join tokens.

For existing deployments, this change involves migration from Deployment to
StatefulSet which is performed automatically during Helm upgrade to Teleport 11.

EKS/AKS discovery

Teleport 11 adds support for automatic discovery and enrollment of AWS Elastic
Kubernetes Service (EKS) and Azure Kubernetes Service (AKS) clusters.

Azure integrations

Teleport 11 improves Azure support in multiple areas.

Teleport agents running on Azure VMs will now automatically import Azure tags to
label resources.

Teleport Database Access now supports auto-discovery for Azure-hosted PostgreSQL
and MySQL databases. See the updated Azure guide for more details:
https://goteleport.com/docs/ver/11.0/database-access/guides/azure-postgres-mysql/.

In addition, Teleport Database Access will now use Azure AD managed identity
authentication for Azure-hosted SQL Server databases.

Cassandra/ScyllaDB

Teleport 11 adds support for Cassandra and ScyllaDB databases in Database
Access. This includes support for AWS Keyspaces.

Machine ID

Teleport 11 adds support for secret-less joining of Machine ID agents in GitHub
Actions workflows. See the guide for more details:

https://goteleport.com/docs/machine-id/guides/github-actions/

We have also released a GitHub Action for setting up the Teleport binaries
within a GitHub workflow environment. More details regarding this can be found
at the Teleport GitHub Actions repository:

https://github.com/gravitational/teleport-actions

In addition, the Teleport Terraform plugin now supports the creation of Machine
ID Bots and Bot Tokens.

tsh MFA on Windows

tsh 11 adds support for MFA and passwordless logins via Windows Hello and
FIDO2 devices.

Teleport Connect

Teleport Connect has added support for Access Requests and file upload/download.

Breaking Changes

Please familiarize yourself with the following potentially disruptive changes in
Teleport 11 before upgrading.

Removed GitHub external SSO

Beginning in Teleport 11, GitHub SAML SSO will only be available in our
Enterprise Edition. GitHub SSO without SAML will continue to work with OSS
Teleport.

To keep using GitHub SSO with OSS Teleport, SAML SSO needs to be disabled
for your GitHub organization. OSS Teleport users can continue to use GitHub SSO
if using a GitHub Free or Team GitHub Plan.

Changed Terraform OIDC connector redirect_url type to array

In Teleport Plugins 11, the redirect_url property in OIDC connectors created via
a Terraform module expects an array:

redirect_url = [ "http://example.com" ]

Deprecated Quay.io registry

Starting with Teleport 11, Quay.io as a container registry has been deprecated.
Customers should use the new AWS ECR registry to pull Teleport Docker images:
https://goteleport.com/docs/installation/#docker.

Quay.io registry support will be removed in a future release.

Deprecated old deb/rpm repositories

In Teleport 11, old deb/rpm repositories (deb.releases.teleport.dev and
rpm.releases.teleport.dev) have been deprecated. Customers should use the new
repositories (apt.releases.teleport.dev and yum.releases.teleport.dev) to
install Teleport: https://goteleport.com/docs/installation/#linux.

Support for our old deb/rpm repositories will be removed in a future release.

Changed teleport-kube-agent Helm chart to StatefulSet

Teleport 11 agents will now store their identities in Kubernetes Secrets when
deployed via a Helm chart, which eliminates the need for using persistent storage
or static join tokens. Due to this change, Teleport agents are now always
deployed as part of a StatefulSet regardless of whether persistent storage is
enabled or not.

Existing agents that were deployed as Kubernetes Deployments (i.e. without
persistent storage) will be automatically converted to StatefulSets during
Teleport 11 Helm upgrade.

Removed PostgreSQL backend

The preview PostgreSQL backend was deleted due to performance and scalability
concerns.

Removed Desktop Access support for 32-bit ARM and 386 architectures

32-bit support for Desktop Access on ARM and 386 architectures has been removed
due to performance issues on these devices.

This also reduces the binary size for these builds, making them slightly more
convenient for smaller resource-constrained devices.

teleport - Teleport 11.0.0-rc.2

Published by r0mant almost 2 years ago

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 10.3.3

Published by r0mant about 2 years ago

Description

This release of Teleport contains multiple improvements and bug fixes.

  • Fixed issue with EC2 auto-enrollment not working on Ubuntu instances. #17467
  • Fixed issue with tctl auth sign producing "access denied" error. #17557
  • Fixed issue with agents entering permanent error loop if they had expired join tokens and the cluster had previously undergone host CA rotation. #17599
  • Fixed issue with tsh producing auditd errors on some systems. #17495
  • Fixed issue with Machine ID bots joined via IAM token not respecting requested certificate TTL. #17371
  • Fixed issue with Teleport failing to initialize properly without configuration file. #17343
  • Fixed desktop access clipboard sharing with newer versions of Chrome. webapps#1266
  • Added license expiration alerts. #17489
  • Added support for imagePullSecret in teleport-kube-agent Helm chart. #16678
  • Added support for join parameters in teleport-kube-agent Helm chart. #17534
  • Improved error when trying to connect to a Windows desktop that is locked. #17548
  • Improved SAML connectors validation upon creation. #16854
  • Improved desktop access connection error handling. #17390
  • Updated tsh ls --query to allow querying SSH nodes by hostname. #17038
  • Updated Machine ID to export user CA when generating SSH host certificate. #17525
  • Updated tsh to default to passwordless login if Touch ID is available. #17472

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 11.0.0-rc.1

Published by r0mant about 2 years ago

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 11.0.0-beta.1

Published by r0mant about 2 years ago

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 10.3.2

Published by r0mant about 2 years ago

Description

This release of Teleport contains multiple improvements and bug fixes.

  • Fixed formatting issues in tctl get installer. #17167
  • Fixed issue with client idle timeout sometimes kicking in too early. #16868
  • Fixed issue with private key format affecting some 3rd party clients. #17045
  • Fixed issue with X11 forwarding not working for non-root users. #17130
  • Fixed a goroutine leak in the API client. #17124
  • Fixed issue with SIGINT sent to database client terminating tsh db connect connection. #16932
  • Fixed compatibility issue preventing connections from 10.2.3 and newer clusters into older versions. #17226
  • Fixed issue with fetching desktops using the list resources API. #17117
  • Fixed potential integer overflow issue in the desktop access protocol. #17179
  • Added ability to specify OIDC username claim using username_claim field. #17070
  • Improved curl command produced by tsh app login to avoid TLS errors. #16975
  • Improved data consistency when using etcd backend. #17049
  • Improved memory usage in large clusters. #17087
  • Improved desktop access performance. #17071

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.


labels: security-patch=yes

teleport - Teleport 11.0.0-alpha.2

Published by r0mant about 2 years ago

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.