teleport

The easiest, and most secure way to access and protect all of your infrastructure.

AGPL-3.0 License

Stars
17.1K
Committers
305

teleport - Teleport 9.3.12

Published by r0mant over 2 years ago

Description

This release of Teleport contains multiple improvements and bug fixes.

  • Added ability to set session recording configuration from a resource. #14612
  • Fixed an issue where tsh would shell out to ssh. #14222
  • Improved error messages for Database Access. #13902 #14476
  • Fixed issue with Ctrl-C hanging when the session is paused. #14512

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 10.0.2

Published by r0mant over 2 years ago

Description

This release of Teleport contains multiple improvements and bug fixes.

  • Fixed issue with tsh proxy ssh command shelling out to ssh in non TLS routing mode. #14522
  • Fixed issue with being able to create users with invalid roles via API. #14459
  • Fixed issue with tsh login erroring out on non-existent PuTTY key file on Windows. #14572
  • Fixed issue with application service not failing correctly with invalid configuration. #14478
  • Improved error message when joining with invalid host ID using EC2 join method. #14494
  • Include Machine ID's tbot binary in Docker images. #14462

teleport - Teleport 9.3.10

Published by r0mant over 2 years ago

Description

This release of Teleport contains multiple improvements and bug fixes.

  • Fixed issue with SSH and Kubernetes sessions showing duplicate participants. #13989
  • Fixed multiple issues with X11 forwarding on Windows and Mac. #14439
  • Fixed issue with API not validating roles during user creation. #14460
  • Fixed issue with PostgreSQL listener not starting when Proxy runs in --insecure-no-tls mode. #14328
  • Fixed issue with blank --ca-pin flag overriding configuration. #14362
  • Fixed potential panic in Desktop Access. #14446
  • Fixed issue with Application Access agent not failing correctly with invalid configuration. #14479
  • Fixed issue with redirect path not being preserved after login in Application Access. #14053
  • Fixed issue with Machine ID not respecting configured TTL. #14413
  • Fixed --cluster flag for tsh db ls command. #14391
  • Fixed issue with labels not being expanded with traits in Desktop Access. #14017
  • Fixed issue with resource listings returning different results between CLI and Web UI in some cases. #14477
  • Improved tsh login to hint at required --user flag. #14254
  • Improved CA rotation stability. #14044
  • Improved agents reconnect time after Proxy restart. #14461
  • Improved error message when tctl is run before Teleport is started. #14083
  • Improved performance when using RBAC for sessions with DynamoDB backend. #13284
  • Improved error message during tsh login if Proxy address wasn't configured correctly. #14374
  • Improved tsh db ls performance for users with many roles. #14287
  • Improved internal cache efficiency. #14306
  • Made sure SSH config generated by Teleport includes workaround for SHA1 certificates. #14058
  • Include Machine ID's tbot binary in Docker images. #14464

teleport - Teleport 10.0.1

Published by r0mant over 2 years ago

Description

This release of Teleport contains multiple improvements and bug fixes.

  • Fixed "unsupported option" error when using passwordless with some hardware keys. #14198
  • Fixed issue with automatic user provisioning creating invalid sudoer files for some usernames. #14364
  • Fixed a number of issues with X11 forwarding on Mac and Windows. #14437
  • Fixed interoperability issues between newer OpenSSH clients and Teleport. #14442
  • Fixed issue causing Teleport instances running both Auth and Node services to emit TeleportDegraded events. #14314
  • Fixed issue with HTTP proxy basic auth not being respected. #14322
  • Fixed issue with blank --ca-pin flag overriding configuration. #14361
  • Fixed potential panic in Desktop Access. #14445
  • Fixed issue with App Access redirect to a URL containing "nil". #14393
  • Fixed issues with resource request approvals in Web UI. #14444
  • Fixed issue with resource request approvals for Windows Desktops. #14452
  • Fixed issue with Machine ID ignoring configured certificate TTL. #14338
  • Fixed issue with resource list results being different between Web UI and CLI. #14472
  • Added TouchID prompt message to tsh. #14186
  • Added hint about --user flag to tsh login. #14253
  • Added ability to update user principals using tctl users update --set-logins command. #14390
  • Added CA rotation support to Machine ID. #14431
  • Added --format flag to tsh proxy aws command. #14447
  • Improved tsh login error message when Proxy public address is not set. #14338
  • Improved tsh db ls performance for users with many roles. #14284
  • Start PostgreSQL listener when Proxy runs in --insecure-no-tls mode. #14327
  • Create PuTTY compatible key pair on tsh login. #14383
  • Display Kubernetes session in the list of active sessions in Web UI. #14360
  • Reduced the number of cache reads in healthy clusters. #14304

teleport - Teleport 10.0.0

Published by r0mant over 2 years ago

Description

Teleport 10 is a major release that brings the following new features.

Platform:

  • Passwordless (Preview)
  • Resource Access Requests (Preview)
  • Proxy Peering (Preview)

Server Access:

  • IP-Based Restrictions (Preview)
  • Automatic User Provisioning (Preview)

Database Access:

  • Audit Logging for Microsoft SQL Server Database Access
  • Snowflake Database Access (Preview)
  • ElastiCache/MemoryDB Database Access (Preview)

Teleport Connect:

  • Teleport Connect for Server and Database Access (Preview)

Machine ID:

  • Machine ID Database Access Support (Preview)

Passwordless (Preview)

Teleport 10 introduces passwordless support to your clusters. To use passwordless, users may register a security key with resident credentials or use a built-in authenticator, like Touch ID.

See https://goteleport.com/docs/access-controls/guides/passwordless/.

Resource Access Requests (Preview)

Teleport 10 expands just-in-time access requests to allow for requesting access to specific resources. This lets you grant users the least privileged access needed for their workflows.

Just-in-time access requests are only available in Teleport Enterprise Edition.

Proxy Peering (Preview)

Proxy peering enables Teleport deployments to scale without an increase in load from the number of agent connections. This is accomplished by allowing Proxy Services to tunnel client connections to the desired agent through a neighboring proxy and decoupling the number of agent connections from the number of Proxies.

Proxy peering can be enabled with the following configurations:

auth_service:
  tunnel_strategy:
    type: proxy_peering
    agent_connection_count: 1
proxy_service:
  peer_listen_addr: 0.0.0.0:3021

Network connectivity between proxy servers to the peer_listen_addr is required for this feature to work.

Proxy peering is only available in Teleport Enterprise Edition.

IP-Based Restrictions (Preview)

Teleport 10 introduces a new role option to pin the source IP in SSH certificates. When enabled, the source IP that was used to request certificates is embedded in the certificate, and SSH servers will reject connection attempts from other IPs. This protects against attacks where valid credentials are exfiltrated from disk and copied out into other environments.

IP-based restrictions are only available in Teleport Enterprise Edition.

Automatic User Provisioning (Preview)

Teleport 10 can be configured to automatically create Linux host users upon login without having to use Teleport's PAM integration. Users can be added to specific Linux groups and assigned appropriate “sudoer” privileges.

To learn more about configuring automatic user provisioning, read the guide: https://goteleport.com/docs/server-access/guides/host-user-creation/.

Audit Logging for Microsoft SQL Server Database Access

Teleport 9 introduced a preview of Database Access support for Microsoft SQL Server which didn’t include audit logging of user queries. Teleport 10 captures users' queries and prepared statements and sends them to the audit log, similarly to other supported database protocols.

Teleport Database Access for SQL Server remains in Preview mode with more UX improvements coming in future releases.

Refer to the guide to set up access to a SQL Server with Active Directory authentication: https://goteleport.com/docs/database-access/guides/sql-server-ad/.

Snowflake Database Access (Preview)

Teleport 10 brings support for Snowflake to Database Access. Administrators can set up access to Snowflake databases through Teleport for their users with standard Database Access features like role-based access control and audit logging, including query activity.

Connect your Snowflake database to Teleport following this guide: https://goteleport.com/docs/database-access/guides/snowflake/.

ElastiCache/MemoryDB Database Access (Preview)

Teleport 9 added Redis protocol support to Database Access. Teleport 10 improves this integration by adding native support for AWS-hosted ElastiCache and MemoryDB, including auto-discovery and automatic credential management in some deployment configurations.

Learn more about it in this guide: https://goteleport.com/docs/database-access/guides/redis-aws/.

Teleport Connect for Server and Database Access (Preview)

Teleport Connect is a graphical macOS application that simplifies access to your Teleport resources. Teleport Connect 10 supports Server Access and Database Access. Other protocols and Windows support are coming in a future release.

Get the Teleport Connect installer from the macOS tab on the downloads page: https://goteleport.com/download/.

Machine ID Database Access Support (Preview)

In Teleport 10 we’ve added Database Access support to Machine ID. Applications can use Machine ID to access databases protected by Teleport.

You can find the Machine ID guide for database access in the documentation: https://goteleport.com/docs/machine-id/guides/databases/.

Breaking changes

Please familiarize yourself with the following potentially disruptive changes in Teleport 10 before upgrading.

Auth Service version check

Teleport 10 agents will now refuse to start if they detect that the Auth Service is more than one major version behind them. You can use the --skip-version-check flag to bypass the version check.

Take a look at component compatibility guarantees in the documentation: https://goteleport.com/docs/setup/operations/upgrading/#component-compatibility.

HTTP_PROXY for reverse tunnels

Reverse tunnel connections will now respect HTTP_PROXY environment variables. This may result in reverse tunnel agents not being able to re-establish connections if the HTTP proxy is set in their environment and does not allow connections to the Teleport Proxy Service.

Refer to the following documentation section for more details: https://goteleport.com/docs/setup/reference/networking/#http-connect-proxies.

New APT repos

With Teleport 10 we’ve migrated to new APT repositories that now support multiple release channels, Teleport versions and OS distributions. The new repositories have been backfilled with Teleport versions starting from 6.2.31 and we recommend upgrading to them. The old repositories will be maintained for the foreseeable future.

See updated installation instructions: https://goteleport.com/docs/server-access/getting-started/#step-14-install-teleport-on-your-linux-host.

Removed “tctl access ls”

The tctl access ls command that returned information about user server access within the cluster was removed. Please use a previous tctl version if you’d like to keep using it.

Relaxed session join permissions

In previous versions of Teleport, users needed full access to a Node/Kubernetes pod in order to join a session. Teleport 10 relaxes this requirement. Joining sessions remains deny-by-default, but now only join_policy statements are checked for session join RBAC.

See the Moderated Sessions guide for more details: https://goteleport.com/docs/access-controls/guides/moderated-sessions/.

GitHub connectors

The GitHub authentication connector’s teams_to_logins field is deprecated in favor of the new teams_to_roles field. The old field will be removed in a future release.

Teleport FIPS AWS endpoints

Teleport 10 will now automatically use FIPS endpoints for AWS S3 and DynamoDB when started with the --fips flag. You can use the use_fips_endpoint=false connection endpoint option to use regular endpoints for Teleport in FIPS mode, for example:

s3://bucket/path?region=us-east-1&use_fips_endpoint=false

See the S3/DynamoDB backends documentation for more information: https://goteleport.com/docs/setup/reference/backends/#s3.

teleport - Teleport 10.0.0-rc.1

Published by r0mant over 2 years ago

Warning

Pre-releases are not production ready, use at your own risk!

teleport - Teleport 9.3.9

Published by r0mant over 2 years ago

Description

This release of Teleport contains a security fix, as well as multiple improvements and bug fixes.

Auth bypass in Moderated Sessions

When checking a user’s roles prior to starting a session, Teleport may have incorrectly allowed a session to proceed without moderation depending on the order roles are received from the backend.

If you're using Moderated Sessions, we recommend upgrading Auth, Proxy, SSH and Kubernetes agents.

Other improvements and fixes

  • Fixed issue with per-session MFA swallowing keypresses. #13822
  • Fixed issue with tsh db ls -R not showing allowed users. #13626
  • Fixed vertical and horizontal scroll in desktop access. #13905
  • Fixed issue with invalid query filters forcing tsh relogin. #13747
  • Fixed issue with TLS routing and proxy jump. #13928
  • Fixed issue with MongoDB connections timing out in certain scenarios. #13859
  • Fixed issue with Machine ID certificate renewal with empty requested roles. #13893
  • Fixed issue with Windows desktops not being labeled with LDAP attribute labels. #13681
  • Fixed issue with desktop access streaming not being terminated properly. #14024
  • Added ability to use FIPS endpoints for S3 and DynamoDB using use_fips_endpoint connection option. #13703
  • Added ability to specify CA pin as a file path in the config. #13089
  • Improved reconnect reliability after root proxy restart. #13967
  • Improved error messages for failed auth client connections. #13835

teleport - Teleport 8.3.15

Published by r0mant over 2 years ago

Description

This release of Teleport contains multiple improvements and bug fixes.

  • Improved reliability of dialing auth servers through the proxy. #13310
  • Reduced network utilization when using many trusted clusters. #13961
  • Fixed issue with dialing remote clusters after proxy restart. #13798
  • Fixed backwards compatibility issue with fetching access requests. #13427
  • Fixed issue with CA rotation not working when database service has not enabled databases. #13518
  • Fixed issue with EC2 metadata options breaking generated Teleport config. #13538
  • Added extra troubleshooting tools to Teleport Docker images. #13198

teleport - Teleport 10.0.0-alpha.2

Published by r0mant over 2 years ago

Warning

Pre-releases are not production ready, use at your own risk!

teleport - Teleport 9.3.7

Published by r0mant over 2 years ago

Description

This release of Teleport contains multiple improvements and bug fixes.

  • Fixed issue with startup delay caused by AWS EC2 check. #13167
  • Added tsh ls -R that displays resources across all clusters and profiles. #13313
  • Fixed issue with tsh not correctly reporting "address in use" error during port forwarding. #13679
  • Fixed two potential panics. #13590, #13655
  • Fixed issue with enhanced session recording not working on recent Ubuntu versions. #13650
  • Fixed issue with CA rotation when Database Service does not contain any databases. #13517
  • Fixed issue with Desktop Access connection failing with "invalid channel name rdpsnd" error. #13450
  • Fixed issue with invalid Teleport config when enabling IMDSv2 in Terraform config. #13537

teleport - Teleport 9.3.6

Published by r0mant over 2 years ago

Description

This release of Teleport contains multiple improvements and bug fixes.

  • Added Unicode clipboard support to Desktop Access. #13391
  • Fixed backwards compatibility issue with fetching access requests from older servers. #13490
  • Fixed issue with Application Access requests periodically failing with 500 errors. #13469
  • Fixed issues with pagination when displaying applications. #13451
  • Fixed file descriptor leak in Machine ID. #13386

teleport - Teleport 9.3.5

Published by r0mant over 2 years ago

Description

This release of Teleport contains multiple improvements and bug fixes.

  • Fixed backwards compatibility issue with fetching access requests from older servers. #13428
  • Fixed issue with using Microsoft SQL Server Management Studio with Database Access. #13337
  • Added support for tsh proxy ssh -J to improve interoperability with OpenSSH clients. #13311
  • Added ability to provide security context in Helm charts. #13286
  • Added Application and Database Access support to reference AWS Terraform deployment. #13383
  • Improved reliability of dialing Auth Server through the Proxy. #13399
  • Improved kubectl exec auditing by logging access denied attempts. #12831, #13400

teleport - Teleport 9.3.4

Published by r0mant over 2 years ago

Description

This release of Teleport contains multiple security fixes, bug fixes and improvements.

Escalation attack in agent forwarding

When setting up agent forwarding on the node, Teleport did not handle unix socket creation in a secure manner.

This could have given a potential attacker an opportunity to get Teleport to change arbitrary file permissions to the attacker’s user.

Websockets CSRF

When handling websocket requests, Teleport did not verify that the provided Bearer token was generated for the correct user.

This could have allowed a malicious low privileged Teleport user to use a social engineering attack to gain higher privileged access on the same Teleport cluster.

Denial of service in access requests

When accepting an access request, Teleport did not enforce the maximum request reason size.

This could allow a malicious actor to mount a DoS attack by creating an access request with a very large request reason.

Auth bypass in moderated sessions

When initializing a moderated session, Teleport did not discard participant’s input prior to the moderator joining.

This could prevent a moderator from being able to interrupt a malicious command executed by a participant.

Actions

We recommend upgrading Auth, Proxy, SSH and Kubernetes agents.

Users should back up the Teleport cluster, then follow the standard Teleport upgrade procedure.

Other fixes

  • Fixed issue with stdin hijacking when per-session MFA is enabled. #13212
  • Added support for automatic tags import when running on AWS EC2. #12593
  • Added ability to use multiple redirect URLs in OIDC connectors. #13046
  • Fixed issue with ANSI escape sequences being broken when using tsh on Windows. #13221
  • Fixed issue with tsh ssh printing extra error upon exit if last command was unsuccessful. #12903
  • Added support for Proxy Protocol v2 in MySQL proxy. #12993
  • Upgraded to Go v1.17.11. #13104
  • Added Windows desktops labeling based on their LDAP attributes. #13238
  • Improved performance when listing resources for users with many roles. #13263

teleport - Teleport 8.3.14

Published by r0mant over 2 years ago

Description

This release of Teleport contains multiple security fixes, bug fixes and improvements.

Escalation attack in agent forwarding

When setting up agent forwarding on the node, Teleport did not handle unix socket creation in a secure manner.

This could have given a potential attacker an opportunity to get Teleport to change arbitrary file permissions to the attacker’s user.

Websockets CSRF

When handling websocket requests, Teleport did not verify that the provided Bearer token was generated for the correct user.

This could have allowed a malicious low privileged Teleport user to use a social engineering attack to gain higher privileged access on the same Teleport cluster.

Denial of service in access requests

When accepting an access request, Teleport did not enforce the maximum request reason size.

This could allow a malicious actor to mount a DoS attack by creating an access request with a very large request reason.

Actions

We recommend upgrading Auth, Proxy, SSH and Kubernetes agents.

Users should back up the Teleport cluster, then follow the standard Teleport upgrade procedure.

Other fixes

  • Fixed issue with tsh ssh printing extra error upon exit when last command was unsuccessful. #12904
  • Fixed issue with Kubernetes Access not working with clusters using public CAs. #12873
  • Upgrade to Go v1.17.11. #13107
  • Reduced glibc requirements by removing dependency on OpenSSL. #12411

teleport - Teleport 7.3.23

Published by r0mant over 2 years ago

Description

This release of Teleport contains multiple security and bug fixes.

Escalation attack in agent forwarding

When setting up agent forwarding on the node, Teleport did not handle unix socket creation in a secure manner.

This could have given a potential attacker an opportunity to get Teleport to change arbitrary file permissions to the attacker’s user.

Websockets CSRF

When handling websocket requests, Teleport did not verify that the provided Bearer token was generated for the correct user.

This could have allowed a malicious low privileged Teleport user to use a social engineering attack to gain higher privileged access on the same Teleport cluster.

Actions

We recommend upgrading Auth, Proxy, SSH and Kubernetes agents.

Users should back up the Teleport cluster, then follow the standard Teleport upgrade procedure.

Other fixes

  • Fixed issue with tsh ssh printing extra error upon exit when last command was unsuccessful. #12902

teleport - Teleport 9.3.2

Published by r0mant over 2 years ago

Description

This release of Teleport contains two bug fixes.

  • Fixed issue with Machine ID's tsh version check. #13037
  • Fixed AWS related log spam in database agent when not running on AWS. #12984

teleport - Teleport Connect Preview v1.0.2

Published by zmb3 over 2 years ago

Teleport Connect is a developer-friendly browser for cloud infrastructure.

Traditional terminals are optimized for accessing localhost. Teleport Connect offers enhanced user experience and identity-based access for engineers who work in the cloud.

Teleport Connect requires an installation of Teleport. Download Teleport here, and download Teleport Connect below.

The preview of Teleport Connect is available for amd64 Macs only. It also works on M1 Macs with Rosetta. Support for additional platforms and architectures will be added soon.

Changelog

  • ⬆️ Update Electron to v19
  • ⬆️ bundle tsh v9.3.0
  • Increased terminal scrollback to 5000 lines
  • Add tooltips with keyboard shortcuts

Notes

  • Per-session MFA is not currently supported
  • Connecting to databases requires a cluster running Teleport 9.1 or newer
  • Shared SSH sessions and SCP are not yet supported.

teleport - Teleport 9.3.0

Published by r0mant over 2 years ago

Description

This release of Teleport contains multiple improvements and bug fixes.

  • Fixed issue with tctl not taking TELEPORT_HOME environment variable into account. #12738
  • Fixed issue with Redis AUTH command not always authenticating the user in database access. #12754
  • Fixed issue with Teleport not starting with deprecated U2F configuration. #12826
  • Fixed issue with tsh db ls not showing allowed users for leaf clusters. #12853
  • Fixed issue with teleport configure failing when given non-existent data directory. #12806
  • Fixed issue with tctl not outputting debug logs. #12920
  • Fixed issue with Kubernetes access not working when using default CA pool. #12874
  • Fixed issue with Machine ID not working in TLS routing mode. #12990
  • Added database access support to Machine ID. #12990
  • Improved connection performance in large clusters. #12832
  • Improved memory usage in large clusters. #12724

Breaking Changes

Teleport 9.3.0 reduces the minimum GLIBC requirement to 2.18 and enforces more secure cipher suites for desktop access.

As a result of these changes, desktop access users with desktops running Windows Server 2012R2 will need to perform additional configuration to force Windows to use compatible cipher suites.

Windows desktops running Windows Server 2016 and newer will continue to operate normally - no additional configuration is required.

teleport - Teleport 8.3.12

Published by r0mant over 2 years ago

Description

This release of Teleport contains multiple improvements and bug fixes.

  • Fixed issue with tctl not respecting TELEPORT_HOME environment variable. #12758
  • Fixed issue with tsh db ls not displaying allowed users for databases in leaf clusters. #12854
  • Fixed issue with not being able to execute prepared statements through MySQL database access. #12735
  • Fixed issue with tctl not outputting debug logs. #12919
  • Improved memory usage in large clusters. #12723

teleport - Teleport 7.3.21

Published by r0mant over 2 years ago

Description

This release of Teleport contains multiple bug fixes and stability improvements.

  • Fixed issue with tctl not outputting debug logs. #12918
  • Fixed issue with Kubernetes access not working when using system CA pool. #12876
  • Improved proxy restart stability. #12694
  • Improved memory usage in large clusters. #12722
