teleport

Description

This release of Teleport contains multiple features, improvements and bug fixes.

• Added support for per-user tsh configuration preferences. #10336
• Added support for role bootstrapping in OSS. #11175
• Added HTTP_PROXY support to tsh. #10209
• Improved error messages tsh and tctl show to include usage information on invalid command line invocation. #11174
• Improved tctl <resource> ls output to make it consistent across all resources. #9519
• Fixed multiple issues with CA rotation, graceful restart, and stability. #10706 #11074 #11283
• Fixed issue where MOTD was not always shown. #10735
• Fixed an issue where certificate extension not being included in tctl auth sign. #10949
• Fixed a panic that could occur in the Web UI. #11389

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

Description

This release of Teleport contains multiple performance and stability improvements.

• Fixed issue with certificates growing large when repeatedly requesting access. #11036
• Multiple improvements for stability of CA rotation. #11192, #11186, #10902
• Multiple improvements to session uploader. #10796
• Fixed issue with tsh ignoring TELEPORT_HOME environment variable. #11094
• Fixed utmp accounting on some systems. #10618
• Fixed issue with MongoDB access connections not being closed properly. #10729
• Fixed issue with DynamoDB backend not returning results beyond 1MB. #10849
• Fixed issue with Kubernetes service identity missing certain DNS names. #10946
• Fixed issue with deleting certain users from backend. #11133
• Fixed issue with session recording panic. #10876
• Fixed issue with slow session reclaim preventing the use of full max_connections allowance. #10879
• Fixed goroutine and memory leak in certificate authorities watcher. #11122
• Fixed panic caused by ClusterConfig backwards compatibility. #11145

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

Description

This release of Teleport contains multiple improvements and bug fixes.

• Fixed issue with Ctrl-C freezing sessions. #11188
• Improved handling of unknown audit events. #11064
• Improved calculation of public addresses for dynamically registered apps. #11139
• Fixed tsh aws ecr returning 500 errors. #11108
• Fixed issue with deleting certain users. #11131
• Fixed issue with Machine ID not detecting token in file config. #11206

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

Description

Teleport 9.0 is a major release that brings:

• Teleport Desktop Access GA
• Teleport Machine ID Preview
• Various additions to Teleport Database Access
• Moderated Sessions for Server and Kubernetes Access

Desktop Access adds support for clipboard sharing, session recording, and
per-session MFA.

Teleport Machine ID Preview extends identity-based access to machines. It's the
easiest way to issue, renew, and manage SSH and X.509 certificates for service
accounts, microservices, CI/CD automation and all other forms of
machine-to-machine access.

Database Access brings self-hosted Redis support, RDS MariaDB (10.6 and higher)
support, auto-discovery for Redshift clusters, and auto-IAM configuration
improvements to GA. Additionally, this release also brings Microsoft SQL Server
with AD authentication to Preview.

Moderated Sessions enables the creation of sessions where a moderator has to
be present. This feature can be selectively enabled for specific sessions via
RBAC and can be used in conjunction with per-session MFA.

Desktop Access

Clipboard Support

Desktop Access now supports copying and pasting text between your local
workstation and a remote Windows Desktop. This feature requires a Chromium-based
browser and can be disabled via RBAC.

Session Recording

Desktop sessions are now recorded and stored alongside SSH sessions, and can be
viewed in Teleport's web interface. Desktop session recordings are fully
compatible with the RBAC for sessions feature introduced in Teleport 8.1.

Per-session MFA

Per-session MFA settings now apply to desktop sessions. This allows cluster
administrators to require an additional MFA "tap" prior to opening a desktop
session. This feature requires a WebAuthn device.

Machine ID (Preview)

Machine ID allows the creation of machine / bot / service account users who can
automatically issue, renew, and manage SSH and X.509 certificates to facilitate
machine-to-machine access.

Machine ID is a service that programmatically issues and renews short-lived
certificates to any service account (e.g., a CI/CD server) by retrieving
credentials from the Teleport Auth Service. This enables fine-grained role-based
access controls and audit.

Some of the things you can do with Machine ID:

• Machines can retrieve short-lived SSH certificates for CI/CD pipelines.
• Machines can retrieve short-lived X.509 certificates for use with databases or
  applications.
• Configure role-based access controls and locking for machines.
• Capture access events in the audit log.

Machine ID getting started guide:
https://goteleport.com/docs/ver/9.0/machine-id/getting-started/.

Database Access

Redis

You can now use Database Access to connect to a self-hosted Redis instance or
Redis cluster and view Redis commands in the Teleport audit log. We will be
adding support for AWS Elasticache in the coming weeks.

Self-hosted Redis guide:
https://goteleport.com/docs/ver/9.0/database-access/guides/redis/.

SQL Server (Preview)

Teleport 9 includes a preview release of Microsoft SQL Server with Active
Directory authentication support for Database Access. Audit logging of query
activity is not included in the preview release and will be implemented in a
later 9.x release.

SQL Server guide:
https://goteleport.com/docs/ver/9.0/database-access/guides/sql-server-ad/.

RDS MariaDB

Teleport 9 updates MariaDB support with auto-discovery and connection to AWS RDS
MariaDB databases using IAM authentication. The minimum MariaDB version that
supports IAM authentication is 10.6.

Updated RDS guide:
https://goteleport.com/docs/ver/9.0/database-access/guides/rds/.

Other Improvements

In addition, Teleport 9 expands auto-discovery to support Redshift databases and
2 new commands which simplify the Database Access getting started experience:
"teleport db configure create", which generates Database Service configuration,
and "teleport db configure bootstrap", which configures IAM permissions for the
Database Service when running on AWS.

CLI commands reference:
https://goteleport.com/docs/ver/9.0/database-access/reference/cli/#teleport-db-configure-create
https://goteleport.com/docs/ver/9.0/database-access/reference/cli/#teleport-db-configure-bootstrap

Moderated Sessions

With Moderated Sessions, Teleport administrators can define policies that allow
users to invite other users to participate in SSH or Kubernetes sessions as
observers, moderators or peers.

Moderated Sessions guide:
https://goteleport.com/docs/ver/9.0/access-controls/guides/moderated-sessions/.

Breaking Changes

CentOS 6

CentOS 6 support was deprecated in Teleport 8 and has now been removed.

Desktop Access

Desktop Access now authenticates to LDAP using X.509 client certificates.
Support for the password_file configuration option has been removed.

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

Description

This release of Teleport contains multiple improvements and fixes.

• Fixed utmp accounting on some systems. #10617
• Fixed an issue with DynamoDB pagination when result set exceeds 1MB. #10847
• Improved join instructions printed by tctl when using Teleport Cloud. #10749
• Improved HA behavior of database agents in leaf clusters. #10770
• Fixed an issue with .deb packages not being published. #10806
• Fixed an issue with session uploader leaving empty directories behind in some cases. #10793

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

Description

This release of Teleport contains a security fix and multiple improvements and fixes.

Trusted Clusters security fix

An attacker in possession of a valid Trusted Cluster join token could inject a
malicious CA into a Teleport cluster that would allow them to bypass root
cluster authorization and potentially connect to any node within the root
cluster.

For customers using Trusted Clusters, we recommend upgrading to one of the
patched releases listed below then revoking and rotating all Trusted Cluster
tokens. As a best practice, make sure that Trusted Cluster tokens have short
time-to-live and ideally are removed after being used once.

Other fixes

• Fixed dynamic labeling for Kubernetes agents. #10464
• Added teleport_audit_emit_event and teleport_connected_resources Prometheus metrics. #10462, #10461
• Fixed an issue with serving multiple concurrent X11 forwarding sessions. #10473
• Fixed a misnaming in the X11 forwarding configuration file options. #10758
• Fixed an issue with MongoDB connections not being properly closed. #10730
• Clear terminal at the end of the session in FIPS mode. #10533

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

Description

This release of Teleport contains a security fix and multiple improvements and fixes.

Trusted Clusters security fix

An attacker in possession of a valid Trusted Cluster join token could inject a
malicious CA into a Teleport cluster that would allow them to bypass root
cluster authorization and potentially connect to any node within the root
cluster.

For customers using Trusted Clusters, we recommend upgrading to one of the
patched releases listed below then revoking and rotating all Trusted Cluster
tokens. As a best practice, make sure that Trusted Cluster tokens have short
time-to-live and ideally are removed after being used once.

Other fixes

• Fix potential panic in the audit log writer. #10299
• Introduce cert.create audit event. #10255
• Active node inventory cleanup improvements. #10311
• Improved performance for clusters with >20,000 SSH nodes. #9521
• Fix database proxy reconnect after CA rotation. #10307
• Fix dynamic labeling for Kubernetes agents. #10468
• Reduced network utilization by propagating only necessary CAs when using Trusted Clusters. #10020

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

Description

This release of Teleport contains a security fix and an improvement.

Trusted Clusters security fix

An attacker in possession of a valid Trusted Cluster join token could inject a
malicious CA into a Teleport cluster that would allow them to bypass root
cluster authorization and potentially connect to any node within the root
cluster.

For customers using Trusted Clusters, we recommend upgrading to one of the
patched releases listed below then revoking and rotating all Trusted Cluster
tokens. As a best practice, make sure that Trusted Cluster tokens have short
time-to-live and ideally are removed after being used once.

Other fixes

• Introduce cert.create audit event. #10226

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

Description

This release of Teleport contains a security fix.

Trusted Clusters security fix

An attacker in possession of a valid Trusted Cluster join token could inject a
malicious CA into a Teleport cluster that would allow them to bypass root
cluster authorization and potentially connect to any node within the root
cluster.

For customers using Trusted Clusters, we recommend upgrading to one of the
patched releases listed below then revoking and rotating all Trusted Cluster
tokens. As a best practice, make sure that Trusted Cluster tokens have short
time-to-live and ideally are removed after being used once.

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

Description

This release of Teleport contains a security fix.

Trusted Clusters security fix

An attacker in possession of a valid Trusted Cluster join token could inject a
malicious CA into a Teleport cluster that would allow them to bypass root
cluster authorization and potentially connect to any node within the root
cluster.

For customers using Trusted Clusters, we recommend upgrading to one of the
patched releases listed below then revoking and rotating all Trusted Cluster
tokens. As a best practice, make sure that Trusted Cluster tokens have short
time-to-live and ideally are removed after being used once.

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

Description

This release of Teleport contains new features, improvements, and fixes.

• Added additional Prometheus metrics for cache and event monitoring. #9826
• Fixed an issue with user home directory checking. #10321

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

Description

This release of Teleport contains new features, improvements, and fixes.

• Added IAM support for Joining Nodes and Proxies in AWS. #8690 #10085 #10087
• Added GitHub team information to claims for GitHub SSO. #9604
• Added the cert.create event. #9822
• Updated tsh ls output to truncate labels. #9589
• Updated smart card PIN generation to generate a random PIN for each desktop session, preventing the smart card from being used after the initial login. #9919
• Fixed an issue that could cause the audit logger to crash. #10254
• Fixed an issue with tctl --insecure and TLS routing. #10297
• Fixed an issue where reverse tunnels would not properly reconnect. #10368

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.