teleport

The easiest, and most secure way to access and protect all of your infrastructure.

AGPL-3.0 License

Stars
17.1K
Committers
305


teleport - Teleport 16.0.0-alpha.3

Published by r0mant 5 months ago

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

teleport - Teleport 13.4.26

Published by tcsc 5 months ago

Description

This release contains fixes for several high-severity security issues, as well as numerous other bug fixes and improvements.

Security Fixes

[High] Unrestricted redirect in SSO Authentication

Teleport didn’t sufficiently validate the client redirect URL. This could allow an attacker to trick Teleport users into performing an SSO authentication and redirect to an attacker-controlled URL allowing them to steal the credentials. #41836.

Warning: Teleport will now disallow non-localhost callback URLs for SSO logins unless otherwise configured. Users of the tsh login --callback feature should modify their auth connector configuration as follows:

version: vX
kind: (saml|oidc|github)
metadata:
  name: ...
spec:
  ...
  client_redirect_settings:
    allowed_https_hostnames:
      - '*.app.github.dev'
      - '^\d+-[a-zA-Z0-9]+\.foo.internal$'

The allowed_https_hostnames field is an array containing allowed hostnames, supporting glob matching and, if the string begins and ends with ^ and $ respectively, full regular expression syntax. Custom callback URLs are required to be HTTPS on the standard port (443).

[High] CockroachDB authorization bypass

When connecting to CockroachDB using Database Access, Teleport did not properly consider the username case when running RBAC checks. As such, it was possible to establish a connection using an explicitly denied username when using a different case. #41825.

[High] Long-lived connection persistence issue with expired certificates

Teleport did not terminate some long-running mTLS-authenticated connections past the expiry of client certificates for users with the disconnect_expired_cert option. This could allow such users to perform some API actions after their certificate has expired. #41829.

[High] PagerDuty integration privilege escalation

When creating a role access request, Teleport would include PagerDuty annotations from the user’s entire role set rather than from the specific role being requested. For users who run multiple PagerDuty access plugins with auto-approval, this could result in a request for a different role being inadvertently auto-approved than the one which corresponds to the user’s active on-call schedule. #41831.

[High] SAML IdP session privilege escalation

When using Teleport as SAML IdP, authorization wasn’t properly enforced on the SAML IdP session creation. As such, authenticated users could use an internal API to escalate their own privileges by crafting a malicious program. #41849.

We strongly recommend all customers upgrade to the latest releases of Teleport.

Other fixes and improvements

  • Fixed access request annotations when annotations contain globs, regular
    expressions, trait expansions, or claims_to_roles is used. #41938.
  • Fixed session upload completion with large number of simultaneous session
    uploads. #41852.
  • Stripped debug symbols from Windows builds, resulting in smaller tsh and
    tctl binaries. #41838.
  • Added read-only permissions for cluster maintenance config. #41792.
  • Simplified how Bots are shown on the Users list page. #41738.
  • Fixed missing variable and script options in Default Agentless Installer
    script. #41721.
  • Added remote address to audit log events emitted when a Bot or Instance join
    completes, successfully or otherwise. #41698.
  • Upgraded application heartbeat service to support 1000+ dynamic applications. #41628.
  • Fixed systemd unit to always restart Teleport on failure unless explicitly
    stopped. #41583.
  • Updated Teleport package installers to reload Teleport service config after
    upgrades. #41549.
  • Fixed WebUI SSH connection leak when browser tab closed during SSH connection
    establishment. #41520
  • Added "login failed" audit events for invalid passwords on password+webauthn
    local authentication. #41435
  • Allow setting Kubernetes Cluster name when using non-default addresses. #41356.
  • Added support to automatically download CA for MongoDB Atlas databases. #41340.
  • Added validation for application URL extracted from the web application
    launcher request route. #41306.
  • Allow defining custom database names and users when selecting wildcard during
    test connection when enrolling a database through the web UI. #41303.
  • Updated user management to explicitly deny password resets and local logins to
    SSO users. #41272.

--

labels: security-patch=yes, security-patch-alts=v15.3.4

teleport - Teleport 15.3.7

Published by tcsc 5 months ago

Description

  • Fixed creating access requests for servers in Teleport Connect that were blocked due to a "no roles configured" error. #41959
  • Fixed regression issue with event-handler Linux artifacts not being available. #4237
  • Fixed failed startup on GCP if missing permissions. #41985

teleport - Teleport 14.3.20

Published by r0mant 5 months ago

Description

This release contains fixes for several high-severity security issues, as well as numerous other bug fixes and improvements.

Security Fixes

[High] Unrestricted redirect in SSO Authentication

Teleport didn’t sufficiently validate the client redirect URL. This could allow
an attacker to trick Teleport users into performing an SSO authentication and
redirect to an attacker-controlled URL allowing them to steal the credentials.
#41834.

Warning: Teleport will now disallow non-localhost callback URLs for SSO logins
unless otherwise configured. Users of the tsh login --callback feature should
modify their auth connector configuration as follows:

version: vX
kind: (saml|oidc|github)
metadata:
  name: ...
spec:
  ...
  client_redirect_settings:
    allowed_https_hostnames:
      - '*.app.github.dev'
      - '^\d+-[a-zA-Z0-9]+\.foo.internal$'

The allowed_https_hostnames field is an array containing allowed hostnames,
supporting glob matching and, if the string begins and ends with ^ and $
respectively, full regular expression syntax. Custom callback URLs are required
to be HTTPS on the standard port (443).

[High] CockroachDB authorization bypass

When connecting to CockroachDB using Database Access, Teleport did not properly
consider the username case when running RBAC checks. As such, it was possible to
establish a connection using an explicitly denied username when using a
different case. #41823.

[High] Long-lived connection persistence issue with expired certificates

Teleport did not terminate some long-running mTLS-authenticated connections past
the expiry of client certificates for users with the disconnect_expired_cert
option. This could allow such users to perform some API actions after their
certificate has expired.
#41827.

[High] PagerDuty integration privilege escalation

When creating a role access request, Teleport would include PagerDuty
annotations from the user’s entire role set rather than from the specific role
being requested. For users who run multiple PagerDuty access plugins with
auto-approval, this could result in a request for a different role being
inadvertently auto-approved than the one which corresponds to the user’s active
on-call schedule.
#41837.

[High] SAML IdP session privilege escalation

When using Teleport as SAML IdP, authorization wasn’t properly enforced on the
SAML IdP session creation. As such, authenticated users could use an internal
API to escalate their own privileges by crafting a malicious program.
#41846.

We strongly recommend all customers upgrade to the latest releases of Teleport.

Other fixes and improvements

  • Fixed session upload completion in situations where there's a large number of in-flight session uploads. #41853
  • Debug symbols are now stripped from Windows builds, resulting in smaller tsh and tctl binaries. #41839
  • Fixed an issue where the server version of registered MySQL databases was not automatically updated upon new connections. #41820
  • Add read-only permissions for cluster maintenance config. #41791
  • Simplified how Bots are shown on the Users list page. #41739
  • Fix missing variable and script options in Default Agentless Installer script. #41722
  • Improved reliability of aggregated usage reporting with some cluster state storage backends (Teleport Enterprise only). #41703
  • Adds the remote address to audit log events emitted when a join for a Bot or Instance fails or succeeds. #41699
  • Allow the application service to heartbeat on behalf of more than 1000 dynamic applications. #41627
  • Ensure responses to Kubernetes watch requests are written sequentially. #41625
  • Install Script used in discover wizard now supports Ubuntu 24.04. #41588
  • Ensured that systemd always restarts Teleport on any failure unless explicitly stopped. #41582
  • Teleport service config is now reloaded on upgrades. #41548
  • Fixed AccessList reconciler comparison causing audit events noise. #41541
  • Prevent SSH connections opened in the UI from leaking if the browser tab is closed while the SSH connection is being established. #41519
  • Emit login failed audit events for invalid passwords on password+webauthn local authentication. #41433
  • Allow setting Kubernetes Cluster name when using non-default addresses. #41355
  • Added support to automatically download CA for MongoDB Atlas databases. #41339
  • Fixed broken finish web page for SSO users on auto discover. #41336
  • Add fallback on GetAccessList cache miss call. #41327
  • Validate application URL extracted from the web application launcher request route. #41305
  • Allow defining custom database names and users when selecting wildcard during test connection when enrolling a database through the web UI. #41302
  • Updated Go to v1.21.10. #41282
  • Forbid SSO users from local logins or password changes. #41271
  • Prevents Cloud tenants from updating cluster_networking_config fields keep_alive_count_max, keep_alive_interval, tunnel_strategy, or proxy_listener_mode. #41248

--

labels: security-patch=yes, security-patch-alts=v14.3.19

teleport - Teleport 15.3.6

Published by r0mant 5 months ago

Description

This release contains fixes for several high-severity security issues, as well as numerous other bug fixes and improvements.

Security Fixes

[High] Unrestricted redirect in SSO Authentication

Teleport didn’t sufficiently validate the client redirect URL. This could allow an attacker to trick Teleport users into performing an SSO authentication and redirect to an attacker-controlled URL allowing them to steal the credentials. #41834.

Warning: Teleport will now disallow non-localhost callback URLs for SSO logins unless otherwise configured. Users of the tsh login --callback feature should modify their auth connector configuration as follows:

version: vX
kind: (saml|oidc|github)
metadata:
  name: ...
spec:
  ...
  client_redirect_settings:
    allowed_https_hostnames:
      - '*.app.github.dev'
      - '^\d+-[a-zA-Z0-9]+\.foo.internal$'

The allowed_https_hostnames field is an array containing allowed hostnames, supporting glob matching and, if the string begins and ends with ^ and $ respectively, full regular expression syntax. Custom callback URLs are required to be HTTPS on the standard port (443).
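The callback check described above (the same advisory text appears in 13.4.26 and 14.3.20) as an added Go example written for this page, not code from Teleport's source: loopback callbacks stay allowed, anything else must be https on port 443 and match the allowlist, where a pattern wrapped in ^...$ is a regular expression and everything else is a glob. The two allowlist entries are the release note's own illustrations; the loopback rule and the choice of path.Match for glob matching are assumptions about the behaviour, not the project's implementation.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// Constructed allowlist, copied from the release-note example. Assumption:
// these hostnames are illustrative and belong to no real deployment.
var allowedHTTPSHostnames = []string{
	"*.app.github.dev",
	`^\d+-[a-zA-Z0-9]+\.foo.internal$`,
}

// isLocalhost covers the default tsh login flow, which listens on a loopback
// address (assumption: "localhost" plus any loopback IP counts).
func isLocalhost(host string) bool {
	if host == "localhost" {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// hostnameMatches applies the rule from the release note: a pattern that
// begins with ^ and ends with $ is a full regular expression; anything else
// is a glob. Both must match the whole hostname, never a substring.
func hostnameMatches(pattern, host string) bool {
	if strings.HasPrefix(pattern, "^") && strings.HasSuffix(pattern, "$") {
		re, err := regexp.Compile(pattern)
		if err != nil {
			return false // a malformed pattern never matches
		}
		return re.MatchString(host)
	}
	// path.Match: '*' matches any run of characters except '/', which cannot
	// occur in a hostname. Assumption: the project's glob dialect may differ.
	ok, err := path.Match(pattern, host)
	return err == nil && ok
}

// CallbackAllowed decides whether a client redirect URL may receive the
// SSO login result. Non-loopback callbacks must be HTTPS on the standard
// port and match an allowlist entry.
func CallbackAllowed(rawURL string, allowed []string) bool {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false
	}
	host := u.Hostname()
	if host == "" {
		return false
	}
	if isLocalhost(host) {
		return true
	}
	if u.Scheme != "https" {
		return false
	}
	if p := u.Port(); p != "" && p != "443" {
		return false
	}
	for _, pattern := range allowed {
		if hostnameMatches(pattern, host) {
			return true
		}
	}
	return false
}

func main() {
	for _, c := range []string{
		"http://127.0.0.1:8099/callback",
		"https://abc-1234.app.github.dev/callback",
		"https://1234-abc.foo.internal/callback",
		"https://evil.example.com/callback",
		"http://abc-1234.app.github.dev/callback",
		"https://abc-1234.app.github.dev:8443/callback",
		"https://x.app.github.dev.evil.com/callback",
	} {
		fmt.Printf("%-48s allowed=%v\n", c, CallbackAllowed(c, allowedHTTPSHostnames))
	}
}
```

Because both pattern forms must cover the entire hostname, a suffix such as x.app.github.dev.evil.com fails the glob, and a userinfo trick like https://abc.app.github.dev@evil.com/ is parsed with evil.com as the host and rejected.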

[High] CockroachDB authorization bypass

When connecting to CockroachDB using Database Access, Teleport did not properly consider the username case when running RBAC checks. As such, it was possible to establish a connection using an explicitly denied username when using a different case. #41823.
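The class of bug behind this fix (the same advisory appears in 13.4.26 and 14.3.20), as an added Go example written for this page and not taken from Teleport: a deny entry for root compared byte-for-byte lets Root through, while the backend treats both as the same principal. The dbRole type and the lowercase folding are illustrative assumptions; the folding models a backend that treats usernames case-insensitively, which is the property the advisory relies on.

```go
package main

import (
	"fmt"
	"strings"
)

// dbRole holds only the two lists that matter here. Assumption: this mirrors
// the shape of a role's allow/deny db_users lists and is not Teleport's type.
type dbRole struct {
	allowUsers []string
	denyUsers  []string
}

// contains reports whether v is covered by list under the given equality,
// with "*" acting as a wildcard entry.
func contains(list []string, v string, eq func(a, b string) bool) bool {
	for _, x := range list {
		if x == "*" || eq(x, v) {
			return true
		}
	}
	return false
}

// checkDBUserVulnerable compares the requested user exactly as typed, so a
// deny entry for "root" does not cover "Root" or "ROOT".
func checkDBUserVulnerable(r dbRole, user string) bool {
	exact := func(a, b string) bool { return a == b }
	if contains(r.denyUsers, user, exact) {
		return false
	}
	return contains(r.allowUsers, user, exact)
}

// canonicalUser folds the name the way a case-insensitive backend will
// (assumption for this example: the backend lowercases usernames, so "Root"
// and "root" name the same principal).
func canonicalUser(user string) string {
	return strings.ToLower(strings.TrimSpace(user))
}

// checkDBUserFixed canonicalizes both the role entries and the requested
// user before comparing, so deny is evaluated in the form the backend uses.
func checkDBUserFixed(r dbRole, user string) bool {
	fold := func(a, b string) bool { return canonicalUser(a) == canonicalUser(b) }
	if contains(r.denyUsers, user, fold) {
		return false
	}
	return contains(r.allowUsers, user, fold)
}

func main() {
	// Constructed role: every user allowed, root explicitly denied.
	r := dbRole{allowUsers: []string{"*"}, denyUsers: []string{"root"}}
	for _, u := range []string{"alice", "root", "Root", "ROOT"} {
		fmt.Printf("%-6s vulnerable=%-5v fixed=%v\n",
			u, checkDBUserVulnerable(r, u), checkDBUserFixed(r, u))
	}
}
```

The general rule the example illustrates: an authorization decision must be made on the identifier in the form the target system will actually use, otherwise every equivalence the target applies (case folding, Unicode normalization, trailing-dot stripping) is a bypass of the deny list.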

[High] Long-lived connection persistence issue with expired certificates

Teleport did not terminate some long-running mTLS-authenticated connections past the expiry of client certificates for users with the disconnect_expired_cert option. This could allow such users to perform some API actions after their certificate has expired. #41827.

[High] PagerDuty integration privilege escalation

When creating a role access request, Teleport would include PagerDuty annotations from the user’s entire role set rather than from the specific role being requested. For users who run multiple PagerDuty access plugins with auto-approval, this could result in a request for a different role being inadvertently auto-approved than the one which corresponds to the user’s active on-call schedule. #41837.
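How the over-broad annotation merge turns into an auto-approval, as an added Go example written for this page and not Teleport's code (the same advisory appears in 13.4.26 and 14.3.20). The heldRole type, the pagerduty_services annotation key and the on-call model are assumptions chosen to illustrate the failure; only the shape of the bug (annotations taken from every held role instead of the role that permits the request) comes from the advisory.

```go
package main

import (
	"fmt"
	"sort"
)

// heldRole models the parts of a role that matter here: which roles it lets
// the user request and the annotations it attaches to such requests.
// Assumption: this loosely mirrors allow.request.roles and
// allow.request.annotations and is not the project's own type.
type heldRole struct {
	name         string
	requestRoles []string
	annotations  map[string][]string
}

// Constructed role set: two requester roles, each tied to a different
// PagerDuty service, each watched by its own auto-approving plugin.
var userRoles = []heldRole{
	{
		name:         "db-requester",
		requestRoles: []string{"db-admin"},
		annotations:  map[string][]string{"pagerduty_services": {"db-oncall"}},
	},
	{
		name:         "k8s-requester",
		requestRoles: []string{"k8s-admin"},
		annotations:  map[string][]string{"pagerduty_services": {"k8s-oncall"}},
	},
}

// permitsRequest reports whether a held role allows requesting the named role.
func permitsRequest(r heldRole, requested string) bool {
	for _, allowed := range r.requestRoles {
		if allowed == "*" || allowed == requested {
			return true
		}
	}
	return false
}

func merge(dst, src map[string][]string) {
	for k, vs := range src {
		dst[k] = append(dst[k], vs...)
	}
}

// annotationsVulnerable reproduces the pre-fix behaviour: every held role's
// annotations land on the request, whatever role is being asked for.
func annotationsVulnerable(roles []heldRole, requested string) map[string][]string {
	out := map[string][]string{}
	for _, r := range roles {
		merge(out, r.annotations)
	}
	return out
}

// annotationsScoped only takes annotations from held roles that actually
// permit requesting the named role.
func annotationsScoped(roles []heldRole, requested string) map[string][]string {
	out := map[string][]string{}
	for _, r := range roles {
		if permitsRequest(r, requested) {
			merge(out, r.annotations)
		}
	}
	return out
}

// wouldAutoApprove models a plugin that approves when the requester is on
// call for any service named in the request's annotations.
func wouldAutoApprove(ann map[string][]string, onCall map[string]bool) bool {
	for _, svc := range ann["pagerduty_services"] {
		if onCall[svc] {
			return true
		}
	}
	return false
}

// services returns the request's PagerDuty services in sorted order.
func services(ann map[string][]string) []string {
	s := append([]string(nil), ann["pagerduty_services"]...)
	sort.Strings(s)
	return s
}

func main() {
	onCall := map[string]bool{"db-oncall": true} // on call for the DB service only
	for _, v := range []struct {
		name string
		f    func([]heldRole, string) map[string][]string
	}{{"vulnerable", annotationsVulnerable}, {"scoped", annotationsScoped}} {
		ann := v.f(userRoles, "k8s-admin")
		fmt.Printf("%-10s services=%v auto-approve k8s-admin=%v\n",
			v.name, services(ann), wouldAutoApprove(ann, onCall))
	}
}
```

With the user on call only for db-oncall, the vulnerable merge attaches db-oncall to a k8s-admin request and the DB plugin approves it; the scoped version attaches only k8s-oncall and the request waits for a human.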

[High] SAML IdP session privilege escalation

When using Teleport as SAML IdP, authorization wasn’t properly enforced on the SAML IdP session creation. As such, authenticated users could use an internal API to escalate their own privileges by crafting a malicious program. #41846.

We strongly recommend all customers upgrade to the latest releases of Teleport.

Other fixes and improvements

  • Fixed access request annotations when annotations contain globs, regular
    expressions, trait expansions, or claims_to_roles is used. #41936.
  • Added AWS Management Console as a guided flow using AWS OIDC integration in
    the "Enroll New Resource" view in the web UI. #41864.
  • Fixed spurious Windows Desktop sessions screen resize during an MFA ceremony. #41856.
  • Fixed session upload completion with large number of simultaneous session
    uploads. #41854.
  • Fixed MySQL databases version reporting on new connections. #41819.
  • Added read-only permissions for cluster maintenance config. #41790.
  • Stripped debug symbols from Windows builds, resulting in smaller tsh and
    tctl binaries. #41787
  • Fixed passkey deletion so that a user may now delete their last passkey if
    they have a password and another MFA configured. #41771.
  • Changed the default permissions for the Workload Identity Unix socket to 0777
    rather than the default as applied by the umask. This will allow the socket to
    be accessed by workloads running as users other than the user that owns the
    tbot process. #41754
  • Added ability for teleport-event-handler to skip certain events type when
    forwarding to an upstream server. #41747.
  • Added automatic GCP label importing. #41733.
  • Fixed missing variable and script options in Default Agentless Installer
    script. #41723.
  • Removed invalid AWS Roles from Web UI picker. #41707.
  • Added remote address to audit log events emitted when a Bot or Instance join
    completes, successfully or otherwise. #41700.
  • Simplified how Bots are shown on the Users list page. #41697.
  • Added improved-performance implementation of ProxyCommand for Machine ID and
    SSH. This will become the default in v16. You can adopt this new mode early by
    setting TBOT_SSH_CONFIG_PROXY_COMMAND_MODE=new. #41694.
  • Improved EC2 Auto Discovery by adding the SSM script output and more explicit
    error messages. #41664.
  • Added webauthn diagnostics commands to tctl. #41643.
  • Upgraded application heartbeat service to support 1000+ dynamic applications. #41626
  • Fixed issue where Kubernetes watch requests are written out of order. #41624.
  • Fixed a race condition triggered by a reload during Teleport startup. #41592.
  • Updated discover wizard Install Script to support Ubuntu 24.04. #41589.
  • Fixed systemd unit to always restart Teleport on failure unless explicitly stopped. #41581.
  • Updated Teleport package installers to reload Teleport service config after
    upgrades. #41547.
  • Fixed file truncation bug in Desktop Directory Sharing. #41540.
  • Fixed WebUI SSH connection leak when browser tab closed during SSH connection
    establishment. #41518.
  • Fixed AccessList reconciler comparison causing audit events noise. #41517.
  • Added tooling to create SCIM integrations in tctl. #41514.
  • Fixed Windows Desktop error preventing rendering of the remote session. #41498.
  • Fixed issue in the PagerDuty, Opsgenie and ServiceNow access plugins that
    caused duplicate calls on access requests containing duplicate service names.
    Also increased the timeout so slow external API requests are less likely to
    fail. #41488.
  • Added basic Unix workload attestation to the tbot SPIFFE workload API. You
    can now restrict the issuance of certain SVIDs to processes running with a
    certain UID, GID or PID. #41450.
  • Added "login failed" audit events for invalid passwords on password+webauthn
    local authentication. #41432.
  • Fixed Terraform provider issue causing the Provision Token options to default
    to false instead of empty. #41429.
  • Added support to automatically download CA for MongoDB Atlas databases. #41338.
  • Fixed broken "finish" web page for SSO Users on auto discover. #41335.
  • Allow setting Kubernetes Cluster name when using non-default addresses. #41331.
  • Added fallback on GetAccessList cache miss call. #41326.
  • Fixed DiscoveryService panic when auto-enrolling EKS clusters. #41320.
  • Added validation for application URL extracted from the web application launcher request route. #41304.
  • Allow defining custom database names and users when selecting wildcard during test connection when enrolling a database through the web UI. #41301.
  • Fixed broken link for alternative EC2 installation during EC2 discover flow. #41292
  • Updated Go to v1.21.10. #41281.
  • Updated user management to explicitly deny password resets and local logins to
    SSO users. #41270.
  • Fixed fetching suggested access lists with large IDs in Teleport Connect. #41269.
  • Prevents cloud tenants from updating cluster_networking_config fields keep_alive_count_max, keep_alive_interval, tunnel_strategy, or proxy_listener_mode. #41247.
  • Added support for creating Okta integrations with tctl. #41888.

--

labels: security-patch=yes, security-patch-alts=v15.3.5|v15.3.4|v15.3.3|v15.3.2

teleport - Teleport 13.4.24

Published by camscale 5 months ago

Description

  • Fix a bug that was preventing tsh proxy kube certificate renewal from working when accessing a leaf kubernetes cluster via the root. #41159
  • Add lock target to lock deletion audit events. #41110
  • Fix user SSO bypass by performing a local passwordless login. #41072
  • Enforce allow_passwordless server-side. #41059
  • Improved error message when performing an SSO login with a hardware key. #40925

teleport - Teleport 14.3.18

Published by camscale 5 months ago

Description

  • Ensure that the active sessions page shows up in the web UI for users with permissions to join sessions. #41222
  • Fix a bug that was preventing tsh proxy kube certificate renewal from working when accessing a leaf kubernetes cluster via the root. #41157
  • Add lock target to lock deletion audit events. #41111
  • Improve the reliability of the upload completer. #41104
  • Allows the listener for the tbot database-tunnel service to be set to a unix socket. #41042

teleport - Teleport 15.3.1

Published by camscale 5 months ago

Description

  • Fixed screen_size behavior for Windows Desktops, which was being overridden by the new resize feature. #41241
  • Ensure that the active sessions page shows up in the web UI for users with permissions to join sessions. #41221
  • Added indicators on the account settings page that tell which authentication methods are active. #41169
  • Fix a bug that was preventing tsh proxy kube certificate renewal from working when accessing a leaf kubernetes cluster via the root. #41158
  • Fixed AccessDeniedException for dynamodb:ConditionCheckItem operations when using AWS DynamoDB for cluster state storage. #41133
  • Added lock target to lock deletion audit events. #41112
  • Fixed a permissions issue that prevented the teleport-cluster helm chart operator from registering agentless ssh servers. #41108
  • Improve the reliability of the upload completer. #41103
  • Allows the listener for the tbot database-tunnel service to be set to a unix socket. #41008

teleport - Teleport 14.3.17

Published by camscale 6 months ago

Description

  • Fixed user SSO bypass by performing a local passwordless login. #41071
  • Enforce allow_passwordless server-side. #41058
  • Fixed a memory leak caused by incorrectly passing the offset when paginating all Access Lists' members when there are more than the default pagesize (200) Access Lists. #41044
  • Fixed a regression causing roles filtering to not work. #41000
  • Allow AWS integration to be used for global services without specifying a valid region. #40990
  • Fixed access requests lingering in the UI and tctl after expiry. #40965
  • Made podSecurityContext configurable in the teleport-cluster Helm chart. #40950
  • Allow mounting extra volumes in the updater pod deployed by the teleport-kube-agent chart. #40949
  • Improved error message when performing an SSO login with a hardware key. #40924
  • Fixed a bug in the teleport-cluster Helm chart that happened when sessionRecording was off. #40920
  • Allows setting additional Kubernetes labels on resources created by the teleport-cluster Helm chart. #40916
  • Fixed audit event failures when using DynamoDB event storage. #40912
  • Properly enforce session moderation requirements when starting Kubernetes ephemeral containers. #40907
  • Introduced the tpm join method, which allows for secure joining in on-prem environments without the need for a shared secret. #40875
  • Issue cert.create events during device authentication. #40873
  • Add the ability to control ssh_config generation in Machine ID's Identity Outputs. This allows the generation of the ssh_config to be disabled if unnecessary, improving performance and removing the dependency on the Proxy being online. #40862
  • Prevented deleting AWS OIDC integration used by External Audit Storage. #40853
  • Reduced parallelism when polling AWS resources to prevent API throttling when exporting them to Teleport Access Graph. #40812
  • Added hardware key support for agentless connections #40929

teleport - Teleport 15.3.0

Published by camscale 6 months ago

Description

Improved Roles UI

The Roles page of the web UI is now backed by a paginated API, ensuring fast
load times even on clusters with large numbers of roles.

Resizing for Windows desktop sessions

Windows desktop sessions now automatically resize as the size of the browser
window changes.

Hardware key support for agentless nodes

Teleport now supports connecting to agentless OpenSSH nodes even when Teleport
is configured to require hardware key MFA checks.

TPM joining

The new TPM join method enables secure joining for agents and Machine ID bots
that run on-premises. Based on the secure properties of the host's hardware
trusted platform module, this join method removes the need to create and
distribute secret tokens, significantly reducing the risk of exfiltration.

Other improvements and fixes

  • Fixed user SSO bypass by performing a local passwordless login. #41067
  • Enforce allow_passwordless server-side. #41057
  • Fixed a memory leak caused by incorrectly passing the offset when paginating all Access Lists' members when there are more than the default pagesize (200) Access Lists. #41045
  • Added resize capability to windows desktop sessions. #41025
  • Fixed a regression causing roles filtering to not work. #40999
  • Allow AWS integration to be used for global services without specifying a valid region. #40991
  • Made account id visible when selecting IAM Role for accessing the AWS Console. #40987

teleport - Teleport 15.2.5

Published by r0mant 6 months ago

Description

  • Extend proxy templates to allow the target host to be resolved via a predicate expression or fuzzy matching. #40966
  • Fix an issue where access requests would linger in UI and tctl after expiry. #40964
  • The teleport-cluster Helm chart can configure AccessMonitoring when running in aws mode. #40957
  • Make podSecurityContext configurable in the teleport-cluster Helm chart. #40951
  • Allow mounting extra volumes in the updater pod deployed by the teleport-kube-agent chart. #40946
  • Improve error message when performing an SSO login with a hardware key. #40923
  • Fix a bug in the teleport-cluster Helm chart that happened when sessionRecording was off. #40919
  • Fix audit event failures when using DynamoDB event storage. #40913
  • Allow setting additional Kubernetes labels on resources created by the teleport-cluster Helm chart. #40909
  • Fix Windows cursor getting stuck. #40890
  • Issue cert.create events during device authentication. #40872
  • Add the ability to control ssh_config generation in Machine ID's Identity Outputs. This allows the generation of the ssh_config to be disabled if unnecessary, improving performance and removing the dependency on the Proxy being online. #40861
  • Prevent deleting AWS OIDC integration used by External Audit Storage. #40851
  • Introduce the tpm join method, which allows for secure joining in on-prem environments without the need for a shared secret. #40823
  • Reduce parallelism when polling AWS resources to prevent API throttling when exporting them to Teleport Access Graph. #40811
  • Fix spurious deletion of Access List Membership metadata during SCIM push or sync. #40544
  • Properly enforce session moderation requirements when starting Kubernetes ephemeral containers. #40906

teleport - Teleport 13.4.23

Published by camscale 6 months ago

Description

  • Fixed a bug in the teleport-cluster Helm chart that happened when sessionRecording was off. #40921
  • Issue cert.create events during device authentication. #40874
  • Added a new Audit log event that is emitted when an Agent or Bot request to join the cluster is denied. #40816
  • Fixed an issue that prevented uploading a zip file larger than 10MiB when updating an AWS Lambda function via tsh app access. #40795
  • Added a new Prometheus metric to track requests initiated by Teleport against the control plane API. #40757
  • Fixed possible data race that could lead to concurrent map read and map write while proxying Kubernetes requests. #40722
  • Patched CVE-2023-45288 and CVE-2024-32473. #40698
  • Generic "not found" errors are returned whether a remote cluster can't be found or access is denied. #40683
  • Fixed a resource leak in the Teleport proxy server when using proxy peering. #40676
  • Updated cosign to address CVE-2024-29902 and CVE-2024-29903. #40500
  • Prevented accidental passkey "downgrades" to MFA. #40411
  • Teleport Connect now hides cluster name in the connection list if there's only a single cluster available. #40358
  • Teleport Connect now shows all recent connections instead of capping them at 10. #40252
  • Fixed an issue that prevented the teleport service from restarting. #40231
  • Include system annotations in audit event entries for access requests. #40216
  • Updated Go to 1.21.9. #40178
  • Allow diagnostic endpoints to be accessed behind a PROXY protocol enabled loadbalancer/proxy. #40140
  • Fixed "Invalid URI" error in Teleport Connect when starting mongosh from database connection tab. #40106
  • Fixed a verbosity issue that caused the teleport-kube-agent-updater to output debug logs by default. #39955
  • Reduced default Jamf inventory page size, allow custom values to be provided. #39935
  • Improved performance of resource filtering via labels and fuzzy search. #39793

teleport - Teleport 14.3.16

Published by camscale 6 months ago

Description

  • Fixed a deprecation warning being shown when tbot is used with OpenSSH. #40838
  • Added a new Audit log event that is emitted when an Agent or Bot request to join the cluster is denied. #40815
  • Added a new Prometheus metric to track requests initiated by Teleport against the control plane API. #40755
  • Fixed uploading zip files larger than 10MiB when updating an AWS Lambda function via tsh app access. #40738
  • Fixed possible data race that could lead to concurrent map read and map write while proxying Kubernetes requests. #40721
  • Fixed access request promotion of windows_desktop resources. #40711
  • Fixed spurious ambiguous host errors in ssh routing. #40709
  • Patched CVE-2023-45288 and CVE-2024-32473. #40696
  • Generic "not found" errors are returned whether a remote cluster can't be found or access is denied. #40682
  • Fixed a resource leak in the Teleport proxy server when using proxy peering. #40675
  • Allow other issue types when configuring JIRA plugin. #40645
  • Added the ability to configure labels that should be set on the Kubernetes secret when using the kubernetes_secret destination in tbot. #40551
  • Updated cosign to address CVE-2024-29902 and CVE-2024-29903. #40498
  • The Web UI now supports large number of roles by paginating them. #40464

teleport - Teleport 15.2.4

Published by fheinecke 6 months ago

Description

  • Fixed a deprecation warning being shown when tbot is used with OpenSSH. #40837
  • Added a new Audit log event that is emitted when an Agent or Bot request to join the cluster is denied. #40814
  • Fixed regenerating cloud account recovery codes. #40786
  • Changed UI for the sign-up and authentication reset flows. #40773
  • Added a new Prometheus metric to track requests initiated by Teleport against the control plane API. #40754
  • Fixed an issue that prevented uploading a zip file larger than 10MiB when updating an AWS Lambda function via tsh app access. #40737
  • Patched CVE-2024-32650. #40735
  • Fixed possible data race that could lead to concurrent map read and map write while proxying Kubernetes requests. #40720
  • Fixed access request promotion of windows_desktop resources. #40712
  • Fixed spurious ambiguous host errors in ssh routing. #40706
  • Patched CVE-2023-45288 and CVE-2024-32473. #40695
  • Generic "not found" errors are returned whether a remote cluster can't be found or access is denied. #40681
  • Fixed a resource leak in the Teleport proxy server when using proxy peering. #40672
  • Added Azure CLI access support on AKS with Entra Workload ID. #40660
  • Allow other issue types when configuring JIRA plugin. #40644
  • Added regexp.match to access request filter and where expressions. #40642
  • Notify the requester in slack review request messages. #40624
  • Handle passwordless in MFA audit events. #40617
  • Added auto discover capability to EC2 enrollment in the web UI. #40605
  • Fixed RDP licensing. #40595
  • Added support for the ascii variants of smartcard calls. #40566
  • Added the ability to configure labels that should be set on the Kubernetes secret when using the kubernetes_secret destination in tbot. #40550
  • Updated cosign to address CVE-2024-29902 and CVE-2024-29903. #40497
  • The Web UI now supports a large number of roles by paginating them. #40463
  • Improved the responsiveness of the session player during long periods of idle time. #40442
  • Fixed incorrect format for database_object_import_rule resources with non-empty expiry. #40203
  • Updated Opsgenie annotations so approve-schedules is used for both alert creation and auto approval if notify schedules is not set. #40121

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

teleport - Teleport 15.2.2

Published by fheinecke 6 months ago

Description

  • Updated the cluster selector in the UI to now only be visible when more than one cluster is available. #40478
  • Fixed accidental passkey "downgrades" to MFA. #40409
  • Added tsh proxy kube --exec mode that spawns kube proxy in the background, which re-executes the user shell with the appropriate kubeconfig. #40395
  • Made Amazon S3 fields optional when creating or editing AWS OIDC integration on the web UI. #40368
  • Fixed a bug that prevented the available logins from being displayed for Windows desktops in leaf clusters that were being accessed via the root cluster web UI. #40367
  • Changed Teleport Connect to hide cluster name in the connection list if there is only a single cluster available. #40356
  • Fixed invalid session TTL error when creating access request with tsh. #40335
  • Added missing discovery AWS matchers fields "Integration" and "KubeAppDiscovery" to the file configuration. #40320
  • Added automatic role access requests. #40285
  • Redesigned the login UI. #40272
  • Added friendly role names for Okta sourced roles. These will be displayed in access list and access request pages in the UI. #40260
  • Added Teleport Machine ID Workload Identity support for legacy systems which are not able to parse DNS SANs, and which are not SPIFFE aware. #40180

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

teleport - Teleport 15.2.1

Published by r0mant 7 months ago

Description

  • Teleport Connect now shows all recent connections instead of capping them at 10. #40250
  • Limit max read size for the tsh device trust DMI cache file on Linux. #40234
  • Fix an issue that prevents the teleport service from restarting. #40229
  • Add new resource filtering predicates to allow exact matches on a single item of a delimited list stored in a label value. For example, if given the following label containing a string separated list of values foo=bar,baz,bang, it is now possible to match on any resources with a label foo that contains the element bar via contains(split(labels[foo], ","), bar). #40183
  • Updated Go to 1.21.9. #40176
  • Adds disable_exec_plugin option to the Machine ID Kubernetes Output to remove the dependency on tbot existing in the target environment. #40162
  • Adds the database-tunnel service to tbot which allows an authenticated database tunnel to be opened by tbot. This is an improvement over the original technique of using tbot proxy db. #40151
  • Allow diagnostic endpoints to be accessed behind a PROXY protocol enabled load balancer/proxy. #40138
  • Include system annotations in audit event entries for access requests. #40123
  • Fixed GitHub Auth Connector update event to show in Audit Log with name and description. #40116
  • Re-enabled the show_desktop_wallpaper flag. #40088
  • Reduce default Jamf inventory page size, allow custom values to be provided. #3817

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

teleport - Teleport 15.2.0

Published by r0mant 7 months ago

Description

Improved Access Requests UI

The access requests page of the web UI will be backed by a paginated API,
ensuring fast load times even on clusters with many access requests.

Additionally, the UI allows you to search for access requests, sort them based
on various attributes, and includes several new filtering options.

Zero-downtime web asset rollout

Teleport 15.2 changes the way that web assets are served and cached, which will
allow multiple compatible versions of the Teleport Proxy to run behind the same
load balancer.

Workload Identity MVP

With Teleport 15.2, Machine ID can bootstrap and issue identity to services
across multiple computing environments and organizational boundaries. Workload
Identity issues SPIFFE-compatible x509 certificates that can be used for mTLS
between services.

Support for Kubernetes 1.29+

The Kubernetes project is deprecating the SPDY protocol for streaming commands
(kubectl exec, kubectl port-forward, etc.) and replacing it with a new
websocket-based subprotocol. Teleport 15.2.0 will support the new protocol to
ensure compatibility with newer Kubernetes clusters.

Automatic database access requests

Both tsh db connect and tsh proxy db will offer the option to submit an access
request if the user attempts to connect to a database that they don't already
have access to.

GCP console access via Workforce Identity Federation

Teleport administrators will be able to set up access to the GCP web console through
Workforce Identity Federation using Teleport as a SAML identity provider.

IaC support for OpenSSH nodes

Users will be able to register OpenSSH nodes in the cluster using Terraform and
Kubernetes Operator.

Access requests start time

Users submitting access requests via web UI will be able to request specific
access start time up to a week in advance.

Terraform and Operator support for agentless SSH nodes

The Teleport Terraform provider and Kubernetes operator now support declaring
agentless OpenSSH and OpenSSH EC2 ICE servers. You can follow this guide
to register OpenSSH agents with infrastructure as code.

Setting up EC2 ICE automatic discovery with IaC will come in a future update.

Operator and CRDs can be deployed separately

The teleport-operator and teleport-cluster charts now support deploying only
the CRD, the CRD and the operator, or only the operator.

From the teleport-cluster Helm chart:

operator:
  enabled: true|false
  installCRDs: always|never|dynamic

From the teleport-operator Helm chart:

enabled: true|false
installCRDs: always|never|dynamic

In dynamic mode (the default), the chart will install CRDs if the operator is
enabled, but will not remove the CRDs if you temporarily disable the operator.

Operator now propagates labels

Kubernetes CR labels are now copied to the Teleport resource when applicable.
This allows you to configure RBAC for operator-created resources, and to filter
Teleport resources more easily.

Terraform provider no longer forces resource re-creation on version change

Teleport v15 introduced two Terraform provider changes:

  • setting the resource version is now mandatory
  • a resource version change triggers the resource re-creation to ensure defaults
    were correctly set

The second change was too disruptive, especially for roles, as they cannot be
deleted if a user or an access list references them. Teleport 15.2 lifts this
restriction and allows version change without forcing the resource deletion.

Another change to ensure resource defaults are correctly set during version
upgrades will happen in v16.

Other improvements and fixes

  • Fixed "Invalid URI" error in Teleport Connect when starting mongosh from database connection tab. #40033
  • Adds support for easily exporting the SPIFFE CA using tctl auth export --type tls-spiffe and the /webapi/auth/export endpoint. #40007
  • Update Rust to 1.77.0, enable RDP font smoothing. #39995
  • The role, server and token Teleport operator CRs now display additional information when listed with kubectl get. #39993
  • Improve performance of filtering resources via predicate expressions. #39972
  • Fixes a bug that prevented CA import when a SPIFFE CA was present. #39958
  • Fix a verbosity issue that caused the teleport-kube-agent-updater to output debug logs by default. #39953
  • Reduce default Jamf inventory page size, allow custom values to be provided. #39933
  • AWS IAM Roles are now filterable in the web UI when launching a console app. #39911
  • The teleport-cluster Helm chart now supports using the Amazon Athena event backend. #39907
  • Correctly show the user's allowed logins when accessing leaf resources via the root cluster web UI. #39887
  • Improve performance of resource filtering via labels and fuzzy search. #39791
  • Enforce optimistic locking for AuthPreferences, ClusterNetworkingConfig, SessionRecordingConfig. #39785
  • Fix potential issue with some resources expiry being set to 01/01/1970 instead of never. #39773
  • Update default access request TTLs to 1 week. #39509
  • Fixed an issue where creating or updating an access list with Admin MFA would fail in the WebUI. #3827

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

teleport - Teleport 13.4.21

Published by tcsc 7 months ago

Description

  • Fixed possible phishing links which could result in code execution with install and join scripts. #39839
  • Fixed MFA checks not being prompted when joining a session. #39816
  • Fixed broken SSO login landing page on certain versions of Google Chrome. #39721
  • Updated Electron to v29 in Teleport Connect. #39659
  • Fixed a bug where the discovery script failed when jq was not installed. #39601

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

teleport - Teleport 14.3.14

Published by tcsc 7 months ago

Description

  • Fixed possible phishing links which could result in code execution with install and join scripts. #39838
  • Fixed MFA checks not being prompted when joining a session. #39815
  • Fixed potential issue with some resources expiry being set to 01/01/1970 instead of never. #39774
  • Added support for Kubernetes websocket streaming subprotocol v5 connections. #39771
  • Fixed broken SSO login landing page on certain versions of Google Chrome. #39722
  • Updated Electron to v29 in Teleport Connect. #39658
  • Fixed a bug in Teleport Cloud causing the hosted ServiceNow plugin to crash when setting up the integration. #39604
  • Fixed Teleport updater metrics for AWS OIDC deployments. #39531
  • Fixed allowing invalid access request start time date to be set. #39324

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

teleport - Teleport 15.1.10

Published by tcsc 7 months ago

Description

  • Fixed possible phishing links which could result in code execution with install and join scripts. #39837
  • Fixed MFA checks not being prompted when joining a session. #39814
  • Added support for Kubernetes websocket streaming subprotocol v5 connections. #39770
  • Fixed a regression causing MFA prompts to not show up in Teleport Connect. #39739
  • Fixed broken SSO login landing page on certain versions of Google Chrome. #39723
  • Teleport Connect now shows specific error messages instead of generic "access denied". #39720
  • Added audit events for database auto user provisioning. #39665
  • Updated Electron to v29 in Teleport Connect. #39657
  • Added automatic access request support for tsh db login, tsh db connect and tsh proxy db. #39617
  • Fixed a bug in Teleport Cloud causing the hosted ServiceNow plugin to crash when setting up the integration. #39603
  • Fixed a bug where the discovery script failed when jq was not installed. #39599
  • Ensured that audit events are emitted whenever the authentication preferences, cluster networking config, or session recording config are modified. #39522
  • Database object labels will now support templates. #39496

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.