The easiest, and most secure way to access and protect all of your infrastructure.
AGPL-3.0 License
Published by camscale about 1 year ago
Teleport 14 brings the following new major features and improvements:
In addition, this release includes several changes that affect existing functionality listed in the “Breaking changes” section below. Users are advised to review them before upgrading.
Teleport 14 includes support for a new audit log powered by Amazon S3 and Athena that supports efficient searching, sorting, and filtering operations. Teleport Cloud customers will have their audit log automatically migrated to this new backend.
See the documentation here.
Teleport 14 introduces foundational support for access lists, an extension to the short-lived access requests system targeted towards longer-term access. Administrators can add users to access lists granting them long-term permissions within the cluster.
As the feature is being developed, future Teleport releases will add support for periodic audit reviews and deeper integration of access lists with Okta.
You can find existing access lists documentation here.
The web UI in Teleport 14 has been updated to show all resources in a single unified view.
This is the first step in a series of changes designed to support a customizable Teleport experience and make it easier to access the resources that are most important to you.
Teleport 14 updates its auto-discovery capabilities with support for web applications in Kubernetes clusters. When connected to a Kubernetes cluster (or deployed as a Helm chart), Teleport discovery service will automatically find and enroll web applications for use with app access.
See documentation here.
Teleport 14 extends resource-based access requests to support more Kubernetes resources than just pods, including custom resources, and verbs. Note that this feature requires role version `v7`.
See Kubernetes resources documentation to see a full list of supported resources.
Teleport 14 adds database access support for ClickHouse HTTP and native (TCP) protocols. When using HTTP protocol, the user's query activity is captured in the Teleport audit log.
See how to connect ClickHouse to Teleport here.
In Teleport 14, database access for Oracle integration is updated with query audit logging support.
See documentation on how to configure it in the Oracle guide.
In Teleport 14, access to Windows desktops with local Windows users has been extended to Community Edition. Teleport will permit users to register and connect to up to 5 desktops with local users without an enterprise license.
For more information on using Teleport with local Windows users, see docs.
Teleport 14 includes support for hosted Discord and ServiceNow plugins. Teleport Cloud users can configure Discord and ServiceNow integrations to receive access request notifications.
The Discord plugin is available now; ServiceNow support is coming in 14.0.1.
`tsh` on Windows now supports the `tsh puttyconfig` command, which can easily configure saved sessions inside the well-known PuTTY client to connect to Teleport SSH services.
For more information, see docs.
The ha-autoscale-cluster and starter-cluster Terraform deployment examples now support a `USE_TLS_ROUTING` variable to enable TLS routing inside the deployed Teleport cluster.
In Teleport 14, `tbot` can now be configured to write artifacts such as credentials and configuration files directly to a Kubernetes secret rather than a directory on the local file system. This allows other services to more easily consume the credentials output by `tbot`.
For more information, see docs.
Please familiarize yourself with the following potentially disruptive changes in Teleport 14 before upgrading.
Teleport 14 no longer allows connecting to OpenSSH servers not registered with the cluster. Follow the updated agentless OpenSSH integration guide to register your OpenSSH nodes in the cluster’s inventory.
You can set the `TELEPORT_UNSTABLE_UNLISTED_AGENT_DIALING=yes` environment variable on the Teleport proxy to temporarily re-enable the open dial functionality. The environment variable will be removed in Teleport 15.
Starting from version 14, Teleport requires users to explicitly enable or disable PROXY protocol in their `proxy_service`/`auth_service` configuration using the `proxy_protocol: on|off` option.
Users who run their proxies behind L4 load balancers with PROXY protocol enabled should set `proxy_protocol: on`. Note that `on` is only safe when the load balancer is the sole path to the listener, since Teleport then trusts whatever source address the PROXY line claims. Users who don't run Teleport behind PROXY-protocol-enabled load balancers should set `proxy_protocol: off` explicitly, for security reasons: any client that can reach the listener directly can prepend its own PROXY line and claim an arbitrary source address.
By default (option unset), Teleport will accept the PROXY line but will reject connections from users with IP pinning enabled, because a source address taken from an unverified PROXY line cannot be trusted for pinning. IP pinning users will need to explicitly enable or disable proxy protocol as explained above.
See more details in our documentation.
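To make the spoofing risk behind the `proxy_protocol` advice concrete, here is an added example (not Teleport's code): a minimal PROXY protocol v1 header parser and an admission function that applies the three possible settings. The sample bytes are constructed; the choice to drop a connection that sends a PROXY line while the option is `off`, and the `admit`/`client_address` function names, are assumptions of this example rather than a description of Teleport's implementation.

```python
import ipaddress
import re

# Longest legal v1 header, CRLF included, per the PROXY protocol specification.
MAX_V1_LINE = 107
PROXY_V1_RE = re.compile(
    rb"PROXY (TCP4|TCP6|UNKNOWN)(?: (\S+) (\S+) (\d{1,5}) (\d{1,5}))?\r\n"
)

# Constructed sample: a client at 203.0.113.9 connects straight to the listener
# and sends its own PROXY line claiming to be 10.0.0.5, followed by a TLS record.
SPOOFED_HELLO = b"PROXY TCP4 10.0.0.5 10.0.0.1 4444 3023\r\n\x16\x03\x01"
PLAIN_HELLO = b"\x16\x03\x01"


class ProxyLineRejected(Exception):
    """The connection must be dropped."""


def parse_proxy_v1(data):
    """Split a PROXY v1 header off the front of ``data``.

    Returns (source, rest): source is (ip, port) or None when no usable
    address is carried (no header, or family UNKNOWN). Malformed headers raise.
    Only the source side is validated, which is all the access decision uses.
    """
    if not data.startswith(b"PROXY "):
        return None, data
    end = data.find(b"\r\n")
    if end < 0 or end + 2 > MAX_V1_LINE:
        raise ProxyLineRejected("PROXY line missing CRLF or too long")
    match = PROXY_V1_RE.fullmatch(data[:end + 2])
    if match is None:
        raise ProxyLineRejected("malformed PROXY v1 line")
    family, src, _dst, sport, _dport = match.groups()
    rest = data[end + 2:]
    if family == b"UNKNOWN":
        return None, rest
    if src is None:
        raise ProxyLineRejected("TCP4/TCP6 header without addresses")
    try:
        ip = ipaddress.ip_address(src.decode("ascii"))
    except ValueError:
        raise ProxyLineRejected("invalid source address") from None
    if (family == b"TCP4") != (ip.version == 4):
        raise ProxyLineRejected("address family does not match header")
    port = int(sport)
    if port > 65535:
        raise ProxyLineRejected("invalid source port")
    return (str(ip), port), rest


def client_address(peer_ip, data, proxy_protocol=None):
    """Attribute the connection to a source IP under a proxy_protocol setting.

    proxy_protocol is "on", "off" or None (unset, the v14 default).
    Returns (client_ip, rest, pinning_trusted).
    """
    src, rest = parse_proxy_v1(data)
    if src is None:
        return peer_ip, rest, True
    if proxy_protocol == "off":
        # Assumption of this example: a PROXY line arriving when nothing in
        # front of the listener should send one is hostile; drop it.
        raise ProxyLineRejected("PROXY line received with proxy_protocol off")
    if proxy_protocol == "on":
        # Trusted only because the load balancer is assumed to be the sole
        # path to this listener; a directly reachable listener is spoofable.
        return src[0], rest, True
    # Unset: record the claimed address but do not let IP pinning rely on it.
    return src[0], rest, False


def admit(peer_ip, data, proxy_protocol=None, pinned_ip=None):
    """Return the attributed IP if the connection is admitted, else None."""
    try:
        ip, _rest, trusted = client_address(peer_ip, data, proxy_protocol)
    except ProxyLineRejected:
        return None
    if pinned_ip is not None and (not trusted or ip != pinned_ip):
        return None
    return ip


def rejects(data):
    """True if the header parser drops ``data`` as malformed."""
    try:
        parse_proxy_v1(data)
    except ProxyLineRejected:
        return True
    return False


if __name__ == "__main__":
    for mode in ("on", "off", None):
        print(f"proxy_protocol={mode!r:5} spoofed line ->",
              admit("203.0.113.9", SPOOFED_HELLO, mode),
              "| pinned to 10.0.0.5 ->",
              admit("203.0.113.9", SPOOFED_HELLO, mode, pinned_ip="10.0.0.5"))
```

Running it shows the three outcomes side by side: with `on` the forged line is believed and the attacker appears as 10.0.0.5 (which is why `on` must never be combined with a directly reachable listener); with `off` the connection is dropped; with the option unset the claimed address is recorded but a user pinned to 10.0.0.5 is still refused.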
Teleport 14 will be the last release published to the legacy package repositories at `deb.releases.teleport.dev` and `rpm.releases.teleport.dev`. Starting with Teleport 15, packages will only be published to the new repositories at `apt.releases.teleport.dev` and `yum.releases.teleport.dev`.
All users are recommended to switch to the `apt.releases.teleport.dev` and `yum.releases.teleport.dev` repositories as described in the installation instructions.
`Cf-Access-Token` header no longer included with app access requests
Starting from Teleport 14, the `Cf-Access-Token` header containing the signed JWT token will no longer be included by default with all app access requests. All requests will still include `Teleport-JWT-Assertion` containing the JWT token.
See documentation for details on how to inject the JWT token into any header using header rewriting.
In Teleport 14, `tsh db` sub-commands will attempt to select a default value for the `--db-user` or `--db-name` flags if they are not provided by the user, by examining their allowed `db_users` and `db_names`.
The flags `--cert-file` and `--key-file` for the `tsh proxy db` command were also removed, in favor of the `--tunnel` flag that opens an authenticated local database proxy.
Teleport 14 includes an update to the MongoDB driver.
Because the MongoDB team dropped support for servers prior to version 3.6 (which reached EOL on April 30, 2021), Teleport can also no longer support these old server versions.
`~/.tsh/environment` no longer supported
In order to strengthen security in Teleport 14, loading files from home directories where the path includes a symlink is no longer allowed. The most common case is loading environment variables from the `~/.tsh/environment` file. This will still work normally as long as the path includes no symlinks.
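To show what the symlink rule above guards against, an added example that is not tsh's code: a loader that walks every component of the path and refuses the file if any of them is a symlink, then opens the final component with `O_NOFOLLOW` so a link swapped in after the walk is still rejected. The KEY=VALUE file format, the directory layout and the function names are assumptions of this example; it targets POSIX paths.

```python
import os
import tempfile


def has_symlink_component(path):
    """True if any component of the absolute form of ``path`` is a symlink.

    Walks from the root downwards so a symlinked directory anywhere above the
    file is caught, not just a symlinked final component. POSIX paths only.
    """
    path = os.path.abspath(path)
    current = os.sep
    for part in path.split(os.sep):
        if not part:
            continue
        current = os.path.join(current, part)
        if os.path.islink(current):
            return True
    return False


def load_environment(path):
    """Read KEY=VALUE lines (format assumed for this example) from ``path``.

    Refuses the file if any path component is a symlink, and opens the final
    component with O_NOFOLLOW so a link swapped in after the walk is still
    rejected. Returns a dict; raises PermissionError when refused.
    """
    if has_symlink_component(path):
        raise PermissionError(f"refusing {path}: path contains a symlink")
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as exc:
        raise PermissionError(f"refusing {path}: {exc.strerror}") from None
    env = {}
    with os.fdopen(fd, encoding="utf-8") as handle:
        for raw in handle:
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env


def demo():
    """Constructed layout: a real home directory plus a symlinked alias of it.

    Returns (env_loaded_via_real_path, outcome_via_symlinked_path).
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)  # the temp dir itself may sit under a symlink
        real_home = os.path.join(root, "home", "alice")
        os.makedirs(os.path.join(real_home, ".tsh"))
        env_path = os.path.join(real_home, ".tsh", "environment")
        with open(env_path, "w", encoding="utf-8") as handle:
            handle.write("# constructed sample file\n"
                         "TELEPORT_PROXY=teleport.example.com:443\n"
                         "EDITOR=vim\n")
        # The same file, reached through a symlinked directory component.
        linked_home = os.path.join(root, "home", "alias")
        os.symlink(real_home, linked_home)
        linked_path = os.path.join(linked_home, ".tsh", "environment")

        direct = load_environment(env_path)
        try:
            load_environment(linked_path)
            via_link = "loaded"
        except PermissionError:
            via_link = "refused"
        return direct, via_link


if __name__ == "__main__":
    loaded, outcome = demo()
    print("direct path:", loaded)
    print("through symlink:", outcome)
```

The component walk and the `O_NOFOLLOW` open together cover both the case the release note describes (a symlink anywhere in the path) and the final-component swap; a race on an intermediate directory between the walk and the open is still possible, so the check is a hardening step rather than a complete guarantee. Note that on systems where the home directory tree itself is reached through a symlink, this rule refuses the file, which matches the behaviour the note describes.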
Teleport 14 deprecates the `trusted_cluster_token.create` audit event, replacing it with a new `join_token.create` event. The new event is emitted when any join token is created, whether for trusted clusters or other Teleport services.
Teleport 14 will emit both events when a trusted cluster join token is created. Starting in Teleport 15, the `trusted_cluster_token.create` event will no longer be emitted.
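A detection rule keyed only on `trusted_cluster_token.create` will double-count on Teleport 14 and go silent on Teleport 15. The following added example (not Teleport's code) matches both event names over JSON-lines audit output and collapses the duplicate pair a v14 cluster emits for one creation. The sample events are constructed; beyond `event`, `time` and `user`, the `roles` field and the `Trusted_cluster` role name are assumptions made for this example.

```python
import json

# Constructed sample of JSON-lines audit output. The first two lines are the
# pair a v14 cluster emits for a single trusted-cluster token creation.
SAMPLE_AUDIT = """\
{"event":"trusted_cluster_token.create","time":"2023-09-20T10:00:00Z","user":"admin","roles":["Trusted_cluster"]}
{"event":"join_token.create","time":"2023-09-20T10:00:00Z","user":"admin","roles":["Trusted_cluster"]}
{"event":"join_token.create","time":"2023-09-20T10:05:00Z","user":"ci-bot","roles":["Node"]}
{"event":"user.login","time":"2023-09-20T10:06:00Z","user":"alice"}
{"event":"join_token.create","time":"2023-09-20T10:09:00Z","user":"admin","roles":["Node","Db"]}
"""

# Both names are matched so the rule keeps firing across the v14 (both emitted)
# and v15 (only join_token.create) transition.
JOIN_TOKEN_EVENTS = ("trusted_cluster_token.create", "join_token.create")


def join_token_alerts(audit_jsonl):
    """Return one alert per join-token creation found in JSON-lines audit text.

    A v14 cluster emits both event names for one trusted-cluster token, so
    events with the same time, user and roles are collapsed into one alert.
    """
    seen = set()
    alerts = []
    for line in audit_jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("event") not in JOIN_TOKEN_EVENTS:
            continue
        roles = tuple(event.get("roles", []))   # "roles" is assumed here
        key = (event.get("time"), event.get("user"), roles)
        if key in seen:
            continue
        seen.add(key)
        alerts.append({
            "time": event.get("time"),
            "user": event.get("user"),
            "roles": list(roles),
            "trusted_cluster": "Trusted_cluster" in roles,
        })
    return alerts


if __name__ == "__main__":
    for alert in join_token_alerts(SAMPLE_AUDIT):
        print(alert)
```

The five sample lines yield three alerts: the duplicated trusted-cluster pair becomes one, the login is ignored, and the two other token creations are reported individually. Once a cluster is on Teleport 15 the first event name simply stops matching and the rule keeps working unchanged.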
In Teleport 14, when creating new DynamoDB tables, Teleport will now create them with the billing mode set to `pay_per_request` instead of provisioned mode.
The old behavior can be restored by setting the `billing_mode` option in the storage configuration.
The default role version in Teleport 14 is `v7`, which enables support for extended Kubernetes per-resource RBAC and changes the `kubernetes_resources` default to wildcard for a better getting-started experience.
You can review role versions in the documentation.
In Teleport 14, database discovery via `db_service` config enforces the same name validation as for databases created via `tctl`, static config, and `discovery_service`.
As such, database names in AWS, GCP and Azure must start with a letter, contain only letters, digits, and hyphens and end with a letter or digit (no trailing hyphens).
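To check a cloud inventory against the naming rule above before upgrading, an added example (not Teleport's validator): a regular expression encoding the rule plus a function that reports the first rule each rejected name breaks. The sample names are constructed, and the function names are this example's own.

```python
import re
import string

# Starts with a letter, then letters, digits or hyphens, ends with a letter or digit.
DB_NAME_RE = re.compile(r"[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?")

# Constructed sample of names as they might appear in a cloud inventory.
SAMPLE_NAMES = ["prod-postgres", "rds-1", "x", "analytics_db", "db-", "1db", "my.db", ""]


def is_valid_db_name(name):
    """True if the name satisfies the discovery naming rule."""
    return DB_NAME_RE.fullmatch(name) is not None


def why_invalid(name):
    """Return None for a valid name, else the first rule it breaks."""
    if not name:
        return "empty name"
    if name[0] not in string.ascii_letters:
        return "must start with a letter"
    allowed = set(string.ascii_letters + string.digits + "-")
    bad = sorted(set(name) - allowed)
    if bad:
        return "disallowed characters: " + "".join(bad)
    if name.endswith("-"):
        return "must not end with a hyphen"
    return None


def check_inventory(names):
    """Map each name that would be rejected to the reason; valid names are omitted."""
    report = {}
    for name in names:
        reason = why_invalid(name)
        if reason is not None:
            report[name] = reason
    return report


if __name__ == "__main__":
    for name, reason in check_inventory(SAMPLE_NAMES).items():
        print(f"{name!r}: {reason}")
```

`why_invalid` and the regular expression agree on every input; the regex is the compact form suitable for a config-lint step, the reason strings are what you would put in front of whoever owns the offending database.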
Teleport 14 introduces a new and more secure API for submitting access requests. As a result, tsh users may be prompted to upgrade their clients before submitting an access request.
Desktops discovered via LDAP will have a short suffix appended to their name to ensure uniqueness. Users will notice duplicate desktops (with and without the suffix) for up to an hour after upgrading. Connectivity to desktops will not be affected, and the old record will naturally expire after 1 hour.
Teleport 14 introduces a new configuration schema (v2) for Machine ID's agent `tbot`. The new schema is designed to be simpler, more explicit and more extensible:

```yaml
version: v2
onboarding:
  token: gcp-bot
  join_method: gcp
storage:
  type: memory
auth_server: example.teleport.sh:443
outputs:
  - type: identity
    destination:
      type: kubernetes_secret
      name: my-secret
  - type: kubernetes
    kubernetes_cluster: my-cluster
    destination:
      type: directory
      path: ./k8s
  - type: database
    service: my-postgres-service
    database: postgres
    username: postgres
    destination:
      type: directory
      path: ./db
  - type: application
    app_name: my-app
    destination:
      type: directory
      path: ./app
```

`tbot` will continue to support the v1 schema for several Teleport versions, but it is recommended that you migrate to v2 as soon as possible to benefit from new Machine ID features.
For more details and guidance on how to upgrade to v2, see docs.
Published by camscale about 1 year ago
This release of Teleport contains 4 security fixes as well as multiple improvements and bug fixes.
When using automatic Linux user creation, an attacker could exploit a race condition in the user creation functionality to create arbitrary files on the system as root writable by the created user.
This could allow the attacker to escalate their privileges to root.
Users who aren't using automatic Linux host user creation aren’t affected by this vulnerability.
When signing self-hosted database certificates, Teleport did not sufficiently validate the authorization token type.
This could allow an attacker to sign valid database access certificates using a guessed authorization token name.
Users who aren’t using self-hosted database access aren’t affected by this vulnerability.
When loading the global tsh configuration file tsh.yaml on Windows, Teleport would look for the file in a potentially untrusted directory.
This could allow a malicious user to create harmful command aliases for all tsh users on the system.
Users who aren’t using tsh on Windows aren’t affected by this vulnerability.
When registering a service provider with SAML IdP, Teleport did not sufficiently validate the ACS endpoint.
This could allow an attacker to execute arbitrary code at the client-side leading to privilege escalation.
This issue only affects Teleport Enterprise Edition. Enterprise users who aren’t using Teleport SAML IdP functionality aren’t affected by this vulnerability.
- `change_feed_conn_string` option to PostgreSQL backend. #31938
- `pprof` support to Kubernetes Operator to diagnose memory use. #31707
- `MissingRegion` error that would sometimes occur when running the discovery bootstrap command. #31701
- `tctl sso configure github` now includes default GitHub endpoints. #31480
- `tsh [proxy | db | kube]` subcommands now support `--query` and `--labels` optional arguments. #32087
- `tsh` and `tctl` can select an auto-discovered database or Kubernetes cluster by its original name instead of the more detailed name generated by the v14+ Teleport Discovery service. #32087
- `tsh` text-formatted output in non-verbose mode will display auto-discovered resources with original resource names instead of the more detailed names generated by the v14+ Teleport Discovery service. #32084 #32083
labels: security-patch=yes, security-patch-alts=v13.3.9
Published by camscale about 1 year ago
This release of Teleport contains 4 security fixes as well as multiple improvements and bug fixes.
When using automatic Linux user creation, an attacker could exploit a race condition in the user creation functionality to create arbitrary files on the system as root writable by the created user.
This could allow the attacker to escalate their privileges to root.
Users who aren't using automatic Linux host user creation aren’t affected by this vulnerability.
When signing self-hosted database certificates, Teleport did not sufficiently validate the authorization token type.
This could allow an attacker to sign valid database access certificates using a guessed authorization token name.
Users who aren’t using self-hosted database access aren’t affected by this vulnerability.
When loading the global tsh configuration file tsh.yaml on Windows, Teleport would look for the file in a potentially untrusted directory.
This could allow a malicious user to create harmful command aliases for all tsh users on the system.
Users who aren’t using tsh on Windows aren’t affected by this vulnerability.
When registering a service provider with SAML IdP, Teleport did not sufficiently validate the ACS endpoint.
This could allow an attacker to execute arbitrary code at the client-side leading to privilege escalation.
This issue only affects Teleport Enterprise Edition. Enterprise users who aren’t using Teleport SAML IdP functionality aren’t affected by this vulnerability.
labels: security-patch=yes, security-patch-alts=v12.4.17
Published by camscale about 1 year ago
This release of Teleport contains 3 security fixes as well as multiple improvements and bug fixes.
When using automatic Linux user creation, an attacker could exploit a race condition in the user creation functionality to create arbitrary files on the system as root writable by the created user.
This could allow the attacker to escalate their privileges to root.
Users who aren't using automatic Linux host user creation aren’t affected by this vulnerability.
When signing self-hosted database certificates, Teleport did not sufficiently validate the authorization token type.
This could allow an attacker to sign valid database access certificates using a guessed authorization token name.
Users who aren’t using self-hosted database access aren’t affected by this vulnerability.
When loading the global tsh configuration file tsh.yaml on Windows, Teleport would look for the file in a potentially untrusted directory.
This could allow a malicious user to create harmful command aliases for all tsh users on the system.
Users who aren’t using tsh on Windows aren’t affected by this vulnerability.
labels: security-patch=yes, security-patch-alts=v11.3.24
Published by camscale about 1 year ago
Pre-releases are not production ready, use at your own risk!
Download the current and previous releases of Teleport at https://goteleport.com/download.
Published by r0mant about 1 year ago
Pre-releases are not production ready, use at your own risk!
Published by r0mant about 1 year ago
- `v1.20.8`. #31509
Published by r0mant about 1 year ago
Published by r0mant about 1 year ago
- `tsh db connect` ignoring default user/database names. #31250
Published by fheinecke about 1 year ago
Pre-releases are not production ready, use at your own risk!
Published by fheinecke about 1 year ago
Published by zmb3 about 1 year ago
- `max_age` parameter. teleport.e#2042
Published by camscale about 1 year ago
- `tsh mfa add` on Windows. #30217
- `medium` severity DoS conditions through protocol level attacks. #30854
labels: security-patch=yes
Published by camscale about 1 year ago
- `tsh` to register and enroll the `--current-device`. #30702
- `tsh aws ssm start-session`. #30668
- invalid `maxDuration`. teleport.e#2037
- `medium` severity DoS conditions through protocol level attacks. #30854
labels: security-patch=yes
Published by camscale about 1 year ago
- `tsh aws ssm start-session`. #30669
- `tsh login --headless`. #30308
- `tsh` and `tctl` commands that output a text-formatted table will now consistently output resource labels as a comma-separated string, sorted by label namespace. Labels starting with `teleport.dev/`, `teleport.hidden/`, and `teleport.internal/` are omitted unless the `--verbose` flag is used. #30227 #30224
- `tsh mfa add` on Windows. #30216
- `teleport-cluster` chart. #30144
- `imagePullSecrets` for pre-deploy test pods in the `teleport-cluster` chart. #30143
- `medium` severity DoS conditions through protocol level attacks. #30854
labels: security-patch=yes
Published by r0mant about 1 year ago
- `tsh db` #30563
- `aurora` engine identifier #30548
- `tsh proxy kube` #30477
- `skipConfirm` option to Teleport Connect headless approval flow #30475
- `tsh login --headless` #30307
Published by r0mant about 1 year ago
- `%APPDATA%/Local` instead of `%APPDATA%/Roaming`. #30177
- `tsh kube login --set-context-name` to support templating functions. #30157
Published by fheinecke about 1 year ago
Published by camscale about 1 year ago
- `tctl`. #29903
- `tctl` to obey `--verbose` when formatting text tables. #29870