teleport

Description

Teleport 14 brings the following new major features and improvements:

• Access lists
• Unified resource view
• ClickHouse support for database access
• Advanced audit log
• Kubernetes apps auto-discovery
• Extended Kubernetes per-resource RBAC
• Oracle database access audit logging support
• Enhanced PuTTY support
• Support for TLS routing in Terraform deployment examples
• Discord and ServiceNow hosted plugins
• Limited passwordless access for local Windows users in OSS Teleport
• Machine ID: Kubernetes Secret destination

In addition, this release includes several changes that affect existing functionality listed in the “Breaking changes” section below. Users are advised to review them before upgrading.

New Features

Advanced audit log

Teleport 14 includes support for a new audit log powered by Amazon S3 and Athena that supports efficient searching, sorting, and filtering operations. Teleport Cloud customers will have their audit log automatically migrated to this new backend.

See the documentation here.

Access lists

Teleport 14 introduces foundational support for access lists, an extension to the short-lived access requests system targeted towards longer-term access. Administrators can add users to access lists granting them long-term permissions within the cluster.

As the feature is being developed, future Teleport releases will add support for periodic audit reviews and deeper integration of access lists with Okta.

You can find existing access lists documentation here.

Unified resources view

The web UI in Teleport 14 has been updated to show all resources in a single unified view.

This is the first step in a series of changes designed to support a customizable Teleport experience and make it easier to access the resources that are most important to you.

Kubernetes apps auto-discovery

Teleport 14 updates its auto-discovery capabilities with support for web applications in Kubernetes clusters. When connected to a Kubernetes cluster (or deployed as a Helm chart), Teleport discovery service will automatically find and enroll web applications for use with app access.

See documentation here.

Extended Kubernetes per-resource RBAC

Teleport 14 extends resource-based access requests to support more Kubernetes resources than just pods, including custom resources, and verbs. Note that this feature requires role version v7.

See Kubernetes resources documentation to see a full list of supported resources.

ClickHouse support for database access

Teleport 14 adds database access support for ClickHouse HTTP and native (TCP) protocols. When using HTTP protocol, the user's query activity is captured in the Teleport audit log.

See how to connect ClickHouse to Teleport here.

Oracle database access audit logging support

In Teleport 14, database access for Oracle integration is updated with query audit logging support.

See documentation on how to configure it in the Oracle guide.

Limited passwordless access for local Windows users in OSS Teleport

In Teleport 14, access to Windows desktops with local Windows users has been extended to Community Edition. Teleport will permit users to register and connect to up to 5 desktops with local users without an enterprise license.

For more information on using Teleport with local Windows users, see docs.

Discord and ServiceNow hosted plugins

Teleport 14 includes support for hosted Discord and ServiceNow plugins. Teleport Cloud users can configure Discord and ServiceNow integrations to receive access request notifications.

Discord plugin is available now, ServiceNow is coming in 14.0.1.

Enhanced PuTTY Support

tsh on Windows now supports the tsh puttyconfig command, which can easily configure saved sessions inside the well-known PuTTY client to connect to Teleport SSH services.

For more information, see docs.

Support for TLS routing in Terraform deployment examples

The ha-autoscale-cluster and starter-cluster Terraform deployment examples now support a USE_TLS_ROUTING variable to enable TLS routing inside the deployed Teleport cluster.

Machine ID: Kubernetes Secret destination

In Teleport 14, tbot can now be configured to write artifacts such as credentials and configuration files directly to a Kubernetes secret rather than a directory on the local file system. This allows other services to more easily consume the credentials output by tbot .

For more information, see docs.

Breaking changes and deprecations

Please familiarize yourself with the following potentially disruptive changes in Teleport 14 before upgrading.

SSH node open dial no longer supported

Teleport 14 no longer allows connecting to OpenSSH servers not registered with the cluster. Follow the updated agentless OpenSSH integration guide to register your OpenSSH nodes in the cluster’s inventory.

You can set TELEPORT_UNSTABLE_UNLISTED_AGENT_DIALING=yes environment variable on Teleport proxy to temporarily re-enable the open dial functionality. The environment variable will be removed in Teleport 15.

Proxy protocol default change

Starting from version 14, Teleport will require users to explicitly enable or disable PROXY protocol in their proxy_service/auth_service configuration using proxy_protocol: on|off option.

Users who run their proxies behind L4 load balancers with PROXY protocol enabled, should set proxy_protocol: on. Users who don’t run Teleport behind PROXY protocol enabled load balancers, should disable proxy_protocol: off explicitly for security reasons.

By default, Teleport will accept the PROXY line but will prevent connections with IP pinning enabled. IP pinning users will need to explicitly enable/disable proxy protocol like explained above.

See more details in our documentation.

Legacy deb/rpm package repositories are deprecated

Teleport 14 will be the last release published to the legacy package repositories at deb.releases.teleport.dev and rpm.releases.teleport.dev. Starting with Teleport 15, packages will only be published to the new repositories at apt.releases.teleport.dev and yum.releases.teleport.dev.

All users are recommended to switch to apt.releases.teleport.dev and yum.releases.teleport.dev repositories as described in installation instructions.

Cf-Access-Token header no longer included with app access requests

Starting from Teleport 14, the Cf-Access-Token header containing the signed JWT token will no longer be included by default with all app access requests. All requests will still include Teleport-JWT-Assertion containing the JWT token.

See documentation for details on how to inject the JWT token into any header using header rewriting.

tsh db CLI commands changes

In Teleport 14 tsh db sub-commands will attempt to select a default value for --db-user or --db-name flags if they are not provided by the user by examining their allowed db_users and db_names.

The flags --cert-file and --key-file for tsh proxy db command were also removed, in favor of the --tunnel flag that opens an authenticated local database proxy.

MongoDB versions prior to 3.6 are no longer supported

Teleport 14 includes an update to the MongoDB driver.

Due to the MongoDB team dropping support for servers prior to version 3.6 (which reached EOL on April 30, 2021), Teleport also will no longer be able to support these old server versions.

Symlinks for ~/.tsh/environment no longer supported

In order to strengthen the security in Teleport 14, file loading from home directories where the path includes a symlink is no longer allowed. The most common use case for this is loading environment variables from the ~/.tsh/environment file. This will still work normally as long as the path includes no symlinks.

Deprecated audit event

Teleport 14 deprecates the trusted_cluster_token.create audit event, replacing it with a new join_token.create event. The new event is emitted when any join token is created, whether it be for trusted clusters or other Teleport services.

Teleport 14 will emit both events when a trusted cluster join token is created. Starting in Teleport 15, the trusted_cluster_token.create event will no longer be emitted.

Other changes

DynamoDB billing mode defaults to on-demand

In Teleport 14, when creating new DynamoDB tables, Teleport will now create them with the billing mode set to pay_per_request instead of being set to provisioned mode.

The old behavior can be restored by setting the billing_mode option in the storage configuration.

Default role version is v7

The default role version in Teleport 14 is v7 which enables support for extended Kubernetes per-resource RBAC, and changes the kubernetes_resources default to wildcard for better getting started user experience.

You can review role versions in the documentation.

Stricter name validation for auto-discovered databases

In Teleport 14, database discovery via db_service config enforces the same name validation as for databases created via tctl, static config, and discovery_service.

As such, database names in AWS, GCP and Azure must start with a letter, contain only letters, digits, and hyphens and end with a letter or digit (no trailing hyphens).

Access Request API changes

Teleport 14 introduces a new and more secure API for submitting access requests. As a result, tsh users may be prompted to upgrade their clients before submitting an access request.

Desktop discovery name change

Desktops discovered via LDAP will have a short suffix appended to their name to ensure uniqueness. Users will notice duplicate desktops (with and without the suffix) for up to an hour after upgrading. Connectivity to desktops will not be affected, and the old record will naturally expire after 1 hour.

Machine ID : New configuration schema

Teleport 14 introduces a new configuration schema (v2) for Machine ID’s agent tbot. The new schema is designed to be simpler, more explicit and more extensible:

version: v2
onboarding:
 token: gcp-bot
 join_method: gcp
storage:
 type: memory
auth_server: example.teleport.sh:443
outputs:
 - type: identity
   destination:
     type: kubernetes_secret
     name: my-secret
​
 - type: kubernetes
   kubernetes_cluster: my-cluster
   destination:
     type: directory
     path: ./k8s
​
 - type: database
   service: my-postgres-service
   database: postgres
   username: postgres
   destination:
     type: directory
     path: ./db
​
 - type: application
   app_name: my-app
   destination:
     type: directory
     path: ./app

tbot will continue to support the v1 schema for several Teleport versions but it is recommended that you migrate to v2 as soon as possible to benefit from new Machine ID features.

For more details and guidance on how to upgrade to v2, see docs.

Description

This release of Teleport contains 4 security fixes as well as multiple improvements and bug fixes.

[Critical] Privilege escalation via host user creation

When using automatic Linux user creation, an attacker could exploit a race condition in the user creation functionality to create arbitrary files on the system as root writable by the created user.

This could allow the attacker to escalate their privileges to root.

Users who aren't using automatic Linux host user creation aren’t affected by this vulnerability.

#32210

[High] Insufficient auth token verification when signing self-hosted database certificates

When signing self-hosted database certificates, Teleport did not sufficiently validate the authorization token type.

This could allow an attacker to sign valid database access certificates using a guessed authorization token name.

Users who aren’t using self-hosted database access aren’t affected by this vulnerability.

#32215

[High] Privilege escalation via untrusted config file on Windows

When loading the global tsh configuration file tsh.yaml on Windows, Teleport would look for the file in a potentially untrusted directory.

This could allow a malicious user to create harmful command aliases for all tsh users on the system.

Users who aren’t using tsh on Windows aren’t affected by this vulnerability.

#32223

[High] XSS in SAML IdP

When registering a service provider with SAML IdP, Teleport did not sufficiently validate the ACS endpoint.

This could allow an attacker to execute arbitrary code at the client-side leading to privilege escalation.

This issue only affects Teleport Enterprise Edition. Enterprise users who aren’t using Teleport SAML IdP functionality aren’t affected by this vulnerability.

#32220

Other fixes and improvements

• Added change_feed_conn_string option to PostgreSQL backend. #31938
• Added single-command AWS OIDC integration. #31790
• Added pprof support to Kubernetes Operator to diagnose memory use. #31707
• Added support for bot and agent joining from external Kubernetes Clusters. #31703
• Extend EC2 joining to Discovery, MDM and Okta services. #31894
• Support discovery for new AWS region il-central-1. #31830 #31840
• Fails with an error if desktops are created with invalid names. #31766
• Fixed directory sharing in Desktop Access for non-ascii directory names. #31924
• Fixed a MissingRegion error that would sometimes occur when running the discovery bootstrap command #31701
• Fixed incorrect autofill in Safari. #31611
• Fixed terminal resizing bug in web terminal. #31586
• Fixed Session & Identity search bar. #31581
• Fixed desktop sessions' viewport size to the size of browser window at session start. #31524
• Fixed database and k8s cluster resource names to avoid name collisions. #30456
• tctl sso configure github now includes default GitHub endpoints #31480
• tsh [proxy | db | kube] subcommands now support --query and --labels optional arguments. #32087
• tsh and tctl can select an auto-discovered database or Kubernetes cluster by its original name instead of the more detailed name generated by the v14+ Teleport Discovery service. #32087
• tsh text-formatted output in non-verbose mode will display auto-discovered resources with original resource names instead of the more detailed names generated by the v14+ Teleport Discovery service. #32084 #32083
• Updated discovery installers to work with SUSE zypper package manager. #31428
• Updated Go to v1.20.8 #31506
• Updated OpenSSL to 3.0.11 #32160

labels: security-patch=yes, security-patch-alts=v13.3.9

Description

This release of Teleport contains 4 security fixes as well as multiple improvements and bug fixes.

[Critical] Privilege escalation via host user creation

When using automatic Linux user creation, an attacker could exploit a race condition in the user creation functionality to create arbitrary files on the system as root writable by the created user.

This could allow the attacker to escalate their privileges to root.

Users who aren't using automatic Linux host user creation aren’t affected by this vulnerability.

#32209

[High] Insufficient auth token verification when signing self-hosted database certificates

When signing self-hosted database certificates, Teleport did not sufficiently validate the authorization token type.

This could allow an attacker to sign valid database access certificates using a guessed authorization token name.

Users who aren’t using self-hosted database access aren’t affected by this vulnerability.

#32216

[High] Privilege escalation via untrusted config file on Windows

When loading the global tsh configuration file tsh.yaml on Windows, Teleport would look for the file in a potentially untrusted directory.

This could allow a malicious user to create harmful command aliases for all tsh users on the system.

Users who aren’t using tsh on Windows aren’t affected by this vulnerability.

#32224

[High] XSS in SAML IdP

When registering a service provider with SAML IdP, Teleport did not sufficiently validate the ACS endpoint.

This could allow an attacker to execute arbitrary code at the client-side leading to privilege escalation.

This issue only affects Teleport Enterprise Edition. Enterprise users who aren’t using Teleport SAML IdP functionality aren’t affected by this vulnerability.

#32251

Other fixes and improvements

• Fixed directory sharing in Desktop Access for non-ascii directory names. #31923
• Extended EC2 joining to Discovery, MDM and Okta services. #31895
• Added il-central-1 AWS region to discovery selector. #31841
• Validates unknown AWS regions from discovery matchers. #31829
• Fails with an error if desktops are created with invalid names. #31765
• Added support for bot and agent joining from external Kubernetes Clusters. #31704
• Fixed incorrect autofill in Safari. #31592 #31610
• Fixed desktop sessions' viewport size to the size of browser window at session start. #31523
• Updated Go to v1.20.8. #31508
• Updated OpenSSL to 3.0.11. #32166

labels: security-patch=yes, security-patch-alts=v12.4.17

Description

This release of Teleport contains 3 security fixes as well as multiple improvements and bug fixes.

[Critical] Privilege escalation via host user creation

When using automatic Linux user creation, an attacker could exploit a race condition in the user creation functionality to create arbitrary files on the system as root writable by the created user.

This could allow the attacker to escalate their privileges to root.

Users who aren't using automatic Linux host user creation aren’t affected by this vulnerability.

#32208

[High] Insufficient auth token verification when signing self-hosted database certificates

When signing self-hosted database certificates, Teleport did not sufficiently validate the authorization token type.

This could allow an attacker to sign valid database access certificates using a guessed authorization token name.

Users who aren’t using self-hosted database access aren’t affected by this vulnerability.

#32217

[High] Privilege escalation via untrusted config file on Windows

When loading the global tsh configuration file tsh.yaml on Windows, Teleport would look for the file in a potentially untrusted directory.

This could allow a malicious user to create harmful command aliases for all tsh users on the system.

Users who aren’t using tsh on Windows aren’t affected by this vulnerability.

#32225

Other fixes and improvements

• Fixed directory sharing in Desktop Access for non-ascii directory names. #31922
• Fixed desktop sessions' viewport size to the size of browser window at session start. #31522
• Updated OpenSSL to 3.0.11 #32167

labels: security-patch=yes, security-patch-alts=v11.3.24

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Description

• Updated Go to v1.20.8. #31509
• Desktop discovery: avoid mapping IPv6 addresses. #31432
• Fixed issue with query params not being preserved in cross-cluster app redirect. #31377
• Ensure that DNS errors in desktop discovery fail fast. #31034

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Description

• Fixed an issue in desktop discovery that unmapped IPv6 addresses. #31433
• Improved MySQL performance in read-heavy scenarios by avoiding tiny writes. #31403
• Preserve query parameters in cross-cluster app redirects. #31378
• Fixed the plugin screen not wrapping tiles. #31364
• Added a known STS endpoint for il-central-1. #31284
• Introduced an optional PodMonitor to the teleport-kube-agent chart. #31248
• Skip MOTD in the UI if the request was initiated from tsh headless auth. #31206
• Fixed issue with spawning shell on macOS in some scenarios. #31153
• Fixed leaking connection monitor instances and expanded comments with a warning. #31041
• Ensured that DNS errors in desktop discovery fail fast. #31033
• Added additional safety with X-Forwarded-Host handling. #31026
• Improved proxy address sourcing for VM auto-discovery. #31002
• Fixed the connection to the desktop access service when session MFA is required. #30965

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Description

• Fix WebAuthn Windows registration breakage. #31420
• Fix issue with App access on leaf cluster trimming query parameters on rewrite redirects. #31379
• Fix issue with web UI integrations screen not wrapping tiles correctly. #31365
• Fix issue with tsh db connect ignoring default user/database names. #31250
• Fix issue with Azure auto-discovery not picking up updated credentials. #31164
• Fix issue with failing to start shell on macOS in some scenarios. #31152
• Desktop discovery: avoid mapping IPv6 addresses. #31434
• MySQL: improve performance in read-heavy scenarios. #31402
• Add known STS endpoint for il-central-1. #31282
• Add support for configurable Okta service synchronization duration. #31251
• Add an optional PodMonitor to the teleport-kube-agent chart. #31247
• Update web UI to skip MOTD in UI if request was initiated from tsh headless auth. #31205
• Update Okta service to slow down API calls to avoid throttling. teleport.e#2134

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Description

• Fixed regression issue causing OIDC authentication to fail with some identity providers. teleport.e#2076
• Updated headless modal to show both Reject and Cancel. #31135
• Added support for proxy environment variables when dialing directly to the Kubernetes Cluster. #31133
• Fixed the Oracle Database GUI Access flow on Windows Platform. #31129
• Added dynamic identity file reloading support for API Client. #31076
• Fixed leaking connection monitor instances. #31042
• Added support for IAM joining over reverse tunnel port #31000

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Description

• Fixed regression in 13.3.5 causing bot locking when using the Kubernetes Operator. #30996
• Fixed connection to desktop access service when session MFA is required. #30963
• Fixed a regression with desktop discovery that could cause desktops to expire in environments with large numbers of desktops. #31032
• Added support for forcing reauthentication in OIDC connectors via max_age parameter. teleport.e#2042
• Added Discord hosted plugin support for Teleport Cloud. teleport.e#2035
• Helm: Use cert-manager secret or tls.existingSecretName for ingress when enabled. #30984
• Added preset device trust roles. #30908
• Machine ID: Added support for JSON log formatting. #30763
• Reduced alert log spam. #30904

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Description

• Fixed S3 metric name for completed multipart uploads. #30712
• Ensure that SSH session errors are reported to the terminal. #30694
• Fixed Review Requests to disallow reviews after request is resolved. #30688
• Fixed Discovery service panics on GKE clusters without labels. #30648
• Fixed memory leak using PAM libraries. #30519
• Fixed "user is not managed" error when accessing ElastiCache and MemoryDB. #30358
• Fixed resources being deleted from Firestore on update. #30289
• Updated LDAP desktop discovery to handle slow DNS queries better. #30465
• Updated SAML certificate parsing to allow leading/trailing spaces. #30452
• Improved audit logging support for large SQL Server queries. #30245
• Explicitly mention registered and new device when running tsh mfa add on Windows. #30217
• Tighten discovery service permissions. #29996
• helm: Add support for custom annotations in the teleport-kube-agent Secret. #30840

Security fixes

• Security improvements with possible medium severity DoS conditions through protocol level attacks. #30854

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

---

labels: security-patch=yes

Description

• Fixed a bug in teleport-cluster Helm chart causing Teleport to crash when AWS DynamoDB autoscaling is enabled. #30841
• Added Teleport Assist to Web Terminal. #30811
• Fixed S3 metric name for completed multipart uploads. #30710
• Added the ability for tsh to register and enroll the --current-device. #30702
• Fixed Review Requests to disallow reviews after request is resolved. #30690
• Ensure that SSH session errors are reported to the terminal. #30684
• Fixed an issue with tsh aws ssm start-session. #30668
• Fixed an issue with the access request failing with invalid maxDuration. teleport.e#2037

Security fix

• Security improvements with possible medium severity DoS conditions through protocol level attacks. #30854

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

---

labels: security-patch=yes

Description

• Fixed S3 metric name for completed multipart uploads. #30697
• Ensure that SSH session errors are reported to the terminal. #30695
• Fixed Review Requests to disallow reviews after request is resolved. #30689
• Fixed an issue with tsh aws ssm start-session. #30669
• Fixed Discovery service panics on GKE clusters without labels. #30646
• Fixed forwarding of SSH agent in a Cygwin environment. #30581
• Removed legacy AWS "aurora" engine type from discovery. #30547
• Fixed memory leak using PAM libraries. #30520
• Updated LDAP desktop discovery to handle slow DNS queries better. #30463
• Updated SAML certificate parsing to allow leading/trailing spaces. #30451
• Fixed "user is not managed" error when accessing ElastiCache and MemoryDB. #30354
• Show error if users attempt to do tsh login --headless. #30308
• Fixed resources being deleted from Firestore on update. #30288
• Fixed desktop access connecting to direct dial nodes. #30276
• Improved audit logging support for large SQL Server queries. #30244
• Fixed infinite retry in generic app access plugin. #30232
• tsh and tctl commands that output a text-formatted table will now consistently output resource labels as a comma-separated string, sorted by label namespace. Labels starting with teleport.dev/, teleport.hidden/, and teleport.internal/ are omitted unless the --verbose flag is used. #30227 #30224
• Explicitly mention registered and new device when running tsh mfa add on Windows. #30216
• helm: Allow setting storage class name for auth component in the teleport-cluster chart. #30144
• helm: Use imagePullSecrets for pre-deploy test pods in the teleport-cluster chart. #30143
• Improved logging of Teleport Connect child processes. #30026
• Added IP pinning support for TLS routing behind ALB mode. #30004
• Tighten discovery service permissions. #29995

Security fix

• Security improvements with possible medium severity DoS conditions through protocol level attacks. #30854

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

---

labels: security-patch=yes

Description

• Allow host users to be created with specific UID/GIDs #30178
• Fixed SSH agent forwarding under Cygwin #30582
• Fixed resource name resolution issues in tsh db #30563
• Retired obsolete AWS aurora engine identifier #30548
• Fixed issues with tsh proxy kube #30477
• Added skipConfirm option to Teleport Connect headless approval flow #30475
• Added increased validation of Database URLs discovered by Discovery Service #30462
• Fixed decoding of SAML certificates with whitespace padding #30450
• Fixed OTP prompt on Windows #30444
• Improved LDAP desktop discovery #30383
• Fixed desktop connection issues #30275
• Fixed "user is not managed" error when accessing ElastiCache and MemoryDB #30353
• Fixed spurious resource deletion in Firestore backend during update #30287
• Added JWT claim rewriting configuration #30280
• Fixed issue with tsh login --headless #30307
• EKS and AKS discovery are now considered Generally Available #30209
• Fixed a panic when importing GKE clusters without labels #30647
• Added support for auditing chunked SQL Server packets #30243
• Plugins now exit when the connection breaks in Kubernetes #30039

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Description

• Fixed regression issue with excessive backend reads for nodes. #30198
• Save device keys on %APPDATA%/Local instead of %APPDATA%/Roaming. #30177
• Improved "tsh kube login" message for proxy behind L7 load balancer. #30174
• Added auto-approval flow for Opsgenie plugin. #30161
• Extend tsh kube login --set-context-name to support templating functions. #30157
• Allow setting storage class name for auth component. #30145
• Added hosted Jira integration. #30117, #30040
• Added AWS configurator support for OpenSearch. #30085
• Tightened discovery service permissions. #29994
• Fixed authorization rules to the Assistant and UserPreferences service #29961
• Fixed Teleport Kubernetes Operator Token CRDs to support Rules fields #30179

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Description

• Updated Go to 1.20.7. #29907
• Reduced logging level in PostgreSQL backend for improved performance. #29845
• Fixed Kubernetes Legacy Proxy heartbeats. #29736
• Fixed auth locking issue. #29710
• Fixed issue where proxy_service.public_addr was not included in self-signed certs. #29599

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Description

• Added new Prometheus metric for created access requests. #29991
• Added support for the web UI for automatically deploying a database service with ECS Fargate container when enrolling a new database. #29978
• Added new Prometheus metrics to Kubernetes Access. #29970
• Added ability to delete proxy resources with tctl. #29903
• Added headless approval UI to Teleport Connect. #28975
• Removed requiring team/channel inputs for mattermost plugin. #30009
• Fixed change feed with PostgreSQL backend #29911 #29975
• Fixed tctl to obey --verbose when formatting text tables. #29870
• Updated OpenSSL to 3.0.10. #29908
• Updated Go to 1.20.7. #29904
• Reduced logging level in PostgreSQL access for improved performance. #29847

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.