Releases: gravitational/teleport

Teleport 17.0.3

04 Dec 01:11
1bcff22

Description

  • Restore ability to disable multi-factor authentication for local users. #49692
  • Bumping one of our dependencies to a more secure version to address CVE-2024-53259. #49662
  • Add ability to configure resource labels in teleport-cluster's operator sub-chart. #49647
  • Fixed proxy peering listener not using the exact address specified in peer_listen_addr. #49589
  • Teleport Connect now shows whether it is being used on a trusted device or if enrollment is required for full access. #49577
  • Kubernetes in-cluster joining now also accepts tokens whose audience is the Teleport cluster name (before it only allowed the default Kubernetes audience). Kubernetes JWKS joining is unchanged and still requires tokens with the cluster name in the audience. #49556
  • Session recording playback in the web UI is now searchable. #49506
  • Fixed an incorrect warning indicating that tsh v17.0.2 was incompatible with cluster v17.0.1, despite full compatibility. #49491
  • Increase CockroachDB setup timeout from 5 to 30 seconds. This mitigates the Auth Service not being able to configure TTL on slow CockroachDB event backends. #49469
  • Fixed a potential panic in login rule and SAML IdP expression parser. #49429
  • Support long-running kube exec/port-forward sessions and respect the client_idle_timeout config. #49421
  • Fixed a permissions error with Postgres database user auto-provisioning that occurs when the database admin is not a superuser and the database is upgraded to Postgres v16 or higher. #49390

Enterprise:

  • Jamf Service sync audit events are attributed to "Jamf Service".
  • Users can now see a list of their enrolled devices on their Account page.
  • Add support for Entra ID groups being members of other groups using Nested Access Lists.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Teleport 16.4.9

03 Dec 20:54
7cd07ee

Description

  • Add ability to configure resource labels in teleport-cluster's operator sub-chart. #49648
  • Fixed proxy peering listener not using the exact address specified in peer_listen_addr. #49590
  • Teleport Connect now shows whether it is being used on a trusted device or if enrollment is required for full access. #49578
  • Kubernetes in-cluster joining now also accepts tokens whose audience is the Teleport cluster name (before it only allowed the default Kubernetes audience). Kubernetes JWKS joining is unchanged and still requires tokens with the cluster name in the audience. #49557
  • Restore interactive PAM authentication functionality when use_pam_auth is applied. #49519
  • Session recording playback in the web UI is now searchable. #49507
  • Increase CockroachDB setup timeout from 5 to 30 seconds. This mitigates the Auth Service not being able to configure TTL on slow CockroachDB event backends. #49470
  • Fixed a potential panic in login rule and SAML IdP expression parser. #49431
  • Support long-running kube exec/port-forward sessions and respect the client_idle_timeout config. #49423
  • Fixed a permissions error with Postgres database user auto-provisioning that occurs when the database admin is not a superuser and the database is upgraded to Postgres v16 or higher. #49389
  • Teleport Connect now refreshes the resources view after dropping an Access Request. #49348
  • Fixed missing user participants in session recordings listing for non-interactive Kubernetes recordings. #49344
  • Support delegated joining for Bitbucket Pipelines in Machine ID. #49337
  • Fix a bug in the Teleport Operator chart that causes the operator to not be able to watch secrets during secret injection. #49326
  • You can now search text within ssh sessions in the Web UI and Teleport Connect. #49270
  • Fixed an issue where teleport park processes could be leaked causing runaway resource usage. #49261
  • Update tsh scp to respect proxy templates when resolving the remote host. #49227
  • The tsh puttyconfig command now disables GSSAPI auth settings to avoid a "Not Responding" condition in PuTTY. #49190
  • Resolved an issue that caused false positive errors incorrectly indicating that the YubiKey was in use by another application, while only tsh was accessing it. #47952

Enterprise:

  • Jamf Service sync audit events are attributed to "Jamf Service".
  • Fixed a bug where Access Lists imported from Microsoft Entra ID fail to be created if their display names include special characters.

Teleport 14.3.34

02 Dec 18:36
a12edb9

Description

  • Fixed a bug in the teleport-cluster Helm chart that can cause token mount to fail when using ArgoCD. #49071
  • Allow overriding Teleport license secret name when using teleport-cluster Helm chart. #48981
  • Fixed a bug in Kubernetes session recordings where both root and leaf cluster recorded the same Kubernetes session. Recordings of leaf resources are only available in leaf clusters. #48740
  • Updated Go to 1.22.9. #48583
  • The teleport-cluster Helm chart now uses the configured serviceAccount.name from chart values for its pre-deploy configuration check Jobs. #48577
  • Fixed a Teleport Kubernetes Operator bug that happened for OIDCConnector resources with non-nil max_age. #48378
  • Updated host user creation to prevent local password expiration policies from affecting Teleport managed users. #48161
  • Resolved an issue that caused false positive errors incorrectly indicating that the YubiKey was in use by another application, while only tsh was accessing it. #47954
  • Updated tsh ssh to support the -- delimiter similar to OpenSSH. It is now possible to execute a command via tsh ssh user@host -- echo test or tsh ssh -- host uptime. #47495

Teleport 17.0.2

25 Nov 21:06
a5c84e4

Description

  • Fixed missing user participants in session recordings listing for non-interactive Kubernetes recordings. #49343
  • Support delegated joining for Bitbucket Pipelines in Machine ID. #49335
  • Fix a bug in the Teleport Operator chart that causes the operator to not be able to watch secrets during secret injection. #49327
  • You can now search text within SSH sessions in the Web UI and Teleport Connect. #49269
  • Teleport Connect now refreshes the resources view after dropping an access request. #49264
  • Fixed an issue where teleport park processes could be leaked causing runaway resource usage. #49260
  • Fixed VNet not being able to connect to the daemon. #49199
  • The tsh puttyconfig command now disables GSSAPI auth settings to avoid a "Not Responding" condition in PuTTY. #49189
  • Allow Azure VMs to join from a different subscription than their managed identity. #49156
  • Fix an issue loading the license file when Teleport is started without a configuration file. #49150
  • Added support for directly configuring JWKS for GitHub joining for circumstances where the GHES is not reachable by the Teleport Auth Service. #49049
  • Fixed a bug where Access Lists imported from Microsoft Entra ID fail to be created if their display names include special characters. #5551

Teleport 16.4.8

20 Nov 16:53
54d391f

Description

  • Allow Azure VMs to join from a different subscription than their managed identity. #49157
  • Fix an issue loading the license file when Teleport is started without a configuration file. #49149
  • Fixed a bug in the teleport-cluster Helm chart that can cause token mount to fail when using ArgoCD. #49069
  • Fixed app access regression to apps on leaf clusters. #49056
  • Added support for directly configuring JWKS for GitHub joining for circumstances where the GHES is not reachable by the Teleport Auth Service. #49052
  • Fixed issue resulting in excess CPU usage and connection resets when teleport-event-handler is under moderate to high load. #49036
  • Fixed OpenSSH remote port forwarding not working for localhost. #49020
  • Fixed tsh app login prompting for user login when multiple AWS roles are present. #48997
  • Fixed incorrect cluster name when querying for Kubernetes namespaces on a leaf cluster for Connect UI. #48990
  • Allow overriding the Teleport license secret name when using the teleport-cluster Helm chart. #48979
  • Added periodic health checks between proxies in proxy peering. #48929
  • Fixed users not being able to connect to SQL server instances with PKINIT integration when the cluster is configured with different CAs for database access. #48924
  • Fix a bug in the Teleport Operator chart that causes the operator to not be able to list secrets during secret injection. #48901
  • The access graph poll interval is now configurable with the discovery_service.poll_interval field, whereas before it was fixed to a 15 minute interval. #48861
  • The web terminal now supports SIXEL and IIP image protocols. #48842
  • Ensure that agentless server information is provided in all audit events. #48833
  • Fixed missing access request metadata in app.session.start audit events. #48804
  • Fixed missing GetDatabaseFunc error when tsh connects MongoDB databases in cluster with a separate MongoDB port. #48129
  • Ensure that Teleport can re-establish broken LDAP connections. #48008
  • Improved handling of scoped token when setting up Okta integration. #5503
  • Fixed access request deletion reconciliation race condition in Okta integration HA setup. #5385
  • Extend support for group claim setting in Entra ID integration. #5493

Teleport 17

16 Nov 16:11
dc58371

Teleport 17 brings the following new features and improvements:

  • Refreshed web UI
  • Modern signature algorithms
  • (Preview) AWS IAM Identity Center integration
  • Hardware key support for Teleport Connect
  • Nested access lists
  • Access lists UI/UX improvements
  • Signed and notarized macOS assets
  • Datadog Incident Management plugin for access requests
  • Hosted Microsoft Teams plugin for access requests
  • Dynamic registration for Windows desktops
  • Support for images in web SSH sessions
  • tbot CLI updates

Description

Refreshed Web UI

We have updated and improved designs and added a new navigation menu to Teleport
17’s web UI to enhance its usability and scalability.

Modern signature algorithms

Teleport 17 admins have the option to use elliptic curve cryptography for the
majority of user, host, and certificate authority key material.

This includes Ed25519 SSH keys and ECDSA TLS keys, replacing the RSA keys used
today.

New clusters will leverage modern signature algorithms by default. Existing
Teleport clusters will continue to use RSA2048 until a CA rotation is performed.

(Preview) AWS IAM Identity Center integration

Teleport 17 integrates with AWS IAM Identity Center to allow users to sync and
manage AWS IC group members via Access Lists.

See the documentation guide.

Hardware key support for Teleport Connect

We have extended Teleport 17’s support for hardware-backed private keys to
Teleport Connect.

Nested access lists

Teleport 17 admins and access list owners can add access lists as members in
other access lists.

See details in the documentation.

Access lists UI/UX improvements

The Teleport 17 web UI has an updated access lists page with a new table view
and improved search and filtering capabilities.

Signed and notarized macOS assets

Starting with Teleport 17, the macOS teleport.pkg installer includes signed and
notarized tsh.app and tctl.app, so downloading a separate tsh.pkg to use
Touch ID is no longer necessary.

In addition, the Teleport 17 event handler and Terraform provider for macOS are
also signed and notarized.

Datadog Incident Management plugin for access requests

Teleport 17 supports a PagerDuty-like integration with Datadog's on-call and
incident management APIs for access request notifications.

See the configuration guide.

Hosted Microsoft Teams plugin for access requests

Teleport 17 adds support for a Microsoft Teams integration for access request
notifications, configured from the Teleport web UI without needing to self-host
the plugin.

Dynamic registration for Windows desktops

Dynamic registration allows Teleport administrators to register new Windows
desktops without having to update the static configuration files read by
Teleport Windows Desktop Service instances.

Support for images in web SSH sessions

The SSH console in Teleport’s web UI includes support for rendering images via
both the SIXEL and iTerm Inline Image Protocol (IIP).

tbot CLI updates

The tbot client now supports starting most outputs and services directly from
the command line, with no need for a configuration file, using the new
tbot start <mode> family of commands. If desired, a given command can be
converted to a YAML configuration file with tbot configure <mode>.

Additionally, tctl now supports inspection and management of bot instances using
the tctl bots instances family of commands. This allows onboarding of new
instances for existing bots with tctl bots instances add, and inspection of
existing instances with tctl bots instances list.

Breaking changes and deprecations

macOS assets

Starting with version 17, Teleport no longer provides a separate tsh.pkg macOS
package.

Instead, teleport.pkg and all macOS tarballs include signed and notarized
tsh.app and tctl.app.

Enforced stricter requirements for SSH hostnames

Hostnames are only allowed if they are less than 257 characters and consist of
only alphanumeric characters and the symbols . and -.

Any hostname that violates the new restrictions will be changed; the original
hostname will be moved to the teleport.internal/invalid-hostname label for
discoverability.

The hostname of any Teleport agent with an invalid hostname will be replaced
with the host UUID. The hostname of any agentless OpenSSH server with an invalid
hostname will be replaced with the host part of its address, if that is valid,
or with a randomly generated identifier. Any hosts with invalid hostnames should
be updated to comply with the new requirements to avoid Teleport renaming them.
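As an added example (not Teleport's own code), the following Go program applies the hostname rule above to a constructed inventory as a pre-upgrade dry run, reporting which hosts would be renamed and what the label would carry. The Host type, the placeholder string standing in for the random identifier, and rejecting the empty hostname are assumptions of this example, not statements from the release notes.

```go
package main

import (
	"fmt"
	"net"
)

// Label the notes say keeps a renamed host's original name.
const InvalidHostnameLabel = "teleport.internal/invalid-hostname"

// ValidHostname implements the Teleport 17 rule: fewer than 257 characters, only
// ASCII letters, digits, '.' and '-'. Rejecting "" is this example's own assumption.
func ValidHostname(h string) bool {
	if h == "" || len(h) >= 257 {
		return false
	}
	for _, c := range []byte(h) {
		alnum := ('a' <= c && c <= 'z') || ('A' <= c && c <= 'Z') || ('0' <= c && c <= '9')
		if !alnum && c != '.' && c != '-' {
			return false
		}
	}
	return true
}

// Host is one entry of a constructed inventory (hypothetical type, not a Teleport
// API type). Addr is consulted only for agentless servers.
type Host struct {
	Name, Addr, HostUUID string
	Agentless            bool
}

// Predict returns the name the notes say the host will end up with, plus the label
// that preserves the original: agents get the host UUID; agentless OpenSSH servers
// get the host part of their address if that is valid, else a random identifier.
func Predict(h Host) (string, map[string]string) {
	if ValidHostname(h.Name) {
		return h.Name, nil
	}
	labels := map[string]string{InvalidHostnameLabel: h.Name}
	if !h.Agentless {
		return h.HostUUID, labels
	}
	host := h.Addr
	if hp, _, err := net.SplitHostPort(h.Addr); err == nil {
		host = hp
	}
	if ValidHostname(host) {
		return host, labels
	}
	return "<randomly-generated-identifier>", labels // placeholder for Teleport's random id
}

func main() {
	// Constructed sample inventory: a pre-upgrade dry run of the rename rule.
	inventory := []Host{
		{Name: "db_primary", HostUUID: "uuid-0002-example"},
		{Name: "legacy box", Addr: "legacy.example.com:22", Agentless: true},
	}
	for _, h := range inventory {
		if name, labels := Predict(h); name != h.Name {
			fmt.Printf("%q -> %q (%s=%q)\n", h.Name, name, InvalidHostnameLabel, labels[InvalidHostnameLabel])
		}
	}
}
```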

TELEPORT_ALLOW_NO_SECOND_FACTOR removed

As of Teleport 16, multi-factor authentication is required for local users. To
assist with upgrades, Teleport 16 included a temporary opt-out mechanism via the
TELEPORT_ALLOW_NO_SECOND_FACTOR environment variable. This opt-out mechanism
has been removed.

TOTP for per-session MFA

Teleport 17 is the last release where tsh will allow using TOTP with
per-session MFA. Starting with Teleport 18, tsh will require a strong WebAuthn
credential for per-session MFA.

TOTP will continue to be accepted for the initial login.

Teleport 17.0.0-rc.3

15 Nov 21:59
af5b777

Pre-release

Warning

Pre-releases are not production-ready; use at your own risk!

Download

Download the current and previous stable releases of Teleport at https://goteleport.com/download.

Teleport 17.0.0-beta.2

13 Nov 23:35
e11848c

Pre-release

Warning

Pre-releases are not production-ready; use at your own risk!

Teleport 16.4.7

12 Nov 03:36
15dfef1

Description

  • Fixed bug in Kubernetes session recordings where both root and leaf cluster recorded the same Kubernetes session. Recordings of leaf resources are only available in leaf clusters. #48738
  • Machine ID can now be forced to use the explicitly configured proxy address using the TBOT_USE_PROXY_ADDR environment variable. This should better support split proxy address operation. #48675
  • Fixed undefined error in open source version when clicking on Add Application tile in the Enroll Resources page in the Web UI. #48616
  • Updated Go to 1.22.9. #48581
  • The teleport-cluster Helm chart now uses the configured serviceAccount.name from chart values for its pre-deploy configuration check Jobs. #48579
  • Fixed a bug that prevented the Teleport UI from properly displaying Plugin Audit log details. #48462
  • Fixed an issue preventing migration of unmanaged users to Teleport host users when including teleport-keep in a role's host_groups. #48455
  • Fixed showing the list of access requests in Teleport Connect when a leaf cluster is selected in the cluster selector. #48441
  • Added Connect support for selecting Kubernetes namespaces during access requests. #48413
  • Fixed a rare "internal error" on older U2F authenticators when using tsh. #48402
  • Fixed tsh play not skipping idle time when --skip-idle-time was provided. #48397
  • Added a warning to tctl edit about dynamic edits to statically configured resources. #48392
  • Define a new role.allow.request field called kubernetes_resources that allows admins to define what kinds of Kubernetes resources a requester can request. #48387
  • Fixed a Teleport Kubernetes Operator bug that happened for OIDCConnector resources with non-nil max_age. #48376
  • Updated host user creation to prevent local password expiration policies from affecting Teleport managed users. #48163
  • Added support for Entra ID directory synchronization for clusters without public internet access. #48089
  • Fixed "Missing Region" error for teleport bootstrap commands. #47995
  • Fixed a bug that prevented selecting security groups during the Aurora database enrollment wizard in the web UI. #47975
  • During the Set Up Access of the Enroll New Resource flows, Okta users will be asked to change the role instead of entering the principals and getting an error afterwards. #47957
  • Fixed teleport_connected_resource metric overshooting after keepalive errors. #47949
  • Fixed an issue preventing connections with users whose configured home directories were inaccessible. #47916
  • Added a resolve command to tsh that may be used as the target for a Match exec condition in an SSH config. #47868
  • Respect HTTP_PROXY environment variables for Access Request integrations. #47738
  • Updated tsh ssh to support the -- delimiter similar to OpenSSH. It is now possible to execute a command via tsh ssh user@host -- echo test or tsh ssh -- host uptime. #47493

Enterprise:

  • Jamf requests from Teleport set "teleport/$version" as the User-Agent.
  • Add Web UI support for selecting Kubernetes namespaces during access requests.
  • Import user roles and traits when using the EntraID directory sync.

Teleport 15.4.22

13 Nov 02:02
8966656

Description

  • Added a search input to the cluster dropdown in the Web UI when there's more than five clusters to show. #48800
  • Fixed bug in Kubernetes session recordings where both root and leaf cluster recorded the same Kubernetes session. Recordings of leaf resources are only available in leaf clusters. #48739
  • Machine ID can now be forced to use the explicitly configured proxy address using the TBOT_USE_PROXY_ADDR environment variable. This should better support split proxy address operation. #48677
  • Fixed undefined error in open source version when clicking on Add Application tile in the Enroll Resources page in the Web UI. #48617
  • Updated Go to 1.22.9. #48582
  • The teleport-cluster Helm chart now uses the configured serviceAccount.name from chart values for its pre-deploy configuration check Jobs. #48578
  • Fixed a bug that prevented the Teleport UI from properly displaying Plugin Audit log details. #48463
  • Fixed showing the list of access requests in Teleport Connect when a leaf cluster is selected in the cluster selector. #48442
  • Fixed a rare "internal error" on older U2F authenticators when using tsh. #48403
  • Fixed tsh play not skipping idle time when --skip-idle-time was provided. #48398
  • Added a warning to tctl edit about dynamic edits to statically configured resources. #48393
  • Fixed a Teleport Kubernetes Operator bug that happened for OIDCConnector resources with non-nil max_age. #48377
  • Updated host user creation to prevent local password expiration policies from affecting Teleport managed users. #48162
  • During the Set Up Access of the Enroll New Resource flows, Okta users will be asked to change the role instead of entering the principals and getting an error afterwards. #47958
  • Fixed teleport_connected_resource metric overshooting after keepalive errors. #47950
  • Fixed an issue preventing connections with users whose configured home directories were inaccessible. #47917
  • Added a resolve command to tsh that may be used as the target for a Match exec condition in an SSH config. #47867
  • Postgres database session start events now include the Postgres backend PID for the session. #47644
  • Updated tsh ssh to support the -- delimiter similar to OpenSSH. It is now possible to execute a command via tsh ssh user@host -- echo test or tsh ssh -- host uptime. #47494

Enterprise:

  • Jamf requests from Teleport set "teleport/$version" as the User-Agent.