
Releases: gravitational/teleport

Teleport 16.4.8

20 Nov 16:53
54d391f
  • Allow Azure VMs to join from a different subscription than their managed identity. #49157
  • Fixed an issue loading the license file when Teleport is started without a configuration file. #49149
  • Fixed a bug in the teleport-cluster Helm chart that could cause the token mount to fail when using ArgoCD. #49069
  • Fixed app access regression to apps on leaf clusters. #49056
  • Added support for directly configuring JWKS for GitHub joining for circumstances where the GHES is not reachable by the Teleport Auth Service. #49052
  • Fixed issue resulting in excess CPU usage and connection resets when teleport-event-handler is under moderate to high load. #49036
  • Fixed OpenSSH remote port forwarding not working for localhost. #49020
  • Fixed tsh app login prompting for user login when multiple AWS roles are present. #48997
  • Fixed incorrect cluster name when querying for Kubernetes namespaces on a leaf cluster for Connect UI. #48990
  • Allow overriding the Teleport license secret name when using the teleport-cluster Helm chart. #48979
  • Added periodic health checks between proxies in proxy peering. #48929
  • Fixed users not being able to connect to SQL server instances with PKINIT integration when the cluster is configured with different CAs for database access. #48924
  • Fixed a bug in the Teleport Operator chart that prevented the operator from listing secrets during secret injection. #48901
  • The access graph poll interval is now configurable with the discovery_service.poll_interval field, whereas before it was fixed to a 15 minute interval. #48861
  • The web terminal now supports SIXEL and IIP image protocols. #48842
  • Ensure that agentless server information is provided in all audit events. #48833
  • Fixed missing access request metadata in app.session.start audit events. #48804
  • Fixed a missing GetDatabaseFunc error when tsh connects to MongoDB databases in a cluster with a separate MongoDB port. #48129
  • Ensure that Teleport can re-establish broken LDAP connections. #48008
  • Improved handling of scoped tokens when setting up the Okta integration. #5503
  • Fixed an access request deletion reconciliation race condition in the Okta integration HA setup. #5385
  • Extended support for the group claim setting in the Entra ID integration. #5493

Teleport 17

16 Nov 16:11
dc58371

Teleport 17 brings the following new features and improvements:

  • Refreshed web UI
  • Modern signature algorithms
  • (Preview) AWS IAM Identity Center integration
  • Hardware key support for Teleport Connect
  • Nested access lists
  • Access lists UI/UX improvements
  • Signed and notarized macOS assets
  • Datadog Incident Management plugin for access requests
  • Hosted Microsoft Teams plugin for access requests
  • Dynamic registration for Windows desktops
  • Support for images in web SSH sessions
  • tbot CLI updates

Description

Refreshed Web UI

We have updated and improved designs and added a new navigation menu to Teleport
17’s web UI to enhance its usability and scalability.

Modern signature algorithms

Teleport 17 admins have the option to use elliptic curve cryptography for the
majority of user, host, and certificate authority key material.

This includes Ed25519 SSH keys and ECDSA TLS keys, replacing the RSA keys used
today.

New clusters will leverage modern signature algorithms by default. Existing
Teleport clusters will continue to use RSA2048 until a CA rotation is performed.
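Because an upgraded cluster keeps its RSA2048 CAs until a rotation is performed, the practical check after upgrading is to look at what algorithm each exported CA key actually uses. The following is an added example, not Teleport's own code: a stand-alone Python audit that parses authorized_keys/known_hosts-format lines (the format that `tctl auth export` is assumed here to emit for the host and user SSH CAs) and reports each key's algorithm and, for RSA, the modulus size. It only covers SSH keys, not the TLS CAs, and the sample input below is constructed, not real Teleport key material.

```python
import base64
import struct

# SSH key types Teleport 17 moves to by default (Ed25519 and ECDSA SSH keys).
MODERN_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp256",
                "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 big-endian length prefix)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def parse_key_blob(blob):
    """Return {'type', 'bits'} for a decoded OpenSSH public key blob.
    RSA: bit length of the modulus n. Ed25519: 256. ECDSA: curve size."""
    key_type, off = _read_string(blob, 0)
    key_type = key_type.decode()
    if key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)      # public exponent, unused here
        n, _ = _read_string(blob, off)         # modulus as mpint
        bits = int.from_bytes(n, "big").bit_length()
    elif key_type == "ssh-ed25519":
        pk, _ = _read_string(blob, off)
        bits = len(pk) * 8
    elif key_type.startswith("ecdsa-sha2-"):
        curve, _ = _read_string(blob, off)     # e.g. b"nistp256"
        bits = int(curve.decode()[-3:])
    else:
        bits = 0
    return {"type": key_type, "bits": bits}


def classify(line):
    """Classify one authorized_keys / known_hosts line. Marker fields such as
    '@cert-authority', 'cert-authority' and host patterns are skipped; the key
    is located by the algorithm token followed by its base64 blob."""
    tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):
        if not (tok.startswith("ssh-") or tok.startswith("ecdsa-")):
            continue
        try:
            info = parse_key_blob(base64.b64decode(tokens[i + 1], validate=True))
        except (ValueError, struct.error):
            continue
        if info["type"] != tok:
            continue
        if info["type"] in MODERN_TYPES:
            verdict = "modern"
        elif info["type"] == "ssh-rsa":
            # RSA2048 is what an existing cluster keeps until a CA rotation.
            verdict = "legacy-rsa" if info["bits"] >= 2048 else "weak-rsa"
        else:
            verdict = "unknown"
        return {"type": info["type"], "bits": info["bits"], "verdict": verdict}
    return {"type": None, "bits": 0, "verdict": "unparsed"}


def audit(text):
    """Classify every non-blank, non-comment line of an export."""
    return [classify(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


# --- Constructed sample input (not real Teleport CA keys) -------------------
def _string(b):
    return struct.pack(">I", len(b)) + b


def _mpint(x):
    return _string(x.to_bytes((x.bit_length() + 8) // 8, "big"))


def _line(marker, key_type, body):
    blob = _string(key_type.encode()) + body
    return f"{marker} {key_type} {base64.b64encode(blob).decode()}"


SAMPLE_EXPORT = "\n".join([
    _line("@cert-authority *.example.teleport.sh", "ssh-rsa",
          _mpint(65537) + _mpint((1 << 2047) | 1)),           # 2048-bit modulus
    _line("@cert-authority *.example.teleport.sh", "ssh-ed25519",
          _string(b"\x11" * 32)),
    _line("cert-authority", "ecdsa-sha2-nistp256",
          _string(b"nistp256") + _string(b"\x04" + b"\x22" * 64)),
    _line("@cert-authority *.legacy.example.com", "ssh-rsa",
          _mpint(65537) + _mpint((1 << 1023) | 1)),           # 1024-bit modulus
])

if __name__ == "__main__":
    for r in audit(SAMPLE_EXPORT):
        print(f"{r['verdict']:<11} {str(r['type']):<22} {r['bits']} bits")
```

Run it against a real export with `audit(open("ca.pub").read())`; any `legacy-rsa` line after the Teleport 17 upgrade means that CA has not been rotated yet.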

(Preview) AWS IAM Identity Center integration

Teleport 17 integrates with AWS IAM Identity Center to let users sync and
manage AWS IAM Identity Center group membership via Access Lists.

See documentation guide.

Hardware key support for Teleport Connect

We have extended Teleport 17’s support for hardware-backed private keys to
Teleport Connect.

Nested access lists

Teleport 17 admins and access list owners can add access lists as members in
other access lists.

See details in the documentation.

Access lists UI/UX improvements

The Teleport 17 web UI has an updated access lists page with a new table view
and improved search and filtering capabilities.

Signed and notarized macOS assets

Starting with Teleport 17, the macOS teleport.pkg installer includes signed and
notarized tsh.app and tctl.app, so downloading a separate tsh.pkg to use
Touch ID is no longer necessary.

In addition, the Teleport 17 event handler and Terraform provider for macOS are
also signed and notarized.

Datadog Incident Management plugin for access requests

Teleport 17 adds a PagerDuty-like integration with Datadog's on-call and
incident management APIs for access request notifications.

See the configuration guide.

Hosted Microsoft Teams plugin for access requests

Teleport 17 adds support for Microsoft Teams access request notifications
configured from the Teleport web UI, without needing to self-host the plugin.

Dynamic registration for Windows desktops

Dynamic registration allows Teleport administrators to register new Windows
desktops without having to update the static configuration files read by
Teleport Windows Desktop Service instances.

Support for images in web SSH sessions

The SSH console in Teleport’s web UI includes support for rendering images via
both the SIXEL and iTerm Inline Image Protocol (IIP).
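To show what the web terminal is now parsing, here is a minimal SIXEL encoder as an added example; it is not Teleport's code and does not use the web UI's implementation. It turns an indexed-color bitmap into the DCS ... ST escape sequence, using one valid choice of parameters (P2=1 so unpainted pixels keep the background, RGB palette entries in percent). Writing its output to a SIXEL-capable terminal, for example a Teleport 17 web SSH session, renders the image; the checkerboard is a constructed test image.

```python
ESC = "\x1b"


def sixel_encode(pixels, palette):
    """Encode an indexed-color bitmap as a SIXEL image.

    pixels:  list of rows, each a list of palette indices (equal widths).
    palette: list of (r, g, b) tuples with 0..255 components.
    Output:  DCS P0;1q <palette> <bands> ST.  Each band covers six rows; a data
    character chr(63 + mask) paints the pixels whose bits are set in mask
    (bit 0 = top row of the band) in the currently selected color.
    """
    height, width = len(pixels), len(pixels[0])
    out = [f"{ESC}P0;1q"]  # P2=1: unpainted pixels keep the background
    for idx, (r, g, b) in enumerate(palette):
        # Color definition in RGB mode (Pu=2) with 0..100 percentages.
        out.append(f"#{idx};2;{round(r * 100 / 255)};"
                   f"{round(g * 100 / 255)};{round(b * 100 / 255)}")
    for top in range(0, height, 6):
        band = pixels[top:top + 6]
        for color in range(len(palette)):
            masks = []
            for x in range(width):
                m = 0
                for dy, row in enumerate(band):
                    if row[x] == color:
                        m |= 1 << dy
                masks.append(m)
            if any(masks):
                # Select color, emit one sixel per column; '$' returns to the
                # left edge so the next color overlays the same band.
                out.append(f"#{color}" + "".join(chr(63 + m) for m in masks) + "$")
        out.append("-")  # graphics newline: advance to the next band
    out.append(f"{ESC}\\")  # ST terminates the device control string
    return "".join(out)


def checkerboard(size=12, cell=3):
    """Constructed test image: a two-color checkerboard."""
    return [[((x // cell) + (y // cell)) % 2 for x in range(size)]
            for y in range(size)]


if __name__ == "__main__":
    import sys
    sys.stdout.write(sixel_encode(checkerboard(), [(0, 0, 0), (255, 255, 255)]) + "\n")
```

A terminal without SIXEL support prints the sequence as garbage instead of an image, so check the terminal first (the page states the Teleport 17 web terminal supports both SIXEL and IIP).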

tbot CLI updates

The tbot client now supports starting most outputs and services directly from
the command line with no need for a configuration file using the new
tbot start <mode> family of commands. If desired, a given command can be
converted to a YAML configuration file with tbot configure <mode>.

Additionally, tctl now supports inspection and management of bot instances using
the tctl bots instances family of commands. This allows onboarding of new
instances for existing bots with tctl bots instances add, and inspection of
existing instances with tctl bots instances list.

Breaking changes and deprecations

macOS assets

Starting with version 17, Teleport no longer provides a separate tsh.pkg macOS
package.

Instead, teleport.pkg and all macOS tarballs include signed and notarized
tsh.app and tctl.app.

Enforced stricter requirements for SSH hostnames

Hostnames are only allowed if they are at most 256 characters long and consist
only of alphanumeric characters and the symbols . and -.

Any hostname that violates the new restrictions will be changed, and the original
hostname will be moved to the teleport.internal/invalid-hostname label for
discoverability.

The hostname of any Teleport agent with an invalid hostname will be replaced
with the host UUID. The hostname of any agentless OpenSSH server with an invalid
hostname will be replaced with the host portion of its address, if that is
valid, or with a randomly generated identifier. Hosts with invalid hostnames
should be updated to comply with the new requirements to avoid Teleport renaming
them.
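Since the rename is automatic, a pre-upgrade inventory check is the practical safeguard. The following added example, not Teleport's own code, applies the rule above to a list of node records and predicts the name each non-compliant host would receive. The record shape ({'name': host UUID, 'hostname', 'addr', 'agentless'}) is an assumption loosely modelled on a node resource, the sample inventory is constructed, and uuid4 stands in for whatever random identifier Teleport actually generates.

```python
import re
import uuid

# Teleport 17 rule: 1..256 characters, alphanumerics plus '.' and '-'.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,256}")
INVALID_LABEL = "teleport.internal/invalid-hostname"


def valid_hostname(name):
    return HOSTNAME_RE.fullmatch(name) is not None


def host_of_addr(addr):
    """Host part of 'host:port' or '[v6]:port'. An unbracketed IPv6 literal
    keeps its colons and therefore fails valid_hostname, as intended."""
    if addr.startswith("[") and "]" in addr:
        return addr[1:addr.index("]")]
    host, sep, _port = addr.rpartition(":")
    return host if sep else addr


def predicted_name(node):
    """node: {'name': host UUID, 'hostname': str, 'addr': 'host:port',
    'agentless': bool}  (assumed shape, loosely modelled on a node resource).
    Returns the hostname Teleport 17 would use and the label it would add."""
    hostname = node["hostname"]
    if valid_hostname(hostname):
        return {"hostname": hostname, "renamed": False, "labels": {}}
    if node.get("agentless"):
        host = host_of_addr(node["addr"])
        # Real Teleport generates its own random identifier; uuid4 stands in.
        new = host if valid_hostname(host) else str(uuid.uuid4())
    else:
        new = node["name"]
    return {"hostname": new, "renamed": True, "labels": {INVALID_LABEL: hostname}}


def audit(nodes):
    """Return only the nodes that would be renamed, with their new names."""
    out = []
    for node in nodes:
        res = predicted_name(node)
        if res["renamed"]:
            out.append((node["hostname"], res["hostname"], res["labels"]))
    return out


# Constructed sample inventory (UUIDs and addresses are made up).
SAMPLE_NODES = [
    {"name": "2d1c3a6e-0000-4000-8000-000000000001", "hostname": "web-01.prod.example.com",
     "addr": "10.0.1.10:3022", "agentless": False},
    {"name": "2d1c3a6e-0000-4000-8000-000000000002", "hostname": "db_primary",
     "addr": "10.0.1.11:3022", "agentless": False},
    {"name": "2d1c3a6e-0000-4000-8000-000000000003", "hostname": "legacy host",
     "addr": "10.0.2.5:22", "agentless": True},
    {"name": "2d1c3a6e-0000-4000-8000-000000000004", "hostname": "x" * 300,
     "addr": "[fe80::1]:22", "agentless": True},
]

if __name__ == "__main__":
    for old, new, labels in audit(SAMPLE_NODES):
        print(f"{old[:40]!r:>44} -> {new}  {labels}")
```

Anything the audit reports should be renamed on the host itself before upgrading, so that the name Teleport shows stays the one operators expect.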

TELEPORT_ALLOW_NO_SECOND_FACTOR removed

As of Teleport 16, multi-factor authentication is required for local users. To
assist with upgrades, Teleport 16 included a temporary opt-out mechanism via the
TELEPORT_ALLOW_NO_SECOND_FACTOR environment variable. This opt-out mechanism
has been removed.

TOTP for per-session MFA

Teleport 17 is the last release where tsh will allow using TOTP for
per-session MFA. Starting with Teleport 18, tsh will require a strong WebAuthn
credential for per-session MFA.

TOTP will continue to be accepted for the initial login.

Teleport 17.0.0-rc.3

15 Nov 21:59
af5b777
Pre-release

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous stable releases of Teleport at https://goteleport.com/download.

Teleport 17.0.0-beta.2

13 Nov 23:35
e11848c
Pre-release

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous stable releases of Teleport at https://goteleport.com/download.

Teleport 16.4.7

12 Nov 03:36
15dfef1

Description

  • Fixed a bug in Kubernetes session recordings where both the root and leaf cluster recorded the same Kubernetes session. Recordings of leaf resources are only available in leaf clusters. #48738
  • Machine ID can now be forced to use the explicitly configured proxy address using the TBOT_USE_PROXY_ADDR environment variable. This should better support split proxy address operation. #48675
  • Fixed undefined error in open source version when clicking on Add Application tile in the Enroll Resources page in the Web UI. #48616
  • Updated Go to 1.22.9. #48581
  • The teleport-cluster Helm chart now uses the configured serviceAccount.name from chart values for its pre-deploy configuration check Jobs. #48579
  • Fixed a bug that prevented the Teleport UI from properly displaying Plugin Audit log details. #48462
  • Fixed an issue preventing migration of unmanaged users to Teleport host users when including teleport-keep in a role's host_groups. #48455
  • Fixed showing the list of access requests in Teleport Connect when a leaf cluster is selected in the cluster selector. #48441
  • Added Connect support for selecting Kubernetes namespaces during access requests. #48413
  • Fixed a rare "internal error" on older U2F authenticators when using tsh. #48402
  • Fixed tsh play not skipping idle time when --skip-idle-time was provided. #48397
  • Added a warning to tctl edit about dynamic edits to statically configured resources. #48392
  • Added a new role.allow.request field, kubernetes_resources, that lets admins define what kinds of Kubernetes resources a requester can request. #48387
  • Fixed a Teleport Kubernetes Operator bug that happened for OIDCConnector resources with non-nil max_age. #48376
  • Updated host user creation to prevent local password expiration policies from affecting Teleport managed users. #48163
  • Added support for Entra ID directory synchronization for clusters without public internet access. #48089
  • Fixed "Missing Region" error for teleport bootstrap commands. #47995
  • Fixed a bug that prevented selecting security groups during the Aurora database enrollment wizard in the web UI. #47975
  • During the Set Up Access step of the Enroll New Resource flows, Okta users will be asked to change the role instead of entering the principals and getting an error afterwards. #47957
  • Fixed teleport_connected_resource metric overshooting after keepalive errors. #47949
  • Fixed an issue preventing connections with users whose configured home directories were inaccessible. #47916
  • Added a resolve command to tsh that may be used as the target for a Match exec condition in an SSH config. #47868
  • Respect HTTP_PROXY environment variables for Access Request integrations. #47738
  • Updated tsh ssh to support the -- delimiter similar to openssh. It is now possible to execute a command via tsh ssh user@host -- echo test or tsh ssh -- host uptime. #47493

Enterprise:

  • Jamf requests from Teleport set "teleport/$version" as the User-Agent.
  • Add Web UI support for selecting Kubernetes namespaces during access requests.
  • Import user roles and traits when using the EntraID directory sync.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Teleport 15.4.22

13 Nov 02:02
8966656

Description

  • Added a search input to the cluster dropdown in the Web UI when there's more than five clusters to show. #48800
  • Fixed a bug in Kubernetes session recordings where both the root and leaf cluster recorded the same Kubernetes session. Recordings of leaf resources are only available in leaf clusters. #48739
  • Machine ID can now be forced to use the explicitly configured proxy address using the TBOT_USE_PROXY_ADDR environment variable. This should better support split proxy address operation. #48677
  • Fixed undefined error in open source version when clicking on Add Application tile in the Enroll Resources page in the Web UI. #48617
  • Updated Go to 1.22.9. #48582
  • The teleport-cluster Helm chart now uses the configured serviceAccount.name from chart values for its pre-deploy configuration check Jobs. #48578
  • Fixed a bug that prevented the Teleport UI from properly displaying Plugin Audit log details. #48463
  • Fixed showing the list of access requests in Teleport Connect when a leaf cluster is selected in the cluster selector. #48442
  • Fixed a rare "internal error" on older U2F authenticators when using tsh. #48403
  • Fixed tsh play not skipping idle time when --skip-idle-time was provided. #48398
  • Added a warning to tctl edit about dynamic edits to statically configured resources. #48393
  • Fixed a Teleport Kubernetes Operator bug that happened for OIDCConnector resources with non-nil max_age. #48377
  • Updated host user creation to prevent local password expiration policies from affecting Teleport managed users. #48162
  • During the Set Up Access step of the Enroll New Resource flows, Okta users will be asked to change the role instead of entering the principals and getting an error afterwards. #47958
  • Fixed teleport_connected_resource metric overshooting after keepalive errors. #47950
  • Fixed an issue preventing connections with users whose configured home directories were inaccessible. #47917
  • Added a resolve command to tsh that may be used as the target for a Match exec condition in an SSH config. #47867
  • Postgres database session start events now include the Postgres backend PID for the session. #47644
  • Updated tsh ssh to support the -- delimiter similar to openssh. It is now possible to execute a command via tsh ssh user@host -- echo test or tsh ssh -- host uptime. #47494

Enterprise:

  • Jamf requests from Teleport set "teleport/$version" as the User-Agent.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Teleport 17.0.0-beta.1

09 Nov 00:46
5151b35
Pre-release

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous stable releases of Teleport at https://goteleport.com/download.

Teleport 17.0.0-alpha.5

06 Nov 19:03
7a3f9d8
Pre-release

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous stable releases of Teleport at https://goteleport.com/download.

Teleport 17.0.0-alpha.4

05 Nov 04:46
e351001
Pre-release

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous stable releases of Teleport at https://goteleport.com/download.

Teleport 14.3.33

31 Oct 00:29
24f3e89

Description

  • Fixed a bug in the External Audit Storage bootstrap script that broke S3 bucket creation. #48179
  • During the Set Up Access step of the Enroll New Resource flows, Okta users will be asked to change the role instead of entering the principals and getting an error afterwards. #47959
  • Fixed teleport_connected_resource metric overshooting after keepalive errors. #47951
  • Fixed an issue preventing connections with users whose configured home directories were inaccessible. #47918
  • Auto-enroll may be locally disabled using the TELEPORT_DEVICE_AUTO_ENROLL_DISABLED=1 environment variable. #47718
  • Alter ServiceAccounts in the teleport-cluster Helm chart to automatically disable mounting of service account tokens on newer Kubernetes distributions, helping satisfy security linters. #47701
  • Avoid tsh auto-enroll escalation in machines without a TPM. #47697
  • Postgres database session start events now include the Postgres backend PID for the session. #47645
  • Fixed a bug where Let's Encrypt certificate renewal failed in AMI and HA deployments due to insufficient disk space caused by syncing audit logs. #47623
  • Added support for a custom SQS consumer lock name and for disabling a consumer. #47612
  • Include host name instead of host uuid in error messages when SSH connections are prevented due to an invalid login. #47603
  • Allow using a custom database for Firestore backends. #47585
  • Extended Teleport Discovery Service to support resource discovery across all projects accessible by the service account. #47566
  • Fixed a bug that could allow users to list active sessions even when prohibited by RBAC. #47562
  • The tctl tokens ls command redacts secret join tokens by default. To include the token values, provide the new --with-secrets flag. #47547
  • Fixed an issue with the Microsoft license negotiation for RDP sessions. #47544
  • Fixed a bug where tsh logout failed to parse flags passed with spaces. #47461
  • Added kubeconfig context name to the output table of tsh proxy kube command for enhanced clarity. #47381
  • Improve error messaging when connections to offline agents are attempted. #47363
  • Teleport Connect for Linux now requires glibc 2.31 or later. #47264
  • Updated the self-hosted database Discover flow to generate certificates with a 2190h TTL instead of 12h. #47128

Enterprise:

  • Device auto-enroll failures are now recorded in the audit log.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.