Releases: gravitational/teleport
Teleport 16.4.8
- Allow Azure VMs to join from a different subscription than their managed identity. #49157
- Fix an issue loading the license file when Teleport is started without a configuration file. #49149
- Fixed a bug in the `teleport-cluster` Helm chart that can cause token mount to fail when using ArgoCD. #49069
- Fixed app access regression to apps on leaf clusters. #49056
- Added support for directly configuring JWKS for GitHub joining for circumstances where the GHES is not reachable by the Teleport Auth Service. #49052
- Fixed issue resulting in excess CPU usage and connection resets when `teleport-event-handler` is under moderate to high load. #49036
- Fixed OpenSSH remote port forwarding not working for localhost. #49020
- Fixed `tsh app login` prompting for user login when multiple AWS roles are present. #48997
- Fixed incorrect cluster name when querying for Kubernetes namespaces on a leaf cluster for Connect UI. #48990
- Allow overriding the Teleport license secret name when using the `teleport-cluster` Helm chart. #48979
- Added periodic health checks between proxies in proxy peering. #48929
- Fixed users not being able to connect to SQL Server instances with PKINIT integration when the cluster is configured with different CAs for database access. #48924
- Fix a bug in the Teleport Operator chart that causes the operator to not be able to list secrets during secret injection. #48901
- The access graph poll interval is now configurable with the `discovery_service.poll_interval` field, whereas before it was fixed to a 15 minute interval. #48861
- The web terminal now supports SIXEL and IIP image protocols. #48842
- Ensure that agentless server information is provided in all audit events. #48833
- Fixed missing access request metadata in `app.session.start` audit events. #48804
- Fixed `missing GetDatabaseFunc` error when `tsh` connects to MongoDB databases in a cluster with a separate MongoDB port. #48129
- Ensure that Teleport can re-establish broken LDAP connections. #48008
- Improved handling of scoped token when setting up Okta integration. #5503
- Fixed access request deletion reconciliation race condition in Okta integration HA setup. #5385
- Extend support for `group` claim setting in Entra ID integration. #5493
Teleport 17
Teleport 17 brings the following new features and improvements:
- Refreshed web UI
- Modern signature algorithms
- (Preview) AWS IAM Identity Center integration
- Hardware key support for Teleport Connect
- Nested access lists
- Access lists UI/UX improvements
- Signed and notarized macOS assets
- Datadog Incident Management plugin for access requests
- Hosted Microsoft Teams plugin for access requests
- Dynamic registration for Windows desktops
- Support for images in web SSH sessions
- `tbot` CLI updates
Description
Refreshed Web UI
We have updated and improved designs and added a new navigation menu to Teleport
17’s web UI to enhance its usability and scalability.
Modern signature algorithms
Teleport 17 admins have the option to use elliptic curve cryptography for the
majority of user, host, and certificate authority key material.
This includes Ed25519 SSH keys and ECDSA TLS keys, replacing the RSA keys used
today.
New clusters will leverage modern signature algorithms by default. Existing
Teleport clusters will continue to use RSA2048 until a CA rotation is performed.
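Because an existing cluster keeps its RSA2048 CAs until a rotation is performed, it is worth verifying the key material rather than assuming the new suite is in effect. The following is an added example, not Teleport's own code: it reads the SSH wire-format blob of each line that `tctl auth export` prints (or that sits in a `*-cert.pub` or `known_hosts` file) and reports the algorithm and key size, flagging anything still on RSA. The sample lines are constructed dummies built with the same encoding, not real Teleport keys; the cluster name and `type=host` trailer in them are illustrative.

```python
"""Added example (not Teleport's own code): report the SSH key algorithm and
size of CA / certificate lines, to confirm a cluster has moved off RSA after
a CA rotation.

Accepts lines in the formats printed by `tctl auth export` (known_hosts style
`@cert-authority` lines) or stored in `*-cert.pub` / `known_hosts` files.
The algorithm is read from inside the base64 blob, which is what peers verify,
not from the text column in front of it.
"""
import base64
import struct

CERT_SUFFIX = "-cert-v01@openssh.com"
RSA_ALGOS = {"ssh-rsa", "ssh-rsa" + CERT_SUFFIX}


def _string(data: bytes) -> bytes:
    """Encode an SSH wire 'string' (uint32 length + bytes)."""
    return struct.pack(">I", len(data)) + data


def _mpint(n: int) -> bytes:
    """Encode a non-negative SSH wire 'mpint' (shortest two's complement)."""
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big") if n else b"")


def _read_string(blob: bytes, off: int):
    (length,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + length], off + 4 + length


def key_algorithm(line: str):
    """Return (wire algorithm name, key size in bits) for one key line."""
    blob_field = next((f for f in line.split() if f.startswith("AAAA")), None)
    if blob_field is None:
        raise ValueError("no SSH key blob in line: %r" % line)
    blob = base64.b64decode(blob_field)
    algo_bytes, off = _read_string(blob, 0)
    algo = algo_bytes.decode()
    base = algo[:-len(CERT_SUFFIX)] if algo.endswith(CERT_SUFFIX) else algo
    if base != algo:                       # certificates carry a nonce before the key
        _nonce, off = _read_string(blob, off)
    if base == "ssh-rsa":                  # mpint e, mpint n
        _e, off = _read_string(blob, off)
        n, off = _read_string(blob, off)
        return algo, int.from_bytes(n, "big").bit_length()
    if base == "ssh-ed25519":
        return algo, 256
    if base.startswith("ecdsa-sha2-nistp"):
        return algo, int(base[len("ecdsa-sha2-nistp"):])
    return algo, 0                         # unknown type: report it, size unknown


def rsa_entries(lines):
    """Return (line number, algorithm, bits) for every entry still using RSA."""
    found = []
    for number, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        algo, bits = key_algorithm(line)
        if algo in RSA_ALGOS:
            found.append((number, algo, bits))
    return found


def _b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()


# Constructed dummy keys in genuine SSH wire encoding; not real Teleport keys.
_RSA_BLOB = _string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 2047) | 1)
_ED25519_BLOB = _string(b"ssh-ed25519") + _string(bytes(range(32)))
_ECDSA_CERT_BLOB = (_string(b"ecdsa-sha2-nistp256" + CERT_SUFFIX.encode())
                    + _string(b"nonce") + _string(b"nistp256")
                    + _string(b"\x04" + bytes(64)))

SAMPLE_LINES = [
    "# host CA before rotation, as `tctl auth export --type=host` would print it",
    "@cert-authority *.example.com ssh-rsa %s type=host" % _b64(_RSA_BLOB),
    "# the same CA after rotating to the Teleport 17 default suite",
    "@cert-authority *.example.com ssh-ed25519 %s type=host" % _b64(_ED25519_BLOB),
    "# an ECDSA user certificate as found in a *-cert.pub file",
    "ecdsa-sha2-nistp256-cert-v01@openssh.com %s alice@example.com" % _b64(_ECDSA_CERT_BLOB),
]

if __name__ == "__main__":
    for number, algo, bits in rsa_entries(SAMPLE_LINES):
        print("line %d still uses %s (%d bits)" % (number, algo, bits))
```

Run it over the output of `tctl auth export --type=host` (and `--type=user`) before and after the rotation: any line still reported as `ssh-rsa` means that CA has not rotated, and hosts and clients will keep presenting RSA material until it has, exactly as the note above describes.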
(Preview) AWS IAM Identity Center integration
Teleport 17 integrates with AWS IAM Identity Center to allow users to sync and
manage AWS IC group members via Access Lists.
See documentation guide.
Hardware key support for Teleport Connect
We have extended Teleport 17’s support for hardware-backed private keys to
Teleport Connect.
Nested access lists
Teleport 17 admins and access list owners can add access lists as members in
other access lists.
See details in the documentation.
Access lists UI/UX improvements
The Teleport 17 web UI has an updated access lists page with a new table view
and improved search and filtering.
Signed and notarized macOS assets
Starting from Teleport 17, the macOS `teleport.pkg` installer includes signed and
notarized `tsh.app` and `tctl.app`, so downloading a separate `tsh.pkg` to use
Touch ID is no longer necessary.
In addition, Teleport 17 event handler and Terraform provider for macOS are also
signed and notarized.
Datadog Incident Management plugin for access requests
Teleport 17 supports PagerDuty-like integration with Datadog's on-call
and incident management
APIs for access request notifications.
See the configuration guide.
Hosted Microsoft Teams plugin for access requests
Teleport 17 adds support for Microsoft Teams integration for access request
notifications using Teleport web UI without needing to self-host the plugin.
Dynamic registration for Windows desktops
Dynamic registration allows Teleport administrators to register new Windows
desktops without having to update the static configuration files read by
Teleport Windows Desktop Service instances.
Support for images in web SSH sessions
The SSH console in Teleport’s web UI includes support for rendering images via
both the SIXEL and iTerm Inline Image Protocol (IIP).
tbot CLI updates
The `tbot` client now supports starting most outputs and services directly from
the command line with no need for a configuration file using the new
`tbot start <mode>` family of commands. If desired, a given command can be
converted to a YAML configuration file with `tbot configure <mode>`.
Additionally, `tctl` now supports inspection and management of bot instances using
the `tctl bots instances` family of commands. This allows onboarding of new
instances for existing bots with `tctl bots instances add`, and inspection of
existing instances with `tctl bots instances list`.
Breaking changes and deprecations
macOS assets
Starting with version 17, Teleport no longer provides a separate `tsh.pkg` macOS
package. Instead, `teleport.pkg` and all macOS tarballs include signed and
notarized `tsh.app` and `tctl.app`.
Enforced stricter requirements for SSH hostnames
Hostnames are only allowed if they are at most 256 characters long and consist
only of alphanumeric characters and the symbols `.` and `-`.
Any hostname that violates the new restrictions will be changed, and the original
hostname will be moved to the `teleport.internal/invalid-hostname` label for
discoverability.
For Teleport agents, an invalid hostname will be replaced with the host UUID.
For agentless OpenSSH servers, an invalid hostname will be replaced with the host
part of the server's address, if that is valid, or a randomly generated identifier.
Any hosts with invalid hostnames should be updated to comply with the new
requirements to avoid Teleport renaming them.
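Before upgrading, you will want to know which hosts these rules will rename. The following added example (not Teleport's own code) applies the rules above to server resources in the shape that `tctl get nodes --format=json` returns and reports both hosts that will be renamed, with the replacement name the notes describe, and hosts that have already been renamed, recognisable by the `teleport.internal/invalid-hostname` label. The node list is constructed for the example; the `sub_kind: openssh` marker used to tell agentless servers from agents and the exact JSON field layout are assumptions about that output, so check them against your own `tctl` output.

```python
"""Added example (not Teleport's own code): find hosts that Teleport 17's
hostname rules will rename, before the upgrade does it for you.

Works on server resources shaped like `tctl get nodes --format=json` output
(assumed layout: metadata.name is the host UUID, spec.hostname / spec.addr,
and sub_kind "openssh" marks agentless OpenSSH servers).
"""
import json
import re

MAX_HOSTNAME_LEN = 256                       # "less than 257 characters"
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]+")  # alphanumerics, '.' and '-' only
INVALID_LABEL = "teleport.internal/invalid-hostname"


def is_valid_hostname(name: str) -> bool:
    return len(name) <= MAX_HOSTNAME_LEN and HOSTNAME_RE.fullmatch(name) is not None


def expected_replacement(node: dict) -> str:
    """The name Teleport 17 will assign to a host whose hostname is invalid."""
    if node.get("sub_kind") == "openssh":    # agentless OpenSSH server
        host = node["spec"].get("addr", "").rsplit(":", 1)[0]
        return host if is_valid_hostname(host) else "<random identifier>"
    return node["metadata"]["name"]          # Teleport agent: host UUID


def audit_hostnames(nodes):
    """Report hosts that will be renamed, and hosts already renamed by Teleport."""
    report = []
    for node in nodes:
        hostname = node["spec"]["hostname"]
        labels = node["metadata"].get("labels") or {}
        if INVALID_LABEL in labels:
            report.append({"hostname": hostname, "status": "already renamed",
                           "original": labels[INVALID_LABEL]})
        elif not is_valid_hostname(hostname):
            report.append({"hostname": hostname, "status": "will be renamed",
                           "replacement": expected_replacement(node)})
    return report


def load_nodes(text: str):
    """Parse `tctl get nodes --format=json` output (a JSON array of servers)."""
    return json.loads(text)


# Constructed sample inventory (fake UUIDs and addresses), not real cluster data.
SAMPLE_NODES = load_nodes("""[
 {"kind": "node", "metadata": {"name": "11111111-1111-4111-8111-111111111111", "labels": {}},
  "spec": {"hostname": "db-01.prod.example.com", "addr": "10.0.1.5:3022"}},
 {"kind": "node", "metadata": {"name": "22222222-2222-4222-8222-222222222222", "labels": {}},
  "spec": {"hostname": "web_01 (staging)", "addr": "10.0.2.5:3022"}},
 {"kind": "node", "sub_kind": "openssh",
  "metadata": {"name": "33333333-3333-4333-8333-333333333333", "labels": {}},
  "spec": {"hostname": "legacy/box", "addr": "10.0.3.7:22"}},
 {"kind": "node", "sub_kind": "openssh",
  "metadata": {"name": "44444444-4444-4444-8444-444444444444", "labels": {}},
  "spec": {"hostname": "ipv6 box", "addr": "[fd00::7]:22"}},
 {"kind": "node", "metadata": {"name": "55555555-5555-4555-8555-555555555555",
  "labels": {"teleport.internal/invalid-hostname": "old name!"}},
  "spec": {"hostname": "55555555-5555-4555-8555-555555555555", "addr": "10.0.5.9:3022"}}
]""")

if __name__ == "__main__":
    for entry in audit_hostnames(SAMPLE_NODES):
        print(entry)
```

Run it on `tctl get nodes --format=json` before the upgrade and fix every "will be renamed" entry at its source (the agent's configured hostname, or the agentless server's resource), so that saved `tsh ssh` targets and SSH config entries keyed on the old name keep matching afterwards. Note that an IPv6 address in brackets fails the character rules, so an agentless server with such an address and an invalid hostname gets a random identifier rather than its address.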
`TELEPORT_ALLOW_NO_SECOND_FACTOR` removed
As of Teleport 16, multi-factor authentication is required for local users. To
assist with upgrades, Teleport 16 included a temporary opt-out mechanism via the
`TELEPORT_ALLOW_NO_SECOND_FACTOR` environment variable. This opt-out mechanism
has been removed.
TOTP for per-session MFA
Teleport 17 is the last release where `tsh` will allow for using TOTP with
per-session MFA. Starting with Teleport 18, `tsh` will require a strong WebAuthn
credential for per-session MFA.
TOTP will continue to be accepted for the initial login.
Teleport 17.0.0-rc.3
Warning
Pre-releases are not production ready, use at your own risk!
Download
Download the current and previous stable releases of Teleport at https://goteleport.com/download.
Teleport 17.0.0-beta.2
Warning
Pre-releases are not production ready, use at your own risk!
Download
Download the current and previous stable releases of Teleport at https://goteleport.com/download.
Teleport 16.4.7
Description
- Fixed bug in Kubernetes session recordings where both root and leaf cluster recorded the same Kubernetes session. Recordings of leaf resources are only available in leaf clusters. #48738
- Machine ID can now be forced to use the explicitly configured proxy address using the `TBOT_USE_PROXY_ADDR` environment variable. This should better support split proxy address operation. #48675
- Fixed undefined error in open source version when clicking on the `Add Application` tile in the Enroll Resources page in the Web UI. #48616
- Updated Go to 1.22.9. #48581
- The teleport-cluster Helm chart now uses the configured `serviceAccount.name` from chart values for its pre-deploy configuration check Jobs. #48579
- Fixed a bug that prevented the Teleport UI from properly displaying Plugin Audit log details. #48462
- Fixed an issue preventing migration of unmanaged users to Teleport host users when including `teleport-keep` in a role's `host_groups`. #48455
- Fixed showing the list of access requests in Teleport Connect when a leaf cluster is selected in the cluster selector. #48441
- Added Connect support for selecting Kubernetes namespaces during access requests. #48413
- Fixed a rare "internal error" on older U2F authenticators when using tsh. #48402
- Fixed `tsh play` not skipping idle time when `--skip-idle-time` was provided. #48397
- Added a warning to `tctl edit` about dynamic edits to statically configured resources. #48392
- Define a new `role.allow.request` field called `kubernetes_resources` that allows admins to define what kinds of Kubernetes resources a requester can request access to. #48387
- Fixed a Teleport Kubernetes Operator bug that happened for OIDCConnector resources with non-nil `max_age`. #48376
- Updated host user creation to prevent local password expiration policies from affecting Teleport managed users. #48163
- Added support for Entra ID directory synchronization for clusters without public internet access. #48089
- Fixed "Missing Region" error for teleport bootstrap commands. #47995
- Fixed a bug that prevented selecting security groups during the Aurora database enrollment wizard in the web UI. #47975
- During the Set Up Access step of the Enroll New Resource flows, Okta users will be asked to change the role instead of entering the principals and getting an error afterwards. #47957
- Fixed `teleport_connected_resource` metric overshooting after keepalive errors. #47949
- Fixed an issue preventing connections with users whose configured home directories were inaccessible. #47916
- Added a `resolve` command to tsh that may be used as the target for a Match exec condition in an SSH config. #47868
- Respect `HTTP_PROXY` environment variables for Access Request integrations. #47738
- Updated `tsh ssh` to support the `--` delimiter similar to openssh. It is now possible to execute a command via `tsh ssh user@host -- echo test` or `tsh ssh -- host uptime`. #47493
Enterprise:
- Jamf requests from Teleport set "teleport/$version" as the User-Agent.
- Add Web UI support for selecting Kubernetes namespaces during access requests.
- Import user roles and traits when using the EntraID directory sync.
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
Plugins
Download the current release of Teleport plugins from the links below.
- Slack Linux amd64 | Linux arm64
- Mattermost Linux amd64 | Linux arm64
- Discord Linux amd64 | Linux arm64
- Terraform Provider Linux amd64 | Linux arm64 | macOS amd64 | macOS arm64 | macOS universal
- Event Handler Linux amd64 | Linux arm64 | macOS amd64
- PagerDuty Linux amd64 | Linux arm64
- Jira Linux amd64 | Linux arm64
- Email Linux amd64 | Linux arm64
- Microsoft Teams Linux amd64 | Linux arm64
Teleport 15.4.22
Description
- Added a search input to the cluster dropdown in the Web UI when there are more than five clusters to show. #48800
- Fixed bug in Kubernetes session recordings where both root and leaf cluster recorded the same Kubernetes session. Recordings of leaf resources are only available in leaf clusters. #48739
- Machine ID can now be forced to use the explicitly configured proxy address using the `TBOT_USE_PROXY_ADDR` environment variable. This should better support split proxy address operation. #48677
- Fixed undefined error in open source version when clicking on the `Add Application` tile in the Enroll Resources page in the Web UI. #48617
- Updated Go to 1.22.9. #48582
- The teleport-cluster Helm chart now uses the configured `serviceAccount.name` from chart values for its pre-deploy configuration check Jobs. #48578
- Fixed a bug that prevented the Teleport UI from properly displaying Plugin Audit log details. #48463
- Fixed showing the list of access requests in Teleport Connect when a leaf cluster is selected in the cluster selector. #48442
- Fixed a rare "internal error" on older U2F authenticators when using tsh. #48403
- Fixed `tsh play` not skipping idle time when `--skip-idle-time` was provided. #48398
- Added a warning to `tctl edit` about dynamic edits to statically configured resources. #48393
- Fixed a Teleport Kubernetes Operator bug that happened for OIDCConnector resources with non-nil `max_age`. #48377
- Updated host user creation to prevent local password expiration policies from affecting Teleport managed users. #48162
- During the Set Up Access step of the Enroll New Resource flows, Okta users will be asked to change the role instead of entering the principals and getting an error afterwards. #47958
- Fixed `teleport_connected_resource` metric overshooting after keepalive errors. #47950
- Fixed an issue preventing connections with users whose configured home directories were inaccessible. #47917
- Added a `resolve` command to tsh that may be used as the target for a Match exec condition in an SSH config. #47867
- Postgres database session start events now include the Postgres backend PID for the session. #47644
- Updated `tsh ssh` to support the `--` delimiter similar to openssh. It is now possible to execute a command via `tsh ssh user@host -- echo test` or `tsh ssh -- host uptime`. #47494
Enterprise:
- Jamf requests from Teleport set "teleport/$version" as the User-Agent.
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
Plugins
Download the current release of Teleport plugins from the links below.
- Slack Linux amd64 | Linux arm64
- Mattermost Linux amd64 | Linux arm64
- Discord Linux amd64 | Linux arm64
- Terraform Provider Linux amd64 | Linux arm64 | macOS amd64 | macOS arm64 | macOS universal
- Event Handler Linux amd64 | Linux arm64 | macOS amd64
- PagerDuty Linux amd64 | Linux arm64
- Jira Linux amd64 | Linux arm64
- Email Linux amd64 | Linux arm64
- Microsoft Teams Linux amd64 | Linux arm64
Teleport 17.0.0-beta.1
Warning
Pre-releases are not production ready, use at your own risk!
Download
Download the current and previous stable releases of Teleport at https://goteleport.com/download.
Teleport 17.0.0-alpha.5
Warning
Pre-releases are not production ready, use at your own risk!
Download
Download the current and previous stable releases of Teleport at https://goteleport.com/download.
Teleport 17.0.0-alpha.4
Warning
Pre-releases are not production ready, use at your own risk!
Download
Download the current and previous stable releases of Teleport at https://goteleport.com/download.
Teleport 14.3.33
Description
- Fixed a bug in the External Audit Storage bootstrap script that broke S3 bucket creation. #48179
- During the Set Up Access of the Enroll New Resource flows, Okta users will be asked to change the role instead of entering the principals and getting an error afterwards. #47959
- Fixed `teleport_connected_resource` metric overshooting after keepalive errors. #47951
- Fixed an issue preventing connections with users whose configured home directories were inaccessible. #47918
- Auto-enroll may be locally disabled using the `TELEPORT_DEVICE_AUTO_ENROLL_DISABLED=1` environment variable. #47718
- Alter ServiceAccounts in the teleport-cluster Helm chart to automatically disable mounting of service account tokens on newer Kubernetes distributions, helping satisfy security linters. #47701
- Avoid tsh auto-enroll escalation in machines without a TPM. #47697
- Postgres database session start events now include the Postgres backend PID for the session. #47645
- Fixes a bug where Let's Encrypt certificate renewal failed in AMI and HA deployments due to insufficient disk space caused by syncing audit logs. #47623
- Adds support for custom SQS consumer lock name and disabling a consumer. #47612
- Include host name instead of host UUID in error messages when SSH connections are prevented due to an invalid login. #47603
- Allow using a custom database for Firestore backends. #47585
- Extended Teleport Discovery Service to support resource discovery across all projects accessible by the service account. #47566
- Fixed a bug that could allow users to list active sessions even when prohibited by RBAC. #47562
- The `tctl tokens ls` command redacts secret join tokens by default. To include the token values, provide the new `--with-secrets` flag. #47547
- Fixed an issue with the Microsoft license negotiation for RDP sessions. #47544
- Fixed a bug where tsh logout failed to parse flags passed with spaces. #47461
- Added kubeconfig context name to the output table of the `tsh proxy kube` command for enhanced clarity. #47381
- Improve error messaging when connections to offline agents are attempted. #47363
- Teleport Connect for Linux now requires glibc 2.31 or later. #47264
- Updates self-hosted db discover flow to generate 2190h TTL certs, not 12h. #47128
Enterprise:
- Device auto-enroll failures are now recorded in the audit log.
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
Plugins
Download the current release of Teleport plugins from the links below.
- Slack Linux amd64 | Linux arm64
- Mattermost Linux amd64 | Linux arm64
- Discord Linux amd64 | Linux arm64
- Terraform Provider Linux amd64 | Linux arm64 | macOS amd64 | macOS arm64 | macOS universal
- Event Handler Linux amd64 | Linux arm64 | macOS amd64
- PagerDuty Linux amd64 | Linux arm64
- Jira Linux amd64 | Linux arm64
- Email Linux amd64 | Linux arm64
- Microsoft Teams Linux amd64 | Linux arm64