Releases: gravitational/teleport
Teleport 17.0.3
Description
- Restore ability to disable multi-factor authentication for local users. #49692
- Bumping one of our dependencies to a more secure version to address CVE-2024-53259. #49662
- Add ability to configure resource labels in `teleport-cluster`'s operator sub-chart. #49647
- Fixed proxy peering listener not using the exact address specified in `peer_listen_addr`. #49589
- Teleport Connect now shows whether it is being used on a trusted device or if enrollment is required for full access. #49577
- Kubernetes in-cluster joining now also accepts tokens whose audience is the Teleport cluster name (before it only allowed the default Kubernetes audience). Kubernetes JWKS joining is unchanged and still requires tokens with the cluster name in the audience. #49556
- Session recording playback in the web UI is now searchable. #49506
- Fixed an incorrect warning indicating that tsh v17.0.2 was incompatible with cluster v17.0.1, despite full compatibility. #49491
- Increase CockroachDB setup timeout from 5 to 30 seconds. This mitigates the Auth Service not being able to configure TTL on slow CockroachDB event backends. #49469
- Fixed a potential panic in login rule and SAML IdP expression parser. #49429
- Support long-running kube exec/port-forward sessions and respect the `client_idle_timeout` config. #49421
- Fixed a permissions error with Postgres database user auto-provisioning that occurs when the database admin is not a superuser and the database is upgraded to Postgres v16 or higher. #49390
Enterprise:
- Jamf Service sync audit events are attributed to "Jamf Service".
- Users can now see a list of their enrolled devices on their Account page.
- Add support for Entra ID groups being members of other groups using Nested Access Lists.
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
Plugins
Download the current release of Teleport plugins from the links below.
- Slack Linux amd64 | Linux arm64
- Mattermost Linux amd64 | Linux arm64
- Discord Linux amd64 | Linux arm64
- Terraform Provider Linux amd64 | Linux arm64 | macOS amd64 | macOS arm64 | macOS universal
- Event Handler Linux amd64 | Linux arm64 | macOS amd64
- PagerDuty Linux amd64 | Linux arm64
- Jira Linux amd64 | Linux arm64
- Email Linux amd64 | Linux arm64
- Microsoft Teams Linux amd64 | Linux arm64
Teleport 16.4.9
Description
- Add ability to configure resource labels in `teleport-cluster`'s operator sub-chart. #49648
- Fixed proxy peering listener not using the exact address specified in `peer_listen_addr`. #49590
- Teleport Connect now shows whether it is being used on a trusted device or if enrollment is required for full access. #49578
- Kubernetes in-cluster joining now also accepts tokens whose audience is the Teleport cluster name (before it only allowed the default Kubernetes audience). Kubernetes JWKS joining is unchanged and still requires tokens with the cluster name in the audience. #49557
- Restore interactive PAM authentication functionality when use_pam_auth is applied. #49519
- Session recording playback in the web UI is now searchable. #49507
- Increase CockroachDB setup timeout from 5 to 30 seconds. This mitigates the Auth Service not being able to configure TTL on slow CockroachDB event backends. #49470
- Fixed a potential panic in login rule and SAML IdP expression parser. #49431
- Support long-running kube exec/port-forward sessions and respect the `client_idle_timeout` config. #49423
- Fixed a permissions error with Postgres database user auto-provisioning that occurs when the database admin is not a superuser and the database is upgraded to Postgres v16 or higher. #49389
- Teleport Connect now refreshes the resources view after dropping an Access Request. #49348
- Fixed missing user participants in session recordings listing for non-interactive Kubernetes recordings. #49344
- Support delegated joining for Bitbucket Pipelines in Machine ID. #49337
- Fix a bug in the Teleport Operator chart that causes the operator to not be able to watch secrets during secret injection. #49326
- You can now search text within SSH sessions in the Web UI and Teleport Connect. #49270
- Fixed an issue where `teleport park` processes could be leaked causing runaway resource usage. #49261
- Update tsh scp to respect proxy templates when resolving the remote host. #49227
- The `tsh puttyconfig` command now disables GSSAPI auth settings to avoid a "Not Responding" condition in PuTTY. #49190
- Resolved an issue that caused false positive errors incorrectly indicating that the YubiKey was in use by another application, while only tsh was accessing it. #47952
Enterprise:
- Jamf Service sync audit events are attributed to "Jamf Service".
- Fixed a bug where Access Lists imported from Microsoft Entra ID fail to be created if their display names include special characters.
Teleport 14.3.34
Description
- Fixed a bug in the `teleport-cluster` Helm chart that can cause token mount to fail when using ArgoCD. #49071
- Allow overriding Teleport license secret name when using `teleport-cluster` Helm chart. #48981
- Fixed a bug in Kubernetes session recordings where both root and leaf cluster recorded the same Kubernetes session. Recordings of leaf resources are only available in leaf clusters. #48740
- Updated Go to 1.22.9. #48583
- The teleport-cluster Helm chart now uses the configured `serviceAccount.name` from chart values for its pre-deploy configuration check Jobs. #48577
- Fixed a Teleport Kubernetes Operator bug that happened for OIDCConnector resources with non-nil `max_age`. #48378
- Updated host user creation to prevent local password expiration policies from affecting Teleport managed users. #48161
- Resolved an issue that caused false positive errors incorrectly indicating that the YubiKey was in use by another application, while only tsh was accessing it. #47954
- Updated `tsh ssh` to support the `--` delimiter, similar to OpenSSH. It is now possible to execute a command via `tsh ssh user@host -- echo test` or `tsh ssh -- host uptime`. #47495
Teleport 17.0.2
Description
- Fixed missing user participants in session recordings listing for non-interactive Kubernetes recordings. #49343
- Support delegated joining for Bitbucket Pipelines in Machine ID. #49335
- Fix a bug in the Teleport Operator chart that causes the operator to not be able to watch secrets during secret injection. #49327
- You can now search text within SSH sessions in the Web UI and Teleport Connect. #49269
- Teleport Connect now refreshes the resources view after dropping an access request. #49264
- Fixed an issue where `teleport park` processes could be leaked causing runaway resource usage. #49260
- Fixed VNet not being able to connect to the daemon. #49199
- The `tsh puttyconfig` command now disables GSSAPI auth settings to avoid a "Not Responding" condition in PuTTY. #49189
- Allow Azure VMs to join from a different subscription than their managed identity. #49156
- Fix an issue loading the license file when Teleport is started without a configuration file. #49150
- Added support for directly configuring JWKS for GitHub joining for circumstances where the GHES is not reachable by the Teleport Auth Service. #49049
- Fixed a bug where Access Lists imported from Microsoft Entra ID fail to be created if their display names include special characters. #5551
Teleport 16.4.8
- Allow Azure VMs to join from a different subscription than their managed identity. #49157
- Fix an issue loading the license file when Teleport is started without a configuration file. #49149
- Fixed a bug in the `teleport-cluster` Helm chart that can cause token mount to fail when using ArgoCD. #49069
- Fixed app access regression to apps on leaf clusters. #49056
- Added support for directly configuring JWKS for GitHub joining for circumstances where the GHES is not reachable by the Teleport Auth Service. #49052
- Fixed an issue resulting in excess CPU usage and connection resets when `teleport-event-handler` is under moderate to high load. #49036
- Fixed OpenSSH remote port forwarding not working for localhost. #49020
- Fixed `tsh app login` prompting for user login when multiple AWS roles are present. #48997
- Fixed incorrect cluster name when querying for Kubernetes namespaces on a leaf cluster for Connect UI. #48990
- Allow overriding the Teleport license secret name when using the `teleport-cluster` Helm chart. #48979
- Added periodic health checks between proxies in proxy peering. #48929
- Fixed users not being able to connect to SQL server instances with PKINIT integration when the cluster is configured with different CAs for database access. #48924
- Fix a bug in the Teleport Operator chart that causes the operator to not be able to list secrets during secret injection. #48901
- The access graph poll interval is now configurable with the `discovery_service.poll_interval` field, whereas before it was fixed to a 15 minute interval. #48861
- The web terminal now supports SIXEL and IIP image protocols. #48842
- Ensure that agentless server information is provided in all audit events. #48833
- Fixed missing access request metadata in `app.session.start` audit events. #48804
- Fixed `missing GetDatabaseFunc` error when `tsh` connects to MongoDB databases in a cluster with a separate MongoDB port. #48129
- Ensure that Teleport can re-establish broken LDAP connections. #48008
- Improved handling of scoped token when setting up Okta integration. #5503
- Fixed access request deletion reconciliation race condition in Okta integration HA setup. #5385
- Extend support for `group` claim setting in Entra ID integration. #5493
Teleport 17
Teleport 17 brings the following new features and improvements:
- Refreshed web UI
- Modern signature algorithms
- (Preview) AWS IAM Identity Center integration
- Hardware key support for Teleport Connect
- Nested access lists
- Access lists UI/UX improvements
- Signed and notarized macOS assets
- Datadog Incident Management plugin for access requests
- Hosted Microsoft Teams plugin for access requests
- Dynamic registration for Windows desktops
- Support for images in web SSH sessions
- `tbot` CLI updates
Description
Refreshed Web UI
We have updated and improved designs and added a new navigation menu to Teleport
17’s web UI to enhance its usability and scalability.
Modern signature algorithms
Teleport 17 admins have the option to use elliptic curve cryptography for the
majority of user, host, and certificate authority key material.
This includes Ed25519 SSH keys and ECDSA TLS keys, replacing the RSA keys used
today.
New clusters will leverage modern signature algorithms by default. Existing
Teleport clusters will continue to use RSA2048 until a CA rotation is performed.
(Preview) AWS IAM Identity Center integration
Teleport 17 integrates with AWS IAM Identity Center to allow users to sync and
manage AWS IC group members via Access Lists.
See documentation guide.
Hardware key support for Teleport Connect
We have extended Teleport 17’s support for hardware-backed private keys to
Teleport Connect.
Nested access lists
Teleport 17 admins and access list owners can add access lists as members in
other access lists.
See details in the documentation.
Access lists UI/UX improvements
Teleport 17's web UI has an updated access lists page that includes a new
table view and improved search and filtering capabilities.
Signed and notarized macOS assets
Starting from Teleport 17, the macOS `teleport.pkg` installer includes signed and
notarized `tsh.app` and `tctl.app`, so downloading a separate `tsh.pkg` to use
Touch ID is no longer necessary.
In addition, Teleport 17 event handler and Terraform provider for macOS are also
signed and notarized.
Datadog Incident Management plugin for access requests
Teleport 17 supports PagerDuty-like integration with Datadog's on-call and
incident management APIs for access request notifications.
See the configuration guide.
Hosted Microsoft Teams plugin for access requests
Teleport 17 adds support for Microsoft Teams integration for access request
notifications using Teleport web UI without needing to self-host the plugin.
Dynamic registration for Windows desktops
Dynamic registration allows Teleport administrators to register new Windows
desktops without having to update the static configuration files read by
Teleport Windows Desktop Service instances.
Support for images in web SSH sessions
The SSH console in Teleport’s web UI includes support for rendering images via
both the SIXEL and iTerm Inline Image Protocol (IIP).
tbot CLI updates
The `tbot` client now supports starting most outputs and services directly from
the command line with no need for a configuration file using the new
`tbot start <mode>` family of commands. If desired, a given command can be
converted to a YAML configuration file with `tbot configure <mode>`.
Additionally, `tctl` now supports inspection and management of bot instances using
the `tctl bots instances` family of commands. This allows onboarding of new
instances for existing bots with `tctl bots instances add`, and inspection of
existing instances with `tctl bots instances list`.
Breaking changes and deprecations
macOS assets
Starting with version 17, Teleport no longer provides a separate `tsh.pkg` macOS
package. Instead, `teleport.pkg` and all macOS tarballs include signed and
notarized `tsh.app` and `tctl.app`.
Enforced stricter requirements for SSH hostnames
Hostnames are only allowed if they are less than 257 characters and consist of
only alphanumeric characters and the symbols `.` and `-`.
Any hostname that violates the new restrictions will be changed; the original
hostname will be moved to the `teleport.internal/invalid-hostname` label for
discoverability.
For Teleport agents, an invalid hostname will be replaced with the host UUID.
For agentless OpenSSH servers, an invalid hostname will be replaced with the host
portion of the server address, if that is valid, or a randomly generated identifier.
Any hosts with invalid hostnames should be updated to comply with the new
requirements to avoid Teleport renaming them.
`TELEPORT_ALLOW_NO_SECOND_FACTOR` removed
As of Teleport 16, multi-factor authentication is required for local users. To
assist with upgrades, Teleport 16 included a temporary opt-out mechanism via the
`TELEPORT_ALLOW_NO_SECOND_FACTOR` environment variable. This opt-out mechanism
has been removed.
TOTP for per-session MFA
Teleport 17 is the last release where `tsh` will allow using TOTP with
per-session MFA. Starting with Teleport 18, `tsh` will require a strong WebAuthn
credential for per-session MFA.
TOTP will continue to be accepted for the initial login.
Teleport 17.0.0-rc.3
Warning
Pre-releases are not production ready, use at your own risk!
Download
Download the current and previous stable releases of Teleport at https://goteleport.com/download.
Teleport 17.0.0-beta.2
Warning
Pre-releases are not production ready, use at your own risk!
Download
Download the current and previous stable releases of Teleport at https://goteleport.com/download.
Teleport 16.4.7
Description
- Fixed a bug in Kubernetes session recordings where both root and leaf cluster recorded the same Kubernetes session. Recordings of leaf resources are only available in leaf clusters. #48738
- Machine ID can now be forced to use the explicitly configured proxy address using the `TBOT_USE_PROXY_ADDR` environment variable. This should better support split proxy address operation. #48675
- Fixed undefined error in open source version when clicking on `Add Application` tile in the Enroll Resources page in the Web UI. #48616
- Updated Go to 1.22.9. #48581
- The teleport-cluster Helm chart now uses the configured `serviceAccount.name` from chart values for its pre-deploy configuration check Jobs. #48579
- Fixed a bug that prevented the Teleport UI from properly displaying Plugin Audit log details. #48462
- Fixed an issue preventing migration of unmanaged users to Teleport host users when including `teleport-keep` in a role's `host_groups`. #48455
- Fixed showing the list of access requests in Teleport Connect when a leaf cluster is selected in the cluster selector. #48441
- Added Connect support for selecting Kubernetes namespaces during access requests. #48413
- Fixed a rare "internal error" on older U2F authenticators when using tsh. #48402
- Fixed `tsh play` not skipping idle time when `--skip-idle-time` was provided. #48397
- Added a warning to `tctl edit` about dynamic edits to statically configured resources. #48392
- Define a new `role.allow.request` field called `kubernetes_resources` that allows admins to define what kinds of Kubernetes resources a requester can request. #48387
- Fixed a Teleport Kubernetes Operator bug that happened for OIDCConnector resources with non-nil `max_age`. #48376
- Updated host user creation to prevent local password expiration policies from affecting Teleport managed users. #48163
- Added support for Entra ID directory synchronization for clusters without public internet access. #48089
- Fixed "Missing Region" error for teleport bootstrap commands. #47995
- Fixed a bug that prevented selecting security groups during the Aurora database enrollment wizard in the web UI. #47975
- During the Set Up Access of the Enroll New Resource flows, Okta users will be asked to change the role instead of entering the principals and getting an error afterwards. #47957
- Fixed `teleport_connected_resource` metric overshooting after keepalive errors. #47949
- Fixed an issue preventing connections with users whose configured home directories were inaccessible. #47916
- Added a `resolve` command to tsh that may be used as the target for a Match exec condition in an SSH config. #47868
- Respect `HTTP_PROXY` environment variables for Access Request integrations. #47738
- Updated tsh ssh to support the `--` delimiter, similar to OpenSSH. It is now possible to execute a command via `tsh ssh user@host -- echo test` or `tsh ssh -- host uptime`. #47493
Enterprise:
- Jamf requests from Teleport set "teleport/$version" as the User-Agent.
- Add Web UI support for selecting Kubernetes namespaces during access requests.
- Import user roles and traits when using the EntraID directory sync.
Teleport 15.4.22
Description
- Added a search input to the cluster dropdown in the Web UI when there's more than five clusters to show. #48800
- Fixed a bug in Kubernetes session recordings where both root and leaf cluster recorded the same Kubernetes session. Recordings of leaf resources are only available in leaf clusters. #48739
- Machine ID can now be forced to use the explicitly configured proxy address using the `TBOT_USE_PROXY_ADDR` environment variable. This should better support split proxy address operation. #48677
- Fixed undefined error in open source version when clicking on `Add Application` tile in the Enroll Resources page in the Web UI. #48617
- Updated Go to 1.22.9. #48582
- The teleport-cluster Helm chart now uses the configured `serviceAccount.name` from chart values for its pre-deploy configuration check Jobs. #48578
- Fixed a bug that prevented the Teleport UI from properly displaying Plugin Audit log details. #48463
- Fixed showing the list of access requests in Teleport Connect when a leaf cluster is selected in the cluster selector. #48442
- Fixed a rare "internal error" on older U2F authenticators when using tsh. #48403
- Fixed `tsh play` not skipping idle time when `--skip-idle-time` was provided. #48398
- Added a warning to `tctl edit` about dynamic edits to statically configured resources. #48393
- Fixed a Teleport Kubernetes Operator bug that happened for OIDCConnector resources with non-nil `max_age`. #48377
- Updated host user creation to prevent local password expiration policies from affecting Teleport managed users. #48162
- During the Set Up Access of the Enroll New Resource flows, Okta users will be asked to change the role instead of entering the principals and getting an error afterwards. #47958
- Fixed `teleport_connected_resource` metric overshooting after keepalive errors. #47950
- Fixed an issue preventing connections with users whose configured home directories were inaccessible. #47917
- Added a `resolve` command to tsh that may be used as the target for a Match exec condition in an SSH config. #47867
- Postgres database session start events now include the Postgres backend PID for the session. #47644
- Updated `tsh ssh` to support the `--` delimiter, similar to OpenSSH. It is now possible to execute a command via `tsh ssh user@host -- echo test` or `tsh ssh -- host uptime`. #47494
Enterprise:
- Jamf requests from Teleport set "teleport/$version" as the User-Agent.