Skip to content

Teleport 17

Compare
Choose a tag to compare
@r0mant r0mant released this 16 Nov 16:11
· 553 commits to master since this release
dc58371

Teleport 17 brings the following new features and improvements:

  • Refreshed web UI
  • Modern signature algorithms
  • (Preview) AWS IAM Identity Center integration
  • Hardware key support for Teleport Connect
  • Nested access lists
  • Access lists UI/UX improvements
  • Signed and notarized macOS assets
  • Datadog Incident Management plugin for access requests
  • Hosted Microsoft Teams plugin for access requests
  • Dynamic registration for Windows desktops
  • Support for images in web SSH sessions
  • tbot CLI updates

Description

Refreshed Web UI

We have updated and improved designs and added a new navigation menu to Teleport
17’s web UI to enhance its usability and scalability.

Modern signature algorithms

Teleport 17 admins have the option to use elliptic curve cryptography for the
majority of user, host, and certificate authority key material.

This includes Ed25519 SSH keys and ECDSA TLS keys, replacing the RSA keys used
today.

New clusters will leverage modern signature algorithms by default. Existing
Teleport clusters will continue to use RSA2048 until a CA rotation is performed.

(Preview) AWS IAM Identity Center integration

Teleport 17 integrates with AWS IAM Identity Center to allow users to sync and
manage AWS IC group members via Access Lists.

See documentation guide.

Hardware key support for Teleport Connect

We have extended Teleport 17’s support for hardware-backed private keys to
Teleport Connect.

Nested access lists

Teleport 17 admins and access list owners can add access lists as members in
other access lists.

See details in the documentation.

Access lists UI/UX improvements

Teleport 17 web UI has an updated access lists page that will include the new
table view, improved search and filtering capabilities.

Signed and notarized macOS assets

Starting from Teleport 17 macOS teleport.pkg installer includes signed and
notarized tsh.app and tctl.app so downloading a separate tsh.pkg to use
Touch ID is no longer necessary.

In addition, Teleport 17 event handler and Terraform provider for macOS are also
signed and notarized.

Datadog Incident Management plugin for access requests

Teleport 17 supports PagerDuty-like integration with Datadog's on-call
and incident management
APIs for access request notifications.

See the configuration guide.

Hosted Microsoft Teams plugin for access requests

Teleport 17 adds support for Microsoft Teams integration for access request
notifications using Teleport web UI without needing to self-host the plugin.

Dynamic registration for Windows desktops

Dynamic registration allows Teleport administrators to register new Windows
desktops without having to update the static configuration files read by
Teleport Windows Desktop Service instances.

Support for images in web SSH sessions

The SSH console in Teleport’s web UI includes support for rendering images via
both the SIXEL and iTerm Inline Image Protocol (IIP).

tbot CLI updates

The tbot client now supports starting most outputs and services directly from
the command line with no need for a configuration file using the new
tbot start <mode> family of commands. If desired, a given command can be
converted to a YAML configuration file with tbot configure <mode>.

Additionally, tctl now supports inspection and management of bot instances using
the tctl bots instances family of commands. This allows onboarding of new
instances for existing bots with tctl bots instances add, and inspection of
existing instances with tctl bots instances list.

Breaking changes and deprecations

macOS assets

Starting with version 17, Teleport no longer provides a separate tsh.pkg macOS
package.

Instead, teleport.pkg and all macOS tarballs include signed and notarized
tsh.app and tctl.app.

Enforced stricter requirements for SSH hostnames

Hostnames are only allowed if they are less than 257 characters and consist of
only alphanumeric characters and the symbols . and -.

Any hostname that violates the new restrictions will be changed, the original
hostname will be moved to the teleport.internal/invalid-hostname label for
discoverability.

Any Teleport agents with an invalid hostname will be replaced with the host UUID.
Any Agentless OpenSSH Servers with an invalid hostname will be replaced with
the host of the address, if it is valid, or a randomly generated identifier.
Any hosts with invalid hostnames should be updated to comply with the new
requirements to avoid Teleport renaming them.

TELEPORT_ALLOW_NO_SECOND_FACTOR removed

As of Teleport 16, multi-factor authentication is required for local users. To
assist with upgrades, Teleport 16 included a temporary opt-out mechanism via the
TELEPORT_ALLOW_NO_SECOND_FACTOR environment variable. This opt-out mechanism
has been removed.

TOTP for per-session MFA

Teleport 17 is the last release where tsh will allow for using TOTP with
per-session MFA. Starting with Teleport 18, tsh will require a strong webauthn
credential for per-session MFA.

TOTP will continue to be accepted for the initial login.