Teleport 16.0.0

Description

Teleport 16 brings the following new features and improvements:

• Teleport VNet
• Device Trust for the Web UI
• Increased support for per-session MFA
• Web UI notification system
• Access requests from the resources view
• tctl for Windows
• Teleport plugins improvements

Description

Teleport VNet

Teleport 16 introduces Teleport VNet, a new feature that provides a virtual IP subnet and DNS server which automatically proxies TCP connections to Teleport apps over mutually authenticated tunnels.

This allows scripts and software applications to connect to any Teleport-protected application as if they were connected to a VPN, without the need to manage local tunnels.

Teleport VNet is powered by the Teleport Connect client and is available for macOS. Support for other operating systems will come in a future release.

Device Trust for the Web UI

Teleport Device Trust can now be enforced for browser-based workflows like remote desktop and web application access. The Teleport Connect client must be installed in order to satisfy device locality checks.

Increased support for per-session MFA

Teleport 16 now supports per-session MFA checks when accessing both web and TCP applications via all supported clients (Web UI, tsh, and Teleport Connect).

Additionally, Teleport Connect now includes support for per-session MFA when accessing database resources.

Web UI notification system

Teleport’s Web UI includes a new notifications system that notifies users of items requiring attention (for example, access requests needing review).

Access requests from the resources view

The resources view in the web UI now shows both resources you currently have access to and resources you can request access to. This allows users to request access to resources without navigating to a separate page.

Cluster administrators who prefer the previous behavior of hiding requestable resources from the main view can set show_resources: accessible_only in their UI config:

For dynamic configuration, run tctl edit ui_config:

kind: ui_config
version: v1
metadata:
  name: ui-config
spec:
  show_resources: accessible_only

Alternatively, self-hosted Teleport users can update the ui section of their proxy configuration:

proxy_service:
  enabled: yes
  ui:
    show_resources: accessible_only

tctl for Windows

Teleport 16 includes Windows builds of the tctl administrative tool, allowing Windows users to administer their cluster without the need for a macOS or Linux workstation.

Additionally, there are no longer enterprise-specific versions of tctl. All Teleport clients (tsh, tctl, and Teleport Connect) are available in a single distribution that works on both Enterprise and Community Edition clusters.

Teleport plugins improvements

Teleport 16 includes major improvements to the plugins. All plugins now have:

• amd64 and arm64 binaries available
• amd64 and arm64 multi-arch images
• Major and minor version rolling tags (ie
  public.ecr.aws/gravitational/teleport-plugin-email:16)
• Image signatures for all images
• Additional debug images with all of the above features

In addition, we now support plugins for each supported major version, starting with v15. This means that if we fix a bug or security issue in a v16 plugin version, we will also apply and release the change for the v15 plugin version.

Other

The Jamf plugin now authenticates with Jamf API credentials instead of username and password.

🚨 Breaking changes and deprecations 🚨

Community Edition license

Starting with this release, Teleport Community Edition restricts commercial usage.

https://goteleport.com/blog/teleport-community-license/

License file validation on startup

Teleport 16 introduces license file validation on startup. This only applies to customers running Teleport Enterprise Self-Hosted. No action is required for customers running Teleport Enterprise Cloud or Teleport Community Edition.

If, after updating to Teleport 16, you receive an error message regarding an outdated license file, follow our step-by-step guide to update your license file.

Multi-factor authentication is now required for local users

Support for disabling second factor authentication has been removed. Teleport will refuse to start until the second_factor setting is set to on, webauthn or otp.

This change only affects self-hosted Teleport users, as Teleport Cloud has always required second factor authentication.

⚠️ Important: To avoid locking users out, we recommend the following steps:

1. Ensure that all cluster administrators have second factor devices registered in Teleport so that they will be able to reset any other users.
2. Announce to the user base that all users must register an MFA device. Consider creating a cluster alert with tctl alerts create to help spread the word.
3. While you are still on Teleport 15, set second_factor: on. This will help identify any users who have not registered MFA devices and allow you to quickly revert to second_factor: optional if necessary.
4. Upgrade to Teleport 16.

Any users who do not register MFA devices prior to the Teleport 16 upgrade will be unable to log in and must be reset by an administrator (tctl users reset).

Incompatible clients are rejected

In accordance with our component compatibility
guidelines, Teleport 16 will start rejecting connections from clients and agents running incompatible (ie too old) versions.

If Teleport detects connection attempts from outdated clients, it will show an alert to cluster administrators in both the web UI and tsh.

To disable this behavior and run in an unsupported configuration that allows incompatible agents to connect to your cluster, start your auth server with the TELEPORT_UNSTABLE_ALLOW_OLD_CLIENTS=yes environment variable.

Opsgenie plugin annotations

Prior to Teleport 16, when using an Opsgenie plugin, the teleport.dev/schedules role annotation was used to specify both schedules for access request notifications as well as schedules to check for the request auto-approval.

Starting with Teleport 16, the annotations were split to provide behavior consistent with other access request plugins: a role must now contain the teleport.dev/notify-services to receive notifications on Opsgenie and the teleport.dev/schedules to check for auto-approval.

Detailed setup instructions are available in the documentation.

New required permissions for DynamoDB

Teleport clusters using the DynamoDB backend on AWS now require the dynamodb:ConditionCheckItem permissions. For a full list of required permissions, see the IAM policy example.

Updated keyboard shortcuts in Teleport connect

On Windows and Linux, some of Teleport Connect’s keyboard shortcuts conflicted with the default bash or nano shortcuts (Ctrl+E, Ctrl+K, etc). On those platforms, the default shortcuts have been changed to a combination of Ctrl+Shift+*.

On macOS, the default shortcut to open a new terminal has been changed to Ctrl+Shift+`.

See the configuration guide for a list of updated keyboard shortcuts.

Machine ID and OpenSSH client config changes

Users with custom ssh_config should modify their ProxyCommand to use the new, more performant tbot ssh-proxy command. See the v16 upgrade guide for more details.

Removal of Active Directory configuration flow

The Active Directory installation and configuration wizard has been removed. Users who don’t already have Active Directory should leverage Teleport’s local user support, and users with existing Active Directory environments should follow the manual setup guide.

Teleport Assist is removed

All Teleport Assist functionality and OpenAI integration has been removed from Teleport. auth_service.assist and proxy_service.assistoptions have been removed from the configuration. Teleport will not start if these options are present.

During the migration from v15 to v16, the options mentioned above should be removed from the configuration.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

• Slack (Linux amd64)
• Mattermost (Linux amd64)
• Discord (Linux amd64)
• Terraform Provider (Linux amd64 | Linux arm64 | macOS amd64 | macOS arm64 | macOS universal)
• Event Handler ([Linux amd64]...

Teleport 15.4.4

Description

• Improve search and predicate/label based dialing performance in large clusters under very high load. #42941
• Fix an issue Oracle access failed through trusted cluster. #42928
• Fix errors caused by dynamoevents query StartKey not being within the [From, To] window. #42915
• Fix Jira Issue creation when Summary exceeds the max allowed size. #42862
• Fix editing reviewers from being ignored/overwritten when creating an access request from the web UI. #4397

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

• Slack (Linux amd64)
• Mattermost (Linux amd64)
• Discord (Linux amd64)
• Terraform Provider (Linux amd64 | Linux arm64 | macOS amd64 | macOS arm64 | macOS universal)
• Event Handler (Linux amd64 | macOS amd64)
• PagerDuty (Linux amd64)
• Jira (Linux amd64)
• Email (Linux amd64)
• Microsoft Teams (Linux amd64)

Teleport 15.4.3

Description

Note: This release includes a new binary, fdpass-teleport, that can be optionally used by Machine ID to significantly reduce resource consumption in use-cases that create large numbers of SSH connections (e.g. Ansible). Refer to the documentation for more details.

• Update azidentity to v1.6.0 (patches CVE-2024-35255). #42859
• Remote rate limits on endpoints used extensively to connect to the cluster. #42835
• Machine ID SSH multiplexer now only writes artifacts if they have not changed, resolving a potential race condition with the OpenSSH client. #42830
• Use more efficient API when querying SSH nodes to resolve Proxy Templates in tbot. #42829
• Improve the performance of the Athena audit log and S3 session storage backends. #42795
• Prevent a panic in the Proxy when accessing an offline application. #42786
• Improve backoff of session recording uploads by teleport agents. #42776
• Introduce the new Machine ID ssh-multiplexer service for significant improvements in SSH performance. #42761
• Reduce backend writes incurred by tracking status of non-recorded sessions. #42694
• Fix not being able to logout from the web UI when session invalidation errors. #42648
• Fix access list listing not updating when creating or deleting an access list in the web UI. #4383
• Fix crashes related to importing GCP labels. #42871

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

• Slack (Linux amd64)
• Mattermost (Linux amd64)
• Discord (Linux amd64)
• Terraform Provider (Linux amd64 | Linux arm64 | macOS amd64 | macOS arm64 | macOS universal)
• Event Handler (Linux amd64 | macOS amd64)
• PagerDuty (Linux amd64)
• Jira (Linux amd64)
• Email (Linux amd64)
• Microsoft Teams (Linux amd64)

Teleport 16.0.0-rc.1

Warning

Pre-releases are not production ready, use at your own risk!

Teleport 15.4.2

Description

• Fixed a Desktop Access resize bug which occurs when window was resized during MFA. #42705
• Fixed listing available db users in Teleport Connect for databases from leaf clusters obtained through access requests. #42679
• Fixed file upload/download for Teleport-created users in insecure-drop mode. #42660
• Updated OpenSSL to 3.0.14. #42642
• Fixed fetching resources with tons of metadata (such as labels or description) in Teleport Connect. #42627
• Added support for Microsoft Entra ID directory synchronization (Teleport Enterprise only, preview). #42555
• Added experimental support for storing audit events in cockroach. #42549
• Teleport Connect binaries for Windows are now signed. #42472
• Updated Go to 1.21.11. #42404
• Added GCP Cloud SQL for PostgreSQL backend support. #42399
• Added Prometheus metrics for the Postgres event backend. #42384
• Fixed the event-handler Helm chart causing stuck rollouts when using a PVC. #42363
• Fixed web UI notification dropdown menu height from growing too long from many notifications. #42336
• Disabled session recordings for non-interactive sessions when enhanced recording is disabled. There is no loss of auditing or impact on data fidelity because these recordings only contained session.start, session.end, and session.leave events which were already captured in the audit log. This will cause all teleport components to consume less resources and reduce storage costs. #42320
• Fixed an issue where removing an app could make teleport app agents incorrectly report as unhealthy for a short time. #42270
• Fixed a panic in the DynamoDB audit log backend when the cursor fell outside of the [From,To] interval. #42267
• The teleport configure command now supports a --node-name flag for overriding the node's hostname. #42250
• Added support plugin resource in tctl tool. #42224

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

• Slack (Linux amd64)
• Mattermost (Linux amd64)
• Discord (Linux amd64)
• Terraform Provider (Linux amd64 | Linux arm64 | macOS amd64 | macOS arm64 | macOS universal)
• Event Handler (Linux amd64 | macOS amd64)
• PagerDuty (Linux amd64)
• Jira (Linux amd64)
• Email (Linux amd64)
• Microsoft Teams (Linux amd64)

Teleport 15.4.0

Description

Access requests notification routing rules

Hosted Slack plugin users can now configure notification routing rules for role-based access requests.

Database access for Spanner

Database access users can now connect to GCP Spanner.

Unix Workload Attestation

Teleport Workload ID now supports basic workload attestation on Unix systems, allowing cluster administrators to restrict the issuance of SVIDs to specific workloads based on UID/PID/GID.

Other improvements and fixes

• Fixed an issue where mix-and-match of join tokens could interfere with some services appearing correctly in heartbeats. #42189
• Added an alternate EC2 auto discover flow using AWS Systems Manager as a more scalable method than EICE in the "Enroll New Resource" view in the web UI. #42205
• Fixed kubectl exec functionality when Teleport is running behind L7 load balancer. #42192
• Fixed the plugins AMR cache to be updated when Access requests are removed from the subject of an existing rule. #42186
• Improved temporary disk space usage for session recording processing. #42174
• Fixed a regression where Kubernetes Exec audit events were not properly populated and lacked error details. #42145
• Fixed Azure join method when using Resource Groups in the allow section. #42141
• Added new teleport debug set-log-level / profile commands changing instance log level without a restart and collecting pprof profiles. #42122
• Added ability to manage access monitoring rules via tctl. #42092
• Added access monitoring rule routing for slack access plugin. #42087
• Extended Discovery Service to self-bootstrap necessary permissions for Kubernetes Service to interact with the Kubernetes API on behalf of users. #42075
• Fixed resource leak in session recording cleanup. #42066
• Reduced memory and CPU usage after control plane restarts in clusters with a high number of roles. #42062
• Added an option to send a Ctrl+Alt+Del sequence to remote desktops. #41720
• Added support for GCP Spanner to Teleport Database Service. #41349

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Teleport 16.0.0-alpha.3

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous stable releases of Teleport at https://goteleport.com/download.

Teleport 13.4.26

Description

This release contains fixes for several high-severity security issues, as well as numerous other bug fixes and improvements.

Security Fixes

[High] Unrestricted redirect in SSO Authentication

Teleport didn’t sufficiently validate the client redirect URL. This could allow an attacker to trick Teleport users into performing an SSO authentication and redirect to an attacker-controlled URL allowing them to steal the credentials. #41836.

Warning: Teleport will now disallow non-localhost callback URLs for SSO logins unless otherwise configured. Users of the tsh login --callback feature should modify their auth connector configuration as follows:

version: vX
kind: (saml|oidc|github)
metadata:
  name: ...
spec:
  ...
  client_redirect_settings:
    allowed_https_hostnames:
      - '*.app.github.dev'
      - '^\d+-[a-zA-Z0-9]+\.foo.internal$'

The allowed_https_hostnames field is an array containing allowed hostnames, supporting glob matching and, if the string begins and ends with ^ and $ respectively, full regular expression syntax. Custom callback URLs are required to be HTTPS on the standard port (443).

[High] CockroachDB authorization bypass

When connecting to CockroachDB using Database Access, Teleport did not properly consider the username case when running RBAC checks. As such, it was possible to establish a connection using an explicitly denied username when using a different case. #41825.

[High] Long-lived connection persistence issue with expired certificates

Teleport did not terminate some long-running mTLS-authenticated connections past the expiry of client certificates for users with the disconnect_expired_cert option. This could allow such users to perform some API actions after their certificate has expired. #41829.

[High] PagerDuty integration privilege escalation

When creating a role access request, Teleport would include PagerDuty annotations from the entire user’s role set rather than a specific role being requested. For users who run multiple PagerDuty access plugins with auto-approval, this could result in a request for a different role being inadvertently auto-approved than the one which corresponds to the user’s active on-call schedule. #41831.

[High] SAML IdP session privilege escalation

When using Teleport as SAML IdP, authorization wasn’t properly enforced on the SAML IdP session creation. As such, authenticated users could use an internal API to escalate their own privileges by crafting a malicious program. #41849.

We strongly recommend all customers upgrade to the latest releases of Teleport.

Other fixes and improvements

• Fixed access request annotations when annotations contain globs, regular
  expressions, trait expansions, or claims_to_roles is used. #41938.
• Fixed session upload completion with large number of simultaneous session
  uploads. #41852.
• Stripped debug symbols from Windows builds, resulting in smaller tsh and
  tctl binaries. #41838.
• Added read-only permissions for cluster maintenance config. #41792.
• Simplified how Bots are shown on the Users list page. #41738.
• Fixed missing variable and script options in Default Agentless Installer
  script. #41721.
• Added remote address to audit log events emitted when a Bot or Instance join
  completes, successfully or otherwise. #41698.
• Upgraded application heartbeat service to support 1000+ dynamic applications. #41628.
• Fixed systemd unit to always restart Teleport on failure unless explicitly
  stopped. #41583.
• Updated Teleport package installers to reload Teleport service config after
  upgrades. #41549.
• Fixed WebUI SSH connection leak when browser tab closed during SSH connection
  establishment. #41520
• Added "login failed" audit events for invalid passwords on password+webauthn
  local authentication. #41435
• Allow setting Kubernetes Cluster name when using non-default addresses. #41356.
• Added support to automatically download CA for MongoDB Atlas databases. #41340.
• Added validation for application URL extracted from the web application
  launcher request route. #41306.
• Allow defining custom database names and users when selecting wildcard during
  test connection when enrolling a database through the web UI. #41303.
• Updated user management to explicitly deny password resets and local logins to
  SSO users. #41272.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

--

labels: security-patch=yes, security-patch-alts=v15.3.4

Teleport 15.3.7

Description

• Fixed creating access requests for servers in Teleport Connect that were blocked due to a "no roles configured" error. #41959
• Fixed regression issue with event-handler Linux artifacts not being available. #4237
• Fixed failed startup on GCP if missing permissions. #41985

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Teleport 15.3.6

Description

This release contains fixes for several high-severity security issues, as well as numerous other bug fixes and improvements.

Security Fixes

[High] Unrestricted redirect in SSO Authentication

Teleport didn’t sufficiently validate the client redirect URL. This could allow an attacker to trick Teleport users into performing an SSO authentication and redirect to an attacker-controlled URL allowing them to steal the credentials. #41834.

Warning: Teleport will now disallow non-localhost callback URLs for SSO logins unless otherwise configured. Users of the tsh login --callback feature should modify their auth connector configuration as follows:

version: vX
kind: (saml|oidc|github)
metadata:
  name: ...
spec:
  ...
  client_redirect_settings:
    allowed_https_hostnames:
      - '*.app.github.dev'
      - '^\d+-[a-zA-Z0-9]+\.foo.internal$'

The allowed_https_hostnames field is an array containing allowed hostnames, supporting glob matching and, if the string begins and ends with ^ and $ respectively, full regular expression syntax. Custom callback URLs are required to be HTTPS on the standard port (443).

[High] CockroachDB authorization bypass

When connecting to CockroachDB using Database Access, Teleport did not properly consider the username case when running RBAC checks. As such, it was possible to establish a connection using an explicitly denied username when using a different case. #41823.

[High] Long-lived connection persistence issue with expired certificates

Teleport did not terminate some long-running mTLS-authenticated connections past the expiry of client certificates for users with the disconnect_expired_cert option. This could allow such users to perform some API actions after their certificate has expired. #41827.

[High] PagerDuty integration privilege escalation

When creating a role access request, Teleport would include PagerDuty annotations from the entire user’s role set rather than a specific role being requested. For users who run multiple PagerDuty access plugins with auto-approval, this could result in a request for a different role being inadvertently auto-approved than the one which corresponds to the user’s active on-call schedule. #41837.

[High] SAML IdP session privilege escalation

When using Teleport as SAML IdP, authorization wasn’t properly enforced on the SAML IdP session creation. As such, authenticated users could use an internal API to escalate their own privileges by crafting a malicious program. #41846.

We strongly recommend all customers upgrade to the latest releases of Teleport.

Other fixes and improvements

• Fixed access request annotations when annotations contain globs, regular
  expressions, trait expansions, or claims_to_roles is used. #41936.
• Added AWS Management Console as a guided flow using AWS OIDC integration in
  the "Enroll New Resource" view in the web UI. #41864.
• Fixed spurious Windows Desktop sessions screen resize during an MFA ceremony. #41856.
• Fixed session upload completion with large number of simultaneous session
  uploads. #41854.
• Fixed MySQL databases version reporting on new connections. #41819.
• Added read-only permissions for cluster maintenance config. #41790.
• Stripped debug symbols from Windows builds, resulting in smaller tsh and
  tctl binaries. #41787
• Fixed passkey deletion so that a user may now delete their last passkey if
  the have a password and another MFA configured. #41771.
• Changed the default permissions for the Workload Identity Unix socket to 0777
  rather than the default as applied by the umask. This will allow the socket to
  be accessed by workloads running as users other than the user that owns the
  tbot process. #41754
• Added ability for teleport-event-handler to skip certain events type when
  forwarding to an upstream server. #41747.
• Added automatic GCP label importing. #41733.
• Fixed missing variable and script options in Default Agentless Installer
  script. #41723.
• Removed invalid AWS Roles from Web UI picker. #41707.
• Added remote address to audit log events emitted when a Bot or Instance join
  completes, successfully or otherwise. #41700.
• Simplified how Bots are shown on the Users list page. #41697.
• Added improved-performance implementation of ProxyCommand for Machine ID and
  SSH. This will become the default in v16. You can adopt this new mode early by
  setting TBOT_SSH_CONFIG_PROXY_COMMAND_MODE=new. #41694.
• Improved EC2 Auto Discovery by adding the SSM script output and more explicit
  error messages. #41664.
• Added webauthn diagnostics commands to tctl. #41643.
• Upgraded application heartbeat service to support 1000+ dynamic applications. #41626
• Fixed issue where Kubernetes watch requests are written out of order. #41624.
• Fixed a race condition triggered by a reload during Teleport startup. #41592.
• Updated discover wizard Install Script to support Ubuntu 24.04. #41589.
• Fixed systemd unit to always restart Teleport on failure unless explicitly stopped. #41581.
• Updated Teleport package installers to reload Teleport service config after
  upgrades. #41547.
• Fixed file truncation bug in Desktop Directory Sharing. #41540.
• Fixed WebUI SSH connection leak when browser tab closed during SSH connection
  establishment. #41518.
• Fixed AccessList reconciler comparison causing audit events noise. #41517.
• Added tooling to create SCIM integrations in tctl. #41514.
• Fixed Windows Desktop error preventing rendering of the remote session. #41498.
• Fixed issue in the PagerDuty, Opsgenie and ServiceNow access plugins that
  causing duplicate calls on access requests containing duplicate service names.
  Also increases the timeout so slow external API requests are less likely to
  fail. #41488.
• Added basic Unix workload attestation to the tbot SPIFFE workload API. You
  can now restrict the issuance of certain SVIDs to processes running with a
  certain UID, GID or PID. #41450.
• Added "login failed" audit events for invalid passwords on password+webauthn
  local authentication. #41432.
  Fixed Terraform provider issue causing the Provision Token options to default
  to false instead of empty. #41429.
• Added support to automatically download CA for MongoDB Atlas databases. #41338.
• Fixed broken "finish" web page for SSO Users on auto discover. #41335.
• Allow setting Kubernetes Cluster name when using non-default addresses. #41331.
• Added fallback on GetAccessList cache miss call. #41326.
• Fixed DiscoveryService panic when auto-enrolling EKS clusters. #41320.
• Added validation for application URL extracted from the web application launcher request route. #41304.
• Allow defining custom database names and users when selecting wildcard during test connection when enrolling a database through the web UI. #41301.
• Fixed broken link for alternative EC2 installation during EC2 discover flow. #41292
• Updated Go to v1.21.10. #41281.
• Updated user management to explicitly deny password resets and local logins to
  SSO users. #41270.
• Fixed fetching suggested access lists with large IDs in Tel...