Releases: gravitational/teleport

Teleport 17.0.0-beta.2

13 Nov 23:35
e11848c
Pre-release

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous stable releases of Teleport at https://goteleport.com/download.

Teleport 16.4.7

12 Nov 03:36
15dfef1

Description

  • Fixed a bug in Kubernetes session recordings where both root and leaf clusters recorded the same Kubernetes session. Recordings of leaf resources are only available in leaf clusters. #48738
  • Machine ID can now be forced to use the explicitly configured proxy address using the TBOT_USE_PROXY_ADDR environment variable. This should better support split proxy address operation. #48675
  • Fixed undefined error in open source version when clicking on Add Application tile in the Enroll Resources page in the Web UI. #48616
  • Updated Go to 1.22.9. #48581
  • The teleport-cluster Helm chart now uses the configured serviceAccount.name from chart values for its pre-deploy configuration check Jobs. #48579
  • Fixed a bug that prevented the Teleport UI from properly displaying Plugin Audit log details. #48462
  • Fixed an issue preventing migration of unmanaged users to Teleport host users when including teleport-keep in a role's host_groups. #48455
  • Fixed showing the list of access requests in Teleport Connect when a leaf cluster is selected in the cluster selector. #48441
  • Added Connect support for selecting Kubernetes namespaces during access requests. #48413
  • Fixed a rare "internal error" on older U2F authenticators when using tsh. #48402
  • Fixed tsh play not skipping idle time when --skip-idle-time was provided. #48397
  • Added a warning to tctl edit about dynamic edits to statically configured resources. #48392
  • Define a new role.allow.request field called kubernetes_resources that allows admins to define what kinds of Kubernetes resources a requester can make. #48387
  • Fixed a Teleport Kubernetes Operator bug that happened for OIDCConnector resources with non-nil max_age. #48376
  • Updated host user creation to prevent local password expiration policies from affecting Teleport managed users. #48163
  • Added support for Entra ID directory synchronization for clusters without public internet access. #48089
  • Fixed "Missing Region" error for teleport bootstrap commands. #47995
  • Fixed a bug that prevented selecting security groups during the Aurora database enrollment wizard in the web UI. #47975
  • During the Set Up Access of the Enroll New Resource flows, Okta users will be asked to change the role instead of entering the principals and getting an error afterwards. #47957
  • Fixed teleport_connected_resource metric overshooting after keepalive errors. #47949
  • Fixed an issue preventing connections with users whose configured home directories were inaccessible. #47916
  • Added a resolve command to tsh that may be used as the target for a Match exec condition in an SSH config. #47868
  • Respect HTTP_PROXY environment variables for Access Request integrations. #47738
  • Updated tsh ssh to support the -- delimiter similar to openssh. It is now possible to execute a command via tsh ssh user@host -- echo test or tsh ssh -- host uptime. #47493

Enterprise:

  • Jamf requests from Teleport set "teleport/$version" as the User-Agent.
  • Add Web UI support for selecting Kubernetes namespaces during access requests.
  • Import user roles and traits when using the EntraID directory sync.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Teleport 15.4.22

13 Nov 02:02
8966656

Description

  • Added a search input to the cluster dropdown in the Web UI when there are more than five clusters to show. #48800
  • Fixed a bug in Kubernetes session recordings where both root and leaf clusters recorded the same Kubernetes session. Recordings of leaf resources are only available in leaf clusters. #48739
  • Machine ID can now be forced to use the explicitly configured proxy address using the TBOT_USE_PROXY_ADDR environment variable. This should better support split proxy address operation. #48677
  • Fixed undefined error in open source version when clicking on Add Application tile in the Enroll Resources page in the Web UI. #48617
  • Updated Go to 1.22.9. #48582
  • The teleport-cluster Helm chart now uses the configured serviceAccount.name from chart values for its pre-deploy configuration check Jobs. #48578
  • Fixed a bug that prevented the Teleport UI from properly displaying Plugin Audit log details. #48463
  • Fixed showing the list of access requests in Teleport Connect when a leaf cluster is selected in the cluster selector. #48442
  • Fixed a rare "internal error" on older U2F authenticators when using tsh. #48403
  • Fixed tsh play not skipping idle time when --skip-idle-time was provided. #48398
  • Added a warning to tctl edit about dynamic edits to statically configured resources. #48393
  • Fixed a Teleport Kubernetes Operator bug that happened for OIDCConnector resources with non-nil max_age. #48377
  • Updated host user creation to prevent local password expiration policies from affecting Teleport managed users. #48162
  • During the Set Up Access of the Enroll New Resource flows, Okta users will be asked to change the role instead of entering the principals and getting an error afterwards. #47958
  • Fixed teleport_connected_resource metric overshooting after keepalive errors. #47950
  • Fixed an issue preventing connections with users whose configured home directories were inaccessible. #47917
  • Added a resolve command to tsh that may be used as the target for a Match exec condition in an SSH config. #47867
  • Postgres database session start events now include the Postgres backend PID for the session. #47644
  • Updated tsh ssh to support the -- delimiter similar to openssh. It is now possible to execute a command via tsh ssh user@host -- echo test or tsh ssh -- host uptime. #47494

Enterprise:

  • Jamf requests from Teleport set "teleport/$version" as the User-Agent.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Teleport 17.0.0-beta.1

09 Nov 00:46
5151b35
Pre-release

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous stable releases of Teleport at https://goteleport.com/download.

Teleport 17.0.0-alpha.5

06 Nov 19:03
7a3f9d8
Pre-release

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous stable releases of Teleport at https://goteleport.com/download.

Teleport 17.0.0-alpha.4

05 Nov 04:46
e351001
Pre-release

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous stable releases of Teleport at https://goteleport.com/download.

Teleport 14.3.33

31 Oct 00:29
24f3e89

Description

  • Fixed a bug in the External Audit Storage bootstrap script that broke S3 bucket creation. #48179
  • During the Set Up Access of the Enroll New Resource flows, Okta users will be asked to change the role instead of entering the principals and getting an error afterwards. #47959
  • Fixed teleport_connected_resource metric overshooting after keepalive errors. #47951
  • Fixed an issue preventing connections with users whose configured home directories were inaccessible. #47918
  • Auto-enroll may be locally disabled using the TELEPORT_DEVICE_AUTO_ENROLL_DISABLED=1 environment variable. #47718
  • Alter ServiceAccounts in the teleport-cluster Helm chart to automatically disable mounting of service account tokens on newer Kubernetes distributions, helping satisfy security linters. #47701
  • Avoid tsh auto-enroll escalation in machines without a TPM. #47697
  • Postgres database session start events now include the Postgres backend PID for the session. #47645
  • Fixes a bug where Let's Encrypt certificate renewal failed in AMI and HA deployments due to insufficient disk space caused by syncing audit logs. #47623
  • Adds support for custom SQS consumer lock name and disabling a consumer. #47612
  • Include host name instead of host uuid in error messages when SSH connections are prevented due to an invalid login. #47603
  • Allow using a custom database for Firestore backends. #47585
  • Extended Teleport Discovery Service to support resource discovery across all projects accessible by the service account. #47566
  • Fixed a bug that could allow users to list active sessions even when prohibited by RBAC. #47562
  • The tctl tokens ls command redacts secret join tokens by default. To include the token values, provide the new --with-secrets flag. #47547
  • Fixed an issue with the Microsoft license negotiation for RDP sessions. #47544
  • Fixed a bug where tsh logout failed to parse flags passed with spaces. #47461
  • Added kubeconfig context name to the output table of tsh proxy kube command for enhanced clarity. #47381
  • Improve error messaging when connections to offline agents are attempted. #47363
  • Teleport Connect for Linux now requires glibc 2.31 or later. #47264
  • Updates self-hosted db discover flow to generate 2190h TTL certs, not 12h. #47128

Enterprise:

  • Device auto-enroll failures are now recorded in the audit log.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Teleport 17.0.0-alpha.2

29 Oct 21:29
0fce434
Pre-release

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Teleport 16.4.6

23 Oct 17:58
3104d1a

Description

Security Fixes

[High] Privilege persistence in Okta SCIM-only integration

When the Okta SCIM-only integration is enabled, in certain cases Teleport could
calculate the effective set of permissions based on an SSO user's stale traits.
This could allow a user who was unassigned from an Okta group to log into a
Teleport cluster once with a role granted by the unassigned group being present
in their effective role set.

Note: This issue only affects Teleport clusters that have installed a SCIM-only
Okta integration as described in this guide. If you have an Okta integration
with user sync enabled, or are only using the Okta SSO auth connector to log
into your Teleport cluster without a SCIM integration configured, you're
unaffected. To verify your configuration:

  • Use the tctl get plugins/okta --format=json | jq ".[].spec.Settings.okta.sync_settings.sync_users"
    command to check whether you have an Okta integration with user sync
    enabled. If it outputs null or false, you may be affected and should upgrade.
  • Check SCIM provisioning settings for the Okta application you created or
    updated while following the SCIM-only setup guide. If SCIM provisioning is
    enabled, you may be affected and should upgrade.

We strongly recommend that customers who use the Okta SCIM integration upgrade
their auth servers to version 16.3.0 or later. Teleport services other than auth
(proxy, SSH, Kubernetes, desktop, application, database and discovery) are not
impacted and do not need to be updated.

Other improvements and fixes

  • Added a new teleport_roles_total metric that exposes the number of roles which exist in a cluster. #47812
  • Teleport's Windows Desktop Service now filters domain-joined Linux hosts out during LDAP discovery. #47773
  • The join_token.create audit event has been enriched with additional metadata. #47765
  • Propagate resources configured in teleport-kube-agent chart values to post-install and post-delete hooks. #47743
  • Add support for the Datadog Incident Management plugin helm chart. #47727
  • Automatic device enrollment may be locally disabled using the TELEPORT_DEVICE_AUTO_ENROLL_DISABLED=1 environment variable. #47720
  • Fixed the Machine ID and GitHub Actions wizard. #47708
  • Added migration to update the old import_all_objects database object import rule to the new preset. #47707
  • Alter ServiceAccounts in the teleport-cluster Helm chart to automatically disable mounting of service account tokens on newer Kubernetes distributions, helping satisfy security linters. #47703
  • Avoid tsh auto-enroll escalation in machines without a TPM. #47695
  • Fixed a bug that prevented users from canceling tsh scan keys executions. #47658
  • Postgres database session start events now include the Postgres backend PID for the session. #47643
  • Reworked the teleport-event-handler integration to significantly improve performance, especially when running with larger --concurrency values. #47633
  • Fixes a bug where Let's Encrypt certificate renewal failed in AMI and HA deployments due to insufficient disk space caused by syncing audit logs. #47622
  • Adds support for custom SQS consumer lock name and disabling a consumer. #47614
  • Fixed an issue that prevented RDS Aurora discovery configuration in the AWS OIDC enrollment wizard when any cluster existed without member instances. #47605
  • Extend the Datadog plugin to support automatic approvals. #47602
  • Allow using a custom database for Firestore backends. #47583
  • Include host name instead of host uuid in error messages when SSH connections are prevented due to an invalid login. #47578
  • Fixed the example Terraform code to support the new larger Teleport Enterprise licenses and updated the output of the web address to use the FQDN when ACM is disabled. #47512
  • Add new tctl subcommands to manage bot instances. #47225

Enterprise:

  • Device auto-enroll failures are now recorded in the audit log.
  • Fixed possible panic when processing Okta assignments.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Teleport 15.4.21

23 Oct 15:29
bf81f0c

Description

Security fixes

[High] Privilege persistence in Okta SCIM-only integration

When the Okta SCIM-only integration is enabled, in certain cases Teleport could
calculate the effective set of permissions based on an SSO user's stale traits.
This could allow a user who was unassigned from an Okta group to log into a
Teleport cluster once with a role granted by the unassigned group being present
in their effective role set.

Note: This issue only affects Teleport clusters that have installed a SCIM-only
Okta integration as described in this guide. If you have an Okta integration
with user sync enabled, or are only using the Okta SSO auth connector to log
into your Teleport cluster without a SCIM integration configured, you're
unaffected. To verify your configuration:

  • Use the tctl get plugins/okta --format=json | jq ".[].spec.Settings.okta.sync_settings.sync_users"
    command to check whether you have an Okta integration with user sync
    enabled. If it outputs null or false, you may be affected and should upgrade.
  • Check SCIM provisioning settings for the Okta application you created or
    updated while following the SCIM-only setup guide. If SCIM provisioning is
    enabled, you may be affected and should upgrade.

We strongly recommend that customers who use the Okta SCIM integration upgrade
their auth servers to version 15.4.19 or later. Teleport services other than auth
(proxy, SSH, Kubernetes, desktop, application, database and discovery) are not
impacted and do not need to be updated.

Other improvements and fixes

  • Added a new teleport_roles_total metric that exposes the number of roles which exist in a cluster. #47811
  • The join_token.create audit event has been enriched with additional metadata. #47766
  • Automatic device enrollment may be locally disabled using the TELEPORT_DEVICE_AUTO_ENROLL_DISABLED=1 environment variable. #47719
  • Fixed the Machine ID and GitHub Actions wizard. #47709
  • Alter ServiceAccounts in the teleport-cluster Helm chart to automatically disable mounting of service account tokens on newer Kubernetes distributions, helping satisfy security linters. #47702
  • Avoid tsh auto-enroll escalation in machines without a TPM. #47696
  • Fixed a bug that prevented users from canceling tsh scan keys executions. #47657
  • Reworked the teleport-event-handler integration to significantly improve performance, especially when running with larger --concurrency values. #47632
  • Fixes a bug where Let's Encrypt certificate renewal failed in AMI and HA deployments due to insufficient disk space caused by syncing audit logs. #47624
  • Adds support for custom SQS consumer lock name and disabling a consumer. #47613
  • Allow using a custom database for Firestore backends. #47584
  • Include host name instead of host uuid in error messages when SSH connections are prevented due to an invalid login. #47579
  • Extended Teleport Discovery Service to support resource discovery across all projects accessible by the service account. #47567
  • Fixed a bug that could allow users to list active sessions even when prohibited by RBAC. #47563
  • The tctl tokens ls command redacts secret join tokens by default. To include the token values, provide the new --with-secrets flag. #47546
  • Fixed the example Terraform code to support the new larger Teleport Enterprise licenses and updated the output of the web address to use the FQDN when ACM is disabled. #47511
  • Added missing field-level documentation to the terraform provider reference. #47470
  • Fixed a bug where tsh logout failed to parse flags passed with spaces. #47462
  • Fixed the resource-based labels handler crashing without restarting. #47453
  • Fixed possibly missing rules when using a large number of Access Monitoring Rules. #47429

Enterprise:

  • Device auto-enroll failures are now recorded in the audit log.
  • Fixed possible panic when processing Okta assignments.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.