Skip to content

Releases: gravitational/teleport

Teleport 16.4.6

23 Oct 17:58
@doggydogworld doggydogworld
v16.4.6
3104d1a
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.
Compare
Choose a tag to compare
Teleport 16.4.6

Description

Security Fixes

[High] Privilege persistence in Okta SCIM-only integration

When Okta SCIM-only integration is enabled, in certain cases Teleport could
calculate the effective set of permission based on SSO user's stale traits. This
could allow a user who was unassigned from an Okta group to log into a Teleport
cluster once with a role granted by the unassigned group being present in their
effective role set.

Note: This issue only affects Teleport clusters that have installed a SCIM-only
Okta integration as described in this guide. If you have an Okta integration
with user sync enabled or only using Okta SSO auth connector to log into your
Teleport cluster without SCIM integration configured, you're unaffected. To
verify your configuration:

  • Use tctl get plugins/okta --format=json | jq ".[].spec.Settings.okta.sync_settings.sync_users"
    command to check if you have Okta integration with user sync enabled. If it
    outputs null or false, you may be affected and should upgrade.
  • Check SCIM provisioning settings for the Okta application you created or
    updated while following the SCIM-only setup guide. If SCIM provisioning is
    enabled, you may be affected and should upgrade.

We strongly recommend customers who use Okta SCIM integration to upgrade their
auth servers to version 16.3.0 or later. Teleport services other than auth
(proxy, SSH, Kubernetes, desktop, application, database and discovery) are not
impacted and do not need to be updated.

Other improvements and fixes

  • Added a new teleport_roles_total metric that exposes the number of roles which exist in a cluster. #47812
  • Teleport's Windows Desktop Service now filters domain-joined Linux hosts out during LDAP discovery. #47773
  • The join_token.create audit event has been enriched with additional metadata. #47765
  • Propagate resources configured in teleport-kube-agent chart values to post-install and post-delete hooks. #47743
  • Add support for the Datadog Incident Management plugin helm chart. #47727
  • Automatic device enrollment may be locally disabled using the TELEPORT_DEVICE_AUTO_ENROLL_DISABLED=1 environment variable. #47720
  • Fixed the Machine ID and GitHub Actions wizard. #47708
  • Added migration to update the old import_all_objects database object import rule to the new preset. #47707
  • Alter ServiceAccounts in the teleport-cluster Helm chart to automatically disable mounting of service account tokens on newer Kubernetes distributions, helping satisfy security linters. #47703
  • Avoid tsh auto-enroll escalation in machines without a TPM. #47695
  • Fixed a bug that prevented users from canceling tsh scan keys executions. #47658
  • Postgres database session start events now include the Postgres backend PID for the session. #47643
  • Reworked the teleport-event-handler integration to significantly improve performance, especially when running with larger --concurrency values. #47633
  • Fixes a bug where Let's Encrypt certificate renewal failed in AMI and HA deployments due to insufficient disk space caused by syncing audit logs. #47622
  • Adds support for custom SQS consumer lock name and disabling a consumer. #47614
  • Fixed an issue that prevented RDS Aurora discovery configuration in the AWS OIDC enrollment wizard when any cluster existed without member instances. #47605
  • Extend the Datadog plugin to support automatic approvals. #47602
  • Allow using a custom database for Firestore backends. #47583
  • Include host name instead of host uuid in error messages when SSH connections are prevented due to an invalid login. #47578
  • Fix the example Terraform code to support the new larger Teleport Enterprise licenses and updates output of web address to use fqdn when ACM is disabled. #47512
  • Add new tctl subcommands to manage bot instances. #47225

Enterprise:

  • Device auto-enroll failures are now recorded in the audit log.
  • Fixed possible panic when processing Okta assignments.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Assets 2
Loading

Teleport 15.4.21

23 Oct 15:29
@doggydogworld doggydogworld
v15.4.21
bf81f0c
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.
Compare
Choose a tag to compare
Teleport 15.4.21

Description

Security fixes

[High] Privilege persistence in Okta SCIM-only integration

When Okta SCIM-only integration is enabled, in certain cases Teleport could
calculate the effective set of permission based on SSO user's stale traits. This
could allow a user who was unassigned from an Okta group to log into a Teleport
cluster once with a role granted by the unassigned group being present in their
effective role set.

Note: This issue only affects Teleport clusters that have installed a SCIM-only
Okta integration as described in this guide. If you have an Okta integration
with user sync enabled or only using Okta SSO auth connector to log into your
Teleport cluster without SCIM integration configured, you're unaffected. To
verify your configuration:

  • Use tctl get plugins/okta --format=json | jq ".[].spec.Settings.okta.sync_settings.sync_users"
    command to check if you have Okta integration with user sync enabled. If it
    outputs null or false, you may be affected and should upgrade.
  • Check SCIM provisioning settings for the Okta application you created or
    updated while following the SCIM-only setup guide. If SCIM provisioning is
    enabled, you may be affected and should upgrade.

We strongly recommend customers who use Okta SCIM integration to upgrade their
auth servers to version 15.4.19 or later. Teleport services other than auth
(proxy, SSH, Kubernetes, desktop, application, database and discovery) are not
impacted and do not need to be updated.

Other improvements and fixes

  • Added a new teleport_roles_total metric that exposes the number of roles which exist in a cluster. #47811
  • The join_token.create audit event has been enriched with additional metadata. #47766
  • Automatic device enrollment may be locally disabled using the TELEPORT_DEVICE_AUTO_ENROLL_DISABLED=1 environment variable. #47719
  • Fixed the Machine ID and GitHub Actions wizard. #47709
  • Alter ServiceAccounts in the teleport-cluster Helm chart to automatically disable mounting of service account tokens on newer Kubernetes distributions, helping satisfy security linters. #47702
  • Avoid tsh auto-enroll escalation in machines without a TPM. #47696
  • Fixed a bug that prevented users from canceling tsh scan keys executions. #47657
  • Reworked the teleport-event-handler integration to significantly improve performance, especially when running with larger --concurrency values. #47632
  • Fixes a bug where Let's Encrypt certificate renewal failed in AMI and HA deployments due to insufficient disk space caused by syncing audit logs. #47624
  • Adds support for custom SQS consumer lock name and disabling a consumer. #47613
  • Allow using a custom database for Firestore backends. #47584
  • Include host name instead of host uuid in error messages when SSH connections are prevented due to an invalid login. #47579
  • Extended Teleport Discovery Service to support resource discovery across all projects accessible by the service account. #47567
  • Fixed a bug that could allow users to list active sessions even when prohibited by RBAC. #47563
  • The tctl tokens ls command redacts secret join tokens by default. To include the token values, provide the new --with-secrets flag. #47546
  • Fix the example Terraform code to support the new larger Teleport Enterprise licenses and updates output of web address to use fqdn when ACM is disabled. #47511
  • Added missing field-level documentation to the terraform provider reference. #47470
  • Fixed a bug where tsh logout failed to parse flags passed with spaces. #47462
  • Fixed the resource-based labels handler crashing without restarting. #47453
  • Fix possibly missing rules when using large amount of Access Monitoring Rules. #47429

Enterprise:

  • Device auto-enroll failures are now recorded in the audit log.
  • Fixed possible panic when processing Okta assignments.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Assets 2
Loading

Teleport 16.4.3

16 Oct 16:54
@doggydogworld doggydogworld
v16.4.3
d506b62
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.
Compare
Choose a tag to compare
Teleport 16.4.3

Description

  • Extended Teleport Discovery Service to support resource discovery across all projects accessible by the service account. #47568
  • Fixed a bug that could allow users to list active sessions even when prohibited by RBAC. #47564
  • The tctl tokens ls command redacts secret join tokens by default. To include the token values, provide the new --with-secrets flag. #47545
  • Added missing field-level documentation to the terraform provider reference. #47469
  • Fixed a bug where tsh logout failed to parse flags passed with spaces. #47460
  • Fixed the resource-based labels handler crashing without restarting. #47452
  • Install teleport FIPS binary in FIPS environments during Server Auto Discover. #47437
  • Fix possibly missing rules when using large amount of Access Monitoring Rules. #47430
  • Added ability to list/get AccessMonitoringRule resources with tctl. #47401
  • Include JWK header in JWTs issued by Teleport Application Access. #47393
  • Teleport Workload ID now supports issuing JWT SVIDs via the Workload API. #47389
  • Added kubeconfig context name to the output table of tsh proxy kube command for enhanced clarity. #47383
  • Improve error messaging when connections to offline agents are attempted. #47361
  • Allow specifying the instance type of AWS HA Terraform bastion instance. #47338
  • Added a config option to Teleport Connect to control how it interacts with the local SSH agent (sshAgent.addKeysToAgent). #47324
  • Teleport Workload ID issued JWT SVIDs are now compatible with OIDC federation with a number of platforms. #47317
  • The "ha-autoscale-cluster" terraform module now support default AWS resource tags and ASG instance refresh on configuration or launch template changes. #47299
  • Fixed error in Workload ID in cases where the process ID cannot be resolved. #47274
  • Teleport Connect for Linux now requires glibc 2.31 or later. #47262
  • Fixed a bug where security group rules that refer to another security group by ID were not displayed in web UI enrollment wizards when viewing security group rules. #47246
  • Improve the msteams access plugin debug logging. #47158
  • Fix missing tsh MFA prompt in certain OTP+WebAuthn scenarios. #47154
  • Updates self-hosted db discover flow to generate 2190h TTL certs, not 12h. #47125
  • Fixes an issue preventing access requests from displaying user friendly resource names. #47112
  • Fixed a bug where only one IP CIDR block security group rule for a port range was displayed in the web UI RDS enrollment wizard when viewing a security group. #47077
  • The tsh play command now supports a text output format. #47073
  • Updated Go to 1.22.8. #47050
  • Fixed the "source path is empty" error when attempting to upload a file in Teleport Connect. #47011
  • Added static host users to Terraform provider. #46974
  • Enforce a global device_trust.mode=required on OSS processes paired with an Enterprise Auth. #46947
  • Added a new config option in Teleport Connect to control SSH agent forwarding (ssh.forwardAgent); starting in Teleport Connect v17, this option will be disabled by default. #46895
  • Correctly display available allowed logins of leaf AWS Console Apps on tsh app login. #46806
  • Allow all audit events to be trimmed if necessary. #46499

Enterprise:

  • Fixed possible panic when processing Okta assignments.
  • Fixed bug where an unknown device aborts device web authentication.
  • Add the Datadog Incident Management Plugin as a hosted plugin.
  • Permit bootstrapping enterprise clusters with state from an open source cluster.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Assets 2
Loading

Teleport 15.4.20

10 Oct 19:45
@r0mant r0mant
v15.4.20
db3053a
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.
Compare
Choose a tag to compare
Teleport 15.4.20

Description

  • Added ability to list/get access monitoring rules resources with tctl. #47402
  • Include JWK header in JWTs issued by Teleport Application Access. #47394
  • Added kubeconfig context name to the output table of tsh proxy kube command for enhanced clarity. #47382
  • Improve error messaging when connections to offline agents are attempted. #47362
  • Allow specifying the instance type of AWS HA Terraform bastion instance. #47339
  • Added a config option to Teleport Connect to control how it interacts with the local SSH agent (sshAgent.addKeysToAgent). #47325
  • Fixed error in Workload ID in cases where the process ID cannot be resolved. #47275
  • Teleport Connect for Linux now requires glibc 2.31 or later. #47263
  • Fix missing tsh MFA prompt in certain OTP+WebAuthn scenarios. #47155
  • Updates self-hosted db discover flow to generate 2190h TTL certs, not 12h. #47127
  • Fixes an issue preventing access requests from displaying user friendly resource names. #47111
  • Updated Go to 1.22.8. #47052
  • Fixed the "source path is empty" error when attempting to upload a file in Teleport Connect. #47013
  • Enforce a global device_trust.mode=required on OSS processes paired with an Enterprise Auth. #46946
  • A user joining a session will now see available controls for terminating & leaving the session. #46910
  • Added a new config option in Teleport Connect to control SSH agent forwarding (ssh.forwardAgent); starting in Teleport Connect v17, this option will be disabled by default. #46897
  • Teleport no longer creates invalid SAML Connectors when calling tctl get saml/<connector-name> | tctl create -f without the --with-secrets flag. #46864
  • Fixed a regression in the SAML IdP service which prevented cache from initializing in a cluster that may have a service provider configured with unsupported acs_url and relay_state values. #46846
  • Machine ID now generates cluster-specific ssh_config and known_host files which will always direct SSH connections made using them via Teleport. #46685
  • Added new empty state to Devices list in web UI. #5119
  • Permit bootstrapping enterprise clusters with state from an open source cluster. #5094
  • Fixes a possible crash when using Teleport Policy's GitLab integration. #5071
  • Emit audit logs when creating, updating or deleting Teleport Plugins. #5056

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Assets 2
Loading

Teleport 14.3.32

03 Oct 18:54
@r0mant r0mant
v14.3.32
eac25fd
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.
Compare
Choose a tag to compare
Teleport 14.3.32

Description

  • Fixes an issue preventing access requests from displaying user friendly resource names. #47110
  • Updated Go to 1.22.8. #47053
  • Fixed the "source path is empty" error when attempting to upload a file in Teleport Connect. #47014
  • Enforce a global device_trust.mode=required on OSS processes paired with an Enterprise Auth. #46945
  • A user joining a session will now see available controls for terminating & leaving the session. #46923
  • Teleport no longer creates invalid SAML Connectors when calling tctl get saml/<connector-name> | tctl create -f without the --with-secrets flag. #46887
  • Fixed a regression in the SAML IdP service which prevented cache from initializing in a cluster that may have a service provider configured with unsupported acs_url and relay_state values. #46847
  • Fixes a bug in Kubernetes access that causes the error expected *metav1.PartialObjectMetadata object when trying to list resources. #46696
  • Fixed an issue that prevented host user creation when the username was also listed in host_groups. #46639
  • Allow all audit events to be trimmed if necessary. #46505
  • Fixed an issue preventing session joining while host user creation was in use. #46503
  • Fixed an issue that prevented the Firestore backend from reading existing data. #46435
  • The teleport-kube-agent chart now correctly propagates configured annotations when deploying a StatefulSet. #46423
  • Ensure that additional pod labels are carried over to post-upgrade and post-delete hook job pods when using the teleport-kube-agent Helm chart. #46236

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Assets 2
Loading

Teleport 16.4.2

26 Sep 01:55
@camscale camscale
v16.4.2
e414b8f
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.
Compare
Choose a tag to compare
Teleport 16.4.2

Description

  • Fixed a panic when using the self-hosted PagerDuty plugin. #46925
  • A user joining a session will now see available controls for terminating & leaving the session. #46901
  • Fixed a regression in the SAML IdP service which prevented cache from initializing in a cluster that may have a service provider configured with unsupported acs_url and relay_state values. #46845

Enterprise:

  • Fixed a possible crash when using Teleport Policy's GitLab integration.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Assets 2
Loading

Teleport 16.4.1

25 Sep 04:36
@camscale camscale
v16.4.1
03a20fd
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.
Compare
Choose a tag to compare
Teleport 16.4.1

Description

Secrets support for Kubernetes Operator

Kubernetes Operator is now able to lookup values from Kubernetes secrets for GithubConnector.ClientSecret and OIDCConnector.ClientSecret.

Other improvements and fixes

  • Fixed a regression that made it impossible to read the Teleport Audit Log after creating a plugin if the audit event is present. #46831
  • Added a new flag to static host users spec that allows teleport to automatically take ownership across matching hosts of any users with the same name as the static host user. #46828
  • Added support for Kubernetes SPDY over Websocket Protocols for PortForward. #46815
  • Fixed a regression where Teleport swallowed Kubernetes API errors when using kubectl exec with a Kubernetes cluster newer than v1.30.0. #46811
  • Added support for Access Request Datadog plugin. #46740

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Assets 2
Loading

Teleport 16.4.0

19 Sep 01:10
@r0mant r0mant
v16.4.0
e08d4e0
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.
Compare
Choose a tag to compare
Teleport 16.4.0

Description

Machine ID for HCP Terraform and Terraform Enterprise

Teleport now supports secure joining via Terraform Cloud, allowing Machine ID
workflows to run on Terraform Cloud without shared secrets.

SPIFFE Federation for Workload Identity

Teleport Workload Identity now supports SPIFFE Federation, allowing trust
relationships to be established between a Teleport cluster's trust domain and
trust domains managed by other SPIFFE compatible platforms. Establishing a
relationship between the trust domains enables workloads belonging to one trust
domain to validate the identity of workloads in the other trust domain, and vice
versa.

Multi-domain support for web applications

Teleport now supports web application access where one application depends on
another. For example, you may have a web application that depends on a backend
API service, both of which are separate apps protected by Teleport.

Okta integration status dashboard

Cluster admins are now able to get a detailed overview of the Okta integration
status in the Teleport web UI.

Other improvements and fixes

  • Fixed the web favicon not displaying on specific builds. #46736
  • Fixed regression in private key parser to handle mismatched PEM headers. #46727
  • Removed TXT record validation from custom DNS zones in VNet; VNet now supports any custom DNS zone, as long as it's included in vnet_config. #46722
  • Fixed audit log not recognizing static host user events. #46697
  • Fixes a bug in Kubernetes access that causes the error expected *metav1.PartialObjectMetadata object when trying to list resources. #46694
  • Added a new default_shell configuration for the static host users resource that works exactly the same as the create_host_user_default_shell configuration added for roles. #46688
  • Machine ID now generates cluster-specific ssh_config and known_hosts files which will always direct SSH connections made using them via Teleport. #46684
  • Fixed a regression that prevented the fish shell from starting in Teleport Connect. #46662
  • Added a new create_host_user_default_shell configuration under role options that changes the default shell of auto provisioned host users. #46648
  • Fixed an issue that prevented host user creation when the username was also listed in host_groups. #46635
  • Fixed tsh scp showing a login prompt when attempting to transfer a folder without the recursive option. #46603
  • The Teleport Terraform provider now supports AccessMonitoringRule resources. #46582
  • The teleport-plugin-slack chart can now deploy tbot to obtain and renew the Slack plugin credentials automatically. This setup is easier and more secure than signing long-lived credentials. #46581
  • Always show the device trust green shield for authenticated devices. #46565
  • Add new terraform_cloud joining method to enable secretless authentication on HCP Terraform jobs for the Teleport Terraform provider. #46049
  • Emit audit logs when creating, updating or deleting Teleport Plugins. #4939

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Assets 2
Loading

Teleport 15.4.19

18 Sep 10:15
@camscale camscale
v15.4.19
8c1398e
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.
Compare
Choose a tag to compare
Teleport 15.4.19

Description

  • Fixed a bug in Kubernetes access that causes the error expected *metav1.PartialObjectMetadata object when trying to list resources. #46695
  • Fixed an issue that prevented host user creation when the username was also listed in host_groups. #46638
  • Allow the cluster wide ssh dial timeout to be set via auth_service.ssh_dial_timeout in the Teleport config file. #46508
  • Allow all audit events to be trimmed if necessary. #46504
  • Fixed an issue preventing session joining while host user creation was in use. #46502
  • Fixed an issue that prevented the Firestore backend from reading existing data. #46436
  • The teleport-kube-agent chart now correctly propagates configured annotations when deploying a StatefulSet. #46422
  • Updated tsh puttyconfig to respect any defined proxy templates. #46385
  • Added tbot Helm chart for deploying a Machine ID Bot into a Teleport cluster. #46374
  • Ensure that additional pod labels are carried over to post-upgrade and post-delete hook job pods when using the teleport-kube-agent Helm chart. #46231

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Assets 2
Loading

Teleport 16.3.0

12 Sep 05:56
@camscale camscale
v16.3.0
5cf82cc
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.
Compare
Choose a tag to compare
Teleport 16.3.0

Description

Out-of-band user creation

Cluster administrators are now able to configure Teleport's ssh_service to
ensure that certain host users exist on the machine without the need to start
an SSH session. #46498

Other improvements and fixes

  • Allow the cluster wide ssh dial timeout to be set via auth_service.ssh_dial_timeout in the Teleport config file. #46507
  • Fixed an issue preventing session joining while host user creation was in use. #46501
  • Added tbot Helm chart for deploying a Machine ID Bot into a Teleport cluster. #46373

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Assets 2
Loading