Releases: gravitational/teleport
Teleport 17.0.0-beta.1
Warning
Pre-releases are not production ready, use at your own risk!
Download
Download the current and previous stable releases of Teleport at https://goteleport.com/download.
Teleport 17.0.0-alpha.5
Warning
Pre-releases are not production ready, use at your own risk!
Download
Download the current and previous stable releases of Teleport at https://goteleport.com/download.
Teleport 17.0.0-alpha.4
Warning
Pre-releases are not production ready, use at your own risk!
Download
Download the current and previous stable releases of Teleport at https://goteleport.com/download.
Teleport 14.3.33
Description
- Fixed a bug in the External Audit Storage bootstrap script that broke S3 bucket creation. #48179
- During the Set Up Access of the Enroll New Resource flows, Okta users will be asked to change the role instead of entering the principals and getting an error afterwards. #47959
- Fixed
teleport_connected_resource
metric overshooting after keepalive errors. #47951 - Fixed an issue preventing connections with users whose configured home directories were inaccessible. #47918
- Auto-enroll may be locally disabled using the
TELEPORT_DEVICE_AUTO_ENROLL_DISABLED=1
environment variable. #47718 - Alter ServiceAccounts in the teleport-cluster Helm chart to automatically disable mounting of service account tokens on newer Kubernetes distributions, helping satisfy security linters. #47701
- Avoid tsh auto-enroll escalation in machines without a TPM. #47697
- Postgres database session start events now include the Postgres backend PID for the session. #47645
- Fixes a bug where Let's Encrypt certificate renewal failed in AMI and HA deployments due to insufficient disk space caused by syncing audit logs. #47623
- Adds support for custom SQS consumer lock name and disabling a consumer. #47612
- Include host name instead of host uuid in error messages when SSH connections are prevented due to an invalid login. #47603
- Allow using a custom database for Firestore backends. #47585
- Extended Teleport Discovery Service to support resource discovery across all projects accessible by the service account. #47566
- Fixed a bug that could allow users to list active sessions even when prohibited by RBAC. #47562
- The
tctl tokens ls
command redacts secret join tokens by default. To include the token values, provide the new--with-secrets
flag. #47547 - Fixed an issue with the Microsoft license negotiation for RDP sessions. #47544
- Fixed a bug where tsh logout failed to parse flags passed with spaces. #47461
- Added kubeconfig context name to the output table of
tsh proxy kube
command for enhanced clarity. #47381 - Improve error messaging when connections to offline agents are attempted. #47363
- Teleport Connect for Linux now requires glibc 2.31 or later. #47264
- Updates self-hosted db discover flow to generate 2190h TTL certs, not 12h. #47128
Enterprise:
- Device auto-enroll failures are now recorded in the audit log.
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
Plugins
Download the current release of Teleport plugins from the links below.
- Slack Linux amd64 | Linux arm64
- Mattermost Linux amd64 | Linux arm64
- Discord Linux amd64 | Linux arm64
- Terraform Provider Linux amd64 | Linux arm64 | macOS amd64 | macOS arm64 | macOS universal
- Event Handler Linux amd64 | Linux arm64 | macOS amd64
- PagerDuty Linux amd64 | Linux arm64
- Jira Linux amd64 | Linux arm64
- Email Linux amd64 | Linux arm64
- Microsoft Teams Linux amd64 | Linux arm64
Teleport 17.0.0-alpha.2
Warning
Pre-releases are not production ready, use at your own risk!
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
Teleport 16.4.6
Description
Security Fixes
[High] Privilege persistence in Okta SCIM-only integration
When Okta SCIM-only integration is enabled, in certain cases Teleport could
calculate the effective set of permission based on SSO user's stale traits. This
could allow a user who was unassigned from an Okta group to log into a Teleport
cluster once with a role granted by the unassigned group being present in their
effective role set.
Note: This issue only affects Teleport clusters that have installed a SCIM-only
Okta integration as described in this guide. If you have an Okta integration
with user sync enabled or only using Okta SSO auth connector to log into your
Teleport cluster without SCIM integration configured, you're unaffected. To
verify your configuration:
- Use
tctl get plugins/okta --format=json | jq ".[].spec.Settings.okta.sync_settings.sync_users"
command to check if you have Okta integration with user sync enabled. If it
outputs null or false, you may be affected and should upgrade. - Check SCIM provisioning settings for the Okta application you created or
updated while following the SCIM-only setup guide. If SCIM provisioning is
enabled, you may be affected and should upgrade.
We strongly recommend customers who use Okta SCIM integration to upgrade their
auth servers to version 16.3.0 or later. Teleport services other than auth
(proxy, SSH, Kubernetes, desktop, application, database and discovery) are not
impacted and do not need to be updated.
Other improvements and fixes
- Added a new teleport_roles_total metric that exposes the number of roles which exist in a cluster. #47812
- Teleport's Windows Desktop Service now filters domain-joined Linux hosts out during LDAP discovery. #47773
- The
join_token.create
audit event has been enriched with additional metadata. #47765 - Propagate resources configured in teleport-kube-agent chart values to post-install and post-delete hooks. #47743
- Add support for the Datadog Incident Management plugin helm chart. #47727
- Automatic device enrollment may be locally disabled using the TELEPORT_DEVICE_AUTO_ENROLL_DISABLED=1 environment variable. #47720
- Fixed the Machine ID and GitHub Actions wizard. #47708
- Added migration to update the old import_all_objects database object import rule to the new preset. #47707
- Alter ServiceAccounts in the teleport-cluster Helm chart to automatically disable mounting of service account tokens on newer Kubernetes distributions, helping satisfy security linters. #47703
- Avoid tsh auto-enroll escalation in machines without a TPM. #47695
- Fixed a bug that prevented users from canceling
tsh scan keys
executions. #47658 - Postgres database session start events now include the Postgres backend PID for the session. #47643
- Reworked the
teleport-event-handler
integration to significantly improve performance, especially when running with larger--concurrency
values. #47633 - Fixes a bug where Let's Encrypt certificate renewal failed in AMI and HA deployments due to insufficient disk space caused by syncing audit logs. #47622
- Adds support for custom SQS consumer lock name and disabling a consumer. #47614
- Fixed an issue that prevented RDS Aurora discovery configuration in the AWS OIDC enrollment wizard when any cluster existed without member instances. #47605
- Extend the Datadog plugin to support automatic approvals. #47602
- Allow using a custom database for Firestore backends. #47583
- Include host name instead of host uuid in error messages when SSH connections are prevented due to an invalid login. #47578
- Fix the example Terraform code to support the new larger Teleport Enterprise licenses and updates output of web address to use fqdn when ACM is disabled. #47512
- Add new
tctl
subcommands to manage bot instances. #47225
Enterprise:
- Device auto-enroll failures are now recorded in the audit log.
- Fixed possible panic when processing Okta assignments.
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
Plugins
Download the current release of Teleport plugins from the links below.
- Slack Linux amd64 | Linux arm64
- Mattermost Linux amd64 | Linux arm64
- Discord Linux amd64 | Linux arm64
- Terraform Provider Linux amd64 | Linux arm64 | macOS amd64 | macOS arm64 | macOS universal
- Event Handler Linux amd64 | Linux arm64 | macOS amd64
- PagerDuty Linux amd64 | Linux arm64
- Jira Linux amd64 | Linux arm64
- Email Linux amd64 | Linux arm64
- Microsoft Teams Linux amd64 | Linux arm64
Teleport 15.4.21
Description
Security fixes
[High] Privilege persistence in Okta SCIM-only integration
When Okta SCIM-only integration is enabled, in certain cases Teleport could
calculate the effective set of permission based on SSO user's stale traits. This
could allow a user who was unassigned from an Okta group to log into a Teleport
cluster once with a role granted by the unassigned group being present in their
effective role set.
Note: This issue only affects Teleport clusters that have installed a SCIM-only
Okta integration as described in this guide. If you have an Okta integration
with user sync enabled or only using Okta SSO auth connector to log into your
Teleport cluster without SCIM integration configured, you're unaffected. To
verify your configuration:
- Use
tctl get plugins/okta --format=json | jq ".[].spec.Settings.okta.sync_settings.sync_users"
command to check if you have Okta integration with user sync enabled. If it
outputs null or false, you may be affected and should upgrade. - Check SCIM provisioning settings for the Okta application you created or
updated while following the SCIM-only setup guide. If SCIM provisioning is
enabled, you may be affected and should upgrade.
We strongly recommend customers who use Okta SCIM integration to upgrade their
auth servers to version 15.4.19 or later. Teleport services other than auth
(proxy, SSH, Kubernetes, desktop, application, database and discovery) are not
impacted and do not need to be updated.
Other improvements and fixes
- Added a new teleport_roles_total metric that exposes the number of roles which exist in a cluster. #47811
- The
join_token.create
audit event has been enriched with additional metadata. #47766 - Automatic device enrollment may be locally disabled using the TELEPORT_DEVICE_AUTO_ENROLL_DISABLED=1 environment variable. #47719
- Fixed the Machine ID and GitHub Actions wizard. #47709
- Alter ServiceAccounts in the teleport-cluster Helm chart to automatically disable mounting of service account tokens on newer Kubernetes distributions, helping satisfy security linters. #47702
- Avoid tsh auto-enroll escalation in machines without a TPM. #47696
- Fixed a bug that prevented users from canceling
tsh scan keys
executions. #47657 - Reworked the
teleport-event-handler
integration to significantly improve performance, especially when running with larger--concurrency
values. #47632 - Fixes a bug where Let's Encrypt certificate renewal failed in AMI and HA deployments due to insufficient disk space caused by syncing audit logs. #47624
- Adds support for custom SQS consumer lock name and disabling a consumer. #47613
- Allow using a custom database for Firestore backends. #47584
- Include host name instead of host uuid in error messages when SSH connections are prevented due to an invalid login. #47579
- Extended Teleport Discovery Service to support resource discovery across all projects accessible by the service account. #47567
- Fixed a bug that could allow users to list active sessions even when prohibited by RBAC. #47563
- The tctl tokens ls command redacts secret join tokens by default. To include the token values, provide the new --with-secrets flag. #47546
- Fix the example Terraform code to support the new larger Teleport Enterprise licenses and updates output of web address to use fqdn when ACM is disabled. #47511
- Added missing field-level documentation to the terraform provider reference. #47470
- Fixed a bug where tsh logout failed to parse flags passed with spaces. #47462
- Fixed the resource-based labels handler crashing without restarting. #47453
- Fix possibly missing rules when using large amount of Access Monitoring Rules. #47429
Enterprise:
- Device auto-enroll failures are now recorded in the audit log.
- Fixed possible panic when processing Okta assignments.
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
Plugins
Download the current release of Teleport plugins from the links below.
- Slack Linux amd64 | Linux arm64
- Mattermost Linux amd64 | Linux arm64
- Discord Linux amd64 | Linux arm64
- Terraform Provider Linux amd64 | Linux arm64 | macOS amd64 | macOS arm64 | macOS universal
- Event Handler Linux amd64 | Linux arm64 | macOS amd64
- PagerDuty Linux amd64 | Linux arm64
- Jira Linux amd64 | Linux arm64
- Email Linux amd64 | Linux arm64
- Microsoft Teams Linux amd64 | Linux arm64
Teleport 16.4.3
Description
- Extended Teleport Discovery Service to support resource discovery across all projects accessible by the service account. #47568
- Fixed a bug that could allow users to list active sessions even when prohibited by RBAC. #47564
- The
tctl tokens ls
command redacts secret join tokens by default. To include the token values, provide the new--with-secrets flag
. #47545 - Added missing field-level documentation to the terraform provider reference. #47469
- Fixed a bug where
tsh logout
failed to parse flags passed with spaces. #47460 - Fixed the resource-based labels handler crashing without restarting. #47452
- Install teleport FIPS binary in FIPS environments during Server Auto Discover. #47437
- Fix possibly missing rules when using large amount of Access Monitoring Rules. #47430
- Added ability to list/get AccessMonitoringRule resources with
tctl
. #47401 - Include JWK header in JWTs issued by Teleport Application Access. #47393
- Teleport Workload ID now supports issuing JWT SVIDs via the Workload API. #47389
- Added kubeconfig context name to the output table of
tsh proxy kube
command for enhanced clarity. #47383 - Improve error messaging when connections to offline agents are attempted. #47361
- Allow specifying the instance type of AWS HA Terraform bastion instance. #47338
- Added a config option to Teleport Connect to control how it interacts with the local SSH agent (
sshAgent.addKeysToAgent
). #47324 - Teleport Workload ID issued JWT SVIDs are now compatible with OIDC federation with a number of platforms. #47317
- The "ha-autoscale-cluster" terraform module now support default AWS resource tags and ASG instance refresh on configuration or launch template changes. #47299
- Fixed error in Workload ID in cases where the process ID cannot be resolved. #47274
- Teleport Connect for Linux now requires glibc 2.31 or later. #47262
- Fixed a bug where security group rules that refer to another security group by ID were not displayed in web UI enrollment wizards when viewing security group rules. #47246
- Improve the msteams access plugin debug logging. #47158
- Fix missing tsh MFA prompt in certain OTP+WebAuthn scenarios. #47154
- Updates self-hosted db discover flow to generate 2190h TTL certs, not 12h. #47125
- Fixes an issue preventing access requests from displaying user friendly resource names. #47112
- Fixed a bug where only one IP CIDR block security group rule for a port range was displayed in the web UI RDS enrollment wizard when viewing a security group. #47077
- The
tsh play
command now supports a text output format. #47073 - Updated Go to 1.22.8. #47050
- Fixed the "source path is empty" error when attempting to upload a file in Teleport Connect. #47011
- Added static host users to Terraform provider. #46974
- Enforce a global
device_trust.mode=required
on OSS processes paired with an Enterprise Auth. #46947 - Added a new config option in Teleport Connect to control SSH agent forwarding (
ssh.forwardAgent
); starting in Teleport Connect v17, this option will be disabled by default. #46895 - Correctly display available allowed logins of leaf AWS Console Apps on
tsh app login
. #46806 - Allow all audit events to be trimmed if necessary. #46499
Enterprise:
- Fixed possible panic when processing Okta assignments.
- Fixed bug where an unknown device aborts device web authentication.
- Add the Datadog Incident Management Plugin as a hosted plugin.
- Permit bootstrapping enterprise clusters with state from an open source cluster.
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
Plugins
Download the current release of Teleport plugins from the links below.
- Slack Linux amd64 | Linux arm64
- Mattermost Linux amd64 | Linux arm64
- Discord Linux amd64 | Linux arm64
- Terraform Provider Linux amd64 | Linux arm64 | macOS amd64 | macOS arm64 | macOS universal
- Event Handler Linux amd64 | Linux arm64 | macOS amd64
- PagerDuty Linux amd64 | Linux arm64
- Jira Linux amd64 | Linux arm64
- Email Linux amd64 | Linux arm64
- Microsoft Teams Linux amd64 | Linux arm64
Teleport 15.4.20
Description
- Added ability to list/get access monitoring rules resources with
tctl
. #47402 - Include JWK header in JWTs issued by Teleport Application Access. #47394
- Added kubeconfig context name to the output table of
tsh proxy kube
command for enhanced clarity. #47382 - Improve error messaging when connections to offline agents are attempted. #47362
- Allow specifying the instance type of AWS HA Terraform bastion instance. #47339
- Added a config option to Teleport Connect to control how it interacts with the local SSH agent (
sshAgent.addKeysToAgent
). #47325 - Fixed error in Workload ID in cases where the process ID cannot be resolved. #47275
- Teleport Connect for Linux now requires glibc 2.31 or later. #47263
- Fix missing
tsh
MFA prompt in certain OTP+WebAuthn scenarios. #47155 - Updates self-hosted db discover flow to generate 2190h TTL certs, not 12h. #47127
- Fixes an issue preventing access requests from displaying user friendly resource names. #47111
- Updated Go to
1.22.8
. #47052 - Fixed the "source path is empty" error when attempting to upload a file in Teleport Connect. #47013
- Enforce a global
device_trust.mode=required
on OSS processes paired with an Enterprise Auth. #46946 - A user joining a session will now see available controls for terminating & leaving the session. #46910
- Added a new config option in Teleport Connect to control SSH agent forwarding (
ssh.forwardAgent
); starting in Teleport Connect v17, this option will be disabled by default. #46897 - Teleport no longer creates invalid SAML Connectors when calling
tctl get saml/<connector-name> | tctl create -f
without the--with-secrets
flag. #46864 - Fixed a regression in the SAML IdP service which prevented cache from initializing in a cluster that may have a service provider configured with unsupported
acs_url
andrelay_state
values. #46846 - Machine ID now generates cluster-specific ssh_config and known_host files which will always direct SSH connections made using them via Teleport. #46685
- Added new empty state to Devices list in web UI. #5119
- Permit bootstrapping enterprise clusters with state from an open source cluster. #5094
- Fixes a possible crash when using Teleport Policy's GitLab integration. #5071
- Emit audit logs when creating, updating or deleting Teleport Plugins. #5056
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
Plugins
Download the current release of Teleport plugins from the links below.
- Slack Linux amd64 | Linux arm64
- Mattermost Linux amd64 | Linux arm64
- Discord Linux amd64 | Linux arm64
- Terraform Provider Linux amd64 | Linux arm64 | macOS amd64 | macOS arm64 | macOS universal
- Event Handler Linux amd64 | Linux arm64 | macOS amd64
- PagerDuty Linux amd64 | Linux arm64
- Jira Linux amd64 | Linux arm64
- Email Linux amd64 | Linux arm64
- Microsoft Teams Linux amd64 | Linux arm64
Teleport 14.3.32
Description
- Fixes an issue preventing access requests from displaying user friendly resource names. #47110
- Updated Go to
1.22.8
. #47053 - Fixed the "source path is empty" error when attempting to upload a file in Teleport Connect. #47014
- Enforce a global
device_trust.mode=required
on OSS processes paired with an Enterprise Auth. #46945 - A user joining a session will now see available controls for terminating & leaving the session. #46923
- Teleport no longer creates invalid SAML Connectors when calling
tctl get saml/<connector-name> | tctl create -f
without the--with-secrets
flag. #46887 - Fixed a regression in the SAML IdP service which prevented cache from initializing in a cluster that may have a service provider configured with unsupported
acs_url
andrelay_state
values. #46847 - Fixes a bug in Kubernetes access that causes the error
expected *metav1.PartialObjectMetadata object
when trying to list resources. #46696 - Fixed an issue that prevented host user creation when the username was also listed in
host_groups
. #46639 - Allow all audit events to be trimmed if necessary. #46505
- Fixed an issue preventing session joining while host user creation was in use. #46503
- Fixed an issue that prevented the Firestore backend from reading existing data. #46435
- The
teleport-kube-agent
chart now correctly propagates configured annotations when deploying a StatefulSet. #46423 - Ensure that additional pod labels are carried over to post-upgrade and post-delete hook job pods when using the
teleport-kube-agent
Helm chart. #46236
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
Plugins
Download the current release of Teleport plugins from the links below.
- Slack Linux amd64 | Linux arm64
- Mattermost Linux amd64 | Linux arm64
- Discord Linux amd64 | Linux arm64
- Terraform Provider Linux amd64 | Linux arm64 | macOS amd64 | macOS arm64 | macOS universal
- Event Handler Linux amd64 | Linux arm64 | macOS amd64
- PagerDuty Linux amd64 | Linux arm64
- Jira Linux amd64 | Linux arm64
- Email Linux amd64 | Linux arm64
- Microsoft Teams Linux amd64 | Linux arm64