Certificate authority and access plane for SSH, Kubernetes, web applications, and databases

Overview

Teleport

Teleport is an identity-aware, multi-protocol access proxy that understands the SSH, HTTPS, Kubernetes API, MySQL and PostgreSQL wire protocols.

On the server side, Teleport is a single binary that provides convenient, secure access to resources behind NAT, such as SSH servers, Kubernetes clusters, internal web applications and databases.

Teleport is trivial to set up as a Linux daemon or in a Kubernetes pod, and it is rapidly replacing legacy sshd-based setups at organizations that need:

  • Developer convenience: instant, secure access to everything they need across many environments and cloud providers.
  • An audit log with session recording and replay for every supported protocol.
  • Easy management of trust between teams, organizations and data centers.
  • Role-based access control (RBAC) and flexible access workflows, such as one-time access requests.

In addition to its hallmark features, Teleport is interesting for smaller teams because it makes the best infrastructure security practices easy to adopt:

  • No shared secrets such as SSH keys to manage: Teleport issues short-lived certificates for every protocol, so access expires automatically.
  • Second-factor authentication (2FA) for everything.
  • Collaborative troubleshooting through session sharing.
  • Single sign-on (SSO) for everything via GitHub, OpenID Connect or SAML, with identity providers such as Okta or Active Directory.
  • Infrastructure introspection: every SSH node, database instance, Kubernetes cluster and internal web app, along with its status, can be queried from the CLI and the Web UI.

Teleport is built on top of the Go SSH implementation (golang.org/x/crypto/ssh), is fully compatible with OpenSSH, and can be used with existing sshd servers and ssh clients.
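The "certificate-based access with automatic expiration" and "compatible with OpenSSH" claims above rest on one artefact: an OpenSSH-format user certificate signed by the cluster's CA. The program below is an added example, not code from the Teleport project; Teleport's auth server produces these certificates with golang.org/x/crypto/ssh, whereas this version encodes the ssh-ed25519 certificate layout from OpenSSH's PROTOCOL.certkeys with the standard library only, so it runs offline. Issue plays the CA, and Check does what sshd does before accepting a login: verify the signature against the trusted CA, enforce the validity window, and require the requested login to be listed as a principal. The user alice, the login root, the 8-hour TTL and the permit-pty extension are assumptions chosen for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Layout from OpenSSH's PROTOCOL.certkeys: big-endian integers, "string" = uint32 length + bytes.
const certType = "ssh-ed25519-cert-v01@openssh.com"

func putU32(b []byte, v uint32) []byte { return append(b, byte(v>>24), byte(v>>16), byte(v>>8), byte(v)) }
func putU64(b []byte, v uint64) []byte { return putU32(putU32(b, uint32(v>>32)), uint32(v)) }
func putStr(b, s []byte) []byte        { return append(putU32(b, uint32(len(s))), s...) }

// reader decodes wire fields and records the first error instead of panicking on hostile input.
type reader struct {
	b   []byte
	off int
	err error
}

func (r *reader) take(n int) []byte {
	if r.err == nil && (n < 0 || r.off+n > len(r.b)) {
		r.err = errors.New("truncated certificate")
	}
	if r.err != nil {
		return nil
	}
	r.off += n
	return r.b[r.off-n : r.off]
}
func (r *reader) u32() uint32 { v := r.take(4); if v == nil { return 0 }; return binary.BigEndian.Uint32(v) }
func (r *reader) u64() uint64 { v := r.take(8); if v == nil { return 0 }; return binary.BigEndian.Uint64(v) }
func (r *reader) str() []byte { return r.take(int(r.u32())) }
func (r *reader) more() bool  { return r.err == nil && r.off < len(r.b) }

// Issue signs a user certificate the way an SSH CA does (Teleport's auth server, or ssh-keygen -s);
// every field before the signature is covered by it, so principals and expiry cannot be edited afterwards.
func Issue(ca ed25519.PrivateKey, user ed25519.PublicKey, keyID string, principals []string,
	notBefore, notAfter time.Time, extensions []string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil { panic(err) }
	var prin, exts []byte
	for _, p := range principals { prin = putStr(prin, []byte(p)) }
	for _, e := range extensions { exts = putStr(putStr(exts, []byte(e)), nil) } // flag extensions have an empty value
	caPub := putStr(putStr(nil, []byte("ssh-ed25519")), ca.Public().(ed25519.PublicKey))
	b := putStr(putStr(putStr(nil, []byte(certType)), nonce), user)
	b = putU32(putU64(b, 1), 1) // serial, then type: 1 = user certificate, 2 = host certificate
	b = putStr(putStr(b, []byte(keyID)), prin)
	b = putU64(putU64(b, uint64(notBefore.Unix())), uint64(notAfter.Unix()))
	b = putStr(putStr(putStr(putStr(b, nil), exts), nil), caPub) // critical options, extensions, reserved, CA key
	return putStr(b, putStr(putStr(nil, []byte("ssh-ed25519")), ed25519.Sign(ca, b)))
}

// Cert holds the fields worth inspecting; Extensions maps flag names (permit-pty, ...) to true.
type Cert struct {
	KeyID                   string
	Principals              []string
	ValidAfter, ValidBefore time.Time
	Extensions              map[string]bool
}

// Check accepts raw only if it is signed by trustedCA, valid at now and explicitly lists login as a principal.
func Check(raw []byte, trustedCA ed25519.PublicKey, login string, now time.Time) (*Cert, error) {
	r := &reader{b: raw}
	hdr := r.str()
	r.str(); r.str(); r.u64() // nonce, subject public key, serial
	typ := r.u32()
	c := &Cert{KeyID: string(r.str()), Extensions: map[string]bool{}}
	for p := (&reader{b: r.str()}); p.more(); {
		c.Principals = append(c.Principals, string(p.str()))
	}
	c.ValidAfter, c.ValidBefore = time.Unix(int64(r.u64()), 0), time.Unix(int64(r.u64()), 0)
	r.str() // critical options (none issued above)
	for e := (&reader{b: r.str()}); e.more(); {
		name := e.str()
		e.str() // value, empty for flag extensions
		c.Extensions[string(name)] = true
	}
	r.str() // reserved
	k := &reader{b: r.str()}
	signed := raw[:r.off] // everything before the signature field is what the CA signed
	s := &reader{b: r.str()}
	switch {
	case r.err != nil || r.more() || string(hdr) != certType || typ != 1:
		return nil, errors.New("malformed certificate or not an ed25519 user certificate")
	case string(k.str()) != "ssh-ed25519" || !ed25519.PublicKey(k.str()).Equal(trustedCA):
		return nil, errors.New("signing key is not the trusted CA")
	case string(s.str()) != "ssh-ed25519" || !ed25519.Verify(trustedCA, signed, s.str()):
		return nil, errors.New("signature does not verify")
	case now.Before(c.ValidAfter) || !now.Before(c.ValidBefore):
		return c, fmt.Errorf("outside validity window %v to %v", c.ValidAfter.UTC(), c.ValidBefore.UTC())
	}
	for _, p := range c.Principals {
		if p == login {
			return c, nil
		}
	}
	// OpenSSH accepts an empty principal list for any login; this check deliberately does not.
	return c, fmt.Errorf("login %q not among principals %v", login, c.Principals)
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	userPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	raw := Issue(caPriv, userPub, "alice", []string{"root"}, now, now.Add(8*time.Hour), []string{"permit-pty"})
	_, err := Check(raw, caPub, "admin", now) // alice's certificate only allows the login root
	fmt.Println(len(raw), "byte certificate;", err)
}
```

Two details matter in practice. Expiry is enforced by the verifier, not the issuer: once a certificate leaves the auth server it cannot be recalled, so short TTLs are the revocation mechanism, which is why Check treats valid_before as a hard stop. And an empty principal list is accepted by OpenSSH for any login, so a CA that forgets to set principals has issued a wildcard credential; Check refuses such a certificate. To inspect a real certificate that tsh stores under ~/.tsh/keys, run ssh-keygen -L -f on the *-cert.pub file and compare the Principals, Valid and Extensions lines with the role that granted it.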

Project links:

  • Teleport Website: the official website of the project.
  • Documentation: admin guide, user manual and more.
  • Demo Video: 5-minute video overview of the UI.
  • Teleconsole: a free service to "invite" SSH clients behind NAT, built on top of Teleport.
  • Blog: where we publish Teleport news.
  • Forum: ask a setup question, post your tutorial, feedback or idea.
  • Slack: need help with setup? Ping us in the Slack channel.

Teleport 6.0 demo video (4 minutes)

Installing and Running

Download the latest binary release, unpack the .tar.gz and run sudo ./install. This will copy Teleport binaries into /usr/local/bin.

Then you can run Teleport as a single-node cluster:

$ sudo teleport start

In a production environment Teleport must run as root, since it has to start sessions as whichever OS user a client logs in as. To experiment, run chown $USER /var/lib/teleport and start Teleport as $USER; in that case you will only be able to log in as that user.

Docker

Deploy Teleport

If you wish to deploy Teleport inside a Docker container:

# This command will pull the Teleport container image for version 6
$ docker pull quay.io/gravitational/teleport:6

View the latest tags on Quay.io (gravitational/teleport).

For Local Testing and Development

Follow instructions at docker/README

Building Teleport

The Teleport source tree consists of the Teleport daemon, written in Go, and the web UI, written in JavaScript and vendored as a git submodule in the webassets/ directory.

Make sure you have Go 1.15 or newer, then run:

# get the source & build:
$ git clone https://github.com/gravitational/teleport.git
$ cd teleport
$ make full

# create the default data directory before starting:
$ sudo mkdir -p -m0700 /var/lib/teleport
$ sudo chown $USER /var/lib/teleport

If the build succeeds, the binaries are placed in the build/ directory of the repository (for example $GOPATH/src/github.com/gravitational/teleport/build if you cloned it there).

NOTE: The Go compiler is somewhat sensitive to the amount of available memory: you need at least 1GB of virtual memory to compile Teleport. A 512MB instance without swap will not work.

NOTE: This builds the current development branch, regardless of whether it is stable. To build the latest stable release, check out its tag (e.g. git checkout v6.0.0) before running make full.

Web UI

Teleport Web UI is located in the Gravitational Webapps repo.

Rebuilding Web UI for development

You can clone that repository and rebuild the Teleport UI package with:

$ git clone git@github.com:gravitational/webapps.git
$ cd webapps
$ make build-teleport

Then you can replace the Teleport Web UI files with the ones found in the generated dist/ folder.

To enable speedy iteration on the Web UI, you can run a local web-dev server.

You can also tell Teleport to load the Web UI assets from the source directory. To enable this behavior, set the environment variable DEBUG=1 and start the binary built by the default make target:

# Run Teleport as a single-node cluster in development mode:
$ DEBUG=1 ./build/teleport start -d

Keep the server running in this mode and make your UI changes in the dist/ directory. Refer to the webapps README for instructions on how to update the Web UI.

Updating Web UI assets

After you commit a change to the webapps repo, you need to update the Web UI assets in the webassets/ git submodule.

Use make update-webassets to update the webassets repo and create a PR for teleport to update its git submodule.

You will need to have the gh utility installed on your system for the script to work. You can download it from https://github.com/cli/cli/releases/latest

Updating Documentation

TL;DR version:

make docs
make run-docs

For more details, take a look at docs/README

Managing dependencies

Dependencies are managed using Go modules. Here are instructions for some common tasks:

Add a new dependency

Latest version:

go get github.com/new/dependency
# Update the source to actually use this dependency, then run:
make update-vendor

Specific version:

go get github.com/new/dependency@version
# Update the source to actually use this dependency, then run:
make update-vendor

Set dependency to a specific version

go get github.com/new/dependency@version
make update-vendor

Update dependency to the latest version

go get -u github.com/new/dependency
make update-vendor

Update all dependencies

go get -u all
make update-vendor

Debugging dependencies

Why is a specific package imported: go mod why $pkgname.

Why is a specific module imported: go mod why -m $modname.

Why is a specific version of a module imported: go mod graph | grep $modname.

Why Did We Build Teleport?

The Teleport creators used to work together at Rackspace. We noticed that most cloud computing users struggle with setting up and configuring infrastructure security because popular tools, while flexible, are complex to understand and expensive to maintain. Additionally, most organizations use multiple infrastructure form factors such as several cloud providers, multiple cloud accounts, servers in colocation, and even smart devices. Some of those devices run on untrusted networks, behind third party firewalls. This only magnifies complexity and increases operational overhead.

We had a choice, either to start a security consulting business or build a solution that’s dead-easy to use and understand, something that creates an illusion of all of your servers being in the same room as you as if they were magically teleported. And Teleport was born!

More Information

Support and Contributing

We offer a few different options for support. First of all, we try to provide clear and comprehensive documentation. The docs are also on GitHub, so feel free to create a PR or file an issue if you think improvements can be made. If you still have questions after reviewing our docs, you can also:

  • Join Teleport Discussions to ask questions. Our engineers are available there to help you.
  • If you want to contribute to Teleport or file a bug report/issue, you can do so by creating an issue here on GitHub.
  • If you are interested in Teleport Enterprise or more responsive support during a POC, we can also create a dedicated Slack channel for you during your POC. You can reach out to us through our website to arrange a POC.

Is Teleport Secure and Production Ready?

Teleport has completed several security audits by nationally recognized security firms, some of which have been made public. We are comfortable with the use of Teleport from a security perspective.

You can see the list of companies who use Teleport in production on the Teleport product page.

However, Teleport is still a relatively young product so you may experience usability issues. We are actively supporting Teleport and addressing any issues that are submitted to this repo. Ask questions, send pull requests, report issues and don't be shy! :)

The latest stable Teleport build can be found in Releases.

Who Built Teleport?

Teleport was created by Gravitational Inc. We have built Teleport by borrowing from our previous experiences at Rackspace. It has been extracted from Gravity, our Kubernetes distribution optimized for deploying and remotely controlling complex applications into multiple environments at the same time:

  • Multiple cloud regions
  • Colocation
  • Private enterprise clouds located behind firewalls

Issues
  • Idiomatic helm chart for Teleport

    Hey, thanks a lot for maintaining the awesome project!

    Here is an (hopefully) idiomatic helm chart for Teleport, with instructions to test it locally using minikube + ngrok.

    I was just trying to run Teleport on Kubernetes for #1986 and thought a more idiomatic helm chart would be helpful as a foundation towards the upcoming 2.7.0 release. I'm sending this PR because I was unable to just wait for it :)

    Please feel free to leave questions, comments, requests, etc.

    opened by mumoshu 39
  • Reverse tunnels for individual nodes?

    Are there any plans for support of individual nodes creating reverse tunnels to a proxy server without creating a new cluster? We have a case where we would like to have a single node setup at multiple different sites, but currently it looks like we would need to configure a cluster for each site just for a single node to use a reverse tunnel.

    feature-request 
    opened by zbuttram 38
  • 2.0.6 to 2.2 alpha upgrade issue with DynamoDB backend

    Originally reported by @ekristen in #896 (in comments at the bottom):

    Well I upgraded to alpha8 and now I cannot add anymore nodes. Getting the cluster has no signing keys. There seems to be something with upgrading to a new version using dynamodb that breaks everything.

    Logs:

    level=warning msg="[AUTH] Node \"server-001\" [11fbfa42-17b9-4cfe-a863-65e791663838] can not join: certificate generation error: my-cluster has no signing keys" file="auth/auth.go:464" func="auth.(*AuthServer).GenerateServerKeys"


    I cannot since I've already upgraded. However I was on 2.0.6 and now I am on Teleport v2.2.0-alpha.8 git:v2.1.0-alpha.6-43-g14cf169d-dirty

    I can tell you that I've now seen this happen multiple times across multiple versions. I am using dynamodb as a backend. I attempted to replicate it using dir mode only and a single auth server and was unable to.

    After that I went back to using dynamodb with multiple auth servers however I only use 1 when registering nodes, so while the other 2 are running the auth service nothing is talking to them.

    Everything seemed great for a while, I was able to add nodes and this bug seemed to not be present anymore until I upgraded to alpha8 and I completely lost the ability to register nodes again.

    bug 
    opened by kontsevoy 33
  • Package the Installer for Common OS's

    It would make my life easier if the Installer were packaged for various Linux Distro's, but I am actually after it being added to Homebrew so that it'd be easier for my end users to install. It's something that I can tackle, but would prefer that it was integrated by you guys so that it doesn't fall out of date if I miss a release a cycle.

    feature-request 
    opened by andrewl3wis 31
  • teleport unable to bind to 3025

    It seems that when you start teleport it expects the auth_service to be running -

    ip-10-0-0-115 teleport # ./teleport start --roles=node --token=e66bdb3a03946a8f66347941f7196b6f --auth-server=publicip:3025
    dial tcp 10.0.0.115:3025: getsockopt: connection refused
    
    documentation 
    opened by jchauncey 30
  • gpg-agent does not support SSH certificates, tsh should be aware of this

    What happened:

    • Yubikeys use gpg-agent to hold keys/certificates
    • gpg-agent does not support SSH certificates (https://dev.gnupg.org/T1756)
    • When gpg-agent is running and you log into a Teleport cluster, tsh adds stuff to the agent that it doesn't understand
    • This causes issues for people using Yubikeys

    What you expected to happen:

    1. tsh should have a command-line flag which disables any attempt to write to a running agent.
    2. Ideally, tsh would be able to detect when gpg-agent is running rather than ssh-agent and deliberately avoid writing its keys there.

    This would enable much smoother Teleport operations for Yubikey users. tsh still writes its certificates to ~/.tsh/keys/<cluster>, which means that people can use these for their Teleport operations instead.

    How to reproduce it (as minimally and precisely as possible): Run gpg-agent, log into a Teleport cluster using tsh then observe that what's in the agent is not a valid certificate (error fetching identities: Invalid key length)

    Environment:

    • Teleport version (use teleport version): Teleport Enterprise v4.1.4git:v4.1.4-0-gc487a75c go1.13.2
    • Tsh version (use tsh version): Teleport v4.1.4 git:v4.1.4-0-gc487a75c go1.13.2
    • OS (e.g. from /etc/os-release): Fedora 30
    bug tsh R1 c-sh 
    opened by webvictim 25
  • Windows tsh binary

    Is there any plan to make a tsh binary, or at least have some way of using the client on windows?

    [EDIT by @ekontsevoy] the discussion below suggests to implement only agent mode for Windows. Read the comments.

    [EDIT by @webvictim] Anyone interested can download our Windows tsh binary (which allows you to run tsh login to get a certificate) from our download portal: https://gravitational.com/teleport/download

    feature-request 
    opened by jaxxstorm 24
  • [WIP] Implement Consul Backend

    This is an initial attempt at a consul backend for Teleport.

    It's heavily based off of the existing etcd backend, with the main difference of borrowing the TTL logic of the boltdb backend.

    Initial Questions:

    1. In the etcd backend, there is stopC and cancelC but they don't seem to do anything. What is their purpose? Is this something I should add to the Consul backend?
    2. Can I get some guidance on how to test this? I have very little experience with Teleport, as this PR is really needed before my company can even consider Teleport.
    3. ~~I haven't used godeps in a while, how do I properly add github.com/hashicorp/consul/api to it?~~

    Fixes #423

    opened by ajvb 23
  • RFD 43: Kubernetes Access Multiparty Sessions

    This RFD proposes a design for Kubernetes Access multiparty sessions and a feature for requiring certain viewers to be present for a session to begin.

    rfd 
    opened by xacrimon 22
  • Teleport 6.2 Test Plan

    Manual Testing Plan

    Below are the items that should be manually tested with each release of Teleport. These tests should be run on both a fresh install of the version to be released as well as an upgrade of the previous version of Teleport.

    • [x] Adding nodes to a cluster @webvictim @tcsc

      • [x] Adding Nodes via Valid Static Token
      • [x] Adding Nodes via Valid Short-lived Tokens
      • [x] Adding Nodes via Invalid Token Fails
      • [x] Adding Nodes via Expired Token Fails
      • [x] Adding Nodes with No Token Fails
      • [x] Adding Nodes with Invalid Roles Fails
      • [x] Revoking Node Invitation
    • [x] Trusted Clusters @nklaassen @awly

      • [x] Adding Trusted Cluster Valid Static Token
      • [x] Adding Trusted Cluster Valid Short-lived Token
      • [x] Adding Trusted Cluster Invalid Token
      • [x] Removing Trusted Cluster
    • [x] RBAC @Joerger @andrejtokarcik

      Make sure that invalid and valid attempts are reflected in audit log.

      • [x] Successfully connect to node with correct role
      • [x] Unsuccessfully connect to a node in a role restricting access by label
      • [x] Unsuccessfully connect to a node in a role restricting access by invalid SSH login
      • [x] Allow/deny role option: SSH agent forwarding
      • [x] Allow/deny role option: Port forwarding
    • [x] Users @fspmarshall @quinqu With every user combination, try to login and signup with invalid second factor, invalid password to see how the system reacts.

      • [x] Adding Users Password Only
      • [x] Adding Users OTP
      • [x] Adding Users U2F
      • [x] Managing MFA devices
        • [x] Add an OTP device with tsh mfa add
        • [x] Add a U2F device with tsh mfa add
        • [x] List MFA devices with tsh mfa ls
        • [x] Remove an OTP device with tsh mfa rm
        • [x] Remove a U2F device with tsh mfa rm
        • [x] Attempt removing the last MFA device on the user
          • [x] with second_factor: on in auth_service, should fail
          • [x] with second_factor: optional in auth_service, should succeed
      • [x] Login Password Only
      • [x] Login with MFA
        • [x] Add 2 OTP and 2 U2F devices with tsh mfa add
        • [x] Login via OTP
        • [x] Login via U2F
      • [x] Login OIDC
      • [x] Login SAML
      • [x] Login GitHub
      • [x] Deleting Users
    • [x] Audit Log @r0mant @xacrimon

      • [x] Failed login attempts are recorded
      • [x] Interactive sessions have the correct Server ID
        • [x] Server ID is the ID of the node in regular mode
        • [x] Server ID is randomly generated for proxy node
      • [x] Exec commands are recorded
      • [x] scp commands are recorded
      • [x] Subsystem results are recorded
    • [x] Interact with a cluster using tsh @webvictim @tcsc

      These commands should ideally be tested for recording and non-recording modes as they are implemented in a different ways.

      • [x] tsh ssh <regular-node>
      • [x] tsh ssh <node-remote-cluster>
      • [x] tsh ssh -A <regular-node>
      • [x] tsh ssh -A <node-remote-cluster>
      • [x] tsh ssh <regular-node> ls
      • [x] tsh ssh <node-remote-cluster> ls
      • [x] tsh join <regular-node>
      • [x] tsh join <node-remote-cluster>
      • [x] tsh play <regular-node>
      • [x] tsh play <node-remote-cluster>
      • [x] tsh scp <regular-node>
      • [x] tsh scp <node-remote-cluster>
      • [x] tsh ssh -L <regular-node>
      • [x] tsh ssh -L <node-remote-cluster>
      • [x] tsh ls
      • [x] tsh clusters
    • [x] Interact with a cluster using ssh @nklaassen @awly Make sure to test both recording and regular proxy modes.

      • [x] ssh <regular-node>
      • [x] ssh <node-remote-cluster>
      • [x] ssh -A <regular-node>
      • [x] ssh -A <node-remote-cluster>
      • [x] ssh <regular-node> ls
      • [x] ssh <node-remote-cluster> ls
      • [x] scp <regular-node>
      • [x] scp <node-remote-cluster>
      • [x] ssh -L <regular-node>
      • [x] ssh -L <node-remote-cluster>
    • [x] Interact with a cluster using the Web UI @Joerger @andrejtokarcik

      • [x] Connect to a Teleport node
      • [x] Connect to a OpenSSH node
      • [x] Check agent forwarding is correct based on role and proxy mode.

    Combinations @fspmarshall @quinqu

    For some manual testing, many combinations need to be tested. For example, for interactive sessions the 12 combinations are below.

    • [x] Connect to a OpenSSH node in a local cluster using OpenSSH.
    • [x] Connect to a OpenSSH node in a local cluster using Teleport.
    • [x] Connect to a OpenSSH node in a local cluster using the Web UI.
    • [x] Connect to a Teleport node in a local cluster using OpenSSH.
    • [x] Connect to a Teleport node in a local cluster using Teleport.
    • [x] Connect to a Teleport node in a local cluster using the Web UI.
    • [x] Connect to a OpenSSH node in a remote cluster using OpenSSH.
    • [x] Connect to a OpenSSH node in a remote cluster using Teleport.
    • [x] Connect to a OpenSSH node in a remote cluster using the Web UI.
    • [x] Connect to a Teleport node in a remote cluster using OpenSSH.
    • [x] Connect to a Teleport node in a remote cluster using Teleport.
    • [x] Connect to a Teleport node in a remote cluster using the Web UI.

    Teleport with multiple Kubernetes clusters @xacrimon @webvictim

    Note: you can use GKE or EKS or minikube to run Kubernetes clusters. Minikube is the only caveat - it's not reachable publicly so don't run a proxy there.

    • [x] Deploy combo auth/proxy/kubernetes_service outside of a Kubernetes cluster, using a kubeconfig
      • [x] Login with tsh login, check that tsh kube ls has your cluster
      • [x] Run kubectl get nodes, kubectl exec -it $SOME_POD -- sh
      • [x] Verify that the audit log recorded the above request and session
    • [ ] Deploy combo auth/proxy/kubernetes_service inside of a Kubernetes cluster
      • [x] Login with tsh login, check that tsh kube ls has your cluster
      • [x] Run kubectl get nodes, kubectl exec -it $SOME_POD -- sh
      • [ ] Verify that the audit log recorded the above request and session
    • [ ] Deploy combo auth/proxy_service outside of the Kubernetes cluster and kubernetes_service inside of a Kubernetes cluster, connected over a reverse tunnel
      • [x] Login with tsh login, check that tsh kube ls has your cluster
      • [x] Run kubectl get nodes, kubectl exec -it $SOME_POD -- sh
      • [ ] Verify that the audit log recorded the above request and session
    • [ ] Deploy a second kubernetes_service inside of another Kubernetes cluster, connected over a reverse tunnel
      • [x] Login with tsh login, check that tsh kube ls has both clusters
      • [x] Switch to a second cluster using tsh kube login
      • [x] Run kubectl get nodes, kubectl exec -it $SOME_POD -- sh on the new cluster
      • [ ] Verify that the audit log recorded the above request and session
    • [x] Deploy combo auth/proxy/kubernetes_service outside of a Kubernetes cluster, using a kubeconfig with multiple clusters in it
      • [x] Login with tsh login, check that tsh kube ls has all clusters
    • [x] Test Kubernetes screen in the web UI (tab is located on left side nav on dashboard):
      • [x] Verify that all kubes registered are shown with correct name and labels
      • [x] Verify that clicking on a rows connect button renders a dialogue on manual instructions with Step 2 login value matching the rows name column
      • [x] Verify searching for name or labels in the search bar works
      • [x] Verify you can sort by name column

    Helm charts

    • [ ] Deploy teleport-cluster Helm chart to an EKS cluster in HA mode by following the AWS guide
      • [ ] Verify that web UI works with no TLS warnings and you can create a user with tctl users add
      • [ ] Log in with tsh login
      • [ ] Display Kubernetes clusters with tsh kube ls, log in with tsh kube login
      • [ ] Run kubectl get nodes and kubectl -n kube-system get pods
    • [ ] Deploy teleport-cluster Helm chart to a GKE cluster in HA mode by following the GKE guide
      • [ ] Verify that web UI works with no TLS warnings and you can create a user with tctl users add
      • [ ] Log in with tsh login
      • [ ] Display Kubernetes clusters with tsh kube ls, log in with tsh kube login
      • [ ] Run kubectl get nodes and kubectl -n kube-system get pods
    • [ ] Deploy teleport-kube-agent Helm chart to an EKS cluster following instructions in the README
      • [ ] Verify that the remote Kubernetes cluster appears in tsh kube ls, log in with tsh kube login
      • [ ] Run kubectl get nodes and kubectl get pods, verify no errors
    • [ ] Deploy teleport-kube-agent Helm chart to a GKE cluster following instructions in the README
      • [ ] Verify that the remote Kubernetes cluster appears in tsh kube ls, log in with tsh kube login
      • [ ] Run kubectl get nodes and kubectl get pods, verify no errors

    Migrations @tcsc @nklaassen

    • [x] Migrate trusted clusters from 6.1.0 to 6.2.0
      • [x] Migrate auth server on main cluster, then rest of the servers on main cluster SSH should work for both main and old clusters
      • [x] Migrate auth server on remote cluster, then rest of the remote cluster SSH should work

    Command Templates

    When interacting with a cluster, the following command templates are useful:

    OpenSSH

    # when connecting to the recording proxy, `-o 'ForwardAgent yes'` is required.
    ssh -o "ProxyCommand ssh -o 'ForwardAgent yes' -p 3023 %r@proxy.example.com -s proxy:%h:%p" \
      node.example.com

    # the above command only forwards the agent to the proxy, to forward the agent
    # to the target node, `-o 'ForwardAgent yes'` needs to be passed twice.
    ssh -o "ForwardAgent yes" \
      -o "ProxyCommand ssh -o 'ForwardAgent yes' -p 3023 %r@proxy.example.com -s proxy:%h:%p" \
      node.example.com

    # when connecting to a remote cluster using OpenSSH, the subsystem request is
    # updated with the name of the remote cluster.
    ssh -o "ProxyCommand ssh -o 'ForwardAgent yes' -p 3023 %r@proxy.example.com -s proxy:%h:%p@foo.com" \
      node.foo.com
    

    Teleport

    # when connecting to a OpenSSH node, remember `-p 22` needs to be passed.
    tsh --proxy=proxy.example.com --user=<username> --insecure ssh -p 22 node.example.com
    
    # an agent can be forwarded to the target node with `-A`
    tsh --proxy=proxy.example.com --user=<username> --insecure ssh -A -p 22 node.example.com
    
    # the --cluster flag is used to connect to a node in a remote cluster.
    tsh --proxy=proxy.example.com --user=<username> --insecure ssh --cluster=foo.com -p 22 node.foo.com
    

    Teleport Plugins @awly @Joerger

    • [x] Test receiving a message via Teleport Slackbot
    • [x] Test receiving a new Jira Ticket via Teleport Jira

    WEB UI @kimlisa @alex-kovoy

    Main

    For main, test with admin role that has access to all resources.

    Top Nav

    • [x] Verify that cluster selector displays all (root + leaf) clusters
    • [x] Verify that user name is displayed
    • [x] Verify that user menu shows logout, help&support, and account settings (for local users)

    Side Nav

    • [x] Verify that each item has an icon
    • [x] Verify that Collapse/Expand works and collapsed has icon >, and expand has icon v
    • [x] Verify that it automatically expands and highlights the item on page refresh

    Servers aka Nodes

    • [x] Verify that "Servers" table shows all joined nodes
    • [x] Verify that "Connect" button shows a list of available logins
    • [x] Verify that "Hostname", "Address" and "Labels" columns show the current values
    • [x] Verify that "Search" by hostname, address, labels works
    • [x] Verify that terminal opens when clicking on one of the available logins
    • [x] Verify that clicking on Add Server button renders dialogue set to Automatically view
      • [x] Verify clicking on Regenerate Script regenerates token value in the bash command
      • [x] Verify using the bash command successfully adds the server (refresh server list)
      • [x] Verify that clicking on Manually tab renders manual steps
      • [x] Verify that clicking back to Automatically tab renders bash command

    Applications

    • [x] Verify that clicking on Add Application button renders dialogue
      • [x] Verify input validation (prevent empty value and invalid url)
      • [x] Verify after input and clicking on Generate Script, bash command is rendered
      • [x] Verify clicking on Regenerate button regenerates token value in bash command

    Databases

    • [x] Verify that clicking on Add Database button renders dialogue for manual instructions:
      • [x] Verify selecting different options on Step 4 changes Step 5 commands

    Active Sessions

    • [x] Verify that "empty" state is handled
    • [x] Verify that it displays the session when session is active
    • [x] Verify that "Description", "Session ID", "Users", "Nodes" and "Duration" columns show correct values
    • [x] Verify that "OPTIONS" button allows to join a session

    Audit log

    • [x] Verify that time range button is shown and works
    • [x] Verify that clicking on Session Ended event icon, takes user to session player
    • [x] Verify event detail dialogue renders when clicking on events details button
    • [x] Verify searching by type, description, created works

    Users

    • [x] Verify that users are shown
    • [x] Verify that creating a new user works
    • [x] Verify that editing user roles works
    • [x] Verify that removing a user works
    • [x] Verify resetting a user's password works
    • [x] Verify search by username, roles, and type works

    Auth Connectors

    • [x] Verify that creating OIDC/SAML/GITHUB connectors works
    • [x] Verify that editing OIDC/SAML/GITHUB connectors works
    • [x] Verify that error is shown when saving an invalid YAML
    • [x] Verify that correct hint text is shown on the right side
    • [x] Verify that encrypted SAML assertions work with an identity provider that supports it (Azure).

    Auth Connectors Card Icons

    • [x] Verify that GITHUB card has github icon
    • [x] Verify that SAML card has SAML icon
    • [x] Verify that OIDC card has OIDC icon
    • [x] Verify when there are no connectors, empty state renders

    Roles

    • [x] Verify that roles are shown
    • [x] Verify that "Create New Role" dialog works
    • [x] Verify that deleting and editing works
    • [x] Verify that error is shown when saving an invalid YAML
    • [x] Verify that correct hint text is shown on the right side

    Managed Clusters

    • [x] Verify that it displays a list of clusters (root + leaf)
    • [x] Verify that every menu item works: nodes, apps, audit events, session recordings.

    Help & Support

    • [x] Verify that all URLs work and correct (no 404)

    Access Requests

    Creating Access Requests

    1. Create a role with limited permissions (defined below as allow-roles). This role allows you to see the Role screen and ssh into all nodes.
    2. Create another role with limited permissions (defined below as allow-users). This role session expires in 4 minutes, allows you to see Users screen, and denies access to all nodes.
    3. Create another role with no permissions other than being able to create requests (defined below as default)
    4. Create a user with role default assigned
    5. Create a few requests under this user to test pending/approved/denied state.
    kind: role
    metadata:
      name: allow-roles
    spec:
      allow:
        logins:
        - root
        node_labels:
          '*': '*'
        rules:
        - resources:
          - role
          verbs:
          - list
          - read
      options:
        max_session_ttl: 8h0m0s
    version: v3
    
    kind: role
    metadata:
      name: allow-users
    spec:
      allow:
        rules:
        - resources:
          - user
          verbs:
          - list
          - read
      deny:
        node_labels:
          '*': '*'
      options:
        max_session_ttl: 4m0s
    version: v3
    
    kind: role
    metadata:
      name: default
    spec:
      allow:
        request:
          roles:
          - allow-roles
          - allow-users
          suggested_reviewers:
          - random-user-1
          - random-user-2
      options:
        max_session_ttl: 8h0m0s
    version: v3
    
    • [x] Verify that creating a new request works
    • [x] Verify that under requestable roles, only allow-roles and allow-users are listed
    • [x] Verify input validation requires at least one role to be selected
    • [x] Verify you can select/input/modify reviewers
    • [x] Verify after creating, requests are listed in pending states
    • [x] Verify you can't review own requests

    Viewing & Approving/Denying Requests

    Create a user with the role reviewer that allows you to review all requests, and delete them.

    kind: role
    version: v3
    metadata:
      name: reviewer
    spec:
      allow:
        review_requests:
          roles: ['*']
    
    • [x] Verify you can view access request from request list
    • [x] Verify there is a list of the reviewers you selected (empty list if none were selected AND none were defined in the role)
    • [x] Verify threshold name is there (it will be default if thresholds weren't defined in role, or blank if not named)
    • [x] Verify you can approve a request with message, and immediately see updated state with your review stamp (green checkmark) and message box
    • [x] Verify you can deny a request, and immediately see updated state with your review stamp (red cross)
    • [x] Verify deleting the denied request is removed from list

    Assuming Approved Requests

    • [x] Verify assume buttons are only present for approved request and for logged in user
    • [x] Verify that assuming allow-roles allows you to see roles screen and ssh into nodes
    • [x] Verify that after clicking on the assume button, it is disabled in both the list and in viewing
    • [x] After assuming allow-roles, verify that assuming allow-users allows you to see users screen, and denies access to nodes
      • [x] Verify a switchback banner is rendered with roles assumed, and count down of when it expires
      • [x] Verify switching back goes back to your default static role
      • [x] Verify after re-assuming this role, the user is automatically logged out after the expiry is met (4 minutes)
    • [x] Verify that after logging out (or getting logged out automatically) and relogging in, permissions are reset to default, and requests that are not expired and are approved are assumable again

    Access Request Waiting Room

    Strategy Reason

    Create the following role:

    kind: role
    metadata:
      name: restrict
    spec:
      allow:
        request:
          roles:
          - <some other role to assign user after approval>
      options:
        max_session_ttl: 8h0m0s
        request_access: reason
        request_prompt: <some custom prompt to show in reason dialogue>
    version: v3
    
    • [x] Verify after login, reason dialogue is rendered with prompt set to request_prompt setting
    • [x] Verify after clicking send request, pending dialogue renders
    • [x] Verify after approving a request, dashboard is rendered
    • [x] Verify the correct role was assigned

    Strategy Always

    With the previous role you created from Strategy Reason, change request_access to always:

    • [x] Verify after login, pending dialogue is rendered
    • [x] Verify after approving a request, dashboard is rendered
    • [x] Verify after denying a request, access denied dialogue is rendered

    Strategy Optional

    With the previous role you created from Strategy Reason, change request_access to optional:

    • [x] Verify after login, dashboard is rendered
    • [x] Verify a switchback banner is rendered with roles assumed, and count down of when it expires
      • [x] Verify switchback button says Switch Back and clicking goes back to the login screen

    Account

    • [x] Verify that Account screen is accessible from the user menu for local users.
    • [x] Verify that changing a local password works (OTP, U2F)

    Terminal

    • [x] Verify that top nav has a user menu (Main and Logout)
    • [x] Verify that switching between tabs works on alt+[1...9]

    Node List Tab

    • [x] Verify that Cluster selector works (URL should change too)
    • [x] Verify that Quick launcher input works
    • [x] Verify that Quick launcher input handles input errors
    • [x] Verify that "Connect" button shows a list of available logins
    • [x] Verify that "Hostname", "Address" and "Labels" columns show the current values
    • [x] Verify that "Search" by hostname, address, labels work
    • [x] Verify that new tab is created when starting a session

    Session Tab

    • [x] Verify that session and browser tabs both show the title with login and node name
    • [x] Verify that terminal resize works
      • Install midnight commander on the node you ssh into: $ sudo apt-get install mc
      • Run the program: $ mc
      • Resize the terminal to see if panels resize with it
    • [x] Verify that session tab shows/updates number of participants when a new user joins the session
    • [x] Verify that tab automatically closes on "$ exit" command
    • [ ] Verify that SCP Upload works
    • [x] Verify that SCP Upload handles invalid paths and network errors
    • [ ] Verify that SCP Download works
    • [x] Verify that SCP Download handles invalid paths and network errors

    Session Player

    • [x] Verify that it can replay a session
    • [x] Verify that when playing, scroller auto scrolls to bottom most content
    • [x] Verify when resizing player to a small screen, scroller appears and is working
    • [x] Verify that error message is displayed (enter an invalid SID in the URL)

    Invite Form

    • [x] Verify that input validates
    • [x] Verify that invite works with 2FA disabled
    • [x] Verify that invite works with OTP enabled
    • [x] Verify that invite works with U2F enabled
    • [x] Verify that error message is shown if an invite is expired/invalid

    Login Form

    • [x] Verify that input validates
    • [x] Verify that login works with 2FA disabled
    • [x] Verify that login works with OTP enabled
    • [x] Verify that login works with U2F enabled
    • [x] Verify that login works for Github/SAML/OIDC
    • [x] Verify that account is locked after several unsuccessful attempts
    • [x] Verify that redirect to original URL works after successful login

    Multi-factor Authentication (mfa)

    Create/modify teleport.yaml and set the following authentication settings under auth_service

    authentication:
      type: local
      second_factor: optional
      require_session_mfa: yes
      u2f:
        app_id: https://example.com:443
        facets:
        - https://example.com:443
        - https://example.com
        - example.com:443
        - example.com
    

    MFA create, login, password reset

    • [x] Verify when creating a user, and setting password, required 2nd factor is totp (TODO: temporary hack, ideally want to allow user to select)
    • [x] Verify at login page, there is a mfa dropdown menu (none, u2f, otp), and can login with otp
    • [x] Verify at reset password page, there is the same dropdown to select your mfa, and can reset with otp

    MFA require auth

    Through the CLI, tsh login and register a u2f key with tsh mfa add (not supported in UI yet).

    Using the same user as above:

    • [x] Verify logging in with registered u2f key works
    • [x] Verify connecting to an SSH node prompts you to tap your registered u2f key

    RBAC

    Create a role, with no allow.rules defined:

    kind: role
    metadata:
      name: test
    spec:
      allow:
        app_labels:
          '*': '*'
        logins:
        - root
        node_labels:
          '*': '*'
      options:
        max_session_ttl: 8h0m0s
    version: v3
    
    • [x] Verify that a user has access only to: "Servers", "Applications", "Databases", "Kubernetes", "Active Sessions", "Access Requests" and "Manage Clusters"
    • [x] Verify there is no Add Server button in Server view
    • [x] Verify there is no Add Application button in Applications view
    • [x] Verify only Nodes and Apps are listed under options button in Manage Clusters

    Note: User has read/create access_request access to their own requests, despite resource settings

    Add the following under spec.allow.rules to enable read access to the audit log:

    - resources:
      - event
      verbs:
      - list
    
    • [x] Verify that the Audit Log and Session Recordings are accessible
    • [x] Verify that playing a recorded session is denied

    Add the following to enable read access to recorded sessions

    - resources:
      - session
      verbs:
      - read
    
    • [x] Verify that a user can re-play a session (session.end)

    Add the following to enable read access to the roles

    - resources:
      - role
      verbs:
      - list
      - read
    
    • [x] Verify that a user can see the roles
    • [x] Verify that a user cannot reset password and create/delete/update a role

    Add the following to enable read access to the auth connectors

    - resources:
      - auth_connector
      verbs:
      - list
      - read
    
    • [x] Verify that a user can see the list of auth connectors.
    • [x] Verify that a user cannot create/delete/update the connectors

    Add the following to enable read access to users

    - resources:
      - user
      verbs:
      - list
      - read
    
    • [x] Verify that a user can access the "Users" screen
    • [x] Verify that a user cannot create/delete/update a user

    Add the following to enable read access to trusted clusters

    - resources:
      - trusted_cluster
      verbs:
      - list
      - read
    
    • [x] Verify that a user can access the "Trust" screen
    • [x] Verify that a user cannot create/delete/update a trusted cluster.
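    The access-request roles earlier in this plan and the step-by-step RBAC rule fragments in this section both rest on the same evaluation rules: deny entries win over allow entries, node access needs both a label match and a permitted login, request.roles bounds what a user may request, and the shortest max_session_ttl among the assumed roles governs the session (which is why the 4-minute allow-users role logs the user out). The Python script below is an added example, not Teleport's own code; it models those rules over the plan's roles transcribed into dicts, and reduces Teleport's label and resource matching to shell-style globs, which is a simplification.

```python
"""Simplified model of how Teleport evaluates a set of roles (added example;
not Teleport's own code).  It reproduces the rules the test plan relies on:
deny always wins over allow, rules are (resource, verb) matches, node access
needs a label match plus an allowed login, access requests are limited to
request.roles, and the effective session TTL is the shortest max_session_ttl
across the roles assumed.  Label/value matching is reduced to shell globs."""
import re
from fnmatch import fnmatchcase

# Roles from the test plan, transcribed into dicts (constructed test input).
ROLES = {
    "allow-roles": {
        "allow": {"logins": ["root"], "node_labels": {"*": "*"},
                  "rules": [{"resources": ["role"], "verbs": ["list", "read"]}]},
        "options": {"max_session_ttl": "8h0m0s"},
    },
    "allow-users": {
        "allow": {"rules": [{"resources": ["user"], "verbs": ["list", "read"]}]},
        "deny": {"node_labels": {"*": "*"}},
        "options": {"max_session_ttl": "4m0s"},
    },
    "default": {
        "allow": {"request": {"roles": ["allow-roles", "allow-users"]}},
        "options": {"max_session_ttl": "8h0m0s"},
    },
    # The RBAC section's role "test": it starts with no allow.rules at all.
    "test": {
        "allow": {"app_labels": {"*": "*"}, "logins": ["root"], "node_labels": {"*": "*"}},
        "options": {"max_session_ttl": "8h0m0s"},
    },
}

_DURATION = re.compile(r"(\d+(?:\.\d+)?)(ms|h|m|s)")


def parse_go_duration(text):
    """Parse Go-style durations such as '8h0m0s' or '4m0s' into seconds."""
    units = {"h": 3600, "m": 60, "s": 1, "ms": 0.001}
    total, pos = 0.0, 0
    for m in _DURATION.finditer(text):
        if m.start() != pos:            # reject junk between components
            break
        total += float(m.group(1)) * units[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"malformed duration: {text!r}")
    return total


def _rule_matches(rules, resource, verb):
    return any(
        any(fnmatchcase(resource, r) for r in rule.get("resources", []))
        and any(fnmatchcase(verb, v) for v in rule.get("verbs", []))
        for rule in rules)


def _labels_match(selector, labels):
    """An empty selector matches nothing; {'*': '*'} matches every node."""
    if not selector:
        return False
    if selector.get("*") == "*":
        return True
    return all(k in labels and fnmatchcase(labels[k], v) for k, v in selector.items())


def can_verb(role_names, resource, verb):
    """A deny rule in any role blocks the action; otherwise an allow rule must match."""
    roles = [ROLES[n] for n in role_names]
    if any(_rule_matches(r.get("deny", {}).get("rules", []), resource, verb) for r in roles):
        return False
    return any(_rule_matches(r.get("allow", {}).get("rules", []), resource, verb) for r in roles)


def can_access_node(role_names, node_labels, login):
    """Deny labels or deny logins in any role block access; an allow role must match both."""
    roles = [ROLES[n] for n in role_names]
    for r in roles:
        deny = r.get("deny", {})
        if _labels_match(deny.get("node_labels", {}), node_labels) or login in deny.get("logins", []):
            return False
    for r in roles:
        allow = r.get("allow", {})
        if _labels_match(allow.get("node_labels", {}), node_labels) and login in allow.get("logins", []):
            return True
    return False


def requestable_roles(role_names):
    """Union of request.roles across the user's static roles, in order."""
    out = []
    for n in role_names:
        for wanted in ROLES[n].get("allow", {}).get("request", {}).get("roles", []):
            if wanted not in out:
                out.append(wanted)
    return out


def max_session_ttl(role_names):
    """Effective TTL in seconds: the most restrictive role wins (4m beats 8h)."""
    return min(parse_go_duration(ROLES[n].get("options", {}).get("max_session_ttl", "8h0m0s"))
               for n in role_names)


def add_allow_rule(role_name, resources, verbs):
    """Append a rule under spec.allow.rules, as the RBAC section does step by step."""
    ROLES[role_name].setdefault("allow", {}).setdefault("rules", []).append(
        {"resources": list(resources), "verbs": list(verbs)})


if __name__ == "__main__":
    print(can_access_node(["allow-roles"], {"env": "prod"}, "root"))                 # True
    print(can_access_node(["allow-roles", "allow-users"], {"env": "prod"}, "root"))  # False
    print(max_session_ttl(["allow-roles", "allow-users"]))                           # 240.0
```

    Calling add_allow_rule("test", ["event"], ["list"]) and then can_verb(["test"], "event", "list") replays one step of the RBAC checklist: before the rule is added the verb is refused, afterwards it is permitted, and "session"/"read" stays refused until its own rule is added. The two assumptions to keep in mind are that the model only knows the roles in ROLES and that glob matching stands in for Teleport's real label matcher.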

    Performance/Soak Test @xacrimon @fspmarshall

    Using tsh bench tool, perform the soak tests and benchmark tests on the following configurations:

    • Cluster with 10K nodes in normal (non-IOT) node mode with ETCD

    • Cluster with 10K nodes in normal (non-IOT) mode with DynamoDB

    • Cluster with 1K IOT nodes with ETCD

    • Cluster with 1K IOT nodes with DynamoDB

    • Cluster with 500 trusted clusters with ETCD

    • Cluster with 500 trusted clusters with DynamoDB

    Soak Tests

    Run a 4-hour soak test with a mix of interactive/non-interactive sessions:

    tsh bench --duration=4h [email protected] ls
    tsh bench -i --duration=4h [email protected] ps uax
    

    Observe prometheus metrics for goroutines, open files, RAM, CPU, Timers and make sure there are no leaks

    • [ ] Verify that prometheus metrics are accurate.

    Breaking load tests

    Load the system with tsh bench to capacity and publish the maximum number of concurrent sessions reached with interactive and non-interactive tsh bench loads.

    Application Access @r0mant @smallinsky

    • [x] Run an application within local cluster.
      • [x] Verify the debug application debug_app: true works.
      • [x] Verify an application can be configured with command line flags.
      • [x] Verify an application can be configured from file configuration.
      • [x] Verify that applications are available at auto-generated addresses name.rootProxyPublicAddr as well as publicAddr.
    • [x] Run an application within a trusted cluster.
      • [x] Verify that applications are available at auto-generated addresses name.rootProxyPublicAddr.
    • [x] Verify Audit Records.
      • [x] app.session.start and app.session.chunk events are created in the Audit Log.
      • [x] app.session.chunk points to a 5 minute session archive with multiple app.session.request events inside.
      • [x] tsh play <chunk-id> can fetch and print a session chunk archive.
    • [x] Verify JWT using verify-jwt.go.
    • [x] Verify RBAC.
    • [x] Verify CLI access with tsh app login.
    • [x] Test Applications screen in the web UI (tab is located on left side nav on dashboard):
      • [x] Verify that all apps registered are shown
      • [x] Verify that clicking on the app icon takes you to another tab
      • [x] Verify using the bash command produced from Add Application dialogue works (refresh app screen to see it registered)

    Database Access @r0mant @smallinsky

    • [x] Connect to a database within a local cluster.
      • [x] Self-hosted Postgres.
      • [x] Self-hosted MySQL.
      • [x] AWS Aurora Postgres.
      • [x] AWS Aurora MySQL.
      • [x] AWS Redshift.
      • [x] GCP Cloud SQL Postgres.
    • [x] Connect to a database within a remote cluster via a trusted cluster.
      • [x] Self-hosted Postgres.
      • [x] Self-hosted MySQL.
      • [x] AWS Aurora Postgres.
      • [x] AWS Aurora MySQL.
      • [x] AWS Redshift.
      • [x] GCP Cloud SQL Postgres.
    • [x] Verify audit events.
      • [x] db.session.start is emitted when you connect.
      • [x] db.session.end is emitted when you disconnect.
      • [x] db.session.query is emitted when you execute a SQL query.
    • [x] Verify RBAC.
      • [x] tsh db ls shows only databases matching role's db_labels.
      • [x] Can only connect as users from db_users.
      • [x] (Postgres only) Can only connect to databases from db_names.
      • [x] db.session.start is emitted when connection attempt is denied.
    • [x] Test Databases screen in the web UI (tab is located on left side nav on dashboard):
      • [x] Verify that all dbs registered are shown with correct name, description, type, and labels
      • [x] Verify that clicking on a row's connect button renders a dialogue with manual instructions whose Step 2 login value matches the row's name column
      • [x] Verify searching for all columns in the search bar works
      • [x] Verify you can sort by all columns except labels
    testplan 
    opened by russjones 22
  • PAM integration and loginuid

    PAM integration and loginuid

    What happened:

    Cannot open a teleport session with PAM enabled and loginuid.

    Tsh output:

    error: Cannot make/remove an entry for the specified sessionerror: ssh: could not start shell
    

    Teleport logs:

    Jan 10 10:20:32 myhost teleport[21659]: [NODE]    Service is starting on 0.0.0.0:3022.
    Jan 10 10:20:45 myhost teleport[21659]: pam_loginuid(sshd:session): Error writing /proc/self/loginuid: Operation not permitted
    Jan 10 10:20:45 myhost teleport[21659]: pam_loginuid(sshd:session): set_loginuid failed
    Jan 10 10:20:45 myhost teleport[21659]: pam_unix(sshd:session): session opened for user ubuntu by (uid=0)
    Jan 10 10:20:45 myhost teleport[21659]: ERRO             Cannot make/remove an entry for the specified session regular/sshserver.go:1117
    

    How to reproduce it (as minimally and precisely as possible):

    Relevant teleport.yml:

    ssh_service:
      enabled: "yes"
      listen_addr: 0.0.0.0:3022
      pam:
        enabled: "yes"
    
    $ grep loginuid /etc/pam.d/sshd 
    # Set the loginuid process attribute.
    session    required     pam_loginuid.so
    

    A simple workaround is to comment out the loginuid line.

    Environment:

    • Teleport version (use teleport version): Teleport v3.0.1 git:v3.0.1-0-g4ff9a7b0
    • Tsh version (use tsh version): Teleport v3.0.1 git:v3.0.1-0-g4ff9a7b0
    • OS (e.g. from /etc/os-release): Ubuntu 18.04.1 LTS
    PAM 
    opened by vad 22
  • [v.9.0] /docs/pages/enterprise/sso/azuread.mdx

    [v.9.0] /docs/pages/enterprise/sso/azuread.mdx

    Details

    Add comments to acs to make it clear that /v1/webapi/saml/acs should be added to the end of proxy address. So comments should look something like

      # acs is the Assertion Consumer Service URL. `https://teleport.example.com:3080` should be replaced with your proxy address 
      # acs value should be `https://<TELEPORT_PROXY_ADDR>:port/v1/webapi/saml/acs`
      acs: https://teleport.example.com:3080/v1/webapi/saml/acs
    

    in the config below.

    kind: saml
    version: v2
    metadata:
      # the name of the connector
      name: azure-saml
    spec:
      display: "Microsoft"
      # acs is the Assertion Consumer Service URL. This should be the address of
      # the Teleport proxy that your identity provider will communicate with.
      acs: https://teleport.example.com:3080/v1/webapi/saml/acs
      attributes_to_roles:
        - {name: "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups", value: "<group id 930210...>", roles: ["editor"]}
        - {name: "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups", value: "<group id 93b110...>", roles: ["dev"]}
      entity_descriptor: |
        <federationmedata.xml contents>
    

    Category

    • Improve Existing
    documentation 
    opened by ArunNadda 0
  • [v8] Backport build features to work with teleport.e and teleport-private

    [v8] Backport build features to work with teleport.e and teleport-private

    Backports

    1. the use of an optional deployment key, and
    2. the ability to optionally disable the unshallowing action

    ...when checking out teleport

    See-Also: https://github.com/gravitational/teleport/pull/10506
    See-Also: https://github.com/gravitational/teleport/pull/12590
    See-Also: https://github.com/gravitational/teleport/pull/12624

    backport 
    opened by tcsc 0
  • Remove non-https facets from documentation

    Remove non-https facets from documentation

    Non-https facets aren't allowed since #12208.

    I'm doing this on master just for consistency, but it only applies to v9. We are sunsetting U2F mode in v10, so some of those docs/functionality are actually due a cleanup on my part. See #10375.

    documentation backport-required 
    opened by codingllama 1
  • Add hostlogin to proxy config for windows desktop

    Add hostlogin to proxy config for windows desktop

    Resolves https://github.com/gravitational/cloud/issues/1635 and #12706

    When HostLogin is not set, it attempts to default to the username of the current linux user. This fails when running containers as an arbitrary UID and there is no matching user in /etc/passwd. This value doesn't appear to be used by Windows Desktop Services so it just needs to be set to something to avoid the issue.

    desktop-access backport/branch/v9 
    opened by rcanderson23 0
  • Remove log spam in db session tracker

    Remove log spam in db session tracker

    Fixes the following unnecessary log, since we are expecting the db session ctx to be cancelled.

    2022-05-19T16:21:16-04:00 DEBU [DB:SERVIC] Failed to update session tracker expiration for session 9f49a416-253c-44c3-ab39-9c1fbc6aab97 error:[
    ERROR REPORT:
    Original Error: *errors.errorString context canceled
    Stack Trace:
            /Users/jnyckowski/projects/teleport/lib/srv/sessiontracker.go:96 github.com/gravitational/teleport/lib/srv.(*SessionTracker).updateExpirationLoop
            /Users/jnyckowski/projects/teleport/lib/srv/sessiontracker.go:83 github.com/gravitational/teleport/lib/srv.(*SessionTracker).UpdateExpirationLoop
            /Users/jnyckowski/projects/teleport/lib/srv/db/server.go:908 github.com/gravitational/teleport/lib/srv/db.(*Server).trackSession.func1
            /Users/jnyckowski/go/go1.18.2/src/runtime/asm_arm64.s:1263 runtime.goexit
    User Message: context canceled] db/server.go:909
    
    database-access 
    opened by Joerger 0
  • Make Docs Scope more obvious

    Make Docs Scope more obvious

    Details

    The scope dropdown is rather difficult to notice. Many folks say they don't even notice it. The landing pages could perhaps have a way of saying "I'm a cloud user", "I'm an OSS user"... that drives them to the scope.


    Category

    • Improve Existing
    documentation 
    opened by stevenGravy 0
Releases(v8.3.11)
  • v8.3.11(May 19, 2022)

    Description

    This release of Teleport contains multiple improvements and bug fixes.

    • Fixed issue with Teleport inadvertently respecting HTTP_PROXY for reverse tunnel connections. #12335
    • Fixed issue with tctl users rm treating provided username as a prefix instead of full username. #12726
    • Fixed issue with TLS routing endpoint advertising http/1.1 preference instead of h2. #12752
    • Implemented multiple proxy restart stability improvements. #12633, #12545, #12693
    • Added support for global tsh config file /etc/tsh.yaml. #12625
    • Upgraded Go to v1.17.10. #12601
    • Improved proxy memory usage in large clusters. #12571

    Download

    Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

    Source code(tar.gz)
    Source code(zip)
  • v7.3.20(May 16, 2022)

    Description

    This release of Teleport contains multiple performance and stability improvements.

    • Fixed issue with broken SSH connectivity after CA rotation. #12334
    • Fixed issues with bulk deletions when using Firestore backend. #12175
    • Improved reliability of auth/proxy services restart. #12546, #12634, #12561
    • Improved reliability of the internal cache system. #12245, #12249
    • Improved proxy service memory usage in large clusters. #12562

    Download

    Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

    Source code(tar.gz)
    Source code(zip)
  • v9.2.3(May 13, 2022)

    Description

    This release of Teleport contains multiple improvements and bug fixes.

    • Fixed issue with HTTP_PROXY being inadvertently respected in reverse tunnel connections. #12335
    • Added --format flag to tctl token add command. #12588
    • Fixed backwards compatibility issues with session upload. #12535
    • Added support for persistency in custom mode in Helm charts. #12218
    • Fixed issue with PostgreSQL backend not respecting username from certificate. #12553
    • Fixed issues with kubectl cp and kubectl exec not working through Kubernetes Access. #12541
    • Fixed issues with dynamic registration logic for cloud databases. #12451
    • Fixed issue with automatic Add Application script failing to join the cluster. #12539
    • Fixed issue with tctl crashing when PAM is enabled. #12572
    • Added support for setting priority class and extra labels in Helm charts. #12568
    • Fixed issue with App Access JWT tokens not including iat claim. #12589
    • Added ability to inject App Access JWT tokens in rewritten headers. #12589
    • Desktop Access automatically adds a teleport.dev/ou label for desktops discovered via LDAP. #12502
    • Updated Machine ID to generate identity files compatible with tctl and tsh. #12500
    • Updated internal build infrastructure to Go 1.17.10. #12607
    • Improved proxy memory usage in clusters with large number of nodes. #12573

    Download

    Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

    Source code(tar.gz)
    Source code(zip)
  • v8.3.10(May 10, 2022)

    Description

    This release of Teleport contains multiple bug fixes and stability improvements.

    • Fixed issue with broken SSH connectivity after CA rotation. #12332
    • Fixed issue with tsh db ls not working for leaf clusters. #12319
    • Fixed issue with labels matching for dynamic databases. #12452
    • Fixed issue with resource listing not respecting limit. #12501
    • Improved DynamoDB pay-per-request mode support. #12460
    • Improved expiration handling in the internal caching system. #12246
    • Improved reliability of restart/shutdown in certain scenarios. #12394

    Download

    Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

    Source code(tar.gz)
    Source code(zip)
  • v9.2.1(May 5, 2022)

    Description

    This release of Teleport contains multiple improvements, security and bug fixes.

    • Updated tctl rm command to support removing tokens. #12439
    • Fixed issue with Teleport failing to start when using DynamoDB backend in pay-per-request mode. #12461
    • Fixed issue with Kubernetes port forwarding not working. #12468
    • Fixed issue with IAM policy limit when using database auto-discovery on Kubernetes. #12457
    • Fixed issue with U2F facets not being properly validated. #12208
    • Hardened SQLite permissions. #12360
    • Fixed issue with OIDC callback not checking email_verified claim. #12360
    • Added max_kubernetes_connections role option for limiting simultaneous Kubernetes connections. #12360
    • Fixed issue with Teleport failing to start with pay-per-request DynamoDB mode. #12360
    • Reduced Machine ID verbosity in case of missing secure symlink kernel support. #12423
    • Fixed tsh proxy db tunnel mode not working for CockroachDB connections. #12400
    • Added support for database access certificates in Machine ID. #12195
    • Improved shutdown/restart stability in certain scenarios. #12393
    • Added support for clickable labels in web UI. #12422

    Download

    Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

    Source code(tar.gz)
    Source code(zip)
  • teleport-connect-preview-1.0.1(May 6, 2022)

    Teleport Connect is a developer-friendly browser for cloud infrastructure.

    Traditional terminals are optimized for accessing localhost. Teleport Connect offers enhanced user experience and identity-based access for engineers who work in the cloud.

    Teleport Connect requires an installation of Teleport. Download Teleport here, and download Teleport Connect below.

    The preview of Teleport Connect is available for amd64 Macs only. It also works on M1 Macs with Rosetta. Support for additional platforms and architectures will be added soon.

    Changelog

    • 🐛 fix for TOTP authenticators
    • ⬆️ bundle tsh v9.2.1

    Notes

    • Per-session MFA is not currently supported
    • Connecting to databases requires a cluster running Teleport 9.1 or newer
    • Shared SSH sessions and SCP are not yet supported.
    Source code(tar.gz)
    Source code(zip)
    Teleport.Connect.Preview-1.0.1.dmg(99.10 MB)
  • v9.1.3(May 2, 2022)

    Description

    This release of Teleport contains multiple improvements and bug fixes.

    • Fixed issue with some MySQL clients not being able to connect to MySQL 8.0 servers. #12340
    • Fixed multiple conditions that could lead to SSH sessions freezing. #12286
    • Fixed issue with tsh db ls failing for leaf clusters. #12320
    • Fixed a scenario in which Teleport's internal cache could potentially become unhealthy. #12251, #12002
    • Improved performance when opening new Application Access sessions. #12300
    • Added flags to the teleport configure command. #12267
    • Improved CA rotation stability. #12333
    • Fixed issue with mongosh certificate verification when using TLS routing. #12363

    Download

    Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

    Source code(tar.gz)
    Source code(zip)
  • teleport-connect-preview-1.0.0(Apr 29, 2022)

    Teleport Connect is a developer-friendly browser for cloud infrastructure.

    Traditional terminals are optimized for accessing localhost. Teleport Connect offers enhanced user experience and identity-based access for engineers who work in the cloud.

    Teleport Connect requires an installation of Teleport. Download Teleport here, and download Teleport Connect below.

    The preview of Teleport Connect is available for amd64 Macs only. It also works on M1 Macs with Rosetta. Support for additional platforms and architectures will be added soon.

    Known Issues

    • Multi-factor authentication with time-based OTP codes does not work in this release.
    • TouchID is not yet supported.
    • Shared SSH sessions and SCP are not yet supported.
    Source code(tar.gz)
    Source code(zip)
    Teleport.Connect.Preview-1.0.0.dmg(99.04 MB)
  • v8.3.9(Apr 28, 2022)

    Description

    This release of Teleport contains several improvements and bug fixes.

    • Fixed issue with Teleport failing to restart after failed UUID generation. #12223
    • Fixed regression issue with Teleport inadvertently starting to respect HTTP_PROXY for reverse tunnel connections. #11990
    • Added extra flags to the teleport configure command. #12265
    • Fixed issue with Teleport pods not becoming ready when running in Kubernetes. #12242
    • Fixed issue with deleting many expired audit events when using Firestore backend. #12176
    • Fixed issue where remote cluster cache could become unhealthy in certain situations. #12250

    Download

    Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

    Source code(tar.gz)
    Source code(zip)
  • v9.1.2(Apr 27, 2022)

    Description

    This release of Teleport contains two bug fixes.

    • Fixed issue with Teleport pods not becoming ready on Kubernetes. #12243
    • Fixed issue with Teleport processes crashing upon restart after failed host UUID generation. #12222

    Download

    Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

    Source code(tar.gz)
    Source code(zip)
  • v9.1.1(Apr 25, 2022)

    Description

    This release of Teleport contains multiple bug fixes and improvements.

    • Fixed regression issue where reverse tunnel connections inadvertently started respecting HTTP_PROXY. #12035
    • Fixed potential deadlock in SSH server. #12122
    • Fixed issue with Kubernetes service not reporting its readiness. #12152
    • Fixed issue with JumpCloud identity provider. #11936
    • Fixed issue with deleting many records from Firestore backend. #12177

    Download

    Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

    Source code(tar.gz)
    Source code(zip)
  • v8.3.8(Apr 22, 2022)

    Description

    This release of Teleport contains multiple bug fixes and stability improvements.

    • Made relogin attempts use strongest auth method. #11848
    • Fixed issue with key principals not being used when using identity files. #11792
    • Added gRPC latency metrics for auth and proxy services. #11776
    • Fixed potential panic in CA rotation. #12107
    • Fixed issue with Kubernetes services not reporting its readiness. #12153
    • Added ability to sign database credentials with tctl auth sign. #12044
    • Fixed issue with Database service not reporting readiness when using dynamic registration. #12041
    • Fixed issue with connecting to self-hosted databases in insecure mode. #11759
    • Updated tsh db ls to display available users. #11941
    • Fixed issue with deleting MFA devices with / in names. #12081
    • Updated Go to v1.17.9. #11933
    • Fixed Okta OIDC connector. #11718
    • Fixed goroutine leak in Okta OIDC client. #12077

    Download

    Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

    Source code(tar.gz)
    Source code(zip)
  • v7.3.19(Apr 22, 2022)

    Description

    This release of Teleport contains multiple bug fixes and stability improvements.

    • Fixed issue with message of the day not showing up in all scenarios. #11372
    • Fixed issue with Kubernetes Access panicking in some cases. #12143
    • Improved Teleport process reload reliability when sending SIGHUP. #11455
    • Improved in-memory and SQLite cache reliability. #11660
    • Fixed potential panic during CA rotation. #12108
    • Fixed console player Ctrl-C and Ctrl-D functionality. #11559
    • Improved error message when joining to cluster with another cluster's state. #11753
    • Improved error message when using incorrect auth connector. #11886
    • Fixed issue with not being able to delete MFA devices with / in names. #12109
    • Fixed race condition in tsh player. #11491
    • Fixed Okta OIDC support. #11718
    • Multiple reverse tunnel stability improvements. #11201
    • Improved network utilization with session uploader. #11696
    • Improved remote clusters bookkeeping. #11705
    • Fixed goroutine leak in OIDC client. #12076

  • v9.1.0(Apr 21, 2022)

    Description

    Teleport 9.1 is a minor release that brings several new features, security fixes and bug fixes.

    Security

    Teleport build infrastructure was updated to use Go v1.17.9 to fix CVE-2022-24675, CVE-2022-28327 and CVE-2022-27536.

    SQL backend (preview)

    Teleport users can now use PostgreSQL or CockroachDB for storing auth server data.

    See the documentation for more information:

    https://goteleport.com/docs/setup/reference/backends/#postgresqlcockroachdb-preview

    Server-side filtering and pagination

    Searching and filtering resources is now handled on the server, improving the efficiency of queries with tsh, tctl, or the web UI.

    The web UI loads resources faster by leveraging server-side pagination. Additionally, the web UI supports bookmarking searches by including the query in the URL.

    Other improvements and fixes

    • Fixed issue with stdin being ignored after refreshing expired credentials. #11847
    • Fixed issue with tsh requiring host login when using identity files for some commands. #11793
    • Added support for calling proxy over plain HTTP in insecure mode. #11403
    • Fixed multiple issues that could lead to session output freezing. #11853
    • Added optional gRPC client/server latency metrics. #11773
    • Fixed issue with connecting to self-hosted databases in TLS insecure mode. #11758
    • Improved error message when incorrect auth connector name is used. #11884
    • Implemented multiple moderated session stability improvements. #11803, #11890
    • Added authenticated tunnel mode to tsh proxy db command. #11808
    • Fixed issue with application sessions not being deleted upon web logout. #11956
    • Improved MySQL audit logging to include support for additional commands. #11949
    • Improved reliability of Teleport services restart. #11795
    • Fixed issue with Okta OIDC auth connector not working. #11718
    • Added support for json and yaml formatting to all tsh commands. #12050
    • Added support for setting kubernetes_users, kubernetes_groups, db_names, db_users and aws_role_arns traits when creating users. #12133
    • Fixed potential CA rotation panic. #12004
    • Updated tsh db ls to display allowed database usernames. #11942
    • Fixed goroutine leak in OIDC client. #12078

  • v9.0.4(Apr 7, 2022)

    Description

    This release of Teleport contains multiple improvements and fixes.

    • Fixed issue with : not being allowed in label keys. #11563
    • Fixed potential panic in Kubernetes Access. #11614
    • Added teleport_connect_to_node_attempts_total Prometheus metric. #11629
    • Multiple CA rotation stability improvements. #11658
    • Fixed console player Ctrl-C and Ctrl-D functionality. #11559
    • Improved logging in case of a node with existing state joining a new cluster. #11751
    • Added preview of PostgreSQL/CockroachDB backend. #11667
    • Fixed compatibility issues with CA loading between old and new tsh versions. #11663
    • Fixed loggers not respecting JSON configuration. #11655
    • Added support for Proxy Protocol v2. #11722
    • Fixed a number of tsh player stability issues. #11491
    • Improved network utilization caused by session uploader. #11698
    • Improved remote clusters inventory bookkeeping. #11707

  • v8.3.7(Apr 5, 2022)

    Description

    This release of Teleport contains multiple fixes and improvements.

    • Fixed issue with tctl not respecting TELEPORT_HOME environment variable. #11560
    • Fixed issue with : not being allowed in label keys. #11562
    • Fixed issue with panic in Kubernetes access in certain cases. #11611
    • Added connect_to_node_attempts_total metric that tracks number of connection attempts to SSH nodes. #11630
    • Multiple CA rotation stability improvements. #11659
    • Fixed multiple session player issues. #11559, #11491
    • Fixed issue with tsh version exiting with error when no tsh config is present. #11727
    • Fixed issue with the logger not respecting JSON config. #11602
    • Fixed issue with stale Auth Service entries causing connection issues. #11597
    • Fixed issue with remote cluster without reverse tunnels not being cleaned up. #11435

  • v9.0.3(Apr 1, 2022)

    Description

    This release of Teleport contains multiple fixes.

    • Fixed issue with tctl ignoring TELEPORT_HOME environment variable. #11561
    • Fixed multiple moderated sessions stability issues. #11494
    • Fixed issue with tsh version exiting with error when tsh config file is not present. #11571
    • Fixed issue with tsh not respecting proxy hosts. #11496
    • Fixed issue with Kubernetes forwarder taking HTTP proxies into account. #11462
    • Fixed issue with stale DynamoDB Auth Services disrupting agent reconnect attempts. #11598

  • v8.3.6(Mar 31, 2022)

    Description

    This release of Teleport contains multiple fixes.

    • Fixed issue with message of the day not being displayed in some cases. #11371
    • Fixed issue with automatic node join script returning 404 in web UI. #11572
    • Fixed issue with tsh proxy jump not connecting to leaf proxy. #11497

  • v9.0.2(Mar 26, 2022)

    Description

    This release of Teleport contains multiple features, improvements and bug fixes.

    • Added support for per-user tsh configuration preferences. #10336
    • Added support for role bootstrapping in OSS. #11175
    • Added HTTP_PROXY support to tsh. #10209
    • Improved error messages tsh and tctl show to include usage information on invalid command line invocation. #11174
    • Improved tctl <resource> ls output to make it consistent across all resources. #9519
    • Fixed multiple issues with CA rotation, graceful restart, and stability. #10706 #11074 #11283
    • Fixed issue where MOTD was not always shown. #10735
    • Fixed an issue where certificate extensions were not included in tctl auth sign. #10949
    • Fixed a panic that could occur in the Web UI. #11389

  • v8.3.5(Mar 28, 2022)

    Description

    This release of Teleport contains multiple features, improvements and fixes.

    • Added HTTP_PROXY support to tsh. #10209
    • Added support for per-user tsh configuration preferences. #10336
    • Added automatic node joining wizard to OSS. #10288
    • Improved Desktop Access performance by fixing memory leaks and optimizing bitmap handling. #10915
    • Improved Desktop Access to support proxying to different desktops. #10101
    • Improved Application Access HA behavior when accessing applications within a leaf cluster. #10734
    • Reduced Database Access log spam and improved automatic discovery. #11020 #10699
    • Improved error messages when host is missing in tctl auth sign. #10588
    • Improved X11 forwarding support on macOS. #10719
    • Fixed multiple issues with CA rotation, graceful restart, and stability. #10706 #11074 #11283
    • Fixed an issue where users could create system roles. #8924
    • Fixed an issue where an invalid event could lead to the Audit Log being inaccessible to view. #10665
    • Fixed an issue with lease contention and concurrent session control. #10666
    • Fixed an issue where Teleport could panic during a session recording. #10792
    • Fixed an issue where tctl auth sign was creating a kubeconfig file incompatible with Teleport Cloud. #10844
    • Fixed an issue where Teleport would not regenerate server identity for Kubernetes Access. #10904
    • Fixed an issue where tsh would not deduplicate Access Request IDs. #9453
    • Fixed an issue where tsh would not respect TELEPORT_HOME. #11087
    • Fixed an issue where tsh aws ecr could return an Internal Server Error. #10475
    • Fixed a memory leak in the Teleport watcher system. #10871
    • Fixed an issue where certain resources could not be deleted. #11124

  • v7.3.18(Mar 18, 2022)

    Description

    This release of Teleport contains multiple performance and stability improvements.

    • Fixed issue with certificates growing large when repeatedly requesting access. #11036
    • Multiple improvements for stability of CA rotation. #11192, #11186, #10902
    • Multiple improvements to session uploader. #10796
    • Fixed issue with tsh ignoring TELEPORT_HOME environment variable. #11094
    • Fixed utmp accounting on some systems. #10618
    • Fixed issue with MongoDB access connections not being closed properly. #10729
    • Fixed issue with DynamoDB backend not returning results beyond 1MB. #10849
    • Fixed issue with Kubernetes service identity missing certain DNS names. #10946
    • Fixed issue with deleting certain users from backend. #11133
    • Fixed issue with session recording panic. #10876
    • Fixed issue with slow session reclaim preventing the use of full max_connections allowance. #10879
    • Fixed goroutine and memory leak in certificate authorities watcher. #11122
    • Fixed panic caused by ClusterConfig backwards compatibility. #11145

  • v9.0.1(Mar 17, 2022)

    Description

    This release of Teleport contains multiple improvements and bug fixes.

    • Fixed issue with Ctrl-C freezing sessions. #11188
    • Improved handling of unknown audit events. #11064
    • Improved calculation of public addresses for dynamically registered apps. #11139
    • Fixed tsh aws ecr returning 500 errors. #11108
    • Fixed issue with deleting certain users. #11131
    • Fixed issue with Machine ID not detecting token in file config. #11206

  • v9.0.0(Mar 11, 2022)

    Description

    Teleport 9.0 is a major release that brings:

    • Teleport Desktop Access GA
    • Teleport Machine ID Preview
    • Various additions to Teleport Database Access
    • Moderated Sessions for Server and Kubernetes Access

    Desktop Access adds support for clipboard sharing, session recording, and per-session MFA.

    Teleport Machine ID Preview extends identity-based access to machines. It's the easiest way to issue, renew, and manage SSH and X.509 certificates for service accounts, microservices, CI/CD automation and all other forms of machine-to-machine access.

    Database Access brings self-hosted Redis support, RDS MariaDB (10.6 and higher) support, auto-discovery for Redshift clusters, and auto-IAM configuration improvements to GA. Additionally, this release also brings Microsoft SQL Server with AD authentication to Preview.

    Moderated Sessions enables the creation of sessions where a moderator has to be present. This feature can be selectively enabled for specific sessions via RBAC and can be used in conjunction with per-session MFA.

    Desktop Access

    Clipboard Support

    Desktop Access now supports copying and pasting text between your local workstation and a remote Windows Desktop. This feature requires a Chromium-based browser and can be disabled via RBAC.

    Session Recording

    Desktop sessions are now recorded and stored alongside SSH sessions, and can be viewed in Teleport's web interface. Desktop session recordings are fully compatible with the RBAC for sessions feature introduced in Teleport 8.1.

    Per-session MFA

    Per-session MFA settings now apply to desktop sessions. This allows cluster administrators to require an additional MFA "tap" prior to opening a desktop session. This feature requires a WebAuthn device.

    Machine ID (Preview)

    Machine ID allows the creation of machine / bot / service account users who can automatically issue, renew, and manage SSH and X.509 certificates to facilitate machine-to-machine access.

    Machine ID is a service that programmatically issues and renews short-lived certificates to any service account (e.g., a CI/CD server) by retrieving credentials from the Teleport Auth Service. This enables fine-grained role-based access controls and audit.

    Some of the things you can do with Machine ID:

    • Machines can retrieve short-lived SSH certificates for CI/CD pipelines.
    • Machines can retrieve short-lived X.509 certificates for use with databases or applications.
    • Configure role-based access controls and locking for machines.
    • Capture access events in the audit log.

    Machine ID getting started guide: https://goteleport.com/docs/ver/9.0/machine-id/getting-started/.

    Database Access

    Redis

    You can now use Database Access to connect to a self-hosted Redis instance or Redis cluster and view Redis commands in the Teleport audit log. We will be adding support for AWS ElastiCache in the coming weeks.

    Self-hosted Redis guide: https://goteleport.com/docs/ver/9.0/database-access/guides/redis/.

    SQL Server (Preview)

    Teleport 9 includes a preview release of Microsoft SQL Server with Active Directory authentication support for Database Access. Audit logging of query activity is not included in the preview release and will be implemented in a later 9.x release.

    SQL Server guide: https://goteleport.com/docs/ver/9.0/database-access/guides/sql-server-ad/.

    RDS MariaDB

    Teleport 9 updates MariaDB support with auto-discovery and connection to AWS RDS MariaDB databases using IAM authentication. The minimum MariaDB version that supports IAM authentication is 10.6.

    Updated RDS guide: https://goteleport.com/docs/ver/9.0/database-access/guides/rds/.

    Other Improvements

    In addition, Teleport 9 expands auto-discovery to support Redshift databases and adds two new commands which simplify the Database Access getting started experience: "teleport db configure create", which generates Database Service configuration, and "teleport db configure bootstrap", which configures IAM permissions for the Database Service when running on AWS.

    CLI commands reference:

    https://goteleport.com/docs/ver/9.0/database-access/reference/cli/#teleport-db-configure-create
    https://goteleport.com/docs/ver/9.0/database-access/reference/cli/#teleport-db-configure-bootstrap

    Moderated Sessions

    With Moderated Sessions, Teleport administrators can define policies that allow users to invite other users to participate in SSH or Kubernetes sessions as observers, moderators or peers.

    Moderated Sessions guide: https://goteleport.com/docs/ver/9.0/access-controls/guides/moderated-sessions/.

    Breaking Changes

    CentOS 6

    CentOS 6 support was deprecated in Teleport 8 and has now been removed.

    Desktop Access

    Desktop Access now authenticates to LDAP using X.509 client certificates. Support for the password_file configuration option has been removed.

  • v9.0.0-rc.2(Mar 11, 2022)

    Warning

    Pre-releases are not production ready, use at your own risk!

  • v9.0.0-rc.1(Mar 10, 2022)

    Warning

    Pre-releases are not production ready, use at your own risk!

  • v9.0.0-beta.2(Mar 9, 2022)

    Warning

    Pre-releases are not production ready, use at your own risk!

  • v8.3.4(Mar 4, 2022)

    Description

    This release of Teleport contains multiple improvements and fixes.

    • Fixed utmp accounting on some systems. #10617
    • Fixed an issue with DynamoDB pagination when result set exceeds 1MB. #10847
    • Improved join instructions printed by tctl when using Teleport Cloud. #10749
    • Improved HA behavior of database agents in leaf clusters. #10770
    • Fixed an issue with .deb packages not being published. #10806
    • Fixed an issue with session uploader leaving empty directories behind in some cases. #10793

  • v8.3.3(Mar 3, 2022)

    Description

    This release of Teleport contains a security fix and multiple improvements and fixes.

    Trusted Clusters security fix

    An attacker in possession of a valid Trusted Cluster join token could inject a malicious CA into a Teleport cluster that would allow them to bypass root cluster authorization and potentially connect to any node within the root cluster.

    For customers using Trusted Clusters, we recommend upgrading to one of the patched releases listed below, then revoking and rotating all Trusted Cluster tokens. As a best practice, make sure that Trusted Cluster tokens have a short time-to-live and ideally are removed after being used once.

    Other fixes

    • Fixed dynamic labeling for Kubernetes agents. #10464
    • Added teleport_audit_emit_event and teleport_connected_resources Prometheus metrics. #10462, #10461
    • Fixed an issue with serving multiple concurrent X11 forwarding sessions. #10473
    • Fixed a misnaming in the X11 forwarding configuration file options. #10758
    • Fixed an issue with MongoDB connections not being properly closed. #10730
    • Cleared the terminal at the end of the session in FIPS mode. #10533

  • v7.3.17(Mar 3, 2022)

    Description

    This release of Teleport contains a security fix and multiple improvements and fixes.

    Trusted Clusters security fix

    An attacker in possession of a valid Trusted Cluster join token could inject a malicious CA into a Teleport cluster that would allow them to bypass root cluster authorization and potentially connect to any node within the root cluster.

    For customers using Trusted Clusters, we recommend upgrading to one of the patched releases listed below, then revoking and rotating all Trusted Cluster tokens. As a best practice, make sure that Trusted Cluster tokens have a short time-to-live and ideally are removed after being used once.

    Other fixes

    • Fixed potential panic in the audit log writer. #10299
    • Introduced cert.create audit event. #10255
    • Improved active node inventory cleanup. #10311
    • Improved performance for clusters with >20,000 SSH nodes. #9521
    • Fixed database proxy reconnect after CA rotation. #10307
    • Fixed dynamic labeling for Kubernetes agents. #10468
    • Reduced network utilization by propagating only necessary CAs when using Trusted Clusters. #10020

  • v6.2.31(Mar 3, 2022)

    Description

    This release of Teleport contains a security fix and an improvement.

    Trusted Clusters security fix

    An attacker in possession of a valid Trusted Cluster join token could inject a malicious CA into a Teleport cluster that would allow them to bypass root cluster authorization and potentially connect to any node within the root cluster.

    For customers using Trusted Clusters, we recommend upgrading to one of the patched releases listed below, then revoking and rotating all Trusted Cluster tokens. As a best practice, make sure that Trusted Cluster tokens have a short time-to-live and ideally are removed after being used once.

    Other fixes

    • Introduced cert.create audit event. #10226
