Gravitational Teleport v10.0.0 Release Notes
Teleport 10 is a major release that brings the following new features.
Platform:
- Passwordless (Preview)
- Resource Access Requests (Preview)
- Proxy Peering (Preview)
Server Access:
- IP-Based Restrictions (Preview)
- Automatic User Provisioning (Preview)
Database Access:
- Audit Logging for Microsoft SQL Server Database Access
- Snowflake Database Access (Preview)
- ElastiCache/MemoryDB Database Access (Preview)
Teleport Connect:
- Teleport Connect for Server and Database Access (Preview)
Machine ID:
- Machine ID Database Access Support (Preview)
Passwordless (Preview)
Teleport 10 introduces passwordless support to your clusters. To use passwordless, users may register a security key with resident credentials or use a built-in authenticator, like Touch ID.
See https://goteleport.com/docs/access-controls/guides/passwordless/.
Resource Access Requests (Preview)
Teleport 10 expands just-in-time access requests to allow for requesting access to specific resources. This lets you grant users the least privileged access needed for their workflows.
Just-in-time access requests are only available in Teleport Enterprise Edition.
Proxy Peering (Preview)
Proxy peering enables Teleport deployments to scale without an increase in load from the number of agent connections. This is accomplished by allowing Proxy Services to tunnel client connections to the desired agent through a neighboring proxy, which decouples the number of agent connections from the number of Proxies.
Proxy peering can be enabled with the following configuration:

```yaml
auth_service:
  tunnel_strategy:
    type: proxy_peering
    agent_connection_count: 1

proxy_service:
  peer_listen_addr: 0.0.0.0:3021
```

Network connectivity between proxy servers to the `peer_listen_addr` is required for this feature to work. Proxy peering is only available in Teleport Enterprise Edition.
IP-Based Restrictions (Preview)
Teleport 10 introduces a new role option to pin the source IP in SSH certificates. When enabled, the source IP that was used to request certificates is embedded in the certificate, and SSH servers will reject connection attempts from other IPs. This protects against attacks where valid credentials are exfiltrated from disk and copied out into other environments.
IP-based restrictions are only available in Teleport Enterprise Edition.
Automatic User Provisioning (Preview)
Teleport 10 can be configured to automatically create Linux host users upon login without having to use Teleport's PAM integration. Users can be added to specific Linux groups and assigned appropriate sudoer privileges.
To learn more about configuring automatic user provisioning, read the guide: https://goteleport.com/docs/server-access/guides/host-user-creation/.
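An added example (not from the original release notes) of one role that turns on both Server Access features above: source IP pinning and automatic host user creation. The field names follow the Teleport role spec as I understand it (`pin_source_ip`, `create_host_user`, `host_groups`, `host_sudoers`); the role name, labels, logins, group and sudoers command are constructed values.

```yaml
kind: role
version: v5
metadata:
  name: pinned-auto-provisioned-dev   # constructed role name
spec:
  options:
    # IP-Based Restrictions: the client IP that requested the certificate is
    # embedded in it, so a copied certificate presented from another host
    # is rejected by the SSH server.
    pin_source_ip: true
    # Automatic User Provisioning: the Linux login is created on first
    # connect without relying on the PAM integration.
    create_host_user: true
  allow:
    # Constructed values: logins and labels are examples only.
    logins: ['{{internal.logins}}', 'dev']
    node_labels:
      'env': ['dev']
    # Linux groups the provisioned user is added to on the host.
    host_groups: ['docker']
    # sudoers entry granted to the provisioned user; keep it as narrow as the
    # workflow allows (here: restarting a single constructed service).
    host_sudoers: ['ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart myapp']
```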
Audit Logging for Microsoft SQL Server Database Access
Teleport 9 introduced a preview of Database Access support for Microsoft SQL Server which didn't include audit logging of user queries. Teleport 10 captures users' queries and prepared statements and sends them to the audit log, similarly to other supported database protocols.
Teleport Database Access for SQL Server remains in Preview mode with more UX improvements coming in future releases.
Refer to the guide to set up access to a SQL Server with Active Directory authentication: https://goteleport.com/docs/database-access/guides/sql-server-ad/.
Snowflake Database Access (Preview)
Teleport 10 brings support for Snowflake to Database Access. Administrators can set up access to Snowflake databases through Teleport for their users with standard Database Access features like role-based access control and audit logging, including query activity.
Connect your Snowflake database to Teleport following this guide: https://goteleport.com/docs/database-access/guides/snowflake/.
ElastiCache/MemoryDB Database Access (Preview)
Teleport 9 added Redis protocol support to Database Access. Teleport 10 improves this integration by adding native support for AWS-hosted ElastiCache and MemoryDB, including auto-discovery and automatic credential management in some deployment configurations.
Learn more about it in this guide: https://goteleport.com/docs/database-access/guides/redis-aws/.
Teleport Connect for Server and Database Access (Preview)
Teleport Connect is a graphical macOS application that simplifies access to your Teleport resources. Teleport Connect 10 supports Server Access and Database Access. Other protocols and Windows support are coming in a future release.
Get the Teleport Connect installer from the macOS tab on the downloads page: https://goteleport.com/download/.
Machine ID Database Access Support (Preview)
In Teleport 10 we've added Database Access support to Machine ID. Applications can use Machine ID to access databases protected by Teleport.
You can find the Machine ID guide for database access in the documentation: https://goteleport.com/docs/machine-id/guides/databases/.
Breaking changes
Please familiarize yourself with the following potentially disruptive changes in Teleport 10 before upgrading.
Auth Service version check
Teleport 10 agents will now refuse to start if they detect that the Auth Service is more than one major version behind them. You can use the `--skip-version-check` flag to bypass the version check. Take a look at component compatibility guarantees in the documentation: https://goteleport.com/docs/setup/operations/upgrading/#component-compatibility.
HTTP_PROXY for reverse tunnels
Reverse tunnel connections will now respect `HTTP_PROXY` environment variables. This may result in reverse tunnel agents not being able to re-establish connections if the HTTP proxy is set in their environment and does not allow connections to the Teleport Proxy Service. Refer to the following documentation section for more details: https://goteleport.com/docs/setup/reference/networking/#http-connect-proxies.
New APT repos
With Teleport 10 we've migrated to new APT repositories that now support multiple release channels, Teleport versions and OS distributions. The new repositories have been backfilled with Teleport versions starting from 6.2.31 and we recommend upgrading to them. The old repositories will be maintained for the foreseeable future.
See updated installation instructions: https://goteleport.com/docs/server-access/getting-started/#step-14-install-teleport-on-your-linux-host.
Removed `tctl access ls`
The `tctl access ls` command that returned information about user server access within the cluster was removed. Please use a previous `tctl` version if you'd like to keep using it.
Relaxed session join permissions
In previous versions of Teleport, users needed full access to a Node/Kubernetes pod in order to join a session. Teleport 10 relaxes this requirement. Joining sessions remains deny-by-default, but now only `join_sessions` statements are checked for session join RBAC. See the Moderated Sessions guide for more details: https://goteleport.com/docs/access-controls/guides/moderated-sessions/.
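An added example, not from the original notes, of what the relaxed check permits: the `auditor` role below has no `logins` or `node_labels` of its own, yet its `join_sessions` statement is enough for holders to join `dev` users' SSH and Kubernetes sessions. The role names and labels are constructed; the `join_sessions` fields follow the Moderated Sessions role schema.

```yaml
# Role whose sessions can be joined (constructed example).
kind: role
version: v5
metadata:
  name: dev
spec:
  allow:
    logins: ['ubuntu']
    node_labels:
      'env': ['dev']
---
# Role that may only join sessions: it grants no node or pod access.
# Before Teleport 10 a role like this could not join anything, because
# joining required full access to the target node or pod; in Teleport 10
# only this join_sessions statement is evaluated.
kind: role
version: v5
metadata:
  name: auditor
spec:
  allow:
    join_sessions:
      - name: Auditor oversight
        # Sessions started by users holding these roles may be joined.
        roles: ['dev']
        # Session kinds the statement applies to.
        kinds: ['ssh', 'k8s']
        # Participation modes allowed; 'peer' would also grant input.
        modes: ['observer', 'moderator']
```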
GitHub connectors
The GitHub authentication connector's `teams_to_logins` field is deprecated in favor of the new `teams_to_roles` field. The old field will be removed in a future release.
Teleport FIPS AWS endpoints
Teleport 10 will now automatically use FIPS endpoints for AWS S3 and DynamoDB when started with the `--fips` flag. You can use the `use_fips_endpoint=false` connection endpoint option to use regular endpoints for Teleport in FIPS mode, for example: `s3://bucket/path?region=us-east-1&use_fips_endpoint=false`
See the S3/DynamoDB backends documentation for more information: https://goteleport.com/docs/setup/reference/backends/#s3.