Gravitational Teleport v10.0.0 Release Notes

  • Teleport 10 is a major release that brings the following new features.

    Platform:

    • Passwordless (Preview)
    • Resource Access Requests (Preview)
    • Proxy Peering (Preview)

    Server Access:

    • IP-Based Restrictions (Preview)
    • Automatic User Provisioning (Preview)

    Database Access:

    • Audit Logging for Microsoft SQL Server Database Access
    • Snowflake Database Access (Preview)
    • ElastiCache/MemoryDB Database Access (Preview)

    Teleport Connect:

    • Teleport Connect for Server and Database Access (Preview)

    Machine ID:

    • Machine ID Database Access Support (Preview)

    Passwordless (Preview)

    Teleport 10 introduces passwordless support to your clusters. To use passwordless, users may register a security key with resident credentials or use a built-in authenticator, like Touch ID.

    See https://goteleport.com/docs/access-controls/guides/passwordless/.

    Resource Access Requests (Preview)

    Teleport 10 expands just-in-time access requests to allow for requesting access to specific resources. This lets you grant users the least privileged access needed for their workflows.

    Just-in-time access requests are only available in Teleport Enterprise Edition.

    Proxy Peering (Preview)

    Proxy peering enables Teleport deployments to scale without an increase in load from the number of agent connections. This is accomplished by allowing Proxy Services to tunnel client connections to the desired agent through a neighboring proxy, decoupling the number of agent connections from the number of Proxies.

    Proxy peering can be enabled with the following configuration:

    auth_service:
      tunnel_strategy:
        type: proxy_peering
        agent_connection_count: 1
    
    proxy_service:
      peer_listen_addr: 0.0.0.0:3021
    

    Network connectivity from each proxy server to the peer_listen_addr of the other proxy servers is required for this feature to work.

    Proxy peering is only available in Teleport Enterprise Edition.

    IP-Based Restrictions (Preview)

    Teleport 10 introduces a new role option to pin the source IP in SSH certificates. When enabled, the source IP that was used to request certificates is embedded in the certificate, and SSH servers will reject connection attempts from other IPs. This protects against attacks where valid credentials are exfiltrated from disk and copied out into other environments.

    IP-based restrictions are only available in Teleport Enterprise Edition.
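    The check an SSH server performs on a pinned certificate, as an added example that is not Teleport's code: it assumes the OpenSSH representation of the pin, the `source-address` critical option holding a comma-separated list of addresses or CIDR blocks (Teleport's exact encoding is not stated here), and shows why a certificate copied to another host is refused while the requesting host is still accepted. The helper fails closed on a pin it cannot parse and maps IPv4-mapped IPv6 peers back to IPv4 so a v4 pin still matches.

```python
"""Server-side source-IP check for a pinned SSH certificate.

Added example, not Teleport's code. It assumes the OpenSSH representation:
the `source-address` critical option holds a comma-separated list of IP
addresses or CIDR blocks. The server accepts the connection only when the
peer address lies inside one of the pinned networks.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
SOURCE_ADDRESS_OPTION = "source-address"  # OpenSSH critical option name (assumed encoding)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str  # suitable for an audit log line


def parse_source_address(value: str) -> List[Network]:
    """Parse the option value into networks; a bare IP becomes a /32 or /128.

    Raises ValueError on any malformed entry so the caller can fail closed.
    """
    networks: List[Network] = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            raise ValueError("empty entry in source-address")
        networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def normalize_peer(peer_ip: str) -> Union[ipaddress.IPv4Address, ipaddress.IPv6Address]:
    """Map IPv4-mapped IPv6 peers (::ffff:a.b.c.d) back to IPv4 so a v4 pin matches."""
    addr = ipaddress.ip_address(peer_ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def decide(critical_options: Dict[str, str], peer_ip: str) -> Decision:
    """Decide whether a connection from peer_ip may use a certificate with these options."""
    pin = critical_options.get(SOURCE_ADDRESS_OPTION)
    if pin is None:
        return Decision(True, "certificate carries no source-address pin")
    try:
        networks = parse_source_address(pin)
        peer = normalize_peer(peer_ip)
    except ValueError as exc:
        # Fail closed: a pin we cannot interpret must not silently become "allow".
        return Decision(False, f"rejecting unparseable pin or peer: {exc}")
    for net in networks:
        if peer in net:  # a cross-family comparison simply evaluates to False
            return Decision(True, f"peer {peer} within pinned {net}")
    return Decision(False, f"peer {peer} outside pinned networks {pin}")


if __name__ == "__main__":
    # Constructed sample: a certificate pinned to the host that requested it.
    pinned = {SOURCE_ADDRESS_OPTION: "203.0.113.7/32"}
    print(decide(pinned, "203.0.113.7"))    # the requesting host: allowed
    print(decide(pinned, "198.51.100.9"))   # same certificate used elsewhere: rejected
    print(decide({}, "198.51.100.9"))       # no pin: allowed
```

    The reason string is what you would want in the audit trail: a burst of "outside pinned networks" rejections for one certificate is the signal that credentials have left the host they were issued to.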

    Automatic User Provisioning (Preview)

    Teleport 10 can be configured to automatically create Linux host users upon login without having to use Teleport's PAM integration. Users can be added to specific Linux groups and assigned appropriate "sudoer" privileges.

    To learn more about configuring automatic user provisioning, read the guide: https://goteleport.com/docs/server-access/guides/host-user-creation/.

    Audit Logging for Microsoft SQL Server Database Access

    Teleport 9 introduced a preview of Database Access support for Microsoft SQL Server which didn't include audit logging of user queries. Teleport 10 captures users' queries and prepared statements and sends them to the audit log, similar to other supported database protocols.

    Teleport Database Access for SQL Server remains in Preview mode with more UX improvements coming in future releases.

    Refer to the guide to set up access to a SQL Server with Active Directory authentication: https://goteleport.com/docs/database-access/guides/sql-server-ad/.

    Snowflake Database Access (Preview)

    Teleport 10 brings support for Snowflake to Database Access. Administrators can set up access to Snowflake databases through Teleport for their users with standard Database Access features like role-based access control and audit logging, including query activity.

    Connect your Snowflake database to Teleport following this guide: https://goteleport.com/docs/database-access/guides/snowflake/.

    ElastiCache/MemoryDB Database Access (Preview)

    Teleport 9 added Redis protocol support to Database Access. Teleport 10 improves this integration by adding native support for AWS-hosted ElastiCache and MemoryDB, including auto-discovery and automatic credential management in some deployment configurations.

    Learn more about it in this guide: https://goteleport.com/docs/database-access/guides/redis-aws/.

    Teleport Connect for Server and Database Access (Preview)

    Teleport Connect is a graphical macOS application that simplifies access to your Teleport resources. Teleport Connect 10 supports Server Access and Database Access. Other protocols and Windows support are coming in a future release.

    Get the Teleport Connect installer from the macOS tab on the downloads page: https://goteleport.com/download/.

    Machine ID Database Access Support (Preview)

    In Teleport 10 we've added Database Access support to Machine ID. Applications can use Machine ID to access databases protected by Teleport.

    You can find the Machine ID guide for database access in the documentation: https://goteleport.com/docs/machine-id/guides/databases/.

    Breaking changes

    Please familiarize yourself with the following potentially disruptive changes in Teleport 10 before upgrading.

    Auth Service version check

    Teleport 10 agents will now refuse to start if they detect that the Auth Service is more than one major version behind them. You can use the --skip-version-check flag to bypass the version check.

    Take a look at component compatibility guarantees in the documentation: https://goteleport.com/docs/setup/operations/upgrading/#component-compatibility.

    HTTP_PROXY for reverse tunnels

    Reverse tunnel connections will now respect HTTP_PROXY environment variables. This may result in reverse tunnel agents not being able to re-establish connections if the HTTP proxy is set in their environment and does not allow connections to the Teleport Proxy Service.

    Refer to the following documentation section for more details: https://goteleport.com/docs/setup/reference/networking/#http-connect-proxies.
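    A pre-upgrade check for this change, as an added example that is not Teleport's code: given an agent's environment, it predicts whether the reverse tunnel to the Teleport Proxy Service would be sent through an HTTP proxy. It assumes the common conventions (HTTPS_PROXY or HTTP_PROXY selects the proxy, NO_PROXY lists exceptions as hostnames, domain suffixes, IP addresses or CIDR blocks, in upper or lower case) and approximates them; the networking documentation linked above is authoritative for the rules Teleport actually applies.

```python
"""Predict whether a reverse tunnel connection would be routed through an HTTP proxy.

Added example, not Teleport's code. Approximates the usual HTTPS_PROXY/HTTP_PROXY
and NO_PROXY conventions so an operator can see, before upgrading, whether an
agent's environment would hand its tunnel to a proxy that may not allow the
connection to the Teleport Proxy Service.
"""
import ipaddress
from typing import Mapping, Optional
from urllib.parse import urlsplit


def _env(env: Mapping[str, str], *names: str) -> Optional[str]:
    """First non-empty value among names, checking UPPER then lower case."""
    for name in names:
        for key in (name, name.lower()):
            value = env.get(key, "").strip()
            if value:
                return value
    return None


def _hostname(address: str) -> str:
    """Strip a port from host:port (bracketed IPv6 literals are handled)."""
    return (urlsplit("//" + address).hostname or address).lower()


def _no_proxy_matches(entry: str, host: str) -> bool:
    """One NO_PROXY entry against a hostname or IP (entries carrying ports are not supported)."""
    entry = entry.strip().lower()
    if not entry:
        return False
    if entry == "*":
        return True
    try:  # IP address or CIDR entry: only matches an IP-literal host
        network = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        network = None
    if network is not None:
        try:
            return ipaddress.ip_address(host) in network
        except ValueError:
            return False
    # Domain entry: ".example.com" and "example.com" both cover the domain and its subdomains.
    suffix = entry if entry.startswith(".") else "." + entry
    return host == suffix.lstrip(".") or host.endswith(suffix)


def proxy_for(target: str, env: Mapping[str, str]) -> Optional[str]:
    """Proxy URL the tunnel to `target` (host or host:port) would use, or None for a direct connection."""
    proxy = _env(env, "HTTPS_PROXY", "HTTP_PROXY")  # the tunnel is TLS, so HTTPS_PROXY takes precedence
    if proxy is None:
        return None
    host = _hostname(target)
    no_proxy = _env(env, "NO_PROXY") or ""
    if any(_no_proxy_matches(entry, host) for entry in no_proxy.split(",")):
        return None
    return proxy


if __name__ == "__main__":
    # Constructed environment of an agent sitting behind a corporate proxy.
    agent_env = {
        "HTTPS_PROXY": "http://corp-proxy.internal:3128",
        "NO_PROXY": "localhost,127.0.0.1,.corp.internal,10.0.0.0/8",
    }
    for target in ("teleport.example.com:3024", "proxy.corp.internal:3024", "10.20.30.40:3024"):
        route = proxy_for(target, agent_env)
        print(f"{target}: {'via ' + route if route else 'direct'}")
```

    If the Teleport Proxy Service address resolves to "via" a proxy that does not permit CONNECT to that host, adding the address to NO_PROXY on the agent is the fix that keeps the tunnel direct after the upgrade.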

    New APT repos

    With Teleport 10 we've migrated to new APT repositories that now support multiple release channels, Teleport versions and OS distributions. The new repositories have been backfilled with Teleport versions starting from 6.2.31 and we recommend upgrading to them. The old repositories will be maintained for the foreseeable future.

    See updated installation instructions: https://goteleport.com/docs/server-access/getting-started/#step-14-install-teleport-on-your-linux-host.

    Removed "tctl access ls"

    The tctl access ls command that returned information about user server access within the cluster was removed. Please use a previous tctl version if you'd like to keep using it.

    Relaxed session join permissions

    In previous versions of Teleport users needed full access to a Node/Kubernetes pod in order to join a session. Teleport 10 relaxes this requirement. Joining sessions remains deny-by-default but now only join_sessions statements are checked for session join RBAC.

    See the Moderated Sessions guide for more details: https://goteleport.com/docs/access-controls/guides/moderated-sessions/.

    GitHub connectors

    The GitHub authentication connector’s teams_to_logins field is deprecated in favor of the new teams_to_roles field. The old field will be removed in a future release.

    Teleport FIPS AWS endpoints

    Teleport 10 will now automatically use FIPS endpoints for AWS S3 and DynamoDB when started with the --fips flag. You can use the use_fips_endpoint=false connection endpoint option to use regular endpoints for Teleport in FIPS mode, for example:

    s3://bucket/path?region=us-east-1&use_fips_endpoint=false
    

    See the S3/DynamoDB backends documentation for more information: https://goteleport.com/docs/setup/reference/backends/#s3.