Skip to content

Releases: gravitational/teleport

Teleport 17.3.0

28 Feb 22:35
@doggydogworld doggydogworld
v17.3.0
91d71bd
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Teleport 17.3.0 Latest
Latest

Description

Automatic Updates

17.3 introduces a new automatic update mechanism for system administrators to
control which Teleport version their agents are running. You can now configure
the agent update schedule and desired agent version via the autoupdate_config
and autoupdate_version resources.

Updates are performed by the new teleport-update binary. This new system is
package manager-agnostic and opt-in. Existing agents won't be automatically
enrolled, you can enroll existing 17.3+ agents by running teleport-update enable.

teleport-update will become the new standard way of installing Teleport as it
always picks the appropriate Teleport edition (Community vs Enterprise), the
cluster's desired version, and the correct Teleport variant (e.g. FIPS-compliant
cryptography).

Package layout changes

Starting with 17.3.0, the Teleport DEB and RPM packages, notably used by the
apt, yum, dnf and zypper package managers, will place the Teleport
binaries in /opt/teleport instead of /usr/local/bin.

The binaries will be symlinked to their previous location, no change should be
required in your scripts or systemd units.

This change allows us to do automatic updates without conflicting with the
package manager.

Delegated joining for Oracle Cloud Infrastructure

Teleport agents running on Oracle Cloud Infrastructure (OCI) are now able to
join the Teleport cluster without a static join token.

Stable UIDs for host-user creation

Teleport now provides the ability to create host users with stable UIDs across
the entire Teleport cluster.

VNet for Windows

Teleport's VNet feature are now available for Windows, allowing users to access
TCP applications protected by Teleport as if they were on the same network.

Improved GitHub Proxy enrollment flow

Teleport web UI now provides wizard-like guided enrollment flow for the new
GitHub Proxy integration.

AWS Identity Center integration improvements

AWS Identity Center integration now supports using IAM authentication instead of
OIDC (useful for private clusters) and a hybrid setup that allows to use another
IdP as external identity source.

Okta integration improvements

Teleport Okta integration now provides updated guided enrollment flow and will
allow updating integration settings (such as sync configuration or group
filters) without having to recreate the integration.

Note that the new enrollment flow uses OAuth authentication method instead of
API tokens. If the Okta integration is installed on v17.3 and the cluster is
downgraded the Okta plugin must be reinstalled to ensure proper functionality.

Readiness endpoint changes

The Auth Service readiness now reflects the connectivity from the instance to
the backend storage, and the Proxy Service readiness reflects the connectivity
to the Auth Service API. In case of Auth or backend storage failure, the
instances will now turn unready. This change ensures that control plane
components can be excluded from their relevant load-balancing pools. If you want
to preserve the old behaviour (the Auth Service or Proxy Service instance stays
ready and runs in degraded mode) in the teleport-cluster Helm chart, you can
now tune the readiness setting to have the pods become unready after a high
number of failed probes.

Other fixes and improvements

  • Added tctl edit support for Identity Center plugin resources. #52605
  • Added Oracle join method to web UI provision token editor. #52599
  • Added warnings to VNet on macOS about other software that might conflict with VNet, based on inspecting network routes on the system. #52552
  • Added auto-importing of Oracle Cloud tags. #52543
  • Added support for X509 revocations to Workload Identity. #52503
  • Git proxy commands executed in terminals now support interactive login prompts when the tsh session expires. #52475
  • Connect is now installed per-machine instead of per-user on Windows. #52453
  • Added teleport-update for default build. #52361

Enterprise:

  • Improved sync performance in Identity Center integration.
  • Delete related Git servers when deleting GitHub integration in the web UI.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Assets 2
Loading

Teleport 17.2.9

25 Feb 20:47
@fheinecke fheinecke
v17.2.9
6b86200
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Teleport 17.2.9

Description

  • Updated go-jose/v4 to v4.0.5 (addresses CVE-2025-27144). #52467
  • Updated /x/crypto and /x/oauth2 (addresses CVE-2025-22869 and CVE-2025-22868). #52437
  • Fixed missing audit event on GitHub proxy RBAC failure. #52427
  • Allow to provide tbot configurations via environment variables. Update tbot-distroless image to run start command by default. #52351
  • Logging out from a cluster no longer clears the client autoupdate binaries. #52337
  • Added tctl installer for Identity Center integration. #52336
  • Added JSON response support to the /webapi/auth/export public certificate API endpoint. #52325
  • Resolves an issue with tbot where the web proxy port would be used instead of the SSH proxy port when ports separate mode is in use. #52291
  • Fix Azure SQL Servers connect failures when the database agent runs on a VM scale set. #52267
  • Add filter drop-downs and pinning support for the "Enroll a New Resource" page in the web UI. #52176
  • Improve latency and reduce resource consumption of generating Kubernetes certificates via tctl auth sign and tsh kube login. #52146

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Loading

Teleport 17.2.8

20 Feb 07:02
@doggydogworld doggydogworld
v17.2.8
4504397
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Teleport 17.2.8

Description

  • Fixed broken Download Metadata File button from the SAML enrolling resource flow in the web UI. #52276
  • Fixed broken Refresh button in the Access Monitoring reports page in the web UI. #52276
  • Fixed broken Download app.zip menu item in the Integrations list dropdown menu for Microsoft Teams in the web UI. #52276
  • Fixed Unexpected end of JSON input error in an otherwise successful web API call. #52276
  • Teleport Connect now features a new menu for quick access request management. #52217
  • Remove the ability of tctl to load the default configuration file on Windows. #52188
  • Tbot: support overriding credential_ttl and renewal_interval on most outputs and services. #52185
  • Fix an issue that GitHub integration CA gets deleted during Auth restart for non-software key stores like KMS. For broken GitHub integrations, the integration resource must be deleted and recreated. #52149
  • Added support for non-FIPS AWS endpoints for IAM and STS on FIPS binaries (TELEPORT_UNSTABLE_DISABLE_AWS_FIPS=yes) #52127
  • Introduced the allow_reissue property to the tbot identity output for compatibility with tsh based reissuance. #52116

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Loading

Teleport 15.4.29

15 Feb 00:52
@camscale camscale
v15.4.29
8ff49d6
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Teleport 15.4.29

Description

Security Fixes

  • Fixed security issue with arbitrary file reads on SSH nodes. #52138
  • Verify that cluster name of TLS peer certs matches the cluster name of the CA that issued it to prevent Auth bypasses. #52132

Other fixes and improvements

  • Removed the ability of tctl to load the default configuration file on Windows. #52190
  • Moved PostgreSQL auto provisioning users procedures to pg_temp schema. #52150
  • Applied TELEPORT_UNSTABLE_DISABLE_AWS_FIPS to IAM and STS credentials. #52134
  • Fixed graceful closing of networking subprocesses when the Teleport parent process is gracefully closed (SIGQUIT). #52117
  • Updated Go to 1.23.6. #52087
  • Updated OpenSSL to 3.0.16. #52039
  • Reduced CPU consumption required to map roles between clusters and perform trait to role resolution. #51941
  • Client tools managed updates require a base URL for the open-source build type. #51934
  • Added an escape hatch to allow non-FIPS AWS endpoints on FIPS binaries (TELEPORT_UNSTABLE_DISABLE_AWS_FIPS=yes). #51932
  • Added securityContext value to the tbot Helm chart. #51909
  • Teleport agents always create the debug.sock UNIX socket. The configuration field debug_service.enabled now controls if the debug and metrics endpoints are available via the UNIX socket. #51890
  • Updated Go to 1.22.12. #51837
  • Improved instance.join event error messaging. #51781
  • Added support for caching Microsoft Remote Desktop Services licenses. #51686
  • Added Audit Log statistics to tctl top. #51656
  • Fixed an issue where the Postgres backend would drop App Access events. #51645
  • Fixed a rare crash that can happen with malformed SAML connector. #51636
  • Fixed occasional Web UI session renewal issues (reverts "Avoid tight renewals for sessions with short TTL"). #51604
  • Quoted the KUBECONFIG environment variable output by the tsh proxy kube command. #51525
  • Added support for customizing the base URL for downloading Teleport packages used in client tools managed updates. #51482
  • Added support for continuous profile collection with Pyroscope. #51480
  • Improved handling of client session termination during Kubernetes Exec sessions. The disconnection reason is now accurately returned for cases such as certificate expiration, forced lock activation, or idle timeout. #51456
  • Fixed an issue that prevented IPs provided in the X-Forwarded-For header from being honored in some scenarios when TrustXForwardedFor is enabled. #51425
  • Added support for multiple active CAs in the /auth/export endpoint. #51420
  • Fixed a bug in GKE auto-discovery where the process failed to discover any clusters if the identity lacked permissions for one or more detected GCP project IDs. #51401
  • Added support for multiple active CAs in tctl auth export. #51377
  • Added more granular audit logging surrounding SSH port forwarding. #51327

Enterprise:

  • Removed Desktop Access support in arm64 FIPS builds.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

labels: security-patch=yes,security-patch-alts=v15.4.27

Loading

Teleport 17.2.7

14 Feb 03:36
@camscale camscale
v17.2.7
0f26fcd
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Teleport 17.2.7

Description

Security Fixes

  • Fixed security issue with arbitrary file reads on SSH nodes. #52136
  • Verify that cluster name of TLS peer certs matches the cluster name of the CA that issued it to prevent Auth bypasses. #52130
  • Reject authentication attempts from remote identities in the git forwarder. #52126

Other fixes and improvements

  • Added an escape hatch to allow non-FIPS AWS endpoints on FIPS binaries (TELEPORT_UNSTABLE_DISABLE_AWS_FIPS=yes). #52069
  • Fixed Postgres database access control privileges auto-provisioning to grant USAGE on schemas as needed for table privileges and fixed an issue that prevented user privileges from being revoked at the end of their session in some cases. #52047
  • Updated OpenSSL to 3.0.16. #52037
  • Added ability to disable path-style S3 access for third-party endpoints. #52009
  • Fixed displaying Access List form when request reason is required. #51998
  • Fixed a bug in the WebUI where file transfers would always prompt for MFA, even when not required. #51962
  • Reduced CPU consumption required to map roles between clusters and perform trait to role resolution. #51935
  • Client tools managed updates require a base URL for the open-source build type. #51931
  • Fixed an issue leaf AWS console app shows "not found" error when root cluster has an app of the same name. #51928
  • Added securityContext value to the tbot Helm chart. #51907
  • Fixed an issue where required apps wouldn't be authenticated when launching an application from outside the Teleport Web UI. #51873
  • Prevent Teleport proxy failing to initialize when listener address's host component is empty. #51864
  • Fixed connecting to Apps in a leaf cluster when Per-session MFA is enabled. #51853
  • Updated Go to 1.23.6. #51835
  • Fixed bug where role max_duration is not respected unless request max_duration is set. #51821
  • Improved instance.join event error messaging. #51779
  • Teleport agents always create the debug.sock UNIX socket. The configuration field debug_service.enabled now controls if the debug and metrics endpoints are available via the UNIX socket. #51771
  • Backport new Azure integration functionality to v17, which allows the Discovery Service to fetch Azure resources and send them to the Access Graph. #51725
  • Added support for caching Microsoft Remote Desktop Services licenses. #51684
  • Added Audit Log statistics to tctl top. #51655
  • Redesigned the profile switcher in Teleport Connect for a more intuitive experience. Clusters now have distinct colors for easier identification, and readability is improved by preventing truncation of long user and cluster names. #51654
  • Fixed a regression that caused the Kubernetes Service to reuse expired tokens when accessing EKS, GKE and AKS clusters using dynamic credentials. #51652
  • Fixes issue where the Postgres backend would drop App Access events. #51643
  • Fixed a rare crash that can happen with malformed SAML connector. #51634
  • Fixed occasional Web UI session renewal issues (reverts "Avoid tight renewals for sessions with short TTL"). #51601
  • Introduced tsh workload-identity issue-x509 as the replacement to tsh svid issue and which is compatible with the new WorkloadIdentity resource. #51597
  • Machine ID's new kubernetes/v2 service supports access to multiple Kubernetes clusters by name or label without needing to issue new identities. #51535
  • Quoted the KUBECONFIG environment variable output by the tsh proxy kube command. #51523
  • Fixed a bug where performing an admin action in the WebUI would hang indefinitely instead of getting an actionable error if the user has no MFA devices registered. #51513
  • Added support for continuous profile collection with Pyroscope. #51477
  • Added support for customizing the base URL for downloading Teleport packages used in client tools managed updates. #51476
  • Improved handling of client session termination during Kubernetes Exec sessions. The disconnection reason is now accurately returned for cases such as certificate expiration, forced lock activation, or idle timeout. #51454
  • Fixed an issue that prevented IPs provided in the X-Forwarded-For header from being honored in some scenarios when TrustXForwardedFor is enabled. #51416
  • Added support for multiple active CAs in the /auth/export endpoint. #51415
  • Fixed integrations status page in WebUI. #51404
  • Fixed a bug in GKE auto-discovery where the process failed to discover any clusters if the identity lacked permissions for one or more detected GCP project IDs. #51399
  • Introduced the new workload_identity resource for configuring Teleport Workload Identity. #51288

Enterprise:

  • Fixed a regression in the Web UI that prevented Access List members to view the Access List's they are member of.
  • Fixed an issue with recreating Teleport resources for Okta applications with multiple embed links.
  • Fixed an issue in the Identity Center principal assignment service that incorrectly reported a successful permission assignment delete request as a failed one.
  • Fixed an issue in the Identity Center group import service which incorrectly handled import error event.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

labels: security-patch=v17.1.2|v17.1.3|v17.1.6

Loading

Teleport 16.4.16

14 Feb 03:28
@camscale camscale
v16.4.16
e873067
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Teleport 16.4.16

Description

Security Fixes

  • Fixed security issue with arbitrary file reads on SSH nodes. #52137
  • Verify that cluster name of TLS peer certs matches the cluster name of the CA that issued it to prevent Auth bypasses. #52131

Other fixes and improvements

  • Fixed Postgres database access control privileges auto-provisioning to grant USAGE on schemas as needed for table privileges and fixed an issue that prevented user privileges from being revoked at the end of their session in some cases. #52100
  • Updated Go to 1.23.6. #52083
  • Added an escape hatch to allow non-FIPS AWS endpoints on FIPS binaries (TELEPORT_UNSTABLE_DISABLE_AWS_FIPS=yes). #52082
  • Updated OpenSSL to 3.0.16. #52038
  • Reduced CPU consumption required to map roles between clusters and perform trait to role resolution. #51940
  • Client tools managed updates require a base URL for the open-source build type. #51933
  • Added securityContext value to the tbot Helm chart. #51910
  • Teleport agents always create the debug.sock UNIX socket. The configuration field debug_service.enabled now controls if the debug and metrics endpoints are available via the UNIX socket. #51888
  • Fixed connecting to Apps in a leaf cluster when Per-session MFA is enabled. #51854
  • Fixed bug where role max_duration is not respected unless request max_duration is set. #51828
  • Improved instance.join event error messaging. #51780
  • Include the format (indicates which format the session was accessed in) and session_type (represents the type of the recording, for example, ssh) fields for the session.recording.access audit event. #51695
  • Added support for caching Microsoft Remote Desktop Services licenses. #51685
  • Added Audit Log statistics to tctl top. #51657
  • Fixed an issue where the Postgres backend would drop App Access events. #51644
  • Fixed a rare crash that can happen with malformed SAML connector. #51635
  • Introduced tsh workload-identity issue-x509 as the replacement to tsh svid issue and which is compatible with the new WorkloadIdentity resource. #51607
  • Fixed occasional Web UI session renewal issues (reverts "Avoid tight renewals for sessions with short TTL"). #51602
  • Quoted the KUBECONFIG environment variable output by the tsh proxy kube command. #51524
  • Added support for continuous profile collection with Pyroscope. #51479
  • Added support for customizing the base URL for downloading Teleport packages used in client tools managed updates. #51478
  • Improved handling of client session termination during Kubernetes Exec sessions. The disconnection reason is now accurately returned for cases such as certificate expiration, forced lock activation, or idle timeout. #51455
  • Fixed an issue that prevented IPs provided in the X-Forwarded-For header from being honored in some scenarios when TrustXForwardedFor is enabled. #51424
  • Added support for multiple active CAs in the /auth/export endpoint. #51418
  • Fixed a bug in GKE auto-discovery where the process failed to discover any clusters if the identity lacked permissions for one or more detected GCP project IDs. #51400
  • Added support for multiple active CAs in tctl auth export. #51376
  • Added ability to disable path-style S3 access for third-party endpoints. #51360
  • Added wildcard-workload-identity-issuer preset role to improve Day 0 experience with configuring Teleport Workload Identity. #51346
  • Improved Azure join validation by verifying subscription ID. #51329
  • Added more granular audit logging surrounding SSH port forwarding. #51326
  • Fixes a bug causing the terraform-provider preset role to not automatically allow newly supported resources. #51321
  • Introduced the new workload_identity resource for configuring Teleport Workload Identity. #51289

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

labels: security-patch=yes,security-patch-alts=v16.4.15

Loading

Teleport 14.3.36

14 Feb 02:39
@camscale camscale
v14.3.36
d35a2f9
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Teleport 14.3.36

Description

Security Fixes

  • Fixed security issue with arbitrary file reads on SSH nodes. #52139
  • Verify that cluster name of TLS peer certs matches the cluster name of the CA that issued it to prevent Auth bypasses. #52133
  • Updated golang.org/x/crypto to v0.31.0 (CVE-2024-45337). #50081

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

labels: security-patch=yes,security-patch-alts=v14.3.35

Loading

Teleport 17.2.1

23 Jan 02:15
@camscale camscale
v17.2.1
1d267b0
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Teleport 17.2.1

Description

Security Fixes

  • Improve Azure join validation by verifying subscription ID. #51328

Other Improvements and Fixes

  • Added support for multiple active CAs in tctl auth export. #51375
  • Teleport Connect now shows a resource name in the status bar. #51374
  • Role presets now include default values for github_permissions and the git_server resource kind. github_permissions now supports traits. #51369
  • Fix backwards compatibility error where users were unable to login with Teleport Connect if Connect version is below v17.2.0 with Teleport cluster version v17.2.0. #51368
  • Added wildcard-workload-identity-issuer preset role to improve Day 0 experience with configuring Teleport Workload Identity. #51341
  • Added more granular audit logging surrounding SSH port forwarding. #51325
  • FIxes a bug causing the terraform-provider preset role to not automatically allow newly supported resources. #51320
  • GitHub server resource now shows in Web UI. #51303

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

labels: security-patch=yes

Loading

Teleport 17.2.0

22 Jan 04:37
@camscale camscale
v17.2.0
43a9972
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Teleport 17.2.0

Description

Per-session MFA via IdP

Teleport users can now satisfy per-session MFA checks by authenticating with an
external identity provider as an alternative to using second factors registered
with Teleport.

GitHub access

Teleport now natively supports GitHub access allowing users to transparently
interact with GitHub with RBAC and audit logging support.

Oracle Toad client support

Oracle Database Access users can now use the Toad GUI client.

Trusted clusters support for Kubernetes operator

Kubernetes operator users can now create trusted clusters using Kubernetes
custom resources.

Other improvements and fixes

  • Fixed WebAuthn attestation for Windows Hello. #51247
  • Include invited and reason fields in SessionStartEvents. #51175
  • Updated Go to 1.23.5. #51172
  • Fixed client tools auto-updates executed by aliases (causes recursive alias error). #51154
  • Support proxying Git commands for github.com. #51086
  • Assuming an Access Request in Teleport Connect now propagates elevated permissions to already opened Kubernetes tabs. #51055
  • Fixed AWS SigV4 parse errors in app access when the application omits the optional spaces between the SigV4 components. #51043
  • Fixed a Database Service bug where db_service.resources.aws.assume_role_arn settings could affect non-AWS dynamic databases or incorrectly override db_service.aws.assume_role_arn settings. #51039
  • Adds support for defining labels in the web UI Discover flows for single resource enroll (server, AWS and web applications, Kubernetes, EKS, RDS). #51038
  • Added support for using multi-port TCP apps in Teleport Connect without VNet. #51014
  • Fix naming conflict of DynamoDB audit event auto scaling policy. #50990
  • Prevent routing issues for agentless nodes that are created with non-UUID metadata.name fields. #50924
  • Honor the cluster routing strategy when client initiated host resolution via proxy templates or label matching is ambiguous. #50799
  • Emit audit events on access request expiry. #50775
  • Add full SSO MFA support for the WebUI. #50529

Enterprise:

  • Oracle: accept database certificates configuration used by Teleport Connect.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Loading

Teleport 16.4.14

21 Jan 20:48
@camscale camscale
v16.4.14
3553a42
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Teleport 16.4.14

Description

  • Fixed WebAuthn attestation for Windows Hello. #51248
  • Fixed client tools auto-updates executed by aliases (causes recursive alias error). #51182
  • Include invited and reason fields in SessionStartEvents. #51176
  • Updated Go to 1.22.11. #51137
  • Assuming an Access Request in Teleport Connect now propagates elevated permissions to already opened Kubernetes tabs. #51056
  • Fixed AWS SigV4 parse errors in app access when the application omits the optional spaces between the SigV4 components. #51044
  • Fixed a Database Service bug where db_service.resources.aws.assume_role_arn settings could affect non-AWS dynamic databases or incorrectly override db_service.aws.assume_role_arn settings. #51041
  • Prevent routing issues for agentless nodes that are created with non-UUID metadata.name fields. #50925
  • Honor the cluster routing strategy when client initiated host resolution via proxy templates or label matching is ambiguous. #50800

Enterprise:

  • Okta: Fixed web UI status display for SSO-only integration.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Loading