Skip to content

Releases: gravitational/teleport

Teleport 18.7.0

17 Feb 23:03
@mjsmithnh mjsmithnh
v18.7.0
This tag was signed with the committer’s verified signature.
mjsmithnh Matt Smith
SSH Key Fingerprint: k063nd9uhyHXLXwa+ccoCcVh0PqPinXMMjebsu4kOHk
Verified
Learn about vigilant mode.
433b913
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
Teleport 18.7.0 Latest
Latest

Description

Session timeline view for Identity Security

Session player for Identity Security users received an enhanced timeline view with
per-command session breakdown.

Organization-level auto-discovery for AWS EC2 instances

AWS auto-discovery supports EC2 instance enrollment from all or a subset of accounts
of an AWS organization without having to configure per-account discovery.

Organization-level discovery for other resources within AWS (RDS, EKS) as well as other
for cloud providers will follow in future releases.

Terraform-native flow for configuration of AWS EC2 auto-discovery

Teleport provides in-product UX for configuring EC2 auto-discovery in a single AWS
account using terraform module.

Static labels for auto-discovered Windows desktops

Teleport can now be configured to apply a set of static labels to Windows
desktops that it discovers via LDAP. This is an alternative to setting labels
based on the value of LDAP attributes.

Access requests privilege escalation UX for AWS

Teleport users are now able to see specific IAM roles available to them when requesting
elevated access to AWS CLI/console. Future releases will extend support for specific
principal selection to access requests for other resource types as well.

Entra ID integration status page

Teleport users are now able to see status of the configured Entra ID integration in the
web UI.

Inventory UI

Teleport's web UI now includes a new page showing the complete inventory of all instances
and bots connected to the cluster.

Managed Updates UI

Teleport's web UI now includes new functionality for working with managed updates.
The UI offers the ability to view and manage the updater configuration as well
as monitor the progress of update rollouts.

Split Windows CA

Teleport now introduces a new Windows CA responsible for issuing user certificates for
Windows Desktop access. Currently the User CA issues those certificates, as they are end-user certs.
Splitting the CAs improves Teleport's security posture by introducing a more specialized CA
and allows both CAs to be rotated independently.

Other fixes and improvements

  • Fixed tsh kubectl failing when kubectl flags appear before positional arguments (e.g., tsh kubectl -n default get pod). #63807
  • The tsh status command can now be executed in client-only mode with --client. This skips all server-side operations. #63786
  • Improved tracing support via tsh --trace kubectl. #63762
  • Added tctl recordings download command to download session recordings to local files without requiring direct access to the storage backend. #63726
  • MWI: Add new tbot start no-op helper that starts no services. #63666
  • Improved performance and user experience of teleport backend clone. #63635
  • Fixed out of sequent audit logs rendering in ui for same timestamp logs. #63613
  • Added the Windows CA, used to issue Windows Desktop Access user certificates. The Windows CA is initially created as a copy of the User CA, so existing trust relationships are maintained. You may rotate either CA in order to create distinct key material (make sure to consult the Certificate Authority Rotation guide before performing a CA rotation). The Windows CA is a top-level CA entity, so it is reflected in all commands that operate on CAs. Updating both command-line tools and Windows Desktop agents is recommended. #63547
  • Added support for summarizer resources to the Teleport Terraform provider. #63534
  • Add Managed Updates dashboard to the WebUI. #63310
  • Fixed a bug that could cause Windows desktops discovered via LDAP to be removed in error. #62471
  • Fixed an issue that could cause failed Active Directory user lookups to cache the error rather than retry. #62471
  • Ensure that discovered Windows desktops don't expire when a large discovery interval is configured. #62471
  • Each Windows desktop discovery_config can now include a set of static labels to apply to discovered hosts. #62452
  • Added support for discovering EC2 instances in all the accounts under an AWS Organization. #62302
  • Added support for EC2 instances to join based on their AWS Organization. #62302

Enterprise:

  • Updated Entra ID plugin UI to support Access List owners source configuration.
  • Fixes a panic that occurred when External Audit Storage was available but not enabled in Teleport Cloud while Access Monitoring was enabled.
  • Added plugin status page for Teleport Entra ID integration.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Assets 2
Loading

Teleport 18.6.8

10 Feb 23:21
@doggydogworld doggydogworld
v18.6.8
9a94677
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
Teleport 18.6.8

Description

  • Added --exec-cmd and --exec-arg flags to tsh proxy kube to allow launching custom commands like k9s directly without requiring environment variable workarounds. #63066

Enterprise:

  • Fixes a panic that occurred when External Audit Storage was available but not enabled in Teleport Cloud while Access Monitoring was enabled.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Loading

Teleport 17.7.19

11 Feb 00:14
@doggydogworld doggydogworld
v17.7.19
265ff01
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
Teleport 17.7.19

Description

Enterprise:

  • Fixes a panic that occurred when External Audit Storage was available but not enabled in Teleport Cloud while Access Monitoring was enabled.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Loading

Teleport 18.6.7

09 Feb 22:54
@doggydogworld doggydogworld
v18.6.7
0a2200f
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
Teleport 18.6.7

Description

  • Revised help messages for event handler CLI commands. #63620
  • Fixed tsh ssh user@foo=bar uptime from running serially if users did not have role:read permissions. #63612
  • The minimum version of macOS required to run Teleport or associated client tools is now macOS 12 (Monterey). #63587
  • The minimal macOS version required by Teleport Connect is now macOS 12. #63569
  • Fixed bug where event handler would throw an error on Athena backend when handling large events. #63550
  • Updated Go to 1.25.7. #63539
  • Fixed an issue where a role requiring a trusted device could incorrectly block access to all applications. #63527
  • Fixed bug where event handler would get stuck on DynamoDB backend when handling large events. #63526
  • Updated tsh/Linux to correctly capture the OS login user for device trust. #63452
  • Fixed a server error when rejecting a headless authentication request in the Web UI. #63431
  • Added opt-in support to use cert-manager certificates for teleport-plugin-event-handler helm chart. #63420
  • Modified tbot helm chart with default token value to simplify deployment. #63360
  • Improved GitHub + Kubernetes guide experience. #63185
  • Fixed teleport join openssh on recent versions of Ubuntu. #63040

Enterprise:

  • Extend Access Monitoring feature to Teleport Cloud customers using External Audit Storage.
  • Added recording and validation for the fixed OS login user values from tsh.
  • Mitigated a race in the Slack token refresh logic.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Loading

Teleport 17.7.18

10 Feb 04:52
@doggydogworld doggydogworld
v17.7.18
61b7c02
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
Teleport 17.7.18

Description

Skipped 17.7.17 due to a build pipeline issue.

  • Revised help messages for event handler CLI commands. #63642
  • Fixed tsh ssh user@foo=bar uptime from running serially if users did not have role:read permissions. #63611
  • The minimum version of macOS required to run Teleport or associated client tools is now macOS 12 (Monterey). #63588
  • The minimal macOS version required by Teleport Connect is now macOS 12. #63570
  • Fixed bug where event handler would get stuck on DynamoDB backend when handling large events. #63562
  • Updated Go to 1.25.7. #63561
  • Fixed bug where event handler would throw an error on Athena backend when handling large events. #63551
  • Fixed an issue where a role requiring a trusted device could incorrectly block access to all applications. #63528
  • Updated tsh/Linux to correctly capture the OS login user for device trust. #63453
  • Fixed a server error when rejecting a headless authentication request in the Web UI. #63432
  • Fixed tsh/Linux sending a too-large username for device trust. #63388
  • Fixed teleport join openssh on recent versions of Ubuntu. #63042
  • Fix an issue in the Teleport SSH Service where interactive PAM Auth modules always fail when trying to run exec sessions with tty allocated. e.g. tsh ssh --tty <node> ls. #62065

Enterprise:

  • Extend Access Monitoring feature to Teleport Cloud customers using External Audit Storage.
  • Added recording and validation for the fixed OS login user values from tsh.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Loading

Teleport 18.6.6

03 Feb 06:30
@camscale camscale
v18.6.6
6750243
This commit was signed with the committer’s verified signature.
aadc-dev Angel Dionisio
SSH Key Fingerprint: jY4y60vmj4+3cRs/6JKlm9J6fIg+zjntdtY7y9yXTA8
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
Teleport 18.6.6

Description

  • Fixed tsh/Linux sending a too-large username for device trust. #63387
  • Fixed an issue where MCP JSON-RPC messages with mixed-case field names could be parsed inconsistently and re-serialized to lower cases. Teleport now enforces canonical lowercase JSON-RPC fields. #63364
  • Improved robustness of the Slack hosted plugin to reduce the likeliness of failed token refresh when experiencing external disruption. #63344
  • Fixed a bug affecting access list review queries for lists where the name is a prefix of another list name. #63337
  • Updated the OCI SDK to support new regions. #63265
  • Ensure application session rejections for untrusted devices are consistently audited as AppSessionStart failures after MFA. #63149
  • Added Helm chart support to the teleport-event-handler configure command. #63147
  • Added tctl support for removing okta_assignment internal resource should it be needed. #62698

Enterprise:

  • Prevented manual membership changes to SCIM-type access lists while enabling support for their reviews.
  • Fixed the issue where Okta integration may not remove previously synced apps after plugin restart.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Loading

Teleport 17.7.16

03 Feb 00:20
@aadc-dev aadc-dev
v17.7.16
323893d
This commit was signed with the committer’s verified signature.
aadc-dev Angel Dionisio
SSH Key Fingerprint: jY4y60vmj4+3cRs/6JKlm9J6fIg+zjntdtY7y9yXTA8
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
Teleport 17.7.16

Description

  • Improved robustness of the Slack hosted plugin to reduce the likeliness of failed token refresh when experiencing external disruption. #63347
  • Ensure application session rejections for untrusted devices are consistently audited as AppSessionStart failures after MFA. #63260
  • Fixed a CredentialContainer error when attempting to log in to the Web UI with a hardware key using Firefox >=147.0.2. #63246
  • Updated OpenSSL to 3.0.19. #63203

Enterprise:

  • Mitigated a race in the Slack token refresh logic.
  • Fixe the issue where Okta integration may not remove previously synced apps after plugin restart.
  • Added support for multi-arch lock file population for the terraform provider.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Loading

Teleport 18.6.5

29 Jan 21:14
@fheinecke fheinecke
v18.6.5
4bc3277
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
Teleport 18.6.5

Description

  • Fixed a CredentialContainer error when attempting to log in to the Web UI with a hardware key using Firefox >=147.0.2. #63245
  • Added support for deleting cluster alerts via tctl alerts rm <alertID> command. #63211
  • Updated OpenSSL to 3.0.19. #63202
  • Added support for injecting Teleport-issued ID tokens into outgoing MCP requests, enabling integrations with MCP servers such as the AWS Bedrock AgentCore MCP Gateway that can validate tokens via OIDC discovery URL. #63156
  • Export "additional_trusted_keys" when exporting TLS CAs, which includes new certificates generated in the "init" rotation phase. Reflected in "tctl auth export" and the "/webapi/auth/export" endpoint. #63134
  • Updated indirect dependency go-chi/chi/v5 (addresses GO-2026-4316). #63092
  • The tbot systemd install command now supports a --pid-file flag for setting the path to the PID file. #63039
  • Allow kubeconfig and context to be explicitly configured for tbot kubernetes_secret destination. #63037
  • Implemented "tctl get cert_authority/catype", in addition to the already existing "tctl get cert_authority" and "tctl get cert_authority/catype/domain". #63027
  • Added a Terraform module to configure Teleport and AWS for EC2 discovery in an AWS account. #63004
  • Added opt-in support to bootstrap the teleport-plugin-event-handler helm chart with MWI to auto-join Teleport clusters when Operator is enabled. #63001
  • Added permissions to the editor role allowing users to view autoupdate agent reports. #62973
  • Improved performance of large search queries for DynamoDB event backend. #62890
  • Introduced tbot-spiffe-daemon-set helm chart for deploying a Daemon Set of tbot agents which serve SPIFFE SVIDs to Kubernetes pods via the SPIFFE Workload API. #62583

Enterprise:

  • Fixed an issue with the legacy Azure OIDC IdP SSO issuer=sts.windows.net where Teleport was unable to map Teleport roles from the groups claim available in the id_token.
  • Added updated resources to SCIM audit events that create or change SCIM resources.
  • Support multi-arch lock file population for the terraform provider.
  • Added audit events to SCIM PATCH operations.
  • Updated Entra ID plugin to support importing Entra ID group owners as Access List owners.
  • Replaced enterprise downloads list view in Web UI with links to Public Downloads page.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Loading

Teleport 17.7.15

27 Jan 19:29
@fheinecke fheinecke
v17.7.15
f1db778
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
Teleport 17.7.15

Description

  • Updated indirect dependency go-chi/chi/v5 (addresses GO-2026-4316). #63093
  • The tbot systemd install command now supports a --pid-file flag for setting the path to the PID file. #63038
  • Fixed GCS session recording backend not respecting rate limits. #62987
  • Made the teleport-cluster Helm chart job resources configurable again via the jobResources value. #62924
  • Reverted a disruptive change from v17.7.11: teleport-cluster Helm chart uses resources for Jobs again. If set jobResources takes precedence. This will change in v18, only jobResources will be used. #62924

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Loading

Teleport 18.6.4

21 Jan 15:49
@aadc-dev aadc-dev
v18.6.4
bf7b201
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
Teleport 18.6.4

Description

  • Fixed GCS session recording backend not respecting rate limits. #62986
  • Fixed a bug where members of a former owner Access List retain the owner permissions grants of the former owned Access List. It also fixes the issue with not being able to delete a former owner Access List. Please note: this could only happen if the owner Access List ownership was removed via the web UI. #62979
  • Tctl commands executed from Teleport Connect now target the current root cluster with the TELEPORT_AUTH_SERVER env var, similar to how it works for tsh; this behavior can be turned off in the config file. #62923
  • Made the teleport-cluster Helm chart job resources configurable again via the jobResources value. #62922
  • Updated Go to 1.24.12. #62885
  • Fixed launching AWS Identity Center from Teleport Connect. #62840
  • Removed erroneous pair-wise subject type from Teleport's OpenID configuration. #62835
  • Fixed renewed X509-SVIDs not being proactively sent to Envoy instances. #62830
  • Fix an issue MCP Session Listen events may spam audit log with app service error malformed line in SSE stream: &#34;&#34;. #62811
  • Added automatic client certificate reloading option for postgres backends. #62747
  • Fixed an issue that would prevent tsh from working when the 1password SSH agent is running. #62736
  • Add tbot wait API and helper to let scripts wait for bots to become ready. #62719
  • MWI: Add support for templating secret annotations in the tbot's kubernetes/argo-cd service. #62709
  • Add quicksight.aws.amazon.com as valid URL for AWS Console access. #62700
  • Fixed potential delay in updating User Task status for Discovery resources. #62699
  • Fixed an issue where logging in to the Web UI with Device Trust would lose query params of the redirect URL. #62677
  • Fixed an issue where Teleport Connect could generate a flurry of notifications about not being able to connect to a resource. #62671
  • Fixed issuance of wildcard DNS SANs with Workload Identity. #62667
  • Fixed a memory leak in access list reminder notifications affecting clusters with more than 1000 pending Access List reviews. #62663
  • Added support for health checks to monitor cert authority availability and affect Teleport Auth readiness. #62637
  • Added IAM joining support from new AWS regions in asia. #62627
  • Added VNet config Create/Update/Delete audit events. #62618
  • Added cleanup of access entries for EKS auto-discovered clusters when they no longer match the filtering criteria and are removed. #62598
  • Added teleport debug metrics command. #62586
  • Fixed missing initialization of Azure IMDS clients, which could cause operational failures in some Teleport configurations deployed to Azure, in particular when accessing Azure SQL Server. #62579
  • Fixed some auto update audit events showing up as unknown in the web UI. #62547
  • The join tokens UI now indicates which tokens are managed by the Teleport Cloud platform. #62544
  • The tctl tokens add command now includes the CA pins in JSON and YAML output. #62536
  • Added teleport debug readyz command. #62532
  • Audit log and session uploader now respect region field of external_audit_storage resource when present. #62520
  • Added default routes to the web UI left nav top-level category buttons. #62502
  • Fixed an issue that prevented searching for users by role in the web UI. #62474
  • Fixed tilde expansion for moderated SFTP. #62453
  • Added support for standard TLS secret key names for helm charts: teleport-plugin-event-handler, teleport-cluster, teleport-operator, teleport-kube-agent. #62451
  • Added a plan modifier to recompute kubernetes_resources defaults during role version upgrades, fixing Terraform role upgrade issues. #62417
  • Fix an issue in the Teleport SSH Service where interactive PAM Auth modules always fail when trying to run exec sessions with tty allocated. e.g. tsh ssh --tty &lt;node&gt; ls. #62064

Enterprise:

  • Fixed an issue in the Entra ID integration where a user account with an unsupported username character / could prevent other valid users and groups to be synced to Teleport. Such user accounts are now filtered.
  • Cockroachdb: add automatic client certificate reloading option.
  • Enabled UI editing of Access List descriptions.
  • Added protections against replay attacks when IdP-initiated SAML is enabled.
  • Added Access Automations Terraform dialog.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Loading