Description
Teleport 16 brings the following new features and improvements:
- Teleport VNet
- Device Trust for the Web UI
- Increased support for per-session MFA
- Web UI notification system
- Access requests from the resources view
- tctl for Windows
- Teleport plugins improvements
Teleport VNet
Teleport 16 introduces Teleport VNet, a new feature that provides a virtual IP subnet and DNS server which automatically proxies TCP connections to Teleport apps over mutually authenticated tunnels.
This allows scripts and software applications to connect to any Teleport-protected application as if they were connected to a VPN, without the need to manage local tunnels.
Teleport VNet is powered by the Teleport Connect client and is available for macOS. Support for other operating systems will come in a future release.
Device Trust for the Web UI
Teleport Device Trust can now be enforced for browser-based workflows like remote desktop and web application access. The Teleport Connect client must be installed in order to satisfy device locality checks.
Increased support for per-session MFA
Teleport 16 now supports per-session MFA checks when accessing both web and TCP applications via all supported clients (Web UI, `tsh`, and Teleport Connect).
Additionally, Teleport Connect now includes support for per-session MFA when accessing database resources.
Web UI notification system
Teleport’s Web UI includes a new notifications system that notifies users of items requiring attention (for example, access requests needing review).
Access requests from the resources view
The resources view in the web UI now shows both resources you currently have access to and resources you can request access to. This allows users to request access to resources without navigating to a separate page.
Cluster administrators who prefer the previous behavior of hiding requestable resources from the main view can set `show_resources: accessible_only` in their UI config.
For dynamic configuration, run `tctl edit ui_config`:
```yaml
kind: ui_config
version: v1
metadata:
  name: ui-config
spec:
  show_resources: accessible_only
```
Alternatively, self-hosted Teleport users can update the `ui` section of their proxy configuration:
```yaml
proxy_service:
  enabled: yes
  ui:
    show_resources: accessible_only
```
tctl for Windows
Teleport 16 includes Windows builds of the `tctl` administrative tool, allowing Windows users to administer their cluster without the need for a macOS or Linux workstation.
Additionally, there are no longer enterprise-specific versions of `tctl`. All Teleport clients (`tsh`, `tctl`, and Teleport Connect) are available in a single distribution that works on both Enterprise and Community Edition clusters.
Teleport plugins improvements
Teleport 16 includes major improvements to the plugins. All plugins now have:
- amd64 and arm64 binaries available
- amd64 and arm64 multi-arch images
- Major and minor version rolling tags (i.e. `public.ecr.aws/gravitational/teleport-plugin-email:16`)
- Image signatures for all images
- Additional debug images with all of the above features
In addition, we now support plugins for each supported major version, starting with v15. This means that if we fix a bug or security issue in a v16 plugin version, we will also apply and release the change for the v15 plugin version.
Other
The Jamf plugin now authenticates with Jamf API credentials instead of username and password.
🚨 Breaking changes and deprecations 🚨
Community Edition license
Starting with this release, Teleport Community Edition restricts commercial usage. See https://goteleport.com/blog/teleport-community-license/ for details.
License file validation on startup
Teleport 16 introduces license file validation on startup. This only applies to customers running Teleport Enterprise Self-Hosted. No action is required for customers running Teleport Enterprise Cloud or Teleport Community Edition.
If, after updating to Teleport 16, you receive an error message regarding an outdated license file, follow our step-by-step guide to update your license file.
Multi-factor authentication is now required for local users
Support for disabling second factor authentication has been removed. Teleport will refuse to start until the `second_factor` setting is set to `on`, `webauthn`, or `otp`.
This change only affects self-hosted Teleport users, as Teleport Cloud has always required second factor authentication.
⚠️ Important: To avoid locking users out, we recommend the following steps:
- Ensure that all cluster administrators have second factor devices registered in Teleport so that they will be able to reset any other users.
- Announce to the user base that all users must register an MFA device. Consider creating a cluster alert with `tctl alerts create` to help spread the word.
- While you are still on Teleport 15, set `second_factor: on`. This will help identify any users who have not registered MFA devices and allow you to quickly revert to `second_factor: optional` if necessary.
- Upgrade to Teleport 16.
Any users who do not register MFA devices prior to the Teleport 16 upgrade will be unable to log in and must be reset by an administrator (`tctl users reset`).
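The `auth_service` setting the steps above refer to, shown as the configuration Teleport 16 rejects beside the one to move to while still on Teleport 15. This is an added example, not a fragment from the release notes; the `rp_id` hostname is a placeholder.

```yaml
# Added example, not taken from the release notes.
# "teleport.example.com" is a placeholder for your proxy's public hostname.

# Legacy setting: Teleport 16 refuses to start with second_factor set to "off".
auth_service:
  authentication:
    type: local
    second_factor: off
---
# Migration target, applied while still on Teleport 15: users without an
# enrolled device can no longer log in, which surfaces them before the
# upgrade; "optional" remains a valid fallback value until you move to 16.
auth_service:
  authentication:
    type: local
    second_factor: on   # revert to "optional" only if users report lock-outs
    webauthn:
      rp_id: teleport.example.com
```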
Incompatible clients are rejected
In accordance with our component compatibility guidelines, Teleport 16 will start rejecting connections from clients and agents running incompatible (i.e. too old) versions.
If Teleport detects connection attempts from outdated clients, it will show an alert to cluster administrators in both the web UI and `tsh`.
To disable this behavior and run in an unsupported configuration that allows incompatible agents to connect to your cluster, start your auth server with the `TELEPORT_UNSTABLE_ALLOW_OLD_CLIENTS=yes` environment variable.
Opsgenie plugin annotations
Prior to Teleport 16, when using an Opsgenie plugin, the `teleport.dev/schedules` role annotation was used to specify both schedules for access request notifications as well as schedules to check for the request auto-approval.
Starting with Teleport 16, the annotations were split to provide behavior consistent with other access request plugins: a role must now contain the `teleport.dev/notify-services` annotation to receive notifications on Opsgenie and the `teleport.dev/schedules` annotation to check for auto-approval.
Detailed setup instructions are available in the documentation.
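A requester role carrying the split annotations, as an added example that is not from the release notes or the plugin documentation. The role name, the requestable role and the Opsgenie schedule and service names are placeholders.

```yaml
# Added example, not from the release notes. Role, schedule and service names
# are placeholders; adjust them to your cluster and Opsgenie account.
kind: role
version: v7
metadata:
  name: opsgenie-requester
spec:
  allow:
    request:
      roles: ['access']
      annotations:
        # Before Teleport 16 the schedules annotation alone drove both
        # notifications and auto-approval. Now notifications are sent to the
        # Opsgenie services listed here ...
        teleport.dev/notify-services: ['teleport-access-requests']
        # ... and only these schedules are consulted for auto-approval, so an
        # on-call engineer requesting access is approved without notifying
        # every listed service.
        teleport.dev/schedules: ['on-call-engineers']
```

Apply it with `tctl create -f` and confirm with `tctl get role/opsgenie-requester` that both annotations are present; a role that still carries only `teleport.dev/schedules` will auto-approve but no longer notify.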
New required permissions for DynamoDB
Teleport clusters using the DynamoDB backend on AWS now require the `dynamodb:ConditionCheckItem` permission. For a full list of required permissions, see the IAM policy example.
Updated keyboard shortcuts in Teleport Connect
On Windows and Linux, some of Teleport Connect’s keyboard shortcuts conflicted with the default bash or nano shortcuts (Ctrl+E, Ctrl+K, etc.). On those platforms, the default shortcuts have been changed to a combination of Ctrl+Shift+*.
On macOS, the default shortcut to open a new terminal has been changed to Ctrl+Shift+`.
See the configuration guide for a list of updated keyboard shortcuts.
Machine ID and OpenSSH client config changes
Users with a custom `ssh_config` should modify their `ProxyCommand` to use the new, more performant `tbot ssh-proxy` command. See the v16 upgrade guide for more details.
Removal of Active Directory configuration flow
The Active Directory installation and configuration wizard has been removed. Users who don’t already have Active Directory should leverage Teleport’s local user support, and users with existing Active Directory environments should follow the manual setup guide.
Teleport Assist is removed
All Teleport Assist functionality and the OpenAI integration have been removed from Teleport.
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
Plugins
Download the current release of Teleport plugins from the links below.
- Slack (Linux amd64)
- Mattermost (Linux amd64)
- Discord (Linux amd64)
- Terraform Provider (Linux amd64 | Linux arm64 | macOS amd64 | macOS arm64 | macOS universal)
- Event Handler (Linux amd64 | macOS amd64)
- PagerDuty (Linux amd64)
- Jira (Linux amd64)
- Email (Linux amd64)
- Microsoft Teams (Linux amd64)