Teleport 8.0 is a major release of Teleport that contains new features, improvements, and bug fixes.
New Features
Windows Desktop Access Preview
Teleport 8.0 includes a preview of the Windows Desktop Access feature, allowing users passwordless login to Windows Desktops via any modern web browser.
Teleport users can connect to Active Directory enrolled Windows hosts running Windows 10, Windows Server 2012 R2 and newer Windows versions.
To try this feature yourself, check out our Getting Started Guide.
Review the Desktop Access design in:
TLS Routing
In TLS routing mode all client connections are wrapped in TLS and multiplexed on a single Teleport proxy port.
TLS routing can be enabled by including the following auth service configuration:
auth_service:
  proxy_listener_mode: multiplex
  ...
and setting proxy configuration version to v2 to prevent legacy listeners from being created:
version: v2
proxy_service:
  ...
AWS CLI
Teleport application access extends AWS console support to the CLI. Users are able to log into their AWS console using tsh app login and use tsh aws commands to interact with AWS APIs.
See more info in the documentation.
Application and Database Dynamic Registration
With dynamic registration users are able to manage applications and databases without needing to update static YAML configuration or restart application or database agents.
See dynamic registration guides for apps and databases.
RDS Automatic Discovery
With RDS auto discovery Teleport database agents can automatically discover RDS instances and Aurora clusters in an AWS account.
See updated RDS guide for more information.
WebAuthn
WebAuthn support enables Teleport users to use modern second factor options, including Apple FaceID and TouchID.
In addition, the Teleport Web UI includes new second factor management tools, enabling users to configure and update their second factor devices via their web browser.
Lastly, our UI becomes more secure by requiring an additional second factor confirmation for certain privileged actions (editing roles for second factor confirmation, for example).
Improvements
- Added support for CockroachDB to Database Access. #8505
- Reduced network utilization on large clusters during login. #8471
- Added metrics and added the ability for tctl top to show network utilization for resource propagation. #8338 #8603 #8491
- Added support for account recovery and cancellation. #6769
- Added per-session MFA support to Database Access. #8270
- Added support for profile specific kubeconfig. #7840
Fixes
- Fixed issues with web applications that utilized EventSource with Application Access. #8359 contributed by @stefansedich
- Fixed issue where interactive sessions would always return exit code 0. #8081
- Fixed issue where JWT signer was omitted from bootstrap logic. #8119
Breaking Changes
CentOS 6
CentOS 6 support will be deprecated in Teleport 8 and removed in Teleport 9.
Teleport 8 will continue to receive security patches for about 9 months after which it will be EOL. Users are encouraged to upgrade to CentOS 7 in that time frame.
Updated dependencies
New runtime dependencies have been added to Teleport 8 due to the inclusion of Rust in the build chain. Teleport 8 requires libgcc_s.so and libm.so to be installed on systems running Teleport.
Users of distroless container images are encouraged to use the gcr.io/distroless/cc-debian11 image to run Teleport.
FROM gcr.io/distroless/cc-debian11
Alpine users are recommended to install the libgcc package in addition to any glibc compatibility layer they have already been using.
apk --update --no-cache add libgcc
Database Access Certificates
With the GODEBUG=x509ignoreCN=0 flag removed in Go 1.17, Database Access users will no longer be able to connect to databases that include their hostname in the CommonName field of the presented certificate. Users are recommended to update their database certificates to include the hostname in the Subject Alternative Name extension instead.
Subscribe to GitHub issue #7636, which will add the ability to control the level of TLS verification as a workaround.
Role Changes
New clusters will no longer have the default admin role; it has been replaced with 3 smaller scoped roles: access, auditor, and editor.
Download
Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.