Releases: gravitational/teleport

Teleport 18.6.0

23 Dec 01:44
5e1296c

Description

Identifier-first login enhancements

Teleport now automatically passes the username to the identity provider when performing Identifier-first login with OIDC or SAML IdPs.

GitHub Actions Kubernetes Wizard

Teleport now ships with a new guided flow for setting up GitHub Actions workflows that connect to Teleport-protected Kubernetes clusters without secrets.

Other changes and improvements

  • Fixed unspecified proxy address breaking moderated SFTP when mixing IPv4 and IPv6. #62296
  • Added full configuration file for teleport-plugin-event-handler helm chart. #62280
  • Added full environment variable configuration for event handler CLI. #62280
  • Added support for extraArgs/extraEnv/extraLabels patterns for teleport-plugin-event-handler helm chart. #62266
  • Fixed issue where AltGr key combinations did not work correctly in remote desktop sessions. #62198
  • Added annotations support for teleport-plugin-event-handler helm chart. #62188
  • Added a new global configuration section auth_connection_config allowing users to configure the backoff behavior for Proxy and Agent instances connecting to the Auth Service. #62139
  • Fixed a potential SSRF vulnerability in the Azure join method implementation. #62406
  • Support for v8 roles has been added to the Terraform provider. #62380
  • Added support for selecting Kube agents as Managed Updates v2 canaries. Important: the default update group is corrected to "default" from "stable/cloud". #62211

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Teleport 18.5.1

12 Dec 21:59
0d82e73

Description

  • Fixed Teleport instances running the Auth Service sometimes not becoming ready during initialization. #62194
  • Fixed an Auth Service bug causing the event handler to miss up to 1 event every 5 minutes when storing audit events in S3. #62150
  • Fixed bug where event handler dies on malformed session events. #62141
  • Updated event handler to ingest missing session recordings at twice the concurrency instead of only 10 sessions at a time. #62141
  • Changed "tsh --mfa-mode=cross-platform" to favor security keys on current Windows versions. #62134
  • Fixed "the client connection is closing" error happening under certain conditions in Teleport Connect when connecting to resources with per-session MFA enabled. #62127
  • Improved detail of error messages for identity service in tbot. #62120
  • Teleport Connect now supports expanding ~/ home-directory paths in the configuration file. #62104
  • Added support for --format flag for tsh request search. #62099
  • Fixed bug where event handler types filter is ignored for Teleport clients using Athena storage backend. #62082
  • Fixed intermittent issues with VNet on Windows when other NRPT rules from GPOs are present under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig. #62052
  • Added Terraform provider support for teleport_integration resources. #62040
  • DiscoveryConfig resources can now be managed via the Teleport Terraform Provider. #62034
  • Reduced memory consumption of the Application service. #62014
  • Added support for listing application session recordings in tsh recording ls and the Web UI. #62010
  • Fixed a Web UI issue where the copy button for the session ID did not work for non-interactive session recordings. #62010
  • Prevented stuck teleport-cluster Helm chart rollouts in small Kubernetes clusters. Removed resource requests from configuration check hooks. #62003
  • Fixed static keypair creation in tbot keypair create when the --static-key-path flag is used. #61947
  • Re-enabled MySQL database health checks. MySQL health checks will now authenticate to the database as a user, rather than TCP dialing and closing the connection, to prevent MySQL from automatically blocking the Teleport database service instance host. The health check user name default is "teleport-healthchecker". #61942
  • Added support for templating secret_labels, and the {{.Labels}} template variable, to tbot's kubernetes/argo-cd output. #61876

Enterprise:

  • Updated AWS Identity Center integration sign-in start URL format to support AWS GovCloud accounts.
  • Fixed a potential race where Okta assignments may never be cleaned up if the Okta integration is down while the assignment expires.
  • Created a dedicated Access Automations feature page within the Web UI.
  • Entra ID directory reconciler now overwrites user accounts created by the referenced SAML Auth Connector.

Teleport 17.7.11

09 Dec 00:00
89f770e

Description

  • Reduced memory consumption of the Application service. #62013
  • Prevented stuck teleport-cluster Helm chart rollouts in small Kubernetes clusters. Removed resource requests from configuration check hooks. #62004
  • Updated Go to 1.24.11. #61954
  • Updated tsh workload-identity issue-x509 to automatically create the specified folder if it does not exist. #61951
  • Fixed a bug where JWT-SVID timestamp claims would be represented using scientific notation. #61922
  • Fixed a bug causing high memory consumption in the Teleport Auth Service when clients were listing large resources. #61848
  • Prevented data races when terminating interactive Kubernetes sessions. #61822
  • Fixed tsh db connect failing to connect to databases using separate ports configuration (non-TLS routing mode). #61811
  • Fixed bug where Kubernetes App Discovery poll_interval is not set correctly. #61792
  • Fixed relative path evaluation for SFTP in proxy recording mode. #61759
  • Fixed tsh kube ls showing deleted clusters. #61743
  • Fixed workload identity templating to support certain numeric values that previously gave an "expression did not evaluate to a string" error. #61739
  • Fixed AWS Console access when using AWS IAM Roles Anywhere or AWS OIDC integrations, when IP Pinning is enabled. #61655
  • Added ability to update existing Azure OIDC integration with tctl. #61593
  • Prevented Trivy from reporting false positives when scanning the Teleport binaries. #61540
  • Updated tsh debug output to include tsh client version when --debug flag is set. #61526
  • Fixed web upload/download failure behind load balancers when web listen address is unspecified. #61394
  • Fixed corrupted private keys breaking tsh. #61387
  • Fixed an issue where connections to MongoDB Atlas clusters fail if clusters use certs signed by Google Trust Services (GTS). #61325
  • GOAWAY errors received from Kubernetes API Servers configured with a non-zero --goaway-chance are now forwarded to clients to be retried. #61255
  • Added a Workload Identities page to the web UI to list workload identities. #59478

Teleport 18.5.0

04 Dec 22:32
a7f136a

Description

Kubernetes support for Relay Service

The relay service now facilitates Kubernetes connections.

Shared state between tsh and Teleport Connect

Teleport Connect and tsh now share the same local state. Logins from one app will automatically be reflected in the other.

SCIM PATCH support in SailPoint integration

Teleport SCIM server now natively supports PATCH operations to improve reliability of bulk SCIM operations in integrations like SailPoint.

Other changes and improvements

  • Updated Go to 1.24.11. #61953
  • Added support for discovering EC2 instances in all regions, without enumerating them. Requires access to account.ListRegions in the IAM Role assumed by the Discovery Service. #61924
  • Fixed a bug where JWT-SVID timestamp claims would be represented using scientific notation. #61921
  • Fixed "SSH cert not found" errors in Teleport Connect. #61846
  • Added support for authenticating Azure resource discovery using Azure OIDC integrations. #61830
  • Fixed a bug in Proxy recording mode where Teleport Node sessions would result in duplicate audit events with a different session ID. #61246
  • Tuned teleport-cluster, teleport-kube-agent, and teleport-relay Helm charts to reduce the probability of Teleport exceeding its memory limits and being OOM-Killed. GOMEMLIMIT defaults to 90% of the configured memory limits.

Enterprise:

  • Added support for AWS Account name and ID labels (teleport.dev/account-id, teleport.dev/account-name) on AWS Identity Center resources (aws_ic_account_assignment and aws_ic_account). These labels improve compatibility with Access Monitoring Rules, allowing users to more easily target and audit AWS IC accounts.
  • Updated the Access Automation Rules dialog to display rules in a paginated view.

Teleport 18.4.2

01 Dec 22:54
455dbe7

Description

  • Fixed a bug causing high memory consumption in the Teleport Auth Service when clients were listing large resources. #61849
  • Prevented data races when terminating interactive Kubernetes sessions. #61818
  • Fixed tsh db connect failing to connect to databases using separate ports configuration (non-TLS routing mode). #61812
  • Fixed a bug where Kubernetes App Discovery poll_interval is not set correctly. #61791
  • Fixed an issue that caused a failed upload of an encrypted session recording to block other recordings from uploading. #61774
  • Fixed relative path evaluation for SFTP in proxy recording mode. #61760
  • Fixed tsh kube ls showing deleted clusters. #61742
  • Fixed workload identity templating to support certain numeric values that previously gave an "expression did not evaluate to a string" error. #61738
  • Added User Details view to Web UI. #61737
  • Added --roles flag for tsh request search, allowing users to list all requestable roles. This flag is mutually exclusive with --kind. #61699
  • Fixed EC2 SSM Document set up script used in Enroll New Resource. #61673
  • Fixed AWS Console access when using AWS IAM Roles Anywhere or AWS OIDC integrations, when IP Pinning is enabled. #61654
  • Fixed "invalid name syntax" connection error for PostgreSQL auto-provisioned users with email usernames. #61631
  • Auth readiness tuned to wait for cache initialization. #61620
  • Added ability to update existing Azure OIDC integration with tctl. #61592

Enterprise:

  • Added Entra directory sync metrics.
  • Improved the initial EntraID user and group synchronization time, reducing the time required for the first full sync.
  • Prevented Trivy from reporting false positives when scanning the Teleport binaries.

Teleport 18.4.1

20 Nov 22:09
19afa95

Description

  • Fixed a bug that prevented searching audit log events in the web UI when using Athena audit storage. #61603
  • Prevented Trivy from reporting false positives when scanning the Teleport binaries. #61539
  • Added support for tsh logout --proxy (or TELEPORT_PROXY set) to work without --user flag when one identity exists. #61404
  • Fixed web upload/download failure behind load balancers when web listen address is unspecified. #61393
  • Fixed corrupted private keys breaking tsh. #61388
  • Resource names are now properly validated for AWS Roles Anywhere integration Generate Command. #61385
  • Added caches to reduce Active Directory user SID lookups and TLS certificate requests. #61317
  • GOAWAY errors received from Kubernetes API Servers configured with a non-zero --goaway-chance are now forwarded to clients to be retried. #61256
  • Added support for creating and managing scoped tokens using tctl scoped tokens add/ls/rm. SSH nodes can now join a cluster within a particular scope by joining with a scoped token. #60758

Enterprise:

  • Removed sync of the model identifier from Intune to avoid mismatches between the identifier reported by Intune vs Teleport clients.
  • Added support for Jamf's /v2/computers-inventory API (addresses Jamf's deprecation of /v1/computers-inventory).
  • Updated the AWS Identity Center resource synchronizer to handle AWS Account name changes more gracefully.
  • Added audit events in response to SCIM provisioning requests.

Teleport 18.4.0

14 Nov 04:30
f1ebe3c

Description

Streamable-HTTP and SSE support for MCP Zero-Trust Access

MCP Zero-Trust Access users are now able to secure and audit connections to MCP servers that use HTTP-based transport protocols in addition to stdio.

Improved Bot Instances Dashboard

The Bot Instances dashboard now provides a more intuitive interface for managing a fleet of Machine & Workload Identity bot instances. This includes improved filtering, sorting and searching capabilities, and a high-level overview of the versions of all bot instances in the cluster.

Updated Oracle Joining Support

Oracle compute instances are no longer required to have additional IAM permissions granted to them in order to join. Oracle join tokens now also allow restricting which instances may leverage a token to join.

Other changes and improvements

  • Fixed an issue where connections to MongoDB Atlas clusters fail if clusters use certs signed by Google Trust Services (GTS). #61324
  • Improved reverse tunnel dialing recovery from default route changes by 1min on average. #61319
  • Fixed an issue where a Postgres database cannot be accessed via Teleport Connect when per-session MFA is enabled and the role does not have wildcard db_names. #61299
  • Improved conflict detection of application public address and Teleport cluster addresses. #61290
  • Fixed AWS Roles Anywhere cli access when using per-session MFA. #61273
  • Fixed a rare error in the authorized_keys secret scanner when running the Teleport agent on macOS. #61268
  • Updated Go to v1.24.10. #61212
  • Terraform: teleport_bot resource now supports import, and follows the standard resource structure. #61201
  • Added support for tbot to teleport-update. #61198
  • Instrumented tbot to better support teleport-update. #61189
  • Improved error message of tsh when there is a certificate DNS SAN mismatch when connecting to Auth via Proxy. #61186
  • Improved error handling during desktop sessions that encounter unknown/invalid smartcard commands. This prevents abrupt desktop session termination with a "PDU error" message when using certain applications. #61180
  • Fixed an issue causing Access Automation Rules to evaluate incorrectly when users are granted traits via Access Lists. #61169
  • Added support for tsh copying files between two hosts, i.e. tsh scp alice@foo:/path/1.txt bob@bar:/path/2.txt. #61165
  • Added support for custom reason prompts for Access Requests, per requested role/resource (role.spec.allow.request.reason.prompt). #61127
  • Fixed the web UI timeout to respect the cluster's WebIdleTimeout configuration. #61103
  • Added an option to restrict Oracle join tokens to specific instance IDs. #61078
  • Stabilized tsh paths when run from agent installation. #60873
  • Added advanced search and sorting to the bot instances list in the web UI. #60761
  • Added filter and sort flags to tctl bots instances ls. #60761
  • Added service health to the output of the tctl bots instances ls and tctl bot instance show commands. #60761
  • Added a dashboard to visualize bot instances by their version compatibility. #60761
  • Added bot instance service health to web UI. #60761
  • Added new env0 join method to support joining within Env0 workflows. #60710
  • Added a new OCI join method that does not require IAM policies. #60293
  • Added support for HTTP_PROXY in server auto-discovery installation. #60635

Teleport 17.7.10

14 Nov 00:53
f2d0ec2

Description

  • Improved reverse tunnel dialing recovery from default route changes by 1min on average. #61318
  • Fixed an issue with the Identity Center resource cache that could cause the account resources to be deleted from the cache. #61313
  • Fixed an issue where a Postgres database cannot be accessed via Teleport Connect when per-session MFA is enabled and the role does not have wildcard db_names. #61300
  • Improved conflict detection of application public address and Teleport cluster addresses. #61292
  • Fixed a rare error in the authorized_keys secret scanner when running the Teleport agent on macOS. #61267
  • Updated Go to v1.24.10. #61210
  • Instrumented tbot to better support teleport-update. #61190
  • Improved error message of tsh when there is a certificate DNS SAN mismatch when connecting to Auth via Proxy. #61187
  • Improved error handling during desktop sessions that encounter unknown/invalid smartcard commands. This prevents abrupt desktop session termination with a "PDU error" message when using certain applications. #61179
  • Updated github.com/containerd/containerd dependency to fix GHSA-pwhc-rpq9-4c8w. #61145
  • Updated quic-go dependency to fix CVE-2025-59530. #61111
  • Fixed a bug causing tsh to stop waiting for access request approval and incorrectly report that the request had been deleted. #61110
  • Fixed an issue where resources in Teleport Connect were not always refreshed correctly after re-logging in as a different user. #61100
  • Fixed an issue which could lead to session recordings saved on disk being truncated. #60965

Teleport 18.3.2

07 Nov 21:34
a5c17d6

Description

  • Updated github.com/containerd/containerd dependency to fix GHSA-pwhc-rpq9-4c8w. #61143
  • Fixed regression when connecting to non-AD desktops. #61117
  • Fixed a bug causing tsh to stop waiting for access request approval and incorrectly report that the request had been deleted. #61109
  • Fixed an issue where resources in Teleport Connect were not always refreshed correctly after re-logging in as a different user. #61099

Enterprise:

  • Added support for Amazon Bedrock to session recording summarizer (unavailable in Teleport Cloud). #7463

Teleport 17.7.9

06 Nov 05:59
209122c

Description

  • Fixed configuration files such as .kube/config referring to non-existent tsh binaries. #60872
  • Fixed an issue in the web UI where a bot with zero tokens would show a validation error. #60759
  • The browser window for SSO MFA is slightly taller in order to accommodate larger elements like QR codes. #60702
  • Fixed MongoDB topology monitoring connection leak in the Teleport Database Service. #60693
  • Okta-managed apps are now pinned correctly in the web UI. #60677
  • Slack access plugin no longer crashes in the event access list is unsupported. #60674
  • Fixed tsh scp failing on files that grow during transfer. #60608
  • Allowed moderated session peers to perform file transfers. #60605
  • Fixed a startup error EADDRINUSE: address already in use in Teleport Connect on macOS and Linux that could occur with long system usernames. #60577
  • MWI: tbot's auto-generated service names are now simpler and easier to use in the /readyz endpoint. #60459
  • Client tools managed updates stores OS and ARCH in the configuration. This ensures compatibility when TELEPORT_HOME directory is shared with a virtual instance running a different OS or architecture. #60413
  • Updated LDAP dial timeout from 15 seconds to 30 seconds. #60392
  • Fixed a bug that prevented using database role names longer than 30 chars for MySQL auto user provisioning. Now role names as long as 32 chars, which is the MySQL limit, can be used. #60378
  • Fixed a bug in Proxy Recording Mode that causes SSH sessions in the WebUI to fail. #60368
  • Added extraEnv and extraArgs to the teleport-operator helm chart. #60356
  • Fixed malformed audit events breaking the audit log. #60335
  • Added editing bot description to the web UI. #60213
