Simplifying Zero Trust Security for AWS with Teleport
Jan 23
Virtual
Register Now
Teleport logo

Home - Teleport Blog - What's New in Teleport 10 - Jul 27, 2022

What's New in Teleport 10

Teleport 10 feature overview

This post introduces all the features released in Teleport 10. Teleport 10 includes version 10.0, 10.1, 10.2 and 10.3. You can always find an up-to-date status of Teleport releases in our docs.

Teleport 10 is the biggest release so far in the history of Teleport in terms of feature sets. Before we dive into all the Teleport 10 features, let me first introduce you to...

Passwordless Access

The showstopper feature for Teleport 10 is unmistakably our passwordless authentication solution. Passwordless authentication replaces usernames and passwords with a more secure authentication method backed by biometrics, removing the most common cause of data breaches from the equation entirely: stolen secrets.

Teleport has long been an advocate of removing passwords and other secrets from infrastructure. For example, prior to Teleport 10, Teleport replaced SSH keys, admin credentials, and other shared secrets with a Single Sign-On (SSO) login protected with a second factor. And after the initial authentication, users would use Teleport-issued short-lived certificates as a passwordless method to access infrastructure resources. But in reality, users still needed to authenticate to the SSO system (like Okta) using password-based credentials. This changes with Teleport Passwordless Access.

Teleport Passwordless authentication offers an end-to-end passwordless solution for infrastructure access. Our solution is based on FIDO2 WebAuthn, which means compatibility across all supported web browsers and authenticator devices such as Apple Touch ID, Yubikey, Windows Hello etc. Passwordless access is available in both Teleport Community and Teleport Enterprise editions. Read more about our passwordless solution in our how to Access Infrastructure without Usernames and Passwords blog or follow our documentation to try Passwordless Access (Preview).

Below is video showcasing key features of Teleport 10, and the rest of the blog covers all the other major features in this release.

Enhanced access control

Resource access requests (Preview)

Teleport Just-in-time Access Requests allows any developer to request access to a resource or role depending on need. The request can then be approved or denied based on a configurable number of approvers.

Resource access requests let engineers build an inventory of resources that they need to access. This feature lets teams implement the principle of least privilege by only giving access to resources the engineer needs. This feature builds on role-based access requests that provide access to resources based on, you guessed it, a role. But for many use cases like implementing zero-standing privileges, role-based access requests don't provide enough granularity. With resource access requests, an engineer can request access to one or more individual resources they need when they need it.

Availability: Teleport 10.0 — Teleport Enterprise edition only (updated License is required)

IP-based restrictions in certificates (Preview)

Teleport provides access to resources using short-lived certificates. The short-lived certificates are backed by identity; for certificate renewals, a user must re-authenticate. During the short window of access, there is a possibility that the certificate could be stolen. Some Teleport customers have asked for additional protection against possible stolen certificates. Teleport Enterprise offers an additional layer of protection to your infrastructure with IP-based restrictions. In addition to role-based access controls, Teleport can bind short-lived SSH certificates to a client IP and validate the IP on every connection to prevent pivot attacks.

Availability: Teleport 10.0 — Teleport Enterprise edition only

Automatic Linux user provisioning (Preview)

When users access Linux servers via SSH, they access the local Linux user account. Every user's actions and permissions before and after authentication and authorization are attached to the local Linux account. But long-lived local user accounts can pose a security risk. They are just waiting to be compromised. With Teleport's automatic Linux user provisioning feature, the Teleport SSH node will automatically create a local Linux user account during the time of access and then de-provision it once the access is complete, removing all the risks associated with long-lived privileged residual accounts. Users can be added to specific Linux groups and assigned appropriate “sudoer” privileges. Learn more about it on our docs.

Automatic user provisioning improves user experience as it guarantees that a user with the right permissions will be allocated a Linux principal with which to login.

Availability: Teleport 10.0 — Teleport Community and Teleport Enterprise editions

Extended scope and features for Machine ID

Machine ID for Kubernetes, Application Access (Preview)

We released Teleport Machine ID as an easy way for developers to secure machine-to-machine communications based on X.509 and SSH certificates. The first preview of Machine ID only supported Teleport Server access and, among other things, let developers use short-lived certificates with Ansible. Teleport 9.3.0 added Database Access to Machine ID. Teleport 10 has added support for Kubernetes Access and Application Access. Now, you can control the level of permissions that a service account has to access Kubernetes clusters or a web application, just as easily as you can control access to a Linux server or database.

Availability: Teleport 10.1 — Teleport Community and Teleport Enterprise editions

Machine ID CA rotation (Preview)

This is an internal enhancement of Teleport Machine ID, which makes it compatible with Teleport's existing automated certificate authority (CA) rotation feature. Periodically rotating CA certificates helps invalidate compromised certificates. It helps build capability for resiliency. Teleport supports automated CA rotation and addresses operational security challenges associated with CA rotation. Read more on how Teleport supports CA rotation.

Availability: Teleport 10.1 — Teleport Community and Teleport Enterprise editions

Machine ID host certificate support (Preview)

In an mTLS connection, both the server and clients need to authenticate each other with certificates. Up until now, Machine ID only supported renewing the client's certificate. Machine ID host certificate support will allow servers in the mTLS connection to automatically receive renewed certificates via Teleport Machine ID.

Availability: Teleport 10.2 (coming in August) — Teleport Community and Teleport Enterprise editions

Enhanced scope and features of Database Access

Support for additional databases

We've added support for the following new databases:

DatabaseAvailability

Snowflake. The powerful commercial big data platform.

10.0 (Preview)

Elasticache for Redis. Amazon's Redis compatible in-memory database service.10.0 (Preview)
Memory DB. Amazon's another Redis compatible in-memory database. 10.0 (Preview)
Elasticsearch. The popular search database.

10.2 (August Preview)

Cassandra. Popular NoSQL database that started its life at Facebook.

10.3 (September Preview)

All the supported databases will be available in both the Teleport Community and Teleport Enterprise editions.

Access Audit logging for Microsoft SQL Server (Preview)

Teleport has supported Microsoft SQL Server since version Teleport 9. With Teleport 10, we've added protocol-level audit functionality, which will be helpful for Microsoft SQL Server access audits.

Availability: Teleport 10.0. Teleport Community, and Teleport Enterprise editions

Enhanced Teleport Desktop Access features

Desktop Access directory sharing (Preview)

Teleport Desktop Access enables secure certificate-based access to remote Windows hosts from a browser. With the support for directory sharing, Desktop Access users can now share files across Windows hosts. Files from the local client are instantly available on the remote Windows host and vice versa. No manual upload or download. All via the browser.

Although filesharing is a common feature, it is uniquely implemented in Teleport. Big props to the Teleport Desktop Access team for solving this, along with the engineering challenges of converting file sharing API to TDP. If you want to learn more, you can read how our team implemented the directory sharing feature.

Availability: Teleport 10.2 (coming in August) — Teleport Community and Teleport Enterprise editions

Desktop Access simplified Active Directory configuration (Preview)

Configuration in the Windows ecosystem is mostly GUI based. Powershell and Windows Registries and Active Directory (AD) Group Policies Objects (GPO) can be used for automation, but it is still challenging to implement auto-configuration to the level common on Linux. Teleport Desktop Access supports certificate-based authentication, and to configure this authentication method, the Group Policy Object and server's certificate configurations must be updated. This used to be a manual task that required updating multiple configurations, which is time-consuming for folks who want to try out Teleport Desktop Access. We've now made this simple for administrators to set up Teleport Desktop Access.

Availability: Teleport 10.2 (coming in August) — Teleport Community and Teleport Enterprise editions

Enhanced Teleport Application Access

Control access to any application with Teleport's TCP-aware proxy (Preview)

Currently, Teleport supports application access control based on HTTP, HTTPS, and WebSocket connections. But in an industrial Operational Technology (OT) environment, protocols such as MQTT, Modbus, etc., are popular and widely used. Teleport will now support Application Access control to arbitrary TCP endpoints. We've implemented a TCP proxy that now allows our users to protect any kind of application as long as they adhere to TCP/IP protocol.

To learn more about the start of the idea to support raw TCP/IP application proxy, read the first reported GitHub issue here. Thank you to the community for helping to improve Teleport!

Availability: Teleport 10.1 — Teleport Community and Teleport Enterprise editions

Teleport product operational improvements

Teleport Proxy Peering (Preview)

Teleport supports a multi-proxy deployment architecture where there can be N number of proxies managing access to N number of nodes. In a multi-proxy deployment, each node connected to the Teleport cluster via reverse tunnel needs to connect to all the proxies because then the client could access nodes with the nearest/fastest route. But in a node-heavy deployment, we saw network congestion and latency induced within the Teleport cluster, which may affect our cloud offering or customers who run very large installations of Teleport. We've now added support for proxy peering, which helps reduce latency and congestion in large-scale deployments.

Internally, Teleport proxies will be connected via a bidirectional gRPC stream, allowing access to nodes connected to a specific proxy without needing the node to connect to all the proxies. Read more on how Teleport proxy peering is implemented.

Availability: Teleport 10.0. Teleport Enterprise edition only

Kubernetes operator for easy deployment (Preview)

Kubernetes is a powerful, extensible platform for deploying applications. With Custom Resource Definitions (CRD), Kubernetes allows extending the Kubernetes API for defining resources and objects specific to application requirements that are not available by default. Teleport now uses these available CRD features to help simplify the installation and deployment of Teleport on the Kubernetes cluster.

Availability: Teleport 10.1 — Teleport Community and Teleport Enterprise editions

Moving away from Kubernetes persistent volume storage (Preview)

For various authentication and connection purposes, the Teleport Auth Service depends on stateful data such as Node join tokens, SSH keys, TLS keys, etc. When hosting Teleport on Linux servers, this stateful data is stored in the /var/lib/teleport and /var/lib/teleport/proc directories. When deploying Teleport on Kubernetes, we used Kubernetes persistent volume storage to store this stateful data. Administrators have the option to either use a StatefulState with a fixed number of pods and persistent volume storage or use Deployments with ephemeral storage, and long-lived join tokens. This both hampers on-demand scalability and creates potential security issues, respectively. So to overcome this issue, we are moving away from persistent storage and instead using Kubernetes secret storage that will be attached to individual Teleport agents, making it a lot easier for Teleport's operators to update and scale Teleport clusters securely.

Availability: Teleport 10.2 (coming in August) — Teleport Community and Teleport Enterprise editions

Teleport system upgrade notifications (Preview)

Updates and upgrades require planning and are not an easy task once a production deployment grows larger. Teleport now has a provision for upgrade notification that announces upcoming security and system updates/upgrades to our customers who can plan ahead for updating or upgrading the Teleport cluster. This is the first step of fully managing upgrades automatically for our customers.

Availability: Teleport 10.2 (coming in August) — Teleport Community and Teleport Enterprise editions

Try Teleport 10 today!

👉 Sign up for Teleport Cloud or download Teleport 10 from our download page.
👉 Follow our product documentation to get started.
👉 Join the Slack channel where Teleport users and developers hang out for community support.

Teleport is an open-source project, and everything we design and develop is discussed in the open. If these kinds of problems and solutions sound interesting to you, consider joining us at Teleport.

Tags

Teleport Newsletter

Stay up-to-date with the newest Teleport releases by subscribing to our monthly updates.

background

Subscribe to our newsletter

PAM / Teleport