Teleport 2.2 Released: New Features, Enhancements and Updated Security Audit Report Published.

Jun 13, 2017 by Ev Kontsevoy

Today we are officially releasing version 2.2 of Teleport. We’d like to thank the community and our growing customer base for their valuable feedback and support of Teleport. We are also excited to publish an updated security audit of the Teleport code base performed by the folks at Cure53.

But first, let’s start with some quick stats on the Teleport Github repository as of 06/13/2017:

What is Teleport?

Teleport is a modern SSH server designed for teams managing distributed infrastructure. The most popular Teleport features are:

What’s new in 2.2?

HTTP proxy support

It is now possible to run behind-firewall Teleport clusters that must tunnel all outgoing connections through an HTTP proxy named in the http_proxy and https_proxy environment variables. See more here: #860

The use case is a group of servers in a locked-down enterprise environment (often controlled by enterprise IT) where every server is forced to go through an HTTP proxy when talking to the outside world (the public internet). If you need to manage such a cluster remotely via SSH, the Teleport proxy (SSH jump host) now looks for the xxx_proxy environment variables and establishes its outgoing SSH tunnel through the HTTP proxy.
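The mechanism behind this is the HTTP CONNECT method: the client opens a TCP connection to the proxy, asks it to connect to the target host:port, and once the proxy answers 200 the connection becomes a raw byte tunnel over which the SSH handshake runs end to end, so the proxy only ever sees the CONNECT line and ciphertext. The program below is an added example written for this post, not Teleport's own code: it reads the proxy address from https_proxy/http_proxy, performs the CONNECT handshake, and exercises it against a constructed in-process proxy that allow-lists targets (the way a locked-down corporate proxy would) and a constructed echo listener standing in for the node. The allow-list behaviour, the 403 reply and every name in it are assumptions of the example.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"os"
)

// ProxyHostFromEnv mirrors the client-side lookup: https_proxy first, then http_proxy.
func ProxyHostFromEnv() string {
	for _, k := range []string{"https_proxy", "http_proxy"} {
		if u, err := url.Parse(os.Getenv(k)); err == nil && u.Host != "" {
			return u.Host
		}
	}
	return ""
}

// DialViaHTTPProxy asks proxyAddr to CONNECT to target and returns the raw tunnel on a
// 200 reply; whatever is spoken next (SSH, in Teleport's case) is opaque to the proxy.
func DialViaHTTPProxy(proxyAddr, target string) (net.Conn, error) {
	conn, err := net.Dial("tcp", proxyAddr)
	if err != nil {
		return nil, err
	}
	fmt.Fprintf(conn, "CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n", target, target)
	var reply []byte // read byte-wise up to the blank line so no tunnel bytes (e.g. an SSH banner) are swallowed
	for b := []byte{0}; !bytes.HasSuffix(reply, []byte("\r\n\r\n")); reply = append(reply, b[0]) {
		if _, err := io.ReadFull(conn, b); err != nil {
			conn.Close()
			return nil, err
		}
	}
	status := string(bytes.TrimSpace(reply[:bytes.IndexByte(reply, '\n')]))
	if !bytes.HasPrefix([]byte(status), []byte("HTTP/1.1 200")) {
		conn.Close()
		return nil, fmt.Errorf("proxy refused CONNECT %s: %s", target, status)
	}
	return conn, nil
}

// serve runs h on every connection accepted by a fresh loopback listener (test fixture).
func serve(h func(net.Conn)) (net.Listener, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go h(c)
		}
	}()
	return ln, nil
}

// StartFakeProxy is a minimal CONNECT-only proxy constructed for this example. Like a
// locked-down corporate proxy it forwards only to allow-listed targets and 403s the rest.
func StartFakeProxy(allow map[string]bool) (net.Listener, error) {
	return serve(func(c net.Conn) {
		defer c.Close()
		br := bufio.NewReader(c)
		req, err := http.ReadRequest(br)
		if err != nil || req.Method != http.MethodConnect || !allow[req.Host] {
			fmt.Fprint(c, "HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
			return
		}
		up, err := net.Dial("tcp", req.Host)
		if err != nil { // a real proxy answers 502 here; closing is enough for the example
			return
		}
		fmt.Fprint(c, "HTTP/1.1 200 Connection established\r\n\r\n")
		go func() { io.Copy(up, br); up.Close() }() // client -> node, including bytes already buffered
		io.Copy(c, up)                              // node -> client
	})
}

// Roundtrip dials target through the proxy from the environment, sends msg and returns the echo.
func Roundtrip(target, msg string) (string, error) {
	conn, err := DialViaHTTPProxy(ProxyHostFromEnv(), target)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	io.WriteString(conn, msg)
	buf := make([]byte, len(msg))
	_, err = io.ReadFull(conn, buf)
	return string(buf), err
}

func main() {
	node, _ := serve(func(c net.Conn) { defer c.Close(); io.Copy(c, c) }) // echo node behind the firewall
	proxy, _ := StartFakeProxy(map[string]bool{node.Addr().String(): true})
	os.Setenv("https_proxy", "http://"+proxy.Addr().String()) // as enterprise IT would set it
	fmt.Println(Roundtrip(node.Addr().String(), "SSH-2.0-example\r\n"))
	fmt.Println(Roundtrip("10.0.0.1:22", "x")) // not allow-listed: the proxy refuses with 403
}
```

Two things worth noticing when debugging a real deployment: the proxy, not the node, is what answers a non-200 status, so a 403 or 407 in the Teleport logs points at the corporate proxy's policy (allow-lists or required authentication) rather than at SSH; and because the client must not read past the blank line that ends the proxy's reply, a tunnel implementation that buffers greedily can eat the node's SSH version banner and fail the handshake in hard-to-diagnose ways.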

ARM

We have been happily running Teleport on our Raspberry Pi test cluster for over a year now. Due to popular demand, we have decided to start officially publishing ARM binaries with our releases, and we are adding ARM to the list of supported platforms for Teleport Enterprise.

For those building Teleport from source, the official way to produce an ARM executable is to build on ARM. We do not cross-compile at the moment, so:

  1. Get yourself an ARM box. A Raspberry Pi 3 will do. We like the hosted ARM servers from Scaleway, but hear that the folks at Packet have something even beefier.
  2. Get Golang 1.8.3 for ARM.
  3. Build as usual:
   $ git clone git@github.com:gravitational/teleport.git
   $ cd teleport
   $ make release

Client Improvements

Server Improvements

Teleport 2.2 allows you to restrict ciphers, key exchange algorithms and MACs to your own subset. Teleport is based on Golang’s implementation of SSH, which we always felt provided secure defaults, but enterprise Teleport users needed a way to hand-pick which ciphers are allowed. With 2.2 this is now possible.
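As an added illustration (not from the release notes), this is the shape of such a restriction in teleport.yaml. The key names ciphers, kex_algos and mac_algos under the teleport section are as the Teleport 2.x configuration reference documents them; treat that as an assumption to confirm against the reference shipped with your release before relying on it. The lists below keep only AEAD or counter-mode ciphers, curve25519 and NIST ECDH key exchange, and SHA-2 MACs, and are limited to suites Go's SSH implementation of the time supported.

```yaml
# teleport.yaml (fragment): restrict the SSH algorithm suites Teleport will negotiate.
# Added example; key names per the Teleport 2.x configuration reference (verify for your version).
teleport:
  # Ciphers: AEAD or counter mode only; no CBC modes, 3DES or arcfour.
  ciphers:
    - chacha20-poly1305@openssh.com
    - aes128-gcm@openssh.com
    - aes256-ctr
    - aes192-ctr
    - aes128-ctr
  # Key exchange: curve25519 and NIST ECDH only; no diffie-hellman-group1-sha1.
  kex_algos:
    - curve25519-sha256@libssh.org
    - ecdh-sha2-nistp256
    - ecdh-sha2-nistp384
    - ecdh-sha2-nistp521
  # MACs: SHA-2 only, encrypt-then-MAC preferred; no hmac-sha1 or hmac-md5.
  mac_algos:
    - hmac-sha2-256-etm@openssh.com
    - hmac-sha2-256
```

SSH picks, for each of the three lists, the first client preference that the server also offers, so every tsh and OpenSSH client and every node in the cluster must still share at least one entry per list or you lock yourself out. Before rolling the restriction out, verify it from an OpenSSH client by forcing a suite you meant to exclude, for example with `-o Ciphers=aes128-cbc`: the connection should fail with "no matching cipher found" rather than succeed.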

We have also significantly improved interoperability with OpenSSH, including:

New in Enterprise 2.2

The Enterprise edition of Teleport also gained a couple of new features:

Full Changelog

You can see the full list of changes in the CHANGELOG. You can also see the list of Github issues that have been addressed during the 2.2 release cycle.

Security Audit

Last year, before the release of Teleport 1.0, we hired a well-known security consultancy to audit the Teleport code base so we could be confident calling Teleport 1.0 a production-ready release. While we were very satisfied with the work, we could not publish the results. When we were planning the release of Teleport 2.0, being able to publish the results was one of the top requirements for the next audit, because we wanted to increase transparency around Teleport security.

That is why we decided to use Cure53. They have done impressive work auditing software such as Dovecot and ntp as part of Mozilla's Secure Open Source initiative, and they publish the results openly.

We started the engagement with Cure53 in late April as we were preparing the major changes in the 2.x series of Teleport. We worked together to patch issues as they were found and released Teleport 2.0.5 as they completed the audit. Now, with the release of Teleport 2.2.0, which contains all of those security fixes in addition to the new features, we are also releasing the full report from Cure53.

You can download the full report from Cure53 here.

With two professional security audits and thousands of OSS adopters performing their own independent analysis, we continue to be confident in recommending Teleport for production use.

Upgrading

Teleport 2.2 is meant to be a drop-in replacement for earlier 2.x releases. However, it is always recommended to back up the cluster state before replacing the teleport binary with a new version. For filesystem-based deployments the cluster state lives in the /var/lib/teleport directory; stop teleport before copying it so the backup is consistent. Users of the etcd backend should use the etcdctl backup command instead.

More info

For more information about Teleport, you can take a look at the documentation or the Github repo. It is open sourced so feel free to dig in - issues and/or pull requests are welcome. Also, feel free to reach out via email if you have additional questions: [email protected].
