Teleport 2.7 Released: Improved performance, compliance settings and SCP for Web UI

Jul 27, 2018 by Ev Kontsevoy

We are excited to announce the release of Gravitational Teleport 2.7.

Before we cover the new features and improvements, let’s introduce Teleport to the new readers of this blog.

What is Teleport?

Teleport is a privileged SSH access manager for elastic compute infrastructure.

Teleport delivers hardened DevOps & SRE security best practices in a box to companies who have traditionally relied on static keys or complex DIY SSH bastion solutions.

By adopting Teleport in your organization you will:

Teleport allows low-level systems access to be controlled by who the user is within an organization, not based on which private key they have.

SSH ID card

Teleport is open source and compatible with OpenSSH clients and servers. With OpenSSH nodes, it can still be used as a man-in-the-middle bastion (aka jump box), issuing SSH certificates and providing session recording and audit logs for legacy clusters located behind firewalls.

What’s new in Teleport 2.7?

As usual, the full list of closed tickets can be found on Github. You can also glance at the CHANGELOG for a quick overview, but the two areas we have focused on for 2.7 are:

As with any release, version 2.7 brings various enhancements to the user experience and makes it even easier to introduce modern priveledged access patterns to systems administrators and end-users alike.

New Teleport Features

Web-based SSH secure copy (SCP) using the Teleport Proxy UI

The Teleport Web UI has proven to be immensely popular with its users. People use it as a great SSH certificate-based alternative to PuTTY or SecureCRT, others SSH on their phones / tablets via a browser.

A common request for the Web UI was to support uploading and downloading files via scp. Teleport 2.7 now supports this feature:

web-based-scp

Compliance Enforcement of Idle SSH Connections

To satisfy various compliance requirements, like PCI-DSS, SOC2 and HIPAA, organizations must enforce certain policies around handling of idle SSH connections. In the past, Teleport relied on sensible defaults in its source code and administrators were required to recompile from source if they wanted a different behavior.

With this release, Teleport adds a couple of configuration settings you can tweak:

# snippet from /etc/teleport.yaml
#
auth_service:
    # Determines if SSH sessions to cluster nodes are forcefully terminated 
    # after no activity from a client (idle client).
    # Examples: "30m", "1h" or "1h30m"
    client_idle_timeout: never

    # Determines if the clients will be forcefully disconnected when their
    # certificates expire in the middle of an active SSH session. (default is 'no')
    disconnect_expired_cert: no

Large Cluster SSH Performance Enhancements

This version also optimizes performance for those leveraging Teleport on large monolithic clusters. Some readers may question:

“Why would performance of an SSH service depend on how many nodes I have?”

The answer is that while the Teleport SSH daemon does not care about other nodes in a cluster, certain Teleport features are implemented by Auth Servers, not nodes. One example is searching for nodes by their labels. To support tens of thousands of nodes these features needed a performance boost which is delivered in version 2.7!

Upgrading Teleport

This release is meant to be a simple drop-in replacement for 2.6, but as usual, we recommend familiarizing yourself with the recommended upgrade procedure before upgrading to this version.

Talk to us!

For more information about Teleport, you can take a look at our friendly quickstart documentation or the Teleport overview. Our source code and developer community is wide open, so feel free to dig in. Issues and/or pull requests are always welcome. Also, feel free to reach out via email if you’d like a demo or would like to connect directly with the team: [email protected].

Get Teleport

Secure your infrastructure and meet compliance requirements. Teleport gives you security best-practices out of the box for the privileged access management of your cloud-native infrastructure.

Learn More About Teleport