Teleport 2.4 released
Jan 10, 2018 by Ev Kontsevoy
Today we are releasing version 2.4 of Teleport, our popular open source SSH server. Despite the uneventful version number, this release brings a couple exciting new features. As always, most of them have became a reality thanks to the Teleport community.
What is Teleport?
Teleport is a modern SSH+kubectl bastion server designed for teams managing distributed infrastructure. Major benefits include certificate-based authentication which removes the need to manage static keys, integration with SAML and OAuth2 OpenID Connect single sign-on, built-in bastion and advanced audit with full session recording. You can read more about Teleport on its website or online documentation.
This version brings three major new features to Teleport.
SSH Authentication via Github
Teleport’s Github Authentication Connector allows users of Teleport Community edition to move away from the local user database and use their Github credentials to SSH into their servers. This is exciting because OAuth2 authentication has previously only been available to Teleport Enterprise users. Now, by configuring your Teleport cluster to authenticate against Github, administrators automatically inherit Github’s robust 2FA features plus a single source of truth of who gets SSH access and who does not based on Github team membership.
Session Recording, Audit and Compliance for OpenSSH
One of the most popular Teleport features is that all SSH sessions are automatically recorded and can be replayed later or archived for audit purposes. One can say that a Teleport cluster is a “Youtube for SSH sessions.” However, there has always been two things users kept asking us for:
- Allow Teleport administrators to turn SSH session recording off.
- Implement session recording when connecting to OpenSSH servers (sshd).
The former is easy, there is now a switch to turn session recording off. The latter was more complicated but we consider it a major feature request because every large Teleport customer usually has pockets of infrastructure where OpenSSH cannot be replaced.
Version 2.4 now supports session recording when a user connects to an OpenSSH server via a Teleport proxy. You can read more in our blog post about how the Recording Proxy works.
Commercial Offering for Startups and Small Businesses
When we open sourced Teleport we did not expect it to become as popular as it did. Originally, it was just an SSH library we had built for Gravity, our product for remotely managing Kubernetes applications on enterprise private clouds. However, we started getting requests for the same enterprise features (like role-based access control and SAML / OAuth2 authentication via providers like Okta) from Teleport users who did not need Kubernetes. So, we started offering a commercial Teleport offering (Teleport Enterprise) for large companies with customized pricing.
Turns out, start-ups and smaller businesses also want role-based access control (RBAC) for SSH. We’ve had numerous conversations with smaller companies who wanted to move away from SSH keys to SSH certificates issued via Okta or Github but didn’t need a customized enterprise contract. That is why we’ve decided to launch a standardized and more affordable commercial Teleport edition.
Starting with 2.4 anyone can visit the Teleport Website and sign up for Teleport Pro or Teleport Business. Users of these editions will get the same enterprise features as large companies do, including commercial support from Gravitational.
You can download Teleport 2.4 binaries from Github or build your own from source.
Teleport 2.4 is meant to be a drop-in replacement for 2.x series.
However, it is always recommended to make a backup of the cluster state prior
to replacing the teleport binary with a new version. The cluster state is
/var/lib/teleport directory for filesystem-based deployments. Users
etcd backend should use etcdctl backup command to accomplish this.
Thanks to Josh Donzello, Brendan Germain and other community contributors and testers who helped us make 2.4 a reality!