
Teleport 17

Teleport Blog - Jan 14, 2025

Teleport 17 marks our final major release of the year, bringing significant enhancements to our platform. In the six months since Teleport 16, we've not only developed this major release but also introduced several valuable features through minor and patch updates.

A core theme for this release is scalable, secure, and resilient infrastructure access. This starts with our expanded focus on AWS Access. Teleport 17 includes preview support for AWS IAM Identity Center. This new support expands our current AWS Console Access to broader AWS Organizations and accounts. With SCIM sync of users and roles, it’s now easier than ever to provide secure, scoped, and audited access to AWS Console.

As teams expand and their cloud footprint grows, it quickly becomes hard to handle the sprawl of complex access permissions and policies. We've added a few tools to help. Teleport Policy can be used to understand the size of the problem, with new additions such as closer monitoring of critical assets using Teleport Policy Crown Jewels. Teleport Identity makes it easier to map organization structures, with our latest addition of Nested Access Lists.

As with all releases, we use major releases as an opportunity to introduce breaking changes. These are listed at the end of this post. We recommend everyone follow our upgrade procedure. For people using Teleport Cloud, we'll begin upgrading clusters the week of January 10th.

For the rest of the blog post, I’ll split it into new features added in different areas of the Teleport Platform.

Teleport Identity

Teleport Identity provides identity governance and security. This product helps secure and lock down users' identities, thereby reducing and stopping identity-based attacks. It can make phishing attacks a thing of the past, and can greatly improve security posture by enforcing device trust and moving to zero standing privilege using access requests.

AWS IAM Identity Center integration

AWS IAM Identity Center is a free service from AWS that makes managing and administering AWS accounts and organizations easier. Teleport 17 introduces a new AWS IAM Identity Center integration.

This integration expands our AWS support with SCIM-based User and Access List sync from Teleport to IAM Identity Center, making it easier to provide centralized access to the AWS console, CLI, and apps. Along with the centralized and consolidated access, the integration fits within Teleport's platform and can be used to provide Just-in-Time access to different AWS roles and accounts.

AWS IAM Identity Center Integration vs AWS Access With Teleport Application Access

We've supported access to the AWS Console and CLI since Teleport 14. This leverages Teleport Application Access to proxy the connection between Teleport and apps. For resources, we have a guide on How to access AWS Console using AWS IAM and the Managing Multi-Account AWS Console and CLI Access with Teleport webinar. Both methods provide access to the AWS console and resources, but they differ in how users and groups are managed. The AWS IAM Identity Center integration is designed for teams looking to sync groups and users into AWS, providing more holistic account management that includes JIT access. Customers can get extra auditing when using Teleport Application Access, but that requires more customization. We recommend orgs start with the new AWS IAM Identity Center integration and layer in Teleport Application Access for AWS for special edge cases, such as access to customer/MSP accounts or very specific fine-grained access to an AWS resource.

Why use this? ~ Ben’s take:

Providing the right amount of access to AWS can be painful, and hackers know that root access to an account gets them access to all sorts of data. If you're not already using AWS Orgs and isolated AWS accounts, AWS IAM Identity Center is the perfect solution, and Teleport's integration makes it easier to provide Just-in-Time admin access to these accounts, thereby reducing the blast radius of a root account getting hijacked. Learn more about the importance of securing AWS Orgs in the Infosec for Startups podcast episode.

Nested Access Lists

Access Lists allow Teleport users to be granted long-term access to resources managed within Teleport. With Access Lists, administrators and access list owners can regularly audit and control membership to specific roles and traits. Access Lists can be combined with Access requests to provide longer-term but audited access to resources.

The addition of nested access lists makes it easier to map the nested groupings commonly found in org structures. This can look like:

  1. Company-Wide Access
    • Engineering Department
      • Frontend Team
      • Backend Team
      • DevOps Team
    • Marketing Department
    • HR Department

Okta Integration Updates

Okta is a popular identity provider and auth connector for Teleport. This new support provides more visibility into the integration and automatically creates the Auth Connector in Teleport.

The Okta service can set up:

  • Single Sign-on via the Auth Connector
  • SCIM to enable Okta to push user (and other resource) updates to Teleport in near real time, without waiting for the Okta integration to run a synchronization
  • User Sync: All Teleport users match Okta users
  • Access List Sync: Syncs Groups and Okta Apps, to Access Lists
  • Groups and Applications

Okta Dashboard

New Access Request Plugins

We've added two new access request plugins, so teams can get notified about access requests in the tools they already use.

  • Datadog Incident Management Access Request Alerts - Docs
  • Hosted Microsoft Teams plugin for access request notifications - Docs
  • Hosted Email Plugin with easy MailGun integration - Docs

Teleport Access

Teleport Access is our most mature product. It helps teams provide on-demand, least-privilege access on a foundation of cryptographic identity and zero trust. We've made a few additions to Teleport Application Access and have improved our broader machine-to-machine support with Machine ID and Teleport Workload Identity.

Multi-domain support for Teleport Application Access

This lengthy feature title has solved a top Teleport requested feature: Authenticate all domains when launching a multi-domain app #17588. This feature means Teleport Application Access now supports the Backend for Frontend Pattern allowing a frontend to communicate with other Teleport protected apps. The new config helps set CORS and cookies. We’ve created an open-source demo app to try this feature out:

Run the Teleport Terraform Provider on Terraform Cloud

We’ve added a new join method to make it easier to use our Terraform Provider on Terraform Cloud. This addition leverages Workload Identity tokens to authenticate between Teleport Auth Service and Terraform Cloud. Explore it in the docs.

Machine ID & Workload Identity

The team has been busy adding a range of new features to Teleport Machine ID & Teleport Workload Identity. For those new to Teleport, Teleport Machine ID is all about connecting machines to machines. This could be securing CI/CD services or running scripts against Teleport protected resources. Teleport Workload Identity securely issues short-lived cryptographic identities to workloads. Built on top of the SPIFFE standard, it’s perfect for providing both workload authentication and mTLS between workloads.

TPM Join Method

Teleport 16 introduced a new TPM join method, for both Machine ID and joining agents, providing an additional layer of security for automated processes and bot authentication on bare metal hosts. By leveraging TPM signatures, Teleport ensures that machine enrollment is securely tied to the hardware itself. Here’s the Docs link for Deploying Machine ID on Linux (TPM).

Teleport Join Method

JWT SVID & OIDC SVIDs

Teleport Workload Identity now offers native support for cloud provider authentication using JWT SVIDs and OIDC SVIDs. This integration allows seamless and secure communication between workloads running on major cloud platforms like AWS, GCP, and Azure. By leveraging standardized workload identity formats, Teleport simplifies the process of establishing trust across different cloud environments. For more details, refer to our documentation on JWT SVIDs and OIDC SVIDs.

Why use this? ~ Ben’s take:

Managing identity across clouds is messy — each provider has their own IAM roles, service accounts, and managed identities. Native JWT/OIDC SVID support means your workloads can authenticate using their cloud-native identity whether they're in AWS, GCP, or Azure. No more maintaining separate identity systems or complex federation — just consistent, secure workload authentication across your entire multi-cloud infrastructure. It's like having a universal translator that lets all your cloud services speak the same identity language.

SPIFFE Federation for Workload Identity

SPIFFE Federation allows organizations to now establish secure communication between workloads across different trust domains. This feature enables cross-domain workload identity validation, allowing workloads to authenticate and authorize each other even when they belong to separate Teleport clusters or external systems. SPIFFE Federation is particularly beneficial for multi-environment deployments and inter-organization collaboration scenarios. It provides a standardized way to establish trust between disparate systems, ensuring secure communication and reducing the complexity of managing workload identity across boundaries. To get started with SPIFFE Federation, see our documentation.

Want to learn more about Workload Identity? Check out this webinar.

Teleport Policy

Teleport Policy is our latest addition to the Teleport Platform. It provides visibility and reporting on access policies across all your infrastructure, with integrations that import IdP rules from Entra and Okta, and cloud-specific visibility in AWS. Two recent additions to Teleport Policy make it easier to report and alert on access, and SSH Key Scanning helps identify potential shadow access.

Crown Jewels

If you’ve ever seen the 1996 Mission Impossible Into the Vault Scene, you’ll know that attackers will go to great lengths to obtain a 3.5 inch floppy disk drive with all of the top secret files on it. We’ve come a long way in the past 27 years, and while there are still air-gapped environments with strong physical security, more often attackers are trying to get access to critical systems. Some are so sensitive that we identify them as crown jewels, which are also closely protected in the Tower of London.

This addition to Teleport Policy provides teams with:

  • Critical resource and access pattern tracking and monitoring
  • Real-time alerts for access changes to sensitive assets
  • Detailed audit trails for compliance reporting
  • Integration with third-party SIEM platforms

For reference, see permission changes with Access Graph Crown Jewels.

SSH Key Scanning

Teleport doesn't use SSH keys, and instead uses short-lived SSH certificates to provide access to hosts. We've written at length about this topic, on why SSH certificates are more secure and better for an organization. But there are always ways for engineers to be cheeky and try to circumvent Teleport by using SSH keys. There are multiple ways teams can thwart this backchannel, including security group and networking limitations. But let's assume someone is trying to create an SSH public/private key pair backdoor. Prior to SSH key scanning, it was difficult to audit all systems to find all of these keys. With Teleport Policy's SSH Key Scanning, it's easy to report and view all the authorized keys on a host.

Teleport SSH Key Scanning works in two ways: on the server and on the client. On the server, the Teleport agent scans for authorized keys located in ~/.ssh/authorized_keys every 15 minutes and reports them back to Teleport. On the client side, Teleport scans for SSH private keys, creates fingerprints, and sends these to Teleport. Teleport Policy combines the two views to show which machine and which user has uploaded these keys.

Teleport Policy SSH Key Scanning features:

  • Identify potential backdoor SSH keys
  • Automated scanning via MDM tools like Jamf Pro
  • Cross-platform support (Windows, Mac, Linux)
  • Map shadow access patterns across infrastructure

Docs Discover Insecure SSH Access with Teleport Policy.
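The server-side half of the scan described above is, at its core, an inventory of authorized_keys entries with a fingerprint per key. The following is an added example (not Teleport's code) of that inventory step: it parses authorized_keys lines in OpenSSH's layout ([options] key-type base64-blob [comment]) and computes the SHA256 fingerprint that `ssh-keygen -lf` prints, so an entry found on a host can be matched against a fingerprint reported from a client. The sample file and the Ed25519 key bytes in it are constructed for the example and are not a real key.

```python
"""Inventory authorized_keys entries and fingerprint each key (added example)."""
import base64
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# Key types OpenSSH accepts in authorized_keys (common subset; sk-* are FIDO keys).
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


@dataclass
class AuthorizedKey:
    key_type: str
    fingerprint: str   # "SHA256:<base64 without padding>", as ssh-keygen prints it
    comment: str       # trailing comment, usually user@host; empty if none
    options: str       # e.g. 'from="10.0.0.0/8",no-pty'; empty if none


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA-256 of the wire-format public key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _blob_key_type(blob: bytes) -> str:
    """The wire-format blob begins with a length-prefixed key type string."""
    n = int.from_bytes(blob[:4], "big")
    return blob[4:4 + n].decode("ascii", errors="replace")


def parse_authorized_key(line: str) -> Optional[AuthorizedKey]:
    """Return the parsed entry, or None for blank, comment or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    # Options, when present, come first; the key type is the first recognised token.
    idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(tokens):
        return None
    key_type = tokens[idx]
    try:
        blob = base64.b64decode(tokens[idx + 1], validate=True)
    except ValueError:
        return None
    # Reject a blob whose embedded type disagrees with the declared type.
    if _blob_key_type(blob) != key_type:
        return None
    return AuthorizedKey(
        key_type=key_type,
        fingerprint=sha256_fingerprint(blob),
        comment=" ".join(tokens[idx + 2:]),
        options=" ".join(tokens[:idx]),
    )


def scan_authorized_keys(text: str) -> List[AuthorizedKey]:
    """Parse a whole authorized_keys file; unparseable lines are skipped."""
    return [k for k in (parse_authorized_key(l) for l in text.splitlines()) if k]


def _ssh_string(b: bytes) -> bytes:
    """SSH wire encoding of a string: 4-byte big-endian length + bytes."""
    return len(b).to_bytes(4, "big") + b


# Constructed sample: an Ed25519 public key blob with a made-up 32-byte value
# (not a real key), encoded as string "ssh-ed25519" followed by string <32 bytes>.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
_SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys file",
    "",
    "ssh-ed25519 " + _SAMPLE_B64 + " deploy@build-01",
    'from="10.0.0.0/8",no-pty ssh-ed25519 ' + _SAMPLE_B64 + " backup",
    "ssh-rsa not-base64!! broken",
])

if __name__ == "__main__":
    for key in scan_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"{key.fingerprint}  {key.key_type}  {key.comment!r}  options={key.options!r}")
```

Both sample entries carry the same key material, so they produce the same fingerprint; that is exactly the case a reviewer wants surfaced, since one private key that opens several accounts is the shape a backdoor usually takes. Reading the file from a host instead of the embedded sample is a matter of passing `open(path).read()` to `scan_authorized_keys`.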

Microsoft Entra ID Integration

Our Microsoft Entra ID integration pulls in access policies, users and group memberships into Teleport Policy. This data can be layered on top of Teleport Policy to get a better understanding of access patterns and standing privileges within an account.

Learn how to Analyze Entra ID policies with Teleport Policy

Teleport Platform

This section is a catch-all for all extra additions that have made it into this release but may or may not fit within a product.

Automatic Client Updates

Teleport 17 introduces automatic client updates for Teleport Desktop and the Teleport CLI. This feature automatically updates Teleport clients to match the cluster version, ensuring that all users have access to the latest features and security updates.

This feature has been backported to Teleport 17.0.1, 16.4.10, and 15.4.24.

This capability is enabled by default for Teleport Cloud users but self-hosted customers need to enable it. Please review our documentation.

➜  tsh version
Teleport v16.4.12 git:v16.4.12-0-g5722b8b go1.22.10
Proxy version: 17.1.4
Proxy: example.teleport.sh:443
➜  tsh login --proxy=example.teleport.sh
Update progress: [▒▒▒▒▒▒▒▒▒ ] (Ctrl-C to cancel update)

Updated UI

The new UI makes it easier to access the different parts of the Teleport Platform, with less real estate being taken up.

Updated Teleport UI

Hardware Key Support for Teleport Connect

By default, tsh, Teleport Connect, and other Teleport clients store a user's key and certificates directly on their filesystem. If a user's filesystem is compromised, any of their active Teleport user keys and certificates would also be compromised. This is where Hardware Key Support comes to the rescue! To prevent these types of attacks, Teleport supports hardware-based private keys. Unlike disk-based private keys, hardware-based private keys are generated and stored directly on a hardware device and are impossible to export. With hardware-based private keys, a login session is only functional if there's also access to the hardware device where the key was generated and stored.

This support has now been extended to Teleport Connect, our Desktop Client.

Modern Signature Algorithms

We've updated the default signature algorithms for Teleport. We've written about the pros and cons of different signature algorithms, and until now we had stayed with RSA keys for backwards compatibility and broader support. Luckily, most services and providers now have robust Ed25519 support, and we can use this stronger and faster algorithm for clusters. At scale, teams should see increased performance along with increased security.

authority rotation                protocol status algorithm   storage  
--------- ----------------------- -------- ------ ----------- -------- 
host      standby (never rotated) SSH      active Ed25519     software 
                                  TLS      active ECDSA P-256 software 
user      standby (never rotated) SSH      active Ed25519     software 
                                  TLS      active ECDSA P-256 software 
db        standby (never rotated) TLS      active RSA 2048    software 
db_client standby (never rotated) TLS      active RSA 2048    software 
openssh   standby (never rotated) SSH      active Ed25519     software 
jwt       standby (never rotated) JWT      active ECDSA P-256 software 
saml_idp  standby (never rotated) TLS      active RSA 2048    software 
oidc_idp  standby (never rotated) JWT      active RSA 2048    software 
spiffe    standby (never rotated) JWT      active RSA 2048    software 
                                  TLS      active ECDSA P-256 software 
okta      standby (never rotated) JWT      active ECDSA P-256 software 

Docs on Teleport Signature Algorithms.

Signed and Notarized macOS Assets

Last but not least, our macOS teleport.pkg installer includes signed and notarized tsh.app and tctl.app, resulting in Touch ID support out of the box without any extra downloads.

Breaking Changes

macOS assets

Starting with version 17, Teleport no longer provides a separate tsh.pkg macOS package.

Instead, teleport.pkg and all macOS tarballs include signed and notarized tsh.app and tctl.app.

Enforced stricter requirements for SSH hostnames

Hostnames are only allowed if they are less than 257 characters long and consist only of alphanumeric characters and the symbols . and -.

Any hostname that violates the new restrictions will be changed, and the original hostname will be moved to the teleport.internal/invalid-hostname label for discoverability.

For Teleport agents, an invalid hostname will be replaced with the host UUID. For agentless OpenSSH servers, an invalid hostname will be replaced with the host part of the server's address if that is valid, or otherwise with a randomly generated identifier. Any hosts with invalid hostnames should be updated to comply with the new requirements to avoid Teleport renaming them.
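To check an inventory of hostnames against this rule before upgrading, the following added example (not Teleport's own implementation) encodes the restriction as stated above and mirrors the described renaming for both agent and agentless hosts. The exact form of the host UUID and of the random identifier is not given in the post, so the `host-<hex>` fallback format here is an assumption for illustration only.

```python
"""Pre-upgrade check of hostnames against the Teleport 17 rule (added example)."""
import re
import secrets
import uuid
from typing import Dict, Tuple

MAX_HOSTNAME_LEN = 256                      # "less than 257 characters"
VALID_HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]+")
INVALID_HOSTNAME_LABEL = "teleport.internal/invalid-hostname"


def is_valid_hostname(name: str) -> bool:
    """Alphanumeric plus '.' and '-', non-empty, at most 256 characters."""
    return len(name) <= MAX_HOSTNAME_LEN and VALID_HOSTNAME_RE.fullmatch(name) is not None


def host_of_address(addr: str) -> str:
    """Return the host part of 'host', 'host:port' or '[ipv6]:port'."""
    if addr.startswith("[") and "]" in addr:
        return addr[1:addr.index("]")]
    if addr.count(":") == 1:
        return addr.split(":", 1)[0]
    return addr


def normalize_agent_hostname(hostname: str, host_uuid: str) -> Tuple[str, Dict[str, str]]:
    """Teleport agent: an invalid hostname becomes the host UUID; the original is kept in a label."""
    if is_valid_hostname(hostname):
        return hostname, {}
    return host_uuid, {INVALID_HOSTNAME_LABEL: hostname}


def normalize_openssh_hostname(hostname: str, address: str) -> Tuple[str, Dict[str, str]]:
    """Agentless OpenSSH server: fall back to the address host, else a random identifier."""
    if is_valid_hostname(hostname):
        return hostname, {}
    fallback = host_of_address(address)
    if not is_valid_hostname(fallback):
        # Assumed format for the random identifier; the post does not specify one.
        fallback = "host-" + secrets.token_hex(8)
    return fallback, {INVALID_HOSTNAME_LABEL: hostname}


if __name__ == "__main__":
    # Constructed inventory: (hostname, kind, address-or-uuid)
    inventory = [
        ("web-01.example.com", "agent", str(uuid.uuid4())),
        ("build box 3", "agent", str(uuid.uuid4())),
        ("db_primary", "openssh", "10.0.0.5:22"),
        ("db_replica", "openssh", "[fd00::5]:22"),
    ]
    for name, kind, extra in inventory:
        if kind == "agent":
            new_name, labels = normalize_agent_hostname(name, extra)
        else:
            new_name, labels = normalize_openssh_hostname(name, extra)
        status = "ok" if not labels else f"RENAMED -> {new_name} {labels}"
        print(f"{name!r}: {status}")
```

Underscores and spaces are the usual offenders in practice, and the example treats IPv4 addresses as valid hostnames because they only contain digits and dots, while an IPv6 literal fails the rule on its colons and falls through to the random identifier.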

TOTP for per-session MFA

Teleport 17 is the last release where tsh will allow using TOTP with per-session MFA. Starting with Teleport 18, tsh will require a strong WebAuthn credential for per-session MFA.

TOTP will continue to be accepted for the initial login.

Try Teleport 17

Teleport 17 delivers on our commitment to scalable, secure, and resilient infrastructure access. From AWS IAM Identity Center integration to enhanced policy features like Crown Jewels monitoring, and improved machine-to-machine communication with Workload Identity, this release helps organizations better manage their growing infrastructure footprint. Ready to upgrade? Follow our upgrade procedure, and Teleport Cloud customers can expect their clusters to be upgraded starting this week.
