
Release 17.5.0#55409

Merged
doggydogworld merged 5 commits into branch/v17 from release/17.5.0 on Jun 4, 2025

Conversation

@doggydogworld (Contributor) commented Jun 3, 2025

17.5.0 (06/03/25)

Azure Console via SAML IdP

Teleport SAML IdP now supports Azure web console as a service provider.

Desktop Access in Teleport Connect

Teleport Connect now allows users to connect to Windows desktops directly from the Teleport Connect application without needing to use a browser.

Desktop Access latency detector

Teleport's web UI now shows latency measurements during remote desktop sessions which indicate both the latency between the user and the Teleport proxy as well as the latency between the Teleport proxy and the target host.

Machine & Workload Identity - Sigstore attestation

Machine & Workload Identity now supports attesting Sigstore signatures of workloads running on Docker, Podman and Kubernetes. This allows the issuance of credentials to be restricted to workloads with container images produced by legitimate CI/CD systems.

Azure DevOps joining

Teleport now supports secretless authentication for Bots running within Azure DevOps pipelines.

Security fixes

This release also includes fixes for the following security issues.
These issues are present in previous v17 releases.
Impacted users are recommended to upgrade their auth and proxy servers to the latest version.

[High] Unauthorized deletion in AWS IAM Identity Center integration

  • Fixed an issue that allowed unauthenticated access to delete resources created by Identity Center integration. #55400

This vulnerability affects all AWS IAM Identity Center integration users. You can check whether you have AWS Identity Center integration installed either in the Teleport web UI under Zero Trust Access / Integrations or by running “tctl get plugins/aws-identity-center” CLI command.

[High] Short to long term access escalation in Okta integration

  • Enterprise fix: Verify required Okta OAuth scopes during plugin creation/update.

In Okta integration configurations with enabled access lists sync, a user with an approved just-in-time access request to an Okta application could be unintentionally promoted to an access list granting access to the same application. This would result in the access to the Okta app/group persisting after the access request expiration.

This vulnerability affects Okta integration users who have access lists sync enabled. You can check whether you have an Okta integration installed with access lists sync enabled either in the Teleport web UI under Zero Trust Access / Integrations page or by running “tctl get plugins/okta” CLI command and looking at the “spec.settings.okta.sync_settings.sync_access_lists” flag.

[High] Credential theft via GitHub SSO authentication flow

  • Fix improper redirect URL validation for SSO login which could be taken advantage of in a phishing attack. #55399

This vulnerability affects GitHub SSO users. You can check whether you’re using GitHub SSO either on the Zero Trust Access / Auth Connectors page in Teleport web UI or by running “tctl get connectors” CLI command against your cluster.

Other fixes and improvements

  • Allow the ssh_service.listen_addr to be forcibly enabled when operating in reverse tunnel mode, providing an optional direct access path to hosts. #54215
  • View details for a bot instance. #55347
  • Prevent unknown resource kinds from rendering errors in the web UI. #55208
  • View and explore "active" bot instances. #55201
  • UI: Access Request reason prompts configured in Role.spec.options.request_prompt are now displayed in the reason text box, if such a role is assigned to the user. #55173
  • Okta: Fixed RBAC sync and Access Requests when only App and Group sync is enabled (no Access Lists sync). #55169
  • Fixed tctl rendering of timestamps in BotInstance resource YAML. #55163
  • Fix the impact of malicious --db-user values on PKINIT flow. #55142
  • Fix an issue with Hardware Key Support on Windows where a command would fail if the PIN prompt was not answered within 5 seconds. #55110
  • Fix an issue where "Allowed Users" from "tsh db ls" may include irrelevant entities. #55068
  • Updated Web UI, tsh and Connect SSO login to support SAML http-post binding authentication method. The feature can be enabled from the SSO connector configuration by adding a new field as preferred_request_binding: http-post. #55065
  • Fix an issue where database discovery fails when there are more than 5 OpenSearch domains. #55058
  • Fixed an issue with Device Trust web authentication redirection that lost the original encoding of SAML authentication data during service provider initiated SAML login. #55048
  • Fix configured X509 CA override chain not being used by AWS Roles Anywhere exchange. #54947
  • Disabled the "another session is active" prompt when per-session MFA is enabled, since MFA already enforces user confirmation when starting a desktop session. #54928
  • Added support for desktop access in Teleport Connect. #54926
  • Added workload_identity_x509_issuer_override kind to editor preset role. #54913
  • Hardware Key Agent validates known keys by checking active or expired login session. #54907
  • Expose the Teleport service cache health via prometheus metrics. #54902
  • Updated Go to 1.23.9. #54896
  • Okta: Fix creating Access Requests for Okta-originated resources in the legacy okta_service setup. #54876
  • Introduced the azure_devops join method to support Bot joining from the Azure DevOps CI/CD platform. #54875
  • Add support for exclude filter for AWS IC account and groups filters. #54835
  • Terraform: Fixed Access List resource import. #54802
  • Fixed Proxy cache initialization errors in clusters with large amounts of open web sessions. #54781
  • Prevent restrictive validation of cluster auth preferences from causing non-auth instances to become healthy. #54761
  • Improved performance of joining & improved audit log entries for failed joins. #54747
  • Resolved an issue that could cause Teleport Connect to crash after downgrading from a newer version. #54740
  • Reverted the default behavior of the teleport-cluster Helm chart to use authentication.secondFactor rather than authentication.secondFactors to avoid incompatibility during upgrades. #54735
  • Workload ID: Added binary_path and binary_hash to the Unix workload attestor's attributes. #54716
  • Includes the attributes used in templating and rule evaluation within the audit log event for a workload identity credential issuance. #54714
  • Fix an issue with PIV PIN caching where a PIN that is incorrect would be cached. #54697
  • Fix a bug causing a malformed user to break Teleport web UI's "Users" page. #54681
  • Machine ID: Allow --no-oneshot and similar flags to override config file values. #54651
  • Fixed major version check for stateless environment. #54639
  • Teleport-update: full support for FIPS agent installations. #54609
  • Added support for SSO MFA as a headless MFA method. #54599
  • Fixed an issue preventing connections due to missing client IPs when using class E address space with GKE or CloudFlare pseudo IPv4 forward headers. #54597
  • Create and edit GitHub join tokens from the Join Tokens page. #54477

Enterprise:

  • Added ability to re-run group import in Identity Center integration.
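The three advisories above each come with a manual `tctl get` check. The following script, an added example that is not Teleport code, automates that triage: it reads the JSON that `tctl get plugins --format=json` and `tctl get connectors --format=json` print and reports which advisories apply to the cluster. The plugin names (`aws-identity-center`, `okta`), the `github` connector kind and the `spec.settings.okta.sync_settings.sync_access_lists` path are taken from the release notes; the rest of the document shape, the `--format=json` output being a JSON array, and the sample resources embedded below are assumptions constructed for illustration, not output captured from a real cluster.

```python
"""Triage the 17.5.0 security advisories from tctl JSON output.

Added example, not Teleport code. Field paths other than the ones named in
the release notes are assumed.
"""
import json
import subprocess
from typing import Any


def load_resources(text: str) -> list[dict[str, Any]]:
    """tctl --format=json is assumed to print a JSON array; tolerate one object or nothing."""
    if not text.strip():
        return []
    data = json.loads(text)
    return [data] if isinstance(data, dict) else list(data)


def dig(obj: Any, path: str, default: Any = None) -> Any:
    """Walk a dotted path through nested dicts; return default if any hop is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def identity_center_installed(plugins: list[dict[str, Any]]) -> bool:
    # Advisory 1 applies to every cluster with the AWS IAM Identity Center plugin.
    return any(dig(p, "metadata.name") == "aws-identity-center" for p in plugins)


def okta_access_list_sync_enabled(plugins: list[dict[str, Any]]) -> bool:
    # Advisory 2 applies only when the Okta plugin has access list sync turned on.
    return any(
        dig(p, "metadata.name") == "okta"
        and dig(p, "spec.settings.okta.sync_settings.sync_access_lists", False) is True
        for p in plugins
    )


def github_connectors(connectors: list[dict[str, Any]]) -> list[str]:
    # Advisory 3 applies to every GitHub auth connector, whatever it is named.
    return [dig(c, "metadata.name", "<unnamed>") for c in connectors if c.get("kind") == "github"]


def triage(plugins_json: str, connectors_json: str) -> dict[str, Any]:
    """Return one flag per advisory plus the list of affected GitHub connectors."""
    plugins = load_resources(plugins_json)
    connectors = load_resources(connectors_json)
    gh = github_connectors(connectors)
    return {
        "identity_center_unauth_delete": identity_center_installed(plugins),
        "okta_access_list_escalation": okta_access_list_sync_enabled(plugins),
        "github_sso_redirect": bool(gh),
        "github_connectors": gh,
    }


def tctl_json(resource: str) -> str:
    """Fetch a resource from the current cluster; needs a working tctl session."""
    proc = subprocess.run(
        ["tctl", "get", resource, "--format=json"],
        check=True, capture_output=True, text=True,
    )
    return proc.stdout


# Constructed sample documents (assumed shape), not captured from a real cluster.
SAMPLE_PLUGINS = json.dumps([
    {"kind": "plugin", "metadata": {"name": "aws-identity-center"},
     "spec": {"settings": {"aws_ic": {}}}},
    {"kind": "plugin", "metadata": {"name": "okta"},
     "spec": {"settings": {"okta": {"sync_settings": {"sync_access_lists": True}}}}},
])
SAMPLE_CONNECTORS = json.dumps([
    {"kind": "github", "metadata": {"name": "github-corp"}, "spec": {}},
    {"kind": "oidc", "metadata": {"name": "okta-oidc"}, "spec": {}},
])

if __name__ == "__main__":
    # Swap the samples for tctl_json("plugins") and tctl_json("connectors") on a live cluster.
    for key, value in triage(SAMPLE_PLUGINS, SAMPLE_CONNECTORS).items():
        print(f"{key}: {value}")
```

Against the constructed samples all three flags come back true; on a real cluster an exit of `tctl get plugins` with no plugins installed simply yields an empty list, so the flags default to false rather than crashing the check.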

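The GitHub SSO advisory is an instance of the open redirect class: an SSO callback URL supplied by the client is trusted without being checked strictly enough, so a phishing link can point the post-login redirect (and whatever credential material rides on it) at an attacker host. The validator below is an added example of the strict check a practitioner would want for such a parameter; it is not Teleport's implementation and says nothing about what #55399 actually changed. The proxy host `teleport.example.com`, port 443, and the policy that only loopback `http` callbacks are acceptable are assumptions.

```python
"""Strict SSO redirect_url validation (illustration, not Teleport's code)."""
import ipaddress
from urllib.parse import urlsplit


def is_safe_redirect(raw: str, proxy_host: str = "teleport.example.com",
                     proxy_port: int = 443) -> bool:
    """Accept only https URLs on the proxy itself or http URLs on a loopback address.

    Rejects everything a lenient parser might read differently: control
    characters and whitespace, backslashes, userinfo (the classic
    https://good.host@evil.host trick), scheme-relative //evil.host, and
    any non-http(s) scheme.
    """
    if not raw or any(ord(c) <= 0x20 for c in raw) or "\\" in raw:
        return False
    try:
        u = urlsplit(raw)
        host, port = u.hostname, u.port  # .port raises ValueError on junk
    except ValueError:
        return False
    if u.username is not None or u.password is not None or not host:
        return False
    if u.scheme == "https":
        # Exact host match; no suffix or prefix tricks, and the expected port only.
        return host == proxy_host and (port or 443) == proxy_port
    if u.scheme == "http":
        # Assumed policy for local CLI callbacks: loopback IP literals only, no names.
        try:
            return ipaddress.ip_address(host).is_loopback
        except ValueError:
            return False
    return False


def classify(candidates: list[str]) -> dict[str, bool]:
    """Evaluate a batch of constructed candidate URLs; handy for regression tests."""
    return {c: is_safe_redirect(c) for c in candidates}


if __name__ == "__main__":
    # Constructed inputs covering the common bypass shapes.
    for url, ok in classify([
        "https://teleport.example.com/web/cluster/main",
        "HTTPS://TELEPORT.EXAMPLE.COM:443/web",
        "http://127.0.0.1:54321/callback?secret=x",
        "http://[::1]:8080/callback",
        "https://teleport.example.com@evil.example/",
        "https://teleport.example.com.evil.example/",
        "https://teleport.example.com:8443/",
        "//evil.example/x",
        "http://localhost/callback",
        "https://teleport.example.com\\@evil.example/",
        "javascript:alert(1)",
    ]).items():
        print("allow" if ok else "deny ", url)
```

The host comparison is exact rather than a `startswith`/`endswith` test, which is where most redirect validators go wrong; the userinfo and backslash rejections matter because browsers and server-side parsers disagree about which host those forms name.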
@doggydogworld doggydogworld added the no-changelog Indicates that a PR does not require a changelog entry label Jun 3, 2025
@github-actions github-actions Bot requested review from fheinecke and smallinsky June 3, 2025 22:40
@doggydogworld doggydogworld requested review from camscale, r0mant and zmb3 and removed request for smallinsky June 3, 2025 22:40
Comment thread CHANGELOG.md Outdated
### Azure DevOps joining
Teleport will support secretless authentication for Bots running within Azure DevOps pipelines.

### Other fixes and improvements
Contributor:

Can you add a "Security Fixes" section before this one with the changelog entries for those fixes?

Contributor Author:

Added the section. Not sure if it's too verbose though. What do you think @r0mant

Comment thread CHANGELOG.md Outdated
## 17.5.0 (06/03/25)

### Azure Console via SAML IdP
Teleport SAML IdP will support Azure web console as a service provider.
Collaborator:

On the upcoming releases page, future tense (will) makes sense, but when we move this to the changelog we need to reword it a bit.

Contributor Author:

Reworded it so it should be present tense.

@rosstimothy (Contributor):

Can we please include #54215 in this release?

@doggydogworld doggydogworld enabled auto-merge June 4, 2025 18:11
@doggydogworld doggydogworld added this pull request to the merge queue Jun 4, 2025
Merged via the queue into branch/v17 with commit 95920de Jun 4, 2025
42 checks passed
@doggydogworld doggydogworld deleted the release/17.5.0 branch June 4, 2025 18:43

Labels

backport helm no-changelog Indicates that a PR does not require a changelog entry size/sm
