Release 10.3.15 (#23849)

* Prevent tunneling if the os login doesn't exist

A user.Lookup was added to srv.RunForward to prevent dialing
and forwarding any data if the os login is not found. The check
alone only terminates the direct-tcpip ssh channel and not the
underlying ssh connection.

In order for the parent process to determine if the ssh connection
should be terminated it needs to know why the child exited. That was
not possible by looking at the exit code and any data written to
standard error of the child process was forwarded to standard error
on the parent; which was used to simply log the error and move on.
To pass more detailed errors to the parent, the child process spawned
by srv.RunForward now json marshals the trace.Error to standard
error which is then decoded by the parent process. If the parent
detects the error was due to a missing user it terminates the ssh
connection.

tsh ssh -N was also modified to terminate if the command context
of tsh OR the ssh connection to the node is closes. Prior, it
only terminated if the user cancelled the process by blocking on
ctx.Done(). While this was necessary to end session if the os
login does not exit, it also forces tsh to exit if the node
goes offline.

Note: This does not include any propagation of error messages to the user,
so there won't be any indication from tsh about why the connection was closed.
The session also will not be terminated until the first attempt to forward data and
NOT when the session is created due to the way -N is implemented.

Fixes #217

* Prevent unauthorized access to kube clusters by upserting kube_servers (#470)

This PR changes the behavior of the kubernetes_service when validating access
to kubernetes clusters. Previously, the kubernetes_service would use the first
kubernetes cluster it found in the Auth server backend to validate access. This was
problematic because if the first kubernetes cluster was upserted with a
the same name as a kubernetes cluster the user was trying to access but
with different labels, the user would be able to access the cluster even
though they shouldn't be able to.

This PR changes the behavior of the kubernetes_service to use the
in memory kubernetes cluster representation used for heartbeats
instead of relying on the information received from the auth server. This would
block the user from accessing the cluster if the cluster was upserted
with a different set of labels since the kubernetes_service would not
have the updated labels in memory and would deny access.

Fixes #469

* Release 10.3.15

---------

Co-authored-by: Tim Ross <tim.ross@goteleport.com>
Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

CHANGELOG.md

@@ -1,5 +1,92 @@
 # Changelog
 
+## 10.3.15 (03/30/23)
+
+This release of Teleport contains 2 security fixes as well as multiple improvements and bug fixes.
+
+### [High] OS authorization bypass in SSH tunneling
+
+When establishing an SSH port forwarding connection, Teleport did not
+sufficiently validate the specified OS principal.
+
+This could allow an attacker in possession of valid cluster credentials to
+establish a TCP tunnel to a node using a non-existent Linux user.
+
+The connection attempt would show up in the audit log as a "port" audit event
+(code T3003I) and include a Teleport username in the "user" field.
+
+### [High] Teleport authorization bypass in Kubernetes Access
+
+When authorizing a Kubernetes Access request, Teleport did not adequately
+validate the target Kubernetes cluster.
+
+This could allow an attacker in possession of valid Kubernetes agent credentials
+or a join token to trick Teleport into forwarding requests to a different
+Kubernetes cluster.
+
+Every Kubernetes request would show up in the audit log as a "kube.request"
+audit event (code T3009I) and include the Kubernetes cluster metadata.
+
+### [Medium] Moderated sessions leave behavior
+
+Fixed issue with moderated session being terminated after a short delay instead
+of being immediately paused when moderator leaves.
+
+[#21972](https://github.com/gravitational/teleport/pull/21972)
+
+### Other improvements and fixes
+
+* AMIs
+  * Added support for configuring TLS routing mode in AMIs. [#23676](https://github.com/gravitational/teleport/pull/23676)
+* Application Access
+  * Fixed app access requests being redirected to leaf's public address in some cases. [#23222](https://github.com/gravitational/teleport/pull/23222)
+  * Reduced log noise. [#23367](https://github.com/gravitational/teleport/pull/23367)
+* Access Management
+  * Added per-session MFA support to connection testers. [#22922](https://github.com/gravitational/teleport/pull/22922)
+* Performance & scalability
+  * Improved idle connection handling. [#22916](https://github.com/gravitational/teleport/pull/22916)
+  * Removed unnecessary resource updates. [#22573](https://github.com/gravitational/teleport/pull/22573)
+  * Fixed proxy peering issues when running behind a load balancer. [#23508](https://github.com/gravitational/teleport/pull/23508)
+  * Improved `tsh ls -R` performance in large clusters. [#23606](https://github.com/gravitational/teleport/pull/23606)
+  * Improved performance when setting environment for user session. [#23832](https://github.com/gravitational/teleport/pull/23832)
+* Database Access
+  * Fixed `tsh db config` returning incorrect port in TLS routing mode. [#22891](https://github.com/gravitational/teleport/pull/22891)
+  * Fixed issue with query audit events always having `success: false` status. [#23276](https://github.com/gravitational/teleport/pull/23276)
+  * Fixed issue with Redis protocol not handling nil response [#22230](https://github.com/gravitational/teleport/pull/22230)
+* Server Access
+  * Fixed issue with OS group check leading to session failures in some cases. [#22803](https://github.com/gravitational/teleport/pull/22803)
+  * Fixed issue with PuTTY `winadj` channel requests not being correctly handled. [#22421](https://github.com/gravitational/teleport/pull/22421)
+  * Improved handling of child processes upon session termination. [#22231](https://github.com/gravitational/teleport/pull/22231)
+* Desktop Access
+  * Fixed panics on systems using large numbers of file descriptors. [#22800](https://github.com/gravitational/teleport/pull/22800)
+  * Fixed incorrect login options for Windows desktops. [#22344](https://github.com/gravitational/teleport/pull/22344)
+  * Updated setup script to be idempotent. [#23174](https://github.com/gravitational/teleport/pull/23174)
+* Kubernetes Access
+  * Improved label validation for Kubernetes service. [#22780](https://github.com/gravitational/teleport/pull/22780)
+  * Fixed issue with Kubernetes impersonation header overwrite for leaf clusters. [#22247](https://github.com/gravitational/teleport/pull/22247)
+  * Fixed issue with `tsh kube credentials` failing on remote clusters. [#23352](https://github.com/gravitational/teleport/pull/23352)
+  * Fixed issue with `tsh kube credentials` loading incorrect profile. [#23717](https://github.com/gravitational/teleport/pull/23717)
+* Auto-discovery
+  * Fixed issue with open-source package being installed for enterprise clusters. [#22768](https://github.com/gravitational/teleport/pull/22768)
+* Trusted Clusters
+  * Added ability to update role map without having to recreate the trusted cluster resource. [#23645](https://github.com/gravitational/teleport/pull/23645)
+* Tooling
+  * Updated Go to `1.19.7`. [#22729](https://github.com/gravitational/teleport/pull/22729)
+  * Updated Rust to `1.68.0`. [#23103](https://github.com/gravitational/teleport/pull/23103)
+* CLI
+  * Fixed issue with `tsh` not respecting `HTTPS_PROXY` in some cases. [#22490](https://github.com/gravitational/teleport/pull/22490)
+  * Added flag to `tsh` to only display the binary version. [#22169](https://github.com/gravitational/teleport/pull/22169)
+  * Added `app_server` support to `tctl` resource commands. [#23138](https://github.com/gravitational/teleport/pull/23138)
+  * Display year in `tctl` commands output. [#23373](https://github.com/gravitational/teleport/pull/23373)
+  * Added `--cluster` flag to `tsh kube sessions` command. [#23827](https://github.com/gravitational/teleport/pull/23827)
+* Resource Joining
+  * Fixed issue when joining leaf cluster over tunnel port with enabled proxy protocol. [#23485](https://github.com/gravitational/teleport/pull/23485)
+  * Added support for IAM joining in `ap-southeast-4` region. [#22488](https://github.com/gravitational/teleport/pull/22488)
+* FIPS
+  * Fixed startup issue in FIPS mode when `local_auth` isn't explicitly set. [#22242](https://github.com/gravitational/teleport/pull/22242)
+* Web UI
+  * Fixed intermittent "client connection is closing" errors in web UI after logging in. [#23736](https://github.com/gravitational/teleport/pull/23736)
+
 ## 10.3.13
 
 This release of Teleport contains two security fixes as well as multiple improvements and bug fixes.

Makefile

@@ -11,7 +11,7 @@
 #   Stable releases:   "1.0.0"
 #   Pre-releases:      "1.0.0-alpha.1", "1.0.0-beta.2", "1.0.0-rc.3"
 #   Master/dev branch: "1.0.0-dev"
-VERSION=10.3.13
+VERSION=10.3.15
 
 DOCKER_IMAGE ?= teleport
 

api/version.go

@@ -3,7 +3,7 @@
 package api
 
 const (
-	Version = "10.3.13"
+	Version = "10.3.15"
 )
 
 // Gitref variable is automatically set to the output of git-describe

examples/chart/teleport-cluster/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "10.3.13"
+.version: &version "10.3.15"
 
 name: teleport-cluster
 apiVersion: v2

examples/chart/teleport-cluster/charts/teleport-operator/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "10.3.13"
+.version: &version "10.3.15"
 
 name: teleport-operator
 apiVersion: v2