authorMichael Reim <kraileth@elderlinux.org>2022-11-06 10:37:31 +0000
committerDaniel Engberg <diizzy@FreeBSD.org>2022-11-06 10:46:53 +0000
commit19cac1122ceb74cb35863a01f17cc2ef0556d227 (patch)
treeccbf586ccfa5e123e6c3824979dd3e5004261d0f
parentd1797aa3bc7c30b16f936f068c5380965190bf69 (diff)
downloadports-19cac1122ceb74cb35863a01f17cc2ef0556d227.tar.gz
ports-19cac1122ceb74cb35863a01f17cc2ef0556d227.zip
security/teleport: Update to 4.4.12
Pass maintainership to the submitter due to multiple timeouts from the current maintainer.

Changelog: https://github.com/gravitational/teleport/releases/tag/v4.4.12

PR: 267052
Approved by: portmgr (maintainer timeout, 3+ weeks)
-rw-r--r--security/teleport/Makefile13
-rw-r--r--security/teleport/distinfo10
-rw-r--r--security/teleport/files/patch-build.assets_pkg_etc_teleport.yaml51
-rw-r--r--security/teleport/files/patch-docs_pages_config-reference.mdx68
-rw-r--r--security/teleport/files/patch-lib_config_fileconf.go11
-rw-r--r--security/teleport/files/patch-lib_defaults_defaults.go4
-rw-r--r--security/teleport/files/patch-lib_events_auditlog.go4
-rw-r--r--security/teleport/files/patch-lib_events_doc.go2
-rw-r--r--security/teleport/files/patch-lib_services_server.go4
-rw-r--r--security/teleport/files/patch-tool_teleport_common_teleport__test.go2
-rw-r--r--security/teleport/files/patch-vendor_github.com_kr_pty_ztypes__freebsd__arm64.go2
-rw-r--r--security/teleport/files/patch-version.mk2
-rw-r--r--security/teleport/files/pkg-message.in23
-rw-r--r--security/teleport/pkg-descr23
14 files changed, 115 insertions, 104 deletions
diff --git a/security/teleport/Makefile b/security/teleport/Makefile
index 6e3442557a4b..68134871f0fd 100644
--- a/security/teleport/Makefile
+++ b/security/teleport/Makefile
@@ -1,12 +1,11 @@
PORTNAME= teleport
DISTVERSIONPREFIX= v
-DISTVERSION= 4.3.9
-PORTREVISION= 6
+DISTVERSION= 4.4.12
CATEGORIES= security
-MAINTAINER= swills@FreeBSD.org
-COMMENT= Gravitational Teleport SSH
-WWW= https://gravitational.com/teleport/
+MAINTAINER= kraileth@elderlinux.org
+COMMENT= Centralized access gateway using the SSH protocol
+WWW= https://goteleport.com/teleport
LICENSE= APACHE20
@@ -15,11 +14,13 @@ NOT_FOR_ARCHS_REASON= Uses 64bit types
BUILD_DEPENDS= zip:archivers/zip
+# If you need the auth service to work, you need to compile this port with
+# Go 1.17 or older. In case tsh is what you're after, Go 1.19 is fine.
USES= compiler gmake go
USE_GITHUB= yes
GH_ACCOUNT= gravitational
-GH_TUPLE= gravitational:webassets:eac734b:webassets/webassets
+GH_TUPLE= gravitational:webassets:2ee76aa:webassets/webassets
GH_COMMIT_SHORT= fabee242d
GH_TAG_COMMIT= ${DISTVERSIONPREFIX}${DISTVERSION}-0-g${GH_COMMIT_SHORT}
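Review bot: The comment added above `USES= compiler gmake go` says the auth service only works when the port is built with Go 1.17 or older, yet nothing in the Makefile enforces that, so a default build against whatever lang/go the tree currently provides can yield a package whose auth service does not work, with no build-time indication. If the go.mk version argument is available in this tree, pinning it (e.g. `USES= compiler gmake go:1.17`) turns the comment into an enforced constraint; if it is not, the comment should at least say how the failure manifests (build error vs. runtime failure) so a user can recognize it. Since this is a security port whose auth service issues the certificates everything else trusts, silently shipping a non-working one is worth more than a comment.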
diff --git a/security/teleport/distinfo b/security/teleport/distinfo
index 27c4250be5b5..362cf0489a3b 100644
--- a/security/teleport/distinfo
+++ b/security/teleport/distinfo
@@ -1,5 +1,5 @@
-TIMESTAMP = 1609025109
-SHA256 (gravitational-teleport-v4.3.9_GH0.tar.gz) = 6b095366cfe788ca72ef7dc2bb052ff258b0e48de82b05b34f935f928b1aa776
-SIZE (gravitational-teleport-v4.3.9_GH0.tar.gz) = 54786284
-SHA256 (gravitational-webassets-eac734b_GH0.tar.gz) = 3f78270f137d690adafd3ec918e51cebc0c2f18c6b3879a57eaa19a267bfc64c
-SIZE (gravitational-webassets-eac734b_GH0.tar.gz) = 4683803
+TIMESTAMP = 1665730213
+SHA256 (gravitational-teleport-v4.4.12_GH0.tar.gz) = 097537273bd0579b3b833870cab74ce1da5432357a14c5501db7a2c525fbcb15
+SIZE (gravitational-teleport-v4.4.12_GH0.tar.gz) = 37824023
+SHA256 (gravitational-webassets-2ee76aa_GH0.tar.gz) = 16c5fbdc43723c392d46163073053c850cae7d355fb97b5ba8fd298246be85c4
+SIZE (gravitational-webassets-2ee76aa_GH0.tar.gz) = 4684443
diff --git a/security/teleport/files/patch-build.assets_pkg_etc_teleport.yaml b/security/teleport/files/patch-build.assets_pkg_etc_teleport.yaml
deleted file mode 100644
index 7a370e692e2e..000000000000
--- a/security/teleport/files/patch-build.assets_pkg_etc_teleport.yaml
+++ /dev/null
@@ -1,51 +0,0 @@
---- build.assets/pkg/etc/teleport.yaml.orig 2020-07-08 18:08:40 UTC
-+++ build.assets/pkg/etc/teleport.yaml
-@@ -9,7 +9,7 @@ teleport:
-
- # Data directory where Teleport daemon keeps its data.
- # See "Filesystem Layout" section above for more details.
-- # data_dir: /var/lib/teleport
-+ # data_dir: /var/db/teleport
-
- # Invitation token used to join a cluster. it is not used on
- # subsequent starts
-@@ -54,8 +54,8 @@ teleport:
- type: dir
-
- # Array of locations where the audit log events will be stored. by
-- # default they are stored in `/var/lib/teleport/log`
-- # audit_events_uri: ['file:///var/lib/teleport/log', 'dynamodb://events_table_name', 'stdout://']
-+ # default they are stored in `/var/db/teleport/log`
-+ # audit_events_uri: ['file:///var/db/teleport/log', 'dynamodb://events_table_name', 'stdout://']
-
- # Use this setting to configure teleport to store the recorded sessions in
- # an AWS S3 bucket. see "Using Amazon S3" chapter for more information.
-@@ -111,7 +111,7 @@ auth_service:
- # By default an automatically generated name is used (not recommended)
- #
- # IMPORTANT: if you change cluster_name, it will invalidate all generated
-- # certificates and keys (may need to wipe out /var/lib/teleport directory)
-+ # certificates and keys (may need to wipe out /var/db/teleport directory)
- # cluster_name: "main"
-
- authentication:
-@@ -185,7 +185,7 @@ auth_service:
- #
- # If not set, by default Teleport will look for the `license.pem` file in
- # the configured `data_dir`.
-- # license_file: /var/lib/teleport/license.pem
-+ # license_file: /var/db/teleport/license.pem
-
- # DEPRECATED in Teleport 3.2 (moved to proxy_service section)
- # kubeconfig_file: /path/to/kubeconfig
-@@ -258,8 +258,8 @@ proxy_service:
-
- # TLS certificate for the HTTPS connection. Configuring these properly is
- # critical for Teleport security.
-- # https_key_file: /var/lib/teleport/webproxy_key.pem
-- # https_cert_file: /var/lib/teleport/webproxy_cert.pem
-+ # https_key_file: /var/db/teleport/webproxy_key.pem
-+ # https_cert_file: /var/db/teleport/webproxy_cert.pem
-
- # This section configures the Kubernetes proxy service
- # kubernetes:
diff --git a/security/teleport/files/patch-docs_pages_config-reference.mdx b/security/teleport/files/patch-docs_pages_config-reference.mdx
new file mode 100644
index 000000000000..b5a8eabc6bb0
--- /dev/null
+++ b/security/teleport/files/patch-docs_pages_config-reference.mdx
@@ -0,0 +1,68 @@
+--- docs/pages/config-reference.mdx.orig 2022-02-23 04:58:43 UTC
++++ docs/pages/config-reference.mdx
+@@ -21,7 +21,7 @@ teleport:
+
+ # Data directory where Teleport daemon keeps its data.
+ # See "Filesystem Layout" section above for more details.
+- data_dir: /var/lib/teleport
++ data_dir: /var/db/teleport
+
+ # Invitation token used to join a cluster. it is not used on
+ # subsequent starts
+@@ -52,11 +52,11 @@ teleport:
+ max_connections: 1000
+ max_users: 250
+
+- # Logging configuration. Possible output values to disk via '/var/lib/teleport/teleport.log',
++ # Logging configuration. Possible output values to disk via '/var/db/teleport/teleport.log',
+ # 'stdout', 'stderr' and 'syslog'. Possible severity values are INFO, WARN
+ # and ERROR (default). Possible format values include: timestamp, component, caller, and level.
+ log:
+- output: /var/lib/teleport/teleport.log
++ output: /var/db/teleport/teleport.log
+ severity: ERROR
+ format: [level, timestamp, component, caller]
+ # Configuration for the storage back-end used for the cluster state and the
+@@ -68,11 +68,11 @@ teleport:
+ type: dir
+
+ # List of locations where the audit log events will be stored. By default,
+- # they are stored in `/var/lib/teleport/log`
++ # they are stored in `/var/db/teleport/log`
+ # When specifying multiple destinations like this, make sure that any highly-available
+ # storage methods (like DynamoDB or Firestore) are specified first, as this is what the
+ # Teleport web UI uses as its source of events to display.
+- audit_events_uri: ['dynamodb://events_table_name', 'firestore://events_table_name', 'file:///var/lib/teleport/log', 'stdout://']
++ audit_events_uri: ['dynamodb://events_table_name', 'firestore://events_table_name', 'file:///var/db/teleport/log', 'stdout://']
+
+ # Use this setting to configure teleport to store the recorded sessions in
+ # an AWS S3 bucket or use GCP Storage with 'gs://'. See "Using Amazon S3"
+@@ -131,7 +131,7 @@ auth_service:
+ # By default an automatically generated name is used (not recommended)
+ #
+ # IMPORTANT: if you change cluster_name, it will invalidate all generated
+- # certificates and keys (may need to wipe out /var/lib/teleport directory)
++ # certificates and keys (may need to wipe out /var/db/teleport directory)
+ cluster_name: "main"
+
+ authentication:
+@@ -223,7 +223,7 @@ auth_service:
+ #
+ # If not set, by default Teleport will look for the `license.pem` file in
+ # the configured `data_dir` .
+- license_file: /var/lib/teleport/license.pem
++ license_file: /var/db/teleport/license.pem
+
+ # This section configures the 'node service':
+ ssh_service:
+@@ -320,8 +320,8 @@ proxy_service:
+
+ # TLS certificate for the HTTPS connection. Configuring these properly is
+ # critical for Teleport security.
+- https_key_file: /var/lib/teleport/webproxy_key.pem
+- https_cert_file: /var/lib/teleport/webproxy_cert.pem
++ https_key_file: /var/db/teleport/webproxy_key.pem
++ https_cert_file: /var/db/teleport/webproxy_cert.pem
+
+ # This section configures the Kubernetes proxy service
+ kubernetes:
diff --git a/security/teleport/files/patch-lib_config_fileconf.go b/security/teleport/files/patch-lib_config_fileconf.go
deleted file mode 100644
index 5f8e7c1374a6..000000000000
--- a/security/teleport/files/patch-lib_config_fileconf.go
+++ /dev/null
@@ -1,11 +0,0 @@
---- lib/config/fileconf.go.orig 2020-07-08 18:08:40 UTC
-+++ lib/config/fileconf.go
-@@ -281,7 +281,7 @@ func MakeSampleFileConfig() (fc *FileConfig, err error
- s.Commands = []CommandLabel{
- {
- Name: "hostname",
-- Command: []string{"/usr/bin/hostname"},
-+ Command: []string{"/bin/hostname"},
- Period: time.Minute,
- },
- {
diff --git a/security/teleport/files/patch-lib_defaults_defaults.go b/security/teleport/files/patch-lib_defaults_defaults.go
index 7fbb9101de4f..a0ec9693613e 100644
--- a/security/teleport/files/patch-lib_defaults_defaults.go
+++ b/security/teleport/files/patch-lib_defaults_defaults.go
@@ -1,6 +1,6 @@
---- lib/defaults/defaults.go.orig 2020-07-08 18:08:40 UTC
+--- lib/defaults/defaults.go.orig 2022-02-23 04:58:43 UTC
+++ lib/defaults/defaults.go
-@@ -436,7 +436,7 @@ var (
+@@ -466,7 +466,7 @@ var (
// DataDir is where all mutable data is stored (user keys, recorded sessions,
// registered SSH servers, etc):
diff --git a/security/teleport/files/patch-lib_events_auditlog.go b/security/teleport/files/patch-lib_events_auditlog.go
index 5d4bf68432a4..ab0c4e04e7bf 100644
--- a/security/teleport/files/patch-lib_events_auditlog.go
+++ b/security/teleport/files/patch-lib_events_auditlog.go
@@ -1,4 +1,4 @@
---- lib/events/auditlog.go.orig 2020-07-08 18:08:40 UTC
+--- lib/events/auditlog.go.orig 2022-02-23 04:58:43 UTC
+++ lib/events/auditlog.go
@@ -45,7 +45,7 @@ import (
const (
@@ -8,4 +8,4 @@
+ // in /var/db/teleport/logs/sessions
SessionLogsDir = "sessions"
- // PlaybacksDir is a directory for playbacks
+ // StreamingLogsDir is a subdirectory of sessions /var/lib/teleport/logs/streaming
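Review bot: The refreshed context line `// StreamingLogsDir is a subdirectory of sessions /var/lib/teleport/logs/streaming` appears to be an unmodified inner context line, so after this patch the comment on SessionLogsDir names `/var/db/teleport/logs/sessions` while the comment directly below it still names the Linux path `/var/lib/teleport`. Consider extending the patch to also rewrite that line as `// StreamingLogsDir is a subdirectory of sessions /var/db/teleport/logs/streaming` so the patched source documents one data directory consistently. This is comment-only; the constants themselves are not visible in the hunk.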
diff --git a/security/teleport/files/patch-lib_events_doc.go b/security/teleport/files/patch-lib_events_doc.go
index bc308eaeec0e..570c0aba3879 100644
--- a/security/teleport/files/patch-lib_events_doc.go
+++ b/security/teleport/files/patch-lib_events_doc.go
@@ -1,4 +1,4 @@
---- lib/events/doc.go.orig 2020-07-08 18:08:40 UTC
+--- lib/events/doc.go.orig 2022-02-23 04:58:43 UTC
+++ lib/events/doc.go
@@ -85,7 +85,7 @@ Main Audit Log Format
diff --git a/security/teleport/files/patch-lib_services_server.go b/security/teleport/files/patch-lib_services_server.go
index f763c90a51db..a93f72ee384f 100644
--- a/security/teleport/files/patch-lib_services_server.go
+++ b/security/teleport/files/patch-lib_services_server.go
@@ -1,6 +1,6 @@
---- lib/services/server.go.orig 2020-07-08 18:08:40 UTC
+--- lib/services/server.go.orig 2022-02-23 04:58:43 UTC
+++ lib/services/server.go
-@@ -546,7 +546,7 @@ type CommandLabelV1 struct {
+@@ -578,7 +578,7 @@ type CommandLabelV1 struct {
// Period is a time between command runs
Period time.Duration `json:"period"`
// Command is a command to run
diff --git a/security/teleport/files/patch-tool_teleport_common_teleport__test.go b/security/teleport/files/patch-tool_teleport_common_teleport__test.go
index d2f64d5757d3..cccc072a243f 100644
--- a/security/teleport/files/patch-tool_teleport_common_teleport__test.go
+++ b/security/teleport/files/patch-tool_teleport_common_teleport__test.go
@@ -1,4 +1,4 @@
---- tool/teleport/common/teleport_test.go.orig 2020-07-08 18:08:40 UTC
+--- tool/teleport/common/teleport_test.go.orig 2022-02-23 04:58:43 UTC
+++ tool/teleport/common/teleport_test.go
@@ -62,7 +62,7 @@ func (s *MainTestSuite) SetUpSuite(c *check.C) {
diff --git a/security/teleport/files/patch-vendor_github.com_kr_pty_ztypes__freebsd__arm64.go b/security/teleport/files/patch-vendor_github.com_kr_pty_ztypes__freebsd__arm64.go
index 1362356deb92..3178f17f721b 100644
--- a/security/teleport/files/patch-vendor_github.com_kr_pty_ztypes__freebsd__arm64.go
+++ b/security/teleport/files/patch-vendor_github.com_kr_pty_ztypes__freebsd__arm64.go
@@ -1,4 +1,4 @@
---- vendor/github.com/kr/pty/ztypes_freebsd_arm64.go.orig 2020-07-24 04:36:27 UTC
+--- vendor/github.com/kr/pty/ztypes_freebsd_arm64.go.orig 2022-10-14 07:07:07 UTC
+++ vendor/github.com/kr/pty/ztypes_freebsd_arm64.go
@@ -0,0 +1,13 @@
+// Created by cgo -godefs - DO NOT EDIT
diff --git a/security/teleport/files/patch-version.mk b/security/teleport/files/patch-version.mk
index ee12c2c4fbe7..1457af7a19fc 100644
--- a/security/teleport/files/patch-version.mk
+++ b/security/teleport/files/patch-version.mk
@@ -1,4 +1,4 @@
---- version.mk.orig 2020-07-08 18:08:40 UTC
+--- version.mk.orig 2022-02-23 04:58:43 UTC
+++ version.mk
@@ -1,4 +1,4 @@
-GITREF=`git describe --dirty --long --tags`
diff --git a/security/teleport/files/pkg-message.in b/security/teleport/files/pkg-message.in
index 2a874bdc7840..f15cd53d3bfc 100644
--- a/security/teleport/files/pkg-message.in
+++ b/security/teleport/files/pkg-message.in
@@ -1,13 +1,20 @@
[
{ type: install
message: <<EOM
+ATTENTION! This version of Teleport is very old and likely to contain unfixed
+ATTENTION! vulnerabilities. It's only provided to allow for a working upgrade
+ATTENTION! path from 4.3. Watch for an upgrade to teleport5 next.
+ATTENTION! New installations are STRONGLY discouraged (wait for version 7).
+
Quick getting started guide:
1. Read through the Quick Start Guide (see below).
2. Start teleport: su -c 'sysrc teleport_enable=YES'
-3. Start teleport: su -c 'service teleport start'
-3. Add yourself as a user: su -c "tctl users add $USER"
-4. Create a password and 2FA code using the URL emitted during
+3. If not just setting up a node: su -c 'sysrc teleport_roles=auth,proxy,node'
+4. Review and edit /usr/local/etc/teleport.yaml
+5. Start teleport: su -c 'service teleport start'
+6. Add yourself as a user on the auth server: su -c "tctl users add $USER"
+7. Create a password and 2FA code using the URL emitted during
the previous step.
To add a new node to the cluster, on the auth server:
@@ -16,11 +23,11 @@ To add a new node to the cluster, on the auth server:
See the docs for additional details:
-Quick start: https://gravitational.com/teleport/docs/quickstart/
-Admin Manual: https://gravitational.com/teleport/docs/admin-guide/
-User Manual: https://gravitational.com/teleport/docs/user-manual/
-Architecture: https://gravitational.com/teleport/docs/architecture/
-FAQ: https://gravitational.com/teleport/docs/faq/
+Quick start: https://github.com/gravitational/teleport/blob/branch/4.4/docs/pages/quickstart.mdx
+Admin Manual: https://github.com/gravitational/teleport/blob/branch/4.4/docs/pages/admin-guide.mdx
+User Manual: https://github.com/gravitational/teleport/blob/branch/4.4/docs/pages/user-manual.mdx
+Architecture: https://github.com/gravitational/teleport/blob/branch/4.4/docs/pages/architecture/overview.mdx
+FAQ: https://github.com/gravitational/teleport/blob/branch/4.4/docs/pages/faq.mdx
EOM
}
]
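Review bot: Step 4 hardcodes `/usr/local/etc/teleport.yaml`; because this file is a `pkg-message.in` template, `4. Review and edit %%PREFIX%%/etc/teleport.yaml` keeps the path correct for installs with a non-default PREFIX. Step 2 is still labelled "Start teleport" although `sysrc teleport_enable=YES` only enables the service; since the steps are being renumbered anyway, `2. Enable teleport: su -c 'sysrc teleport_enable=YES'` avoids confusion with the actual start in step 5. The new ATTENTION block warns that this release is likely to carry unfixed vulnerabilities, but pkg-message is only shown after installation; if the port is intended purely as an upgrade stepping stone, surfacing the same warning before install (for example a `DEPRECATED=` line in the Makefile, or a sentence in pkg-descr) reaches users who decide from port metadata rather than the post-install message.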
diff --git a/security/teleport/pkg-descr b/security/teleport/pkg-descr
index d74249c8a8f9..e9cb0029b1fa 100644
--- a/security/teleport/pkg-descr
+++ b/security/teleport/pkg-descr
@@ -1,16 +1,13 @@
What is Teleport?
=================
-Gravitational Teleport ("Teleport") is a modern SSH server for remotely
-accessing clusters of servers via SSH or HTTPS. It is intended to be used
-instead of sshd. Teleport enables teams to easily adopt the best SSH practices
-like:
+Teleport is a gateway for managing access to clusters of *nix servers via
+SSH or the Kubernetes API. While it does also support connecting to
+servers running traditional OpenSSH, its own node deamon is intended to be
+used instead for additional functionality.
-Integrated SSH credentials with your organization Google Apps identities or
-other OAuth identitiy providers. No need to distribute keys: Teleport uses
-certificate-based access with automatic expiration time. Enforcement of 2nd
-factor authentication. Cluster introspection: every Teleport node becomes a part
-of a cluster and is visible on the Web UI. Record and replay SSH sessions for
-knowledge sharing and auditing purposes. Collaboratively troubleshoot issues
-through session sharing. Connect to clusters located behind firewalls without
-direct Internet access via SSH bastions. Teleport is built on top of the
-high-quality Golang SSH implementation and it is compatible with OpenSSH.
+With Teleport it is simple to adopt SSH best practices like using
+certificate-based access and enabling 2FA via TOTP (e.g. Google
+Authenticator), U2F or an SSO provider. Cluster nodes can be accessed via
+a CLI (tsh) or a Web UI which both allow for session sharing. Teleport
+provides centralized user management as well as full session recordings
+that can be played back for knowledge sharing or auditing purposes.
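Review bot: `deamon` in the new description is misspelled; the line should read `servers running traditional OpenSSH, its own node daemon is intended to be`. The rest of the rewritten text reads clearly.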