warp-tech / warpgate Goto Github PK

This issue is a feature request.

Could be nice to have the possibility to automatically add new targets to warpgate via terraform directly when a new vm or LXC container is created.

This probably requires some api that the provider may call to add new targets.

A datasource could be used to obtain the public key directly from the warpgate server to be injected to the authorized_keys file.

is it possible to add an option to ignore certificates error? i use a few internal services with a self signed certificate and if i use those as a http target, warpgate crash and have this issue.

SCP seems to work fine, but should SFTP via warpgate be supported also?

If I try with sftp -o User=<username:target> <warpgate-address>, I am prompted with the user:target (and even OTP correctly), but the connection is never established fully and will eventually timeout. If I try with scp or even WinSCP set to Protocol: SCP, file transfers work fine.

The warpgate logs only show: Requesting subsystem sftp channel=<channel id> Debug log only shows additional Data channel=2 data=<somebinary> session=<session id> session_username=<username>

RHEL9 are moving from scp to sftp and WinSCP also defaults to SFTP, so this would be highly relevant to my interests: https://www.redhat.com/en/blog/openssh-scp-deprecation-rhel-9-what-you-need-know

First of all: Thanks for this nice peace of Software!

We have multiple Aruba Switches in our Infrastructure and I was trying to add them to Warpgate but I wasn't succesfull.
There is an issue with the key exchange algorithm. The one offered by the Aruba Switch is not supported by Warpgate and vice versa.

As with other Linux hosts I tried to add the warpgate kex algorithm to the Aruba Switch, but it looks like it does not support it.

Would it be possible to add additional kex algorithms to warpgate?

ssh admin:"Switch Aruba"@WarpGate -p 2222
admin:Switch Aruba@warpgate's password:
channel 0: protocol error: close rcvd twice
Warpgate Selected target: Switch Aruba
Connection failed No common key exchange algorithm
Connection to warpgate closed.

02.08.2022 11:26:31 DEBUG russh::negotiation: Could not find common kex algorithm, other side only supports Ok("diffie-hellman-group14-sha1"), we only support [Name("[email protected]")]

Hi,

Here a person that has heared about teleport (but never used it (due the "high corporate appearance")).

I, seasoned sysadmin, miss a description how warpgate looks like when it is running.

This are the things that I made up myself:

• warpgate listens by default on port 2222 and can be configured to listen on the default ssh port ( port 22)
• Configuration lives in a sql database, configuration can be live updated
• There is a CLI user interface and a webbased UI, both use the same REST API that listens at configurable port
• Session recordings are stored as files. Recording sessions is optional

Add support for RADIUS. Get mapping which user can access which host from RADIUS server. More or less the way a VPN server would work with RADIUS.

if a http target is not available, warpgate crash with the following message (run in foreground):

thread 'tokio-runtime-worker' panicked at 'called Result::unwrap()on anErrvalue: reqwest::Error { kind: Request, url: Url { scheme: "http", cannot_be_a_base: false, username: "", password: None, host: Some(Ipv4(192.168.0.22)), port: Some(80), path: "/", query: Some("warpgate-target=Service"), fragment: None }, source: hyper::Error(Connect, ConnectError("tcp connect error", Os { code: 111, kind: ConnectionRefused, message: "Connection refused" })) }', warpgate-protocol-http/src/proxy.rs:206:64 note: run withRUST_BACKTRACE=1environment variable to display a backtrace Aborted (core dumped)

possible to catch this error without a crash?

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sec-using_openssh_certificate_authentication
https://smallstep.com/blog/use-ssh-certificates/
https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates

I don't know how possible this would be but it would be pretty cool if a dropdown/selection menu for targets was shown if I don't provide a target.

Could you add arm64 build in the release through a github action.
It's very difficult to build on ARM with poor performances

Regards

When I select a recorded session I get an entry shell-channel-2 under Recordings. When I click on the entry, I get a screen with the headline Session recording and a video-player.
Clicking on the play button in the center of the player starts the Playback and the playback progress indicator at the bottom is updated, but the player screen is just plain black.

On the browser console I get:

containerW = 0 [index.js:3025:12](https://172.16.152.3:8888/node_modules/asciinema-player/dist/index.js)
player mounted [index.js:2863:20](https://172.16.152.3:8888/node_modules/asciinema-player/dist/index.js)
containerW = 1296 [index.js:3025:12](https://172.16.152.3:8888/node_modules/asciinema-player/dist/index.js)
batched 259 frames to 87 frames [index.js:3839:16](https://172.16.152.3:8888/node_modules/asciinema-player/dist/index.js)
containerW = 1296 [index.js:3025:12](https://172.16.152.3:8888/node_modules/asciinema-player/dist/index.js)

and when I interact with the player (clicking on pause / play) I get an exception: Uncought RuntimeError: unreachable executed.

This is feature request issue, it asks to split /etc/warp.yaml into several files.

Having only seen documentation of warpgate ( not having tried it ) there is only one big configuration file.

The idea:

/etc/
/etc/warpgate/
/etc/warpgate/main
/etc/warpgate/target/
/etc/warpgate/target/foo
/etc/warpgate/target/bar
/etc/warpgate/role/
/etc/warpgate/role/wgadmin
/etc/warpgate/role/engineer
/etc/warpgate/user/
/etc/warpgate/user/alice
/etc/warpgate/user/bob

What ends with a /, is a _directory.

/etc/warpgate/main is the YAML file that defines ssh port, webUI port and other main configuration.

In /etc/warpgate/target/foo is content like

   - name: foo
     allow_roles:
       - "warpgate:admin"
     ssh:
       host: 192.168.10.20
       username: root  # optional
       port: 22  # optional

In /etc/warpgate/user/alice is content like:

    - username: alice
      credentials:
        - type: password
          hash: "$argon2id$v=19$m=4096,...eq6Hog"
        - type: publickey
          key: ssh-ed25519 AAAAC3Nz...D4I

The advantages I see:

• the warpgate process does not need write privilege in /etc/
• changes in targets, users and roles don't need rewrite of one big fat single configuration file
• adding and removal of users and targets can easy be done by other tooling as warpgate (think ansible or just cp and just rm)

OpenSSH supports hardware authentication through the two key types "ecdsa-sk" and "ed25519-sk". From what I can tell this is not supported by warpgate.

How hard would it be to implement this? If it is relatively straightforward I would be willing to create a PR in the following weeks.

I'm not sure who can fix this issue, so I start here ;)

I'm a heavy iPad user, but none of the used ssh client is able to connect to warpgate :( when I connect with ShellFish I see the following message in shellfish:
Error: Connection test failed: Error Domain=SSH Code=-5 "Unable to establish SSH connection: Encryption key exchange failed." UserInfo={NSLocalizedDescription=Unable to establish SSH connection: Encryption key exchange failed.}
and in warpgate is see this:
Could not find common cipher, other side only supports Ok("aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc,[email protected],aes192-cbc,aes128-cbc,blowfish-cbc,arcfour128,arcfour,cast128-c bc,3des-cbc"), we only support [Name("[email protected]"), Name("[email protected]")]

also when I use the blink ssh client I see:
Error connecting to warp. connError(msg: "kex error : no match for method mac algo client->server: server [none], client [[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1]")

I looks like those clients use different cipher then warpgate support.

Hey @Eugeny, feel free to submit a PR to showcase your project!

• SeaQL/sea-orm#403

If you have spaces in your ssh target name like so:

targets:
  - name: Dev Server
    allow_roles:
      - "admin"
    ssh:
      host: dev.example.org
      username: john

you get a command looking like this:

ssh thru:Dev [email protected] -p 2022

with the whitespace the command isnt working. Maybe just replace all whitespaces with _ or -?

I'm not able to login in to v 0.5.0, well I can login but after a successful login I get endless redirects. if I start warpgate in the foreground I see only this:

06:30:55 INFO Warpgate version=0.5.0 06:30:55 INFO Using config: "/etc/warpgate.yaml" (users: 1, targets: 1, roles: 1) 06:30:55 INFO -------------------------------------------- 06:30:55 INFO Warpgate is now running. 06:30:55 INFO Accepting SSH connections on 0.0.0.0:2222 06:30:55 INFO Accepting HTTP connections on https://warpgate:8888 06:30:55 INFO -------------------------------------------- 06:30:55 INFO Listening address=0.0.0.0:2222 06:30:55 INFO Listening address=warpgate:8888 06:31:35 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate status=200 OK 06:31:35 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/assets/gateway.e9b0efd6.js status=200 OK 06:31:35 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/assets/gateway.55661b15.css status=200 OK 06:31:35 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/assets/Logo.081db3d4.css status=200 OK 06:31:35 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/assets/Alert.273812d1.js status=200 OK 06:31:35 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/assets/Logo.a5b40f23.js status=200 OK 06:31:35 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/assets/api.af344ead.js status=200 OK 06:31:35 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/info status=200 OK 06:31:35 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/sso/providers status=200 OK 06:31:35 WARN HTTP: Request failed method=GET url=https://warpgate:8888/@warpgate/api/auth/state status=404 Not Found 06:31:40 INFO HTTP: Authenticated username=admin 06:31:40 INFO HTTP: Request method=POST url=https://warpgate:8888/@warpgate/api/auth/login status=201 Created 06:31:40 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/info status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin 06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin 06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/info status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin 06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/auth/state status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin 06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/sso/providers status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin 06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin 06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/info status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin 06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/sso/providers status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin 06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/auth/state status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin 06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin 06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/info status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin 06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/sso/providers status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin 06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/auth/state status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin 06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin 06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/info status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin 06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/auth/state status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin 06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/sso/providers status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin 06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin 06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/info status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin 06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/auth/state status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin 06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/sso/providers status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin 06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin 06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/info status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin 06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/auth/state status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin 06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/sso/providers status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin 06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin 06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/info status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin

Just tryed to test out Warp on a small VPS
False advertising with v0.1.1 & v0.1.0 😏

no dependencies.

a CentOS Linux release 7.9.2009 machine

curl -sLO https://github.com/warp-tech/warpgate/releases/download/v0.1.1/warpgate-v0.1.1-x86_64-linux
mv warpgate-v0.1.1-x86_64-linux /usr/bin/warpgate
chmod +x /usr/bin/warpgate
warpgate setup
> warpgate: /lib64/libc.so.6: version `GLIBC_2.18' not found (required by warpgate)

rpm -qa | grep glibc
glibc-devel-2.17-325.el7_9.x86_64
glibc-common-2.17-325.el7_9.x86_64
glibc-devel-2.17-324.el7_9.x86_64
glibc-2.17-325.el7_9.x86_64
glibc-headers-2.17-324.el7_9.x86_64

Is this functionality supposed to work?

I am using the following configuration:

  # User for Bram
  - username: bram
    credentials:
      - type: password
        hash: "argon hash here"
      - type: publickey
        key: "public key here"
      - type: otp
        key: ...
    require: [publickey, otp]
    roles:
      - "warpgate:admin"

I noticed that the Warpgate's own SSH keys have a displaying issue:
While the ssh-ed25519 displays fine, the rsa-sha2-256 one introduces a blank space after a slash (/) symbol.
The CLI displays both keys correctly.

I have created two screenshots showing the outputs.
This is a test system and I've wiped / regenerated my keys.

I have one host using Duo's PAM module to provide multi factor authentication and another using Jumpcloud for the same purpose. Through Warpgate it fails despite having the ~/.ssh/authorized_keys file configured properly.

Connection failed  Authentication failed
channel 0: protocol error: close rcvd twice

Here's what the entire workflow looks like on the host using Duo:

ssh heywoodlh:[email protected]
heywoodlh:[email protected]'s password:
 Warpgate  Selected target: arch-firewall.wireguard
 Warpgate  Host key ...
 Connection failed  Authentication failed
channel 0: protocol error: close rcvd twice
Connection to warpgate.kube closed.

And here's what it looks like for the host with Jumpcloud (I changed the hostname in this output):

ssh heywoodlh:[email protected]
heywoodlh:[email protected]'s password:
channel 0: protocol error: close rcvd twice
 Warpgate  Selected target: example-host
 Connection failed  Connection refused (os error 111)
Connection to warpgate.kube closed.

As a sanity check, it seems to work just fine with my other machines not using multi-factor auth:

ssh heywoodlh:[email protected]
heywoodlh:[email protected]'s password:
 Warpgate  Selected target: boba.wireguard
 Warpgate  Host key ...
 ✓ Warpgate connected

Last login: Wed Apr 13 15:09:11 2022 from 10.50.50.38
[heywoodlh@boba ~]$

When connecting to a target with OpenSSH version 7.4, I get the following errors on the server:

Jun 14 11:03:33 [localhost] sshd[1613]: Connection from <redacted> port <port> on <redacted> port 2222
Jun 14 11:03:33 [localhost] sshd[1613]: Postponed publickey for <redacted> from <redacted> port <port> ssh2 [preauth]
Jun 14 11:03:33 [localhost] sshd[1613]: Accepted publickey for <redacted> from <redacted> port <port> ssh2: ED25519 SHA256:<fingerprint>
Jun 14 11:03:33 [localhost] sshd[1613]: pam_unix(sshd:session): session opened for user <redacted> by (uid=0)
Jun 14 11:03:33 [localhost] sshd[1613]: User child is on pid 1615
Jun 14 11:03:33 [localhost] sshd[1615]: parse_tty_modes: n_bytes_ptr != n_bytes: 141 141
Jun 14 11:03:33 [localhost] sshd[1615]: Packet integrity error (120 bytes remaining) at session.c:2035
Jun 14 11:03:33 [localhost] sshd[1615]: Disconnecting: Packet integrity error.
Jun 14 11:03:33 [localhost] sshd[1613]: pam_unix(sshd:session): session closed for user <redacted>

This results in an immediate disconnect after authenticating successfully, Warpgate even says in green text "Warpgate connected".

Just FYI, the web admin UI does not seem to work for me on Safari (works just fine in Chrome):

To be specific, in the page User authentication and roles.

The line: (it can also run in unattended mode: echo 123 | warpgate hash)
should be echo -n 123 | warpgate hash since echo will create a new line. Causing the hash to be mismatched.

Implement logging to a vector listener socket.

Expected Behavior:
Showing 2 HTTP endpoints with the same IP but different port simultaneously in the dashboard
Current Behavior:
Only the first endpoints included in the file of the above type is shown

Steps to reproduce:
append the following to warpgate.yaml

- allow_roles:
  - warpgate:admin
  - user
  http: [redacted]
  name: svr_10
- allow_roles:
  - warpgate:admin
  - user
  http:
    tls:
      verify: false
    url: [redacted]
  name: svr_7

Awesome work so far @Eugeny!
Currently trying to implement warpgate bastion in our org. Been great!

I'm concerned with two things actually:

• to use warpgate everywhere, we would have to drop warpgate public key to each user .authorized_keys file, a bit of administrative burden (can be automated)
• warpgate key or server instance gets hacked (somehow) person holding the keys would be able to ssh everywhere bastion can (can be mitigated by ip address limiting, but wont do much if bastion is compromised).

Both can be mitigated if warpgate can support ssh-forwarded keys. So keys for accessing aren't stored on bastion.
Than user can do ssh -A user:host@wg and warpgate will use forwarded key to access destination host.

Would such a thing be possible in future?

Discussed in #129

The session list of Warpgate now has over 12.000 entries of "", these are presumably spam from random IP's.

It would be nice if there's a way to paginate or lazy load on scroll.

I tried following getting start with docker, and I'm getting this error message:

Error response from daemon: Head "https://ghcr.io/v2/warp-tech/warpgate/manifests/latest": unauthorized

It would be nice if this popup could show the actual SSH command that can be used:

This is a feature request/suggestion.

Just like #27 it might make sense to be able to sync users, groups and pubkeys with LDAP.
This would lessen the administrative overhead of user-management.

Hi 👋 . Cool project ! I have a question that I'm unable to answer because I'm illiterate on Rust 🙈 .

I noticed I need to drop warpgate's ssh public keys in the authorized_host of the end host. Does this mean, warpgate makes two ssh sessions ? one between client and warpgate and another between warpgate and end host ?

thanks !

It'd be nice to be able to generate a password hash by passing it to warpgate hash via STDIN, like so:

echo -n 'mypass' | warpgate hash

not sure if this is really the issue, but i use ttyd and i'm not able to access it via warpgate. I only see "connection close" when i connect. i see the same error when I disable websocket support in npm (nginx proxy manager). so I think it's the same issue in warpgate, that web socket is not supported there.

if this is really a websocket issue, any plans to support also websocket connections?