warp-tech / warpgate
Smart SSH, HTTPS and MySQL bastion that requires no additional client-side software
License: Apache License 2.0
If an HTTP target is not available, warpgate crashes with the following message (run in the foreground):
thread 'tokio-runtime-worker' panicked at 'called `Result::unwrap()` on an `Err` value: reqwest::Error { kind: Request, url: Url { scheme: "http", cannot_be_a_base: false, username: "", password: None, host: Some(Ipv4(192.168.0.22)), port: Some(80), path: "/", query: Some("warpgate-target=Service"), fragment: None }, source: hyper::Error(Connect, ConnectError("tcp connect error", Os { code: 111, kind: ConnectionRefused, message: "Connection refused" })) }', warpgate-protocol-http/src/proxy.rs:206:64
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Aborted (core dumped)
Is it possible to catch this error without a crash?
Is this functionality supposed to work?
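The panic above comes from calling `unwrap()` on the result of the upstream connect, so one dead target takes the whole runtime worker down. As an added example (not Warpgate's code; the names `probe_target`, `UpstreamOutcome`, `status_for` and `closed_local_port` are assumptions for illustration), this Rust snippet shows the pattern a proxy can use instead: keep the connection failure as a value, map it to the status the client should see (502 for a refused or unreachable target, 504 for a connect timeout), and never let the error escape as a panic. It uses a plain TCP connect so it runs offline; `reqwest`/`hyper` surface the same `ConnectionRefused` through their own error types, and the same `match` applies.

```rust
use std::io;
use std::net::{SocketAddr, TcpListener, TcpStream};
use std::time::Duration;

/// What happened when the proxy tried to reach the upstream target.
/// Every failure is a value, so the calling task can answer the client
/// instead of panicking and taking the runtime worker down with it.
#[derive(Debug, PartialEq)]
pub enum UpstreamOutcome {
    Connected,
    /// Target refused the connection or is unreachable (ECONNREFUSED etc.).
    BadGateway(String),
    /// Target did not complete the TCP handshake within the deadline.
    GatewayTimeout,
}

/// Try to open a TCP connection to `addr`, bounded by `timeout`.
/// This is the spot where `unwrap()` would turn a dead target into a crash;
/// here the `io::Error` is classified and returned instead.
pub fn probe_target(addr: SocketAddr, timeout: Duration) -> UpstreamOutcome {
    match TcpStream::connect_timeout(&addr, timeout) {
        Ok(_stream) => UpstreamOutcome::Connected,
        Err(e) if e.kind() == io::ErrorKind::TimedOut => UpstreamOutcome::GatewayTimeout,
        // ConnectionRefused, HostUnreachable, NetworkUnreachable, ... all land here.
        Err(e) => UpstreamOutcome::BadGateway(format!("target {addr} unavailable: {e}")),
    }
}

/// HTTP status the proxy should send back to the client for each outcome.
pub fn status_for(outcome: &UpstreamOutcome) -> u16 {
    match outcome {
        UpstreamOutcome::Connected => 200,
        UpstreamOutcome::BadGateway(_) => 502,
        UpstreamOutcome::GatewayTimeout => 504,
    }
}

/// Constructed test fixture: a loopback port with nothing listening on it.
/// Bind to an ephemeral port, record it, then drop the listener so the next
/// connect attempt is refused, just like the unreachable target in the report.
pub fn closed_local_port() -> SocketAddr {
    let listener = TcpListener::bind("127.0.0.1:0").expect("bind loopback");
    let addr = listener.local_addr().expect("local addr");
    drop(listener);
    addr
}

fn main() {
    let addr = closed_local_port();
    let outcome = probe_target(addr, Duration::from_millis(500));
    // For the closed port this is BadGateway(..) => HTTP 502, and the process keeps running.
    println!("{addr} -> {outcome:?} => HTTP {}", status_for(&outcome));
}
```

The important property is that `probe_target` has no code path that panics: a refused connection (os error 111 in the report) becomes a 502 the client can see and the operator can log, while the proxy stays up for every other session.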
I am using the following configuration:
# User for Bram
- username: bram
  credentials:
    - type: password
      hash: "argon hash here"
    - type: publickey
      key: "public key here"
    - type: otp
      key: ...
  require: [publickey, otp]
  roles:
    - "warpgate:admin"
Implement logging to a vector listener socket.
The session list of Warpgate now has over 12.000 entries of "", these are presumably spam from random IPs.
It would be nice if there's a way to paginate or lazy load on scroll.
SCP seems to work fine, but should SFTP via warpgate be supported also?
If I try with sftp -o User=<username:target> <warpgate-address>, I am prompted for the user:target (and even OTP correctly), but the connection is never established fully and will eventually time out. If I try with scp, or even WinSCP set to Protocol: SCP, file transfers work fine.
The warpgate logs only show: Requesting subsystem sftp channel=<channel id>
The debug log only shows additional Data channel=2 data=<somebinary> session=<session id> session_username=<username>
RHEL 9 is moving from scp to sftp and WinSCP also defaults to SFTP, so this would be highly relevant to my interests: https://www.redhat.com/en/blog/openssh-scp-deprecation-rhel-9-what-you-need-know
Is it possible to add an option to ignore certificate errors? I use a few internal services with a self-signed certificate, and if I use those as an HTTP target, warpgate crashes and has this issue.
Awesome work so far @Eugeny!
Currently trying to implement warpgate bastion in our org. Been great!
I'm concerned with two things actually:
.authorized_keys file, a bit of administrative burden (can be automated)
Both can be mitigated if warpgate can support ssh-forwarded keys, so keys for accessing aren't stored on the bastion.
Then the user can do ssh -A user:host@wg and warpgate will use the forwarded key to access the destination host.
Would such a thing be possible in future?
This issue is a feature request.
It could be nice to have the possibility to automatically add new targets to warpgate via Terraform directly when a new VM or LXC container is created.
This probably requires some API that the provider may call to add new targets.
A data source could be used to obtain the public key directly from the warpgate server to be injected into the authorized_keys file.
I don't know how possible this would be but it would be pretty cool if a dropdown/selection menu for targets was shown if I don't provide a target.
Just tried to test out Warp on a small VPS.
False advertising with v0.1.1 & v0.1.0: "no dependencies."
On a CentOS Linux release 7.9.2009 machine:
curl -sLO https://github.com/warp-tech/warpgate/releases/download/v0.1.1/warpgate-v0.1.1-x86_64-linux
mv warpgate-v0.1.1-x86_64-linux /usr/bin/warpgate
chmod +x /usr/bin/warpgate
warpgate setup
> warpgate: /lib64/libc.so.6: version `GLIBC_2.18' not found (required by warpgate)
rpm -qa | grep glibc
glibc-devel-2.17-325.el7_9.x86_64
glibc-common-2.17-325.el7_9.x86_64
glibc-devel-2.17-324.el7_9.x86_64
glibc-2.17-325.el7_9.x86_64
glibc-headers-2.17-324.el7_9.x86_64
I noticed that Warpgate's own SSH keys have a display issue: while the ssh-ed25519 key displays fine, the rsa-sha2-256 one introduces a blank space after a slash (/) symbol. The CLI displays both keys correctly.
I have created two screenshots showing the outputs.
This is a test system and I've wiped / regenerated my keys.
First of all: thanks for this nice piece of software!
We have multiple Aruba switches in our infrastructure and I was trying to add them to Warpgate, but I wasn't successful.
There is an issue with the key exchange algorithm. The one offered by the Aruba switch is not supported by Warpgate and vice versa.
As with other Linux hosts, I tried to add the warpgate kex algorithm to the Aruba switch, but it looks like it does not support it.
Would it be possible to add additional kex algorithms to warpgate?
ssh admin:"Switch Aruba"@WarpGate -p 2222
admin:Switch Aruba@warpgate's password:
channel 0: protocol error: close rcvd twice
Warpgate Selected target: Switch Aruba
Connection failed No common key exchange algorithm
Connection to warpgate closed.
02.08.2022 11:26:31 DEBUG russh::negotiation: Could not find common kex algorithm, other side only supports Ok("diffie-hellman-group14-sha1"), we only support [Name("[email protected]")]
It'd be nice to be able to generate a password hash by passing it to warpgate hash via STDIN, like so:
echo -n 'mypass' | warpgate hash
OpenSSH supports hardware authentication through the two key types "ecdsa-sk" and "ed25519-sk". From what I can tell this is not supported by warpgate.
How hard would it be to implement this? If it is relatively straightforward I would be willing to create a PR in the following weeks.
I have one host using Duo's PAM module to provide multi-factor authentication and another using Jumpcloud for the same purpose. Through Warpgate it fails despite having the ~/.ssh/authorized_keys file configured properly.
Connection failed Authentication failed
channel 0: protocol error: close rcvd twice
Here's what the entire workflow looks like on the host using Duo:
ssh heywoodlh:[email protected]
heywoodlh:[email protected]'s password:
Warpgate Selected target: arch-firewall.wireguard
Warpgate Host key ...
Connection failed Authentication failed
channel 0: protocol error: close rcvd twice
Connection to warpgate.kube closed.
And here's what it looks like for the host with Jumpcloud (I changed the hostname in this output):
ssh heywoodlh:[email protected]
heywoodlh:[email protected]'s password:
channel 0: protocol error: close rcvd twice
Warpgate Selected target: example-host
Connection failed Connection refused (os error 111)
Connection to warpgate.kube closed.
As a sanity check, it seems to work just fine with my other machines not using multi-factor auth:
ssh heywoodlh:[email protected]
heywoodlh:[email protected]'s password:
Warpgate Selected target: boba.wireguard
Warpgate Host key ...
✓ Warpgate connected
Last login: Wed Apr 13 15:09:11 2022 from 10.50.50.38
[heywoodlh@boba ~]$
Hi. Cool project! I have a question that I'm unable to answer because I'm illiterate in Rust.
I noticed I need to drop warpgate's ssh public keys in the authorized_host of the end host. Does this mean warpgate makes two ssh sessions? One between client and warpgate and another between warpgate and the end host?
Thanks!
I'm not sure who can fix this issue, so I start here ;)
I'm a heavy iPad user, but none of the ssh clients I use is able to connect to warpgate :( When I connect with ShellFish I see the following message in ShellFish:
Error: Connection test failed: Error Domain=SSH Code=-5 "Unable to establish SSH connection: Encryption key exchange failed." UserInfo={NSLocalizedDescription=Unable to establish SSH connection: Encryption key exchange failed.}
and in warpgate I see this:
Could not find common cipher, other side only supports Ok("aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc,[email protected],aes192-cbc,aes128-cbc,blowfish-cbc,arcfour128,arcfour,cast128-cbc,3des-cbc"), we only support [Name("[email protected]"), Name("[email protected]")]
Also, when I use the Blink ssh client I see:
Error connecting to warp. connError(msg: "kex error : no match for method mac algo client->server: server [none], client [[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1]")
It looks like those clients use different ciphers than warpgate supports.
When connecting to a target with OpenSSH version 7.4, I get the following errors on the server:
Jun 14 11:03:33 [localhost] sshd[1613]: Connection from <redacted> port <port> on <redacted> port 2222
Jun 14 11:03:33 [localhost] sshd[1613]: Postponed publickey for <redacted> from <redacted> port <port> ssh2 [preauth]
Jun 14 11:03:33 [localhost] sshd[1613]: Accepted publickey for <redacted> from <redacted> port <port> ssh2: ED25519 SHA256:<fingerprint>
Jun 14 11:03:33 [localhost] sshd[1613]: pam_unix(sshd:session): session opened for user <redacted> by (uid=0)
Jun 14 11:03:33 [localhost] sshd[1613]: User child is on pid 1615
Jun 14 11:03:33 [localhost] sshd[1615]: parse_tty_modes: n_bytes_ptr != n_bytes: 141 141
Jun 14 11:03:33 [localhost] sshd[1615]: Packet integrity error (120 bytes remaining) at session.c:2035
Jun 14 11:03:33 [localhost] sshd[1615]: Disconnecting: Packet integrity error.
Jun 14 11:03:33 [localhost] sshd[1613]: pam_unix(sshd:session): session closed for user <redacted>
This results in an immediate disconnect after authenticating successfully, Warpgate even says in green text "Warpgate connected".
If you have spaces in your ssh target name like so:
targets:
  - name: Dev Server
    allow_roles:
      - "admin"
    ssh:
      host: dev.example.org
      username: john
you get a command looking like this:
ssh thru:Dev [email protected] -p 2022
With the whitespace the command isn't working. Maybe just replace all whitespace with _ or -?
I tried following Getting Started with Docker, and I'm getting this error message:
Error response from daemon: Head "https://ghcr.io/v2/warp-tech/warpgate/manifests/latest": unauthorized
Hi,
Here is a person who has heard about Teleport (but never used it, due to the "high corporate appearance").
I, a seasoned sysadmin, miss a description of how warpgate looks when it is running.
These are the things that I made up myself:
warpgate listens by default on port 2222 and can be configured to listen on the default ssh port (port 22)
I'm not able to log in to v0.5.0. Well, I can log in, but after a successful login I get endless redirects. If I start warpgate in the foreground I see only this:
06:30:55 INFO Warpgate version=0.5.0
06:30:55 INFO Using config: "/etc/warpgate.yaml" (users: 1, targets: 1, roles: 1)
06:30:55 INFO --------------------------------------------
06:30:55 INFO Warpgate is now running.
06:30:55 INFO Accepting SSH connections on 0.0.0.0:2222
06:30:55 INFO Accepting HTTP connections on https://warpgate:8888
06:30:55 INFO --------------------------------------------
06:30:55 INFO Listening address=0.0.0.0:2222
06:30:55 INFO Listening address=warpgate:8888
06:31:35 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate status=200 OK
06:31:35 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/assets/gateway.e9b0efd6.js status=200 OK
06:31:35 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/assets/gateway.55661b15.css status=200 OK
06:31:35 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/assets/Logo.081db3d4.css status=200 OK
06:31:35 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/assets/Alert.273812d1.js status=200 OK
06:31:35 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/assets/Logo.a5b40f23.js status=200 OK
06:31:35 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/assets/api.af344ead.js status=200 OK
06:31:35 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/info status=200 OK
06:31:35 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/sso/providers status=200 OK
06:31:35 WARN HTTP: Request failed method=GET url=https://warpgate:8888/@warpgate/api/auth/state status=404 Not Found
06:31:40 INFO HTTP: Authenticated username=admin
06:31:40 INFO HTTP: Request method=POST url=https://warpgate:8888/@warpgate/api/auth/login status=201 Created
06:31:40 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/info status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin
06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin
06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/info status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin
06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/auth/state status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin
06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/sso/providers status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin
06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin
06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/info status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin
06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/sso/providers status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin
06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/auth/state status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin
06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin
06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/info status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin
06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/sso/providers status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin
06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/auth/state status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin
06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin
06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/info status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin
06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/auth/state status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin
06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/sso/providers status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin
06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin
06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/info status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin
06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/auth/state status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin
06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/sso/providers status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin
06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin
06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/info status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin
06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/auth/state status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin
06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/sso/providers status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin
06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin
06:31:41 INFO HTTP: Request method=GET url=https://warpgate:8888/@warpgate/api/info status=200 OK session=af2d4de4-8d86-40b7-ba58-07076b5e0469 session_username=admin
Not sure if this is really the issue, but I use ttyd and I'm not able to access it via warpgate. I only see "connection close" when I connect. I see the same error when I disable websocket support in NPM (nginx proxy manager), so I think it's the same issue in warpgate, that websockets are not supported there.
If this is really a websocket issue, are there any plans to support websocket connections as well?
When I select a recorded session I get an entry shell-channel-2 under Recordings. When I click on the entry, I get a screen with the headline Session recording and a video player.
Clicking on the play button in the center of the player starts the playback and the playback progress indicator at the bottom is updated, but the player screen is just plain black.
On the browser console I get:
containerW = 0 [index.js:3025:12](https://172.16.152.3:8888/node_modules/asciinema-player/dist/index.js)
player mounted [index.js:2863:20](https://172.16.152.3:8888/node_modules/asciinema-player/dist/index.js)
containerW = 1296 [index.js:3025:12](https://172.16.152.3:8888/node_modules/asciinema-player/dist/index.js)
batched 259 frames to 87 frames [index.js:3839:16](https://172.16.152.3:8888/node_modules/asciinema-player/dist/index.js)
containerW = 1296 [index.js:3025:12](https://172.16.152.3:8888/node_modules/asciinema-player/dist/index.js)
and when I interact with the player (clicking on pause / play) I get an exception: Uncaught RuntimeError: unreachable executed.
Originally posted by jeffbrl June 7, 2022
What is the recommended way to secure warpgate from unwanted users connecting via SSH? By following the Getting Started guide, I believe you end up with an insecure setup in which anyone who can guess the targets can SSH to them.
Add support for RADIUS. Get the mapping of which user can access which host from the RADIUS server, more or less the way a VPN server would work with RADIUS.
Expected Behavior:
Showing 2 HTTP endpoints with the same IP but different port simultaneously in the dashboard
Current Behavior:
Only the first endpoint of the above type included in the file is shown
Steps to reproduce:
append the following to warpgate.yaml
- allow_roles:
    - warpgate:admin
    - user
  http: [redacted]
  name: svr_10
- allow_roles:
    - warpgate:admin
    - user
  http:
    tls:
      verify: false
    url: [redacted]
  name: svr_7
This is a feature request/suggestion.
Just like #27 it might make sense to be able to sync users, groups and pubkeys with LDAP.
This would lessen the administrative overhead of user-management.
Could you add arm64 build in the release through a github action.
It's very difficult to build on ARM hardware with poor performance.
Regards
This is a feature request issue; it asks to split /etc/warp.yaml into several files.
Having only seen the documentation of warpgate (not having tried it), there is only one big configuration file.
The idea:
/etc/
/etc/warpgate/
/etc/warpgate/main
/etc/warpgate/target/
/etc/warpgate/target/foo
/etc/warpgate/target/bar
/etc/warpgate/role/
/etc/warpgate/role/wgadmin
/etc/warpgate/role/engineer
/etc/warpgate/user/
/etc/warpgate/user/alice
/etc/warpgate/user/bob
What ends with a / is a directory.
/etc/warpgate/main is the YAML file that defines the ssh port, web UI port and other main configuration.
In /etc/warpgate/target/foo is content like:
- name: foo
  allow_roles:
    - "warpgate:admin"
  ssh:
    host: 192.168.10.20
    username: root # optional
    port: 22 # optional
In /etc/warpgate/user/alice is content like:
- username: alice
  credentials:
    - type: password
      hash: "$argon2id$v=19$m=4096,...eq6Hog"
    - type: publickey
      key: ssh-ed25519 AAAAC3Nz...D4I
The advantages I see:
/etc/
ansible or just cp
and just rm
)
To be specific, in the page User authentication and roles.
The line "(it can also run in unattended mode: echo 123 | warpgate hash)" should be "echo -n 123 | warpgate hash", since echo will add a newline, causing the hash to be mismatched.
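Both the earlier stdin request (echo -n 'mypass' | warpgate hash) and this documentation correction hinge on one byte: plain echo appends "\n", so the hash is computed over "123\n" and never matches the password "123" typed at login. As an added example, not Warpgate's own hash implementation, this Rust snippet shows how a CLI reading a secret from a pipe can tolerate that on the tool side: it strips exactly one trailing newline ("\n" or "\r\n"), keeps every other byte verbatim, and reports that it stripped something so the operator can be warned. The names PipedSecret, normalize_piped_secret and read_piped_secret are assumptions for illustration.

```rust
use std::io::{self, Read};

/// Result of reading a secret from a pipe.
#[derive(Debug, PartialEq)]
pub struct PipedSecret {
    /// The bytes that should actually be hashed.
    pub bytes: Vec<u8>,
    /// True if a trailing newline was removed, so the CLI can warn the
    /// operator that plain `echo` was probably used instead of `echo -n`.
    pub stripped_newline: bool,
}

/// Normalize a secret that arrived on stdin.
/// `echo 123 |` delivers "123\n"; `echo -n 123 |` and `printf '%s' 123 |`
/// deliver "123". Exactly one trailing "\n" (or "\r\n") is removed so both
/// spellings hash the same bytes; everything else, including interior
/// whitespace, is kept verbatim. Empty input is rejected rather than hashed.
pub fn normalize_piped_secret(raw: &[u8]) -> Result<PipedSecret, String> {
    let mut bytes = raw.to_vec();
    let mut stripped_newline = false;
    if bytes.last() == Some(&b'\n') {
        bytes.pop();
        if bytes.last() == Some(&b'\r') {
            bytes.pop();
        }
        stripped_newline = true;
    }
    if bytes.is_empty() {
        return Err("no secret provided on stdin".to_string());
    }
    Ok(PipedSecret { bytes, stripped_newline })
}

/// Read everything from `input` (stdin in a real CLI) and normalize it.
pub fn read_piped_secret(mut input: impl Read) -> Result<PipedSecret, String> {
    let mut raw = Vec::new();
    input
        .read_to_end(&mut raw)
        .map_err(|e| format!("failed to read secret from stdin: {e}"))?;
    normalize_piped_secret(&raw)
}

fn main() {
    // Usage: echo 123 | ./this-binary   (or echo -n 123 | ./this-binary)
    match read_piped_secret(io::stdin()) {
        Ok(secret) => {
            if secret.stripped_newline {
                eprintln!("warning: stripped a trailing newline from stdin (use echo -n or printf '%s')");
            }
            // A real tool would pass `secret.bytes` to the password hash here.
            println!("hashing {} byte(s)", secret.bytes.len());
        }
        Err(e) => {
            eprintln!("error: {e}");
            std::process::exit(1);
        }
    }
}
```

Stripping only a single trailing newline is deliberate: a secret that legitimately ends in "\n\n" or contains interior whitespace is left intact, and the warning tells the operator which invocation they should have used rather than silently guessing.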