v0.12.0

Changes

• Self-service credentials management (#1145) - you can now allow users to manage their own credentials. Enable it in Config -> Misc -> Global parameters.
• Multiple return domains for SSO, prefer host header over external_host (dbf96a8 / #1093) - Warpgate now users the Host header to resolve its own external URL and only falls back to the external_host from the config file if the header is missing. If you're running behind a reverse proxy, make sure that http.trust_x_forwarded_headers is set in the config and you're passing the X-Forwarded-Host header. SSO logins will also dynamically construct their return URL from the Host header. You can restrict the allowed return domains with the new sso_providers[].return_domain_whitelist option (a list of hostnames).
• Passing user-identifying headers to HTTP targets (cc0b054 / #1107) - Warpgate now passes x-warpgate-username and x-warpgate-authentication-type headers to HTTP targets.
• --enable-admin-token option (9dd1c58) - setting it allows passing a global admin token via the WARPGATE_ADMIN_TOKEN env variable. This token can be used to authenticate against the admin REST API (pass it in the x-warpgate-token header).

Other changes

• ef46e75: add keepalive_interval to ssh config (#1134) (Piotr Rotter)
• f1d565b: Svelte 5 migration (#1101)
• a20fdb8: Bumped russh (#1131)
• 379b1bc: fixed #983 - enable ssh-rsa when insecure algorithms are allowed
• b359838: Separate DB models for credentials (#1143)

Fixes

• 846e6d1: fixed #1110 - Fix switch for insecure ssh algorithms option (#1111) (hashfunc)
• 38dbb3b: fixed #1096 - SEC1 EC private key file support for TLS
• 80ee6cc: fixed #1074 - strip trailing slash in SSO issuer URLs and log errors properly
• 8acaaee: show more detailed error messages for API errors
• 3b29a3e: fixed #929 - sso: broken additional_trusted_audiences config option
• 557921f: postgres listener was incorrectly using the mysql certificate & key
• 41d3158: fixed #1039 - first DB migration failing on Postgres
• 64d7194: fixed #1150 - send the ssh-rsa client key when insecure algorithms are enabled

v0.12.0-beta.1

Changes

• Self-service credentials management (#1145) - you can now allow users to manage their own credentials. Enable it in Config -> Misc -> Global parameters.
• Multiple return domains for SSO, prefer host header over external_host (dbf96a8 / #1093) - Warpgate now users the Host header to resolve its own external URL and only falls back to the external_host from the config file if the header is missing. If you're running behind a reverse proxy, make sure that http.trust_x_forwarded_headers is set in the config and you're passing the X-Forwarded-Host header. SSO logins will also dynamically construct their return URL from the Host header. You can restrict the allowed return domains with the new sso_providers[].return_domain_whitelist option (a list of hostnames).
• Passing user-identifying headers to HTTP targets (cc0b054 / #1107) - Warpgate now passes x-warpgate-username and x-warpgate-authentication-type headers to HTTP targets.
• --enable-admin-token option (9dd1c58) - setting it allows passing a global admin token via the WARPGATE_ADMIN_TOKEN env variable. This token can be used to authenticate against the admin REST API (pass it in the x-warpgate-token header).

Other changes

• ef46e75: add keepalive_interval to ssh config (#1134) (Piotr Rotter)
• f1d565b: Svelte 5 migration (#1101)
• a20fdb8: Bumped russh (#1131)
• 379b1bc: fixed #983 - enable ssh-rsa when insecure algorithms are allowed
• b359838: Separate DB models for credentials (#1143)

Fixes

• 846e6d1: fixed #1110 - Fix switch for insecure ssh algorithms option (#1111) (hashfunc)
• 38dbb3b: fixed #1096 - SEC1 EC private key file support for TLS
• 80ee6cc: fixed #1074 - strip trailing slash in SSO issuer URLs and log errors properly
• 8acaaee: show more detailed error messages for API errors
• 3b29a3e: fixed #929 - sso: broken additional_trusted_audiences config option
• 557921f: postgres listener was incorrectly using the mysql certificate & key
• 41d3158: fixed #1039 - first DB migration failing on Postgres

v0.11.0

⚠️ This is the last release that supports loading targets, users and roles from the config file. Upgrade to this version before installing v0.12 if you haven't migrated yet!

PostgreSQL

v0.11 adds experimental PostgreSQL target support.

Enable the PostgreSQL protocol in your config file (default: /etc/warpgate.yaml) if you didn't do so during the initial setup:

+ postgres:
+   enable: true
+   certificate: /var/lib/warpgate/tls.certificate.pem
+   key: /var/lib/warpgate/tls.key.pem

You can reuse the same certificate and key that are used for the HTTP listener.

See [https://github.com/warp-tech/warpgate/wiki/Adding-a-PostgreSQL-target](Adding a PostgreSQL target) for more details.

Changes

• 00d3c36: PostgreSQL support (#1021) #1021
• fe521f2: OIDC RP-initiated logout (SSO single logout) support (#992) #992
• 3c3b843: Validate a TOTP code before saving it (#1055) (kekkon) #1055

Fixes

• 116bf9f: fixed SSO authentication getting incorrectly rejected when user has both an "any provider" and a provider specific SSO credential
• 1f597a8: fixed #1053 - prevent repeated consumption of the ticket uses within the same SSH session
• 38bdbad: fixed #1077 - handle non-standard PKCS8 EC private key PEMs
• 7e49f13: #1056 - auto-strip .well-known/openid-configuration from OIDC URLs
• 9e3760e: fixed #1082 - terminal replay crashing when the session is finished

v0.10.2

Security fixes

CVE-2024-43410 - SSH OOM DoS through malicious packet length

It was possible for an attacker to cause Warpgate to allocate an arbitrary amount of memory by sending a packet with a malformed length field, potentially causing the service to get killed due to excessive RAM usage.

Other fIxes

• c328127: fixed #941 - unnecessary port number showing up in external URLs

v0.10.1

Fixes

• ed6f68c: fixed #1017 - fixed broken HTTP proxying
• daacd55: fixed #972 - ssh: only offer available auth methods after a rejected public key offer

v0.10.0

HTTP

• Added remote_addr to logs #945 (Néfix Estrada)
• TLS implementation switched to Rustls

SSH

• Made inactivity timeout configurable (#990) #990 (Néfix Estrada)
• 5551c33: Switch OOB SSO authentication for SSH to use the instructions instead of the name (#964) (Shea Smith) #964
• Bumped russh to v0.44
• 8896bb3: fixed #961 - added option to allow insecure ssh key exchanges (#971) #971

SSO

• 916d51a: Add support for role mappings on custom SSO providers. (#920) (Skyler Mansfield) #920
• 75a2b8c: fixed #929 - support additional trusted OIDC audiences

UI

• 257fb38: Enhance ticket creation api and UI to support ticket expiry (#957) (Thibaud Lepretre) #957
• f3dc1ad: Enhance ticket creation api and UI to support ticket number of usage (#959) (Thibaud Lepretre) #959

Other changes

• 72236d0: Added options to specify per-protocol external ports (#973) #973
• Added arm64 docker image #930 (Zasda Yusuf Mikail)
• 81cefeb: fixed #966 - don't actually try to tighten config file permissions unless necessary
• 7e45fa5: migrate from moment to date-fns (#988) (Konstantin Nosov) #988
• b65a189: Upgrade TypeScript and Svelte Versions (#995) (Yachen Mao) #995

v0.9.1

Security fixes

CVE-2023-48795 - Terrapin Attack [12fdf62]

A flaw in the SSH protocol itself allows an active MitM attacker to prevent the client & server from negotiating OpenSSH security extensions, or, with AsyncSSH, take control of the user's session.

This release adds the support for the kex-strict-*-v00@openssh.com extensions designed by OpenSSH specifically to prevent this attack.

More info: https://terrapin-attack.com

Changes

• 21d6ab4: make HTTP session timeout and cookie age configurable in the config file (Nicolas SEYS) #922

v0.9.0

Security fixes

CVE-2023-48712

⚠️ Update ASAP.

This vulnerability allows a user to escalate their privileges if the admin account isn't protected by 2FA.

Migration

• If you have a proxy in front of Warpgate setting X-Forwarded-* headers, set http.trust_x_forwarded_for to true in the config file.

Changes

• b0a9130: Add support for trusting X-Forwarded-For header to get client IP (Skyler Mansfield) #921
• d9af747: Add better support for X-Forward-* headers when constructing external url (Skyler Mansfield) #921

v0.8.1

Security fixes

CVE-2023-43660

The SSH key verification for a user could be bypassed by sending an SSH key offer without a signature. This allowed bypassing authentication completely under following conditions:

• The attacker knows the username and a valid target name
• The attacked knows the user's public key
• Only SSH public key authentication is required for the user account

Fixes

• dec0b97: Fix redirection with a relative location (Nicolas SEYS) #896

v0.8.0

Changes

• 0bc9ae1: session details (IP & security key) are now shown during OOB auth to reduce the chance of phishing a user into approving an auth attempt #858
• 983d0ad: bumped russh

Fixes

• f0bc1db: fixed #358 - quotes in connection instructions on Windows #859
• 49b92cd: fixed #855 - log client IPs and credentials used #861
• aca8d3d: fixed #857 - fixed default ticket expiry when using MySQL as a database, bumped sea-orm #862