Releases: warp-tech/warpgate

v0.11.0

09 Oct 08:03

⚠️ This is the last release that supports loading targets, users and roles from the config file. Upgrade to this version before installing v0.12 if you haven't migrated yet!

PostgreSQL

v0.11 adds experimental PostgreSQL target support.

Enable the PostgreSQL protocol in your config file (default: /etc/warpgate.yaml) if you didn't do so during the initial setup:

+ postgres:
+   enable: true
+   certificate: /var/lib/warpgate/tls.certificate.pem
+   key: /var/lib/warpgate/tls.key.pem

You can reuse the same certificate and key that are used for the HTTP listener.

See [Adding a PostgreSQL target](https://github.com/warp-tech/warpgate/wiki/Adding-a-PostgreSQL-target) for more details.

Changes

Fixes

  • 116bf9f: fixed SSO authentication getting incorrectly rejected when user has both an "any provider" and a provider specific SSO credential
  • 1f597a8: fixed #1053 - prevent repeated consumption of the ticket uses within the same SSH session
  • 38bdbad: fixed #1077 - handle non-standard PKCS8 EC private key PEMs
  • 7e49f13: #1056 - auto-strip .well-known/openid-configuration from OIDC URLs
  • 9e3760e: fixed #1082 - terminal replay crashing when the session is finished

v0.10.2

14 Aug 21:11

Security fixes

CVE-2024-43410 - SSH OOM DoS through malicious packet length

It was possible for an attacker to cause Warpgate to allocate an arbitrary amount of memory by sending a packet with a malformed length field, potentially causing the service to get killed due to excessive RAM usage.
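The kind of bound that closes this class of bug, as an added example (not Warpgate's or russh's code): a reader for the unencrypted SSH binary packet framing of RFC 4253 that validates the peer-supplied length before sizing any buffer from it. `MAX_PACKET_LEN`, `FrameError` and `read_payload` are names assumed for this example, and the 256 KiB cap is an assumed value.

```rust
use std::io::Read;

/// Assumed cap for this example (256 KiB); not Warpgate's actual limit.
pub const MAX_PACKET_LEN: usize = 256 * 1024;

#[derive(Debug, PartialEq)]
pub enum FrameError {
    TooLarge(usize), // length field exceeds the cap
    TooSmall(usize), // shorter than padding_length byte + 4 bytes of padding
    BadPadding,      // padding_length inconsistent with packet_length
    Truncated,       // stream ended before the announced bytes arrived
}

/// Reads one unencrypted SSH binary packet (RFC 4253, section 6) and returns
/// its payload. The length field is checked before any buffer is sized from it.
pub fn read_payload<R: Read>(src: &mut R) -> Result<Vec<u8>, FrameError> {
    let mut len_buf = [0u8; 4];
    src.read_exact(&mut len_buf).map_err(|_| FrameError::Truncated)?;
    let packet_len = u32::from_be_bytes(len_buf) as usize;

    // Reject attacker-controlled sizes up front: nothing is allocated yet.
    if packet_len > MAX_PACKET_LEN {
        return Err(FrameError::TooLarge(packet_len));
    }
    if packet_len < 5 {
        return Err(FrameError::TooSmall(packet_len));
    }

    // Allocation is now bounded by MAX_PACKET_LEN regardless of the peer's claim.
    let mut body = vec![0u8; packet_len];
    src.read_exact(&mut body).map_err(|_| FrameError::Truncated)?;

    let pad = body[0] as usize;
    if pad < 4 || pad > packet_len - 1 {
        return Err(FrameError::BadPadding);
    }
    Ok(body[1..packet_len - pad].to_vec())
}

fn main() {
    // Constructed frames: a valid 10-byte packet and one claiming 4 GiB.
    let ok = [0u8, 0, 0, 10, 4, b'h', b'e', b'l', b'l', b'o', 0, 0, 0, 0];
    let huge = [0xffu8, 0xff, 0xff, 0xff, 0x00];
    println!("{:?}", read_payload(&mut &ok[..]));
    println!("{:?}", read_payload(&mut &huge[..]));
}
```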

Other fixes

  • c328127: fixed #941 - unnecessary port number showing up in external URLs

v0.10.1

26 Jul 17:01

Fixes

  • ed6f68c: fixed #1017 - fixed broken HTTP proxying
  • daacd55: fixed #972 - ssh: only offer available auth methods after a rejected public key offer

v0.10.0

18 Jul 14:27

HTTP

SSH

  • Made inactivity timeout configurable (#990) #990 (Néfix Estrada)
  • 5551c33: Switch OOB SSO authentication for SSH to use the instructions instead of the name (#964) (Shea Smith) #964
  • Bumped russh to v0.44
  • 8896bb3: fixed #961 - added option to allow insecure ssh key exchanges (#971) #971

SSO

  • 916d51a: Add support for role mappings on custom SSO providers. (#920) (Skyler Mansfield) #920
  • 75a2b8c: fixed #929 - support additional trusted OIDC audiences

UI

  • 257fb38: Enhance ticket creation api and UI to support ticket expiry (#957) (Thibaud Lepretre) #957
  • f3dc1ad: Enhance ticket creation api and UI to support ticket number of usage (#959) (Thibaud Lepretre) #959

Other changes

v0.9.1

18 Dec 15:26

Security fixes

CVE-2023-48795 - Terrapin Attack [12fdf62]

A flaw in the SSH protocol itself allows an active MitM attacker to prevent the client & server from negotiating OpenSSH security extensions, or, with AsyncSSH, take control of the user's session.

This release adds support for the kex-strict-*-v00@openssh.com extensions designed by OpenSSH specifically to prevent this attack.

More info: https://terrapin-attack.com

Changes

  • 21d6ab4: make HTTP session timeout and cookie age configurable in the config file (Nicolas SEYS) #922

v0.9.0

23 Nov 19:37

Security fixes

CVE-2023-48712

⚠️ Update ASAP.

This vulnerability allows a user to escalate their privileges if the admin account isn't protected by 2FA.

Migration

  • If you have a proxy in front of Warpgate setting X-Forwarded-* headers, set http.trust_x_forwarded_for to true in the config file.

Changes

  • b0a9130: Add support for trusting X-Forwarded-For header to get client IP (Skyler Mansfield) #921
  • d9af747: Add better support for X-Forward-* headers when constructing external url (Skyler Mansfield) #921

v0.8.1

27 Sep 20:39

Security fixes

CVE-2023-43660

The SSH key verification for a user could be bypassed by sending an SSH key offer without a signature. This allowed bypassing authentication completely under the following conditions:

  • The attacker knows the username and a valid target name
  • The attacker knows the user's public key
  • Only SSH public key authentication is required for the user account
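The server-side rule this fix depends on, as an added example (not Warpgate's code): in the RFC 4252 "publickey" method a request whose boolean flag is FALSE is only a key offer, to be answered with PK_OK, and authentication succeeds only when a signature is present and verifies. `Outcome`, `handle_publickey` and the `verify` hook are hypothetical names; `verify` stands in for real signature verification over the session identifier and request fields.

```rust
#[derive(Debug, PartialEq)]
pub enum Outcome { PkOk, Authenticated, Rejected }

// Reads one SSH `string` (uint32 length + bytes) and advances the cursor.
fn take_string<'a>(buf: &mut &'a [u8]) -> Option<&'a [u8]> {
    let data: &'a [u8] = *buf;
    if data.len() < 4 { return None; }
    let len = u32::from_be_bytes([data[0], data[1], data[2], data[3]]) as usize;
    let end = len.checked_add(4)?;
    let s = data.get(4..end)?;
    *buf = &data[end..];
    Some(s)
}

// Returns (key blob, optional signature); None if the message is malformed.
fn parse_request(mut msg: &[u8]) -> Option<(&[u8], Option<&[u8]>)> {
    let (&msg_type, rest) = msg.split_first()?;
    if msg_type != 50 { return None; } // SSH_MSG_USERAUTH_REQUEST
    msg = rest;
    take_string(&mut msg)?; // user name
    take_string(&mut msg)?; // service name
    if take_string(&mut msg)? != b"publickey" { return None; }
    let (&has_sig, rest) = msg.split_first()?;
    msg = rest;
    take_string(&mut msg)?; // public key algorithm name
    let key = take_string(&mut msg)?;
    // Flag TRUE means a signature must follow; a missing one is malformed.
    let sig = if has_sig != 0 { Some(take_string(&mut msg)?) } else { None };
    Some((key, sig))
}

// `verify(key, signature)` is a caller-supplied stand-in for real signature
// verification (hypothetical hook for this example).
pub fn handle_publickey(msg: &[u8], authorized_key: &[u8],
                        verify: impl Fn(&[u8], &[u8]) -> bool) -> Outcome {
    match parse_request(msg) {
        Some((key, _)) if key != authorized_key => Outcome::Rejected,
        // Key offer without signature: answer PK_OK, the user is NOT logged in.
        Some((_, None)) => Outcome::PkOk,
        Some((key, Some(sig))) if verify(key, sig) => Outcome::Authenticated,
        _ => Outcome::Rejected,
    }
}

fn main() {
    // Constructed sample: offer for user "u", key blob "K", signature flag FALSE.
    let query = b"\x32\0\0\0\x01u\0\0\0\x01s\0\0\0\x09publickey\0\0\0\0\x01a\0\0\0\x01K";
    println!("{:?}", handle_publickey(query, b"K", |_, _| true));
}
```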

Fixes

  • dec0b97: Fix redirection with a relative location (Nicolas SEYS) #896

v0.8.0

20 Aug 17:43

Changes

  • 0bc9ae1: session details (IP & security key) are now shown during OOB auth to reduce the chance of phishing a user into approving an auth attempt #858
  • 983d0ad: bumped russh

Fixes

  • f0bc1db: fixed #358 - quotes in connection instructions on Windows #859
  • 49b92cd: fixed #855 - log client IPs and credentials used #861
  • aca8d3d: fixed #857 - fixed default ticket expiry when using MySQL as a database, bumped sea-orm #862

v0.7.4

02 Aug 07:37

Changes

  • Fixed Docker image build

v0.7.3

10 Jul 09:21

Security fixes

CVE-2023-37268 [8173f65]

Insufficient authentication checks for SSO users allowed any SSO user to elevate their permissions to those of any other SSO user. All configurations using SSO are affected.

Changes

  • f13a22f: HTTP: fixed #747 - don't include port in the X-Forwarded-For header
  • UI: added search boxes - #761
  • 4fe4bfe: fixed login errors not being displayed properly
  • b1995be: Admin: disallow completely disabling authentication for a protocol