fixed #961 - added option to allow insecure ssh kex (#971)

Eugene 2024-03-24 14:09:20 +01:00 committed by GitHub
parent 21e0008695
commit 8896bb361e
5 changed files with 43 additions and 17 deletions


@ -15,6 +15,8 @@ pub struct TargetSSHOptions {
#[serde(default = "_default_username")]
pub username: String,
#[serde(default)]
pub allow_insecure_algos: Option<bool>,
#[serde(default)]
pub auth: SSHTargetAuth,
}
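Review bot: The new `allow_insecure_algos` field has no doc comment, yet it is the switch that widens the key-exchange set accepted for this target (the companion change in the client enables `kex::DH_G1_SHA1` when it is set), and neither the struct nor the generated schema conveys that from `Option<bool>` alone. Suggest `/// Allow legacy key-exchange algorithms (including SHA-1 DH group1) for devices that cannot negotiate the default set; unset/false keeps the secure defaults.` above the field. With `#[serde(default)]` the three-state `Option<bool>` only ever collapses through `unwrap_or(false)` in the consumer, so a plain `bool` would express the same thing and match the `"type": "boolean"` the schema section of this commit emits, if the API contract allows it. `TargetSSHOptions` begins before this hunk.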


@ -15,8 +15,8 @@ pub use error::SshClientError;
use futures::pin_mut;
use handler::ClientHandler;
use russh::client::Handle;
use russh::{Preferred, Sig};
use russh_keys::key::{self, PublicKey};
use russh::{kex, Preferred, Sig};
use russh_keys::key::PublicKey;
use tokio::sync::mpsc::{unbounded_channel, UnboundedReceiver, UnboundedSender};
use tokio::sync::{oneshot, Mutex};
use tokio::task::JoinHandle;
@ -401,16 +401,28 @@ impl RemoteClient {
};
info!(?address, username = &ssh_options.username[..], "Connecting");
let config = russh::client::Config {
preferred: Preferred {
key: &[
key::ED25519,
key::RSA_SHA2_256,
key::RSA_SHA2_512,
key::SSH_RSA,
let algos = if ssh_options.allow_insecure_algos.unwrap_or(false) {
Preferred {
kex: &[
kex::CURVE25519,
kex::CURVE25519_PRE_RFC_8731,
kex::DH_G16_SHA512,
kex::DH_G14_SHA256, // non-default
kex::DH_G14_SHA256,
kex::DH_G1_SHA1, // non-default
kex::EXTENSION_SUPPORT_AS_CLIENT,
kex::EXTENSION_SUPPORT_AS_SERVER,
kex::EXTENSION_OPENSSH_STRICT_KEX_AS_CLIENT,
kex::EXTENSION_OPENSSH_STRICT_KEX_AS_SERVER,
],
..<_>::default()
},
}
} else {
Preferred::default()
};
let config = russh::client::Config {
preferred: algos,
..Default::default()
};
let config = Arc::new(config);
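Review bot: The legacy arm (`if ssh_options.allow_insecure_algos.unwrap_or(false)`) moves a connection onto a kex list that includes `kex::DH_G1_SHA1` without leaving any trace in the log, so the existing `info!` on the `Connecting` line should record it to keep use of downgraded algorithms auditable per target, e.g. `info!(?address, username = &ssh_options.username[..], allow_insecure_algos = ssh_options.allow_insecure_algos.unwrap_or(false), "Connecting");`. Two further points to check in the same hunk: `kex::DH_G14_SHA256` appears twice in the list (once with the `// non-default` comment) — if both lines are on the new side one is a duplicate, and if the commented one was meant to be a different legacy group it should name it; and the explicit `key:` preference list (`ED25519`, `RSA_SHA2_256`, `RSA_SHA2_512`, `SSH_RSA`) from the removed lines is not carried into either branch, so host-key algorithm selection now rests on `Preferred::default()`, which may or may not still offer `ssh-rsa` to the same older devices this option targets — confirm against the russh version in use. The enclosing `RemoteClient` method starts and ends outside this hunk.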


@ -15,24 +15,24 @@ async function create () {
try {
const options: TargetOptions|undefined = {
Ssh: {
kind: 'Ssh',
kind: 'Ssh' as const,
host: '192.168.0.1',
port: 22,
username: 'root',
auth: {
kind: 'PublicKey',
kind: 'PublicKey' as const,
},
} as TargetOptions,
},
Http: {
kind: 'Http',
kind: 'Http' as const,
url: 'http://192.168.0.1',
tls: {
mode: TlsMode.Preferred,
verify: true,
},
} as TargetOptions,
},
MySql: {
kind: 'MySql',
kind: 'MySql' as const,
host: '192.168.0.1',
port: 3306,
tls: {
@ -41,7 +41,7 @@ async function create () {
},
username: 'root',
password: '',
} as TargetOptions,
},
}[type]
if (!options) {
return


@ -175,6 +175,15 @@ async function toggleRole (role: Role) {
</FormGroup>
{/if}
</div>
<div class="d-flex">
<Input
class="mb-0 me-2"
type="switch"
label="Allow insecure SSH algorithms (e.g. for older networks devices)"
checked={target.options.allowInsecureAlgos} />
</div>
{/if}
{#if target.options.kind === 'Http'}
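Review bot: The switch is wired with `checked={target.options.allowInsecureAlgos}`, a one-way binding, so toggling it in the form will not write back to `target.options` unless a change handler outside this hunk does it; the other inputs in this form presumably use `bind:`, in which case this should be `bind:checked={target.options.allowInsecureAlgos}`. The label also has a typo: `label="Allow insecure SSH algorithms (e.g. for older network devices)"`. Because this option enables SHA-1 key exchange for the target, a short helper text under the switch naming what it turns on would let an admin judge the trade-off before enabling it. The `{#if}` block this sits in begins before the hunk.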


@ -1657,6 +1657,9 @@
"username": {
"type": "string"
},
"allow_insecure_algos": {
"type": "boolean"
},
"auth": {
"$ref": "#/components/schemas/SSHTargetAuth"
}