fixed #961 - added option to allow insecure ssh kex (#971)
Eugeny authored Mar 24, 2024
1 parent 21e0008 commit 8896bb3
Showing 5 changed files with 43 additions and 17 deletions.
2 changes: 2 additions & 0 deletions warpgate-common/src/config/target.rs
Expand Up @@ -15,6 +15,8 @@ pub struct TargetSSHOptions {
#[serde(default = "_default_username")]
pub username: String,
#[serde(default)]
pub allow_insecure_algos: Option<bool>,
#[serde(default)]
pub auth: SSHTargetAuth,
}
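Review bot: The new `allow_insecure_algos` field carries no doc comment, yet it is the switch that, per the client/mod.rs change in this same commit, offers legacy SHA-1 Diffie-Hellman key exchange to the target, and that consequence should be visible at the config surface. I would add above the `#[serde(default)]`: `/// Offer legacy SSH key-exchange methods (e.g. diffie-hellman-group1-sha1) to this target. Weakens protection against key-exchange downgrade/MITM; enable only for devices that cannot negotiate modern algorithms.` The `Option<bool>` type also introduces a three-state value whose only visible consumer does `unwrap_or(false)`; a plain `bool` with `#[serde(default)]` would express the same intent and avoid a nullable field in the generated API schema, though that touches the schema as well. The `TargetSSHOptions` struct continues outside the hunk.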

32 changes: 22 additions & 10 deletions warpgate-protocol-ssh/src/client/mod.rs
Expand Up @@ -15,8 +15,8 @@ pub use error::SshClientError;
use futures::pin_mut;
use handler::ClientHandler;
use russh::client::Handle;
use russh::{Preferred, Sig};
use russh_keys::key::{self, PublicKey};
use russh::{kex, Preferred, Sig};
use russh_keys::key::PublicKey;
use tokio::sync::mpsc::{unbounded_channel, UnboundedReceiver, UnboundedSender};
use tokio::sync::{oneshot, Mutex};
use tokio::task::JoinHandle;
Expand Down Expand Up @@ -401,16 +401,28 @@ impl RemoteClient {
};

info!(?address, username = &ssh_options.username[..], "Connecting");
let config = russh::client::Config {
preferred: Preferred {
key: &[
key::ED25519,
key::RSA_SHA2_256,
key::RSA_SHA2_512,
key::SSH_RSA,
let algos = if ssh_options.allow_insecure_algos.unwrap_or(false) {
Preferred {
kex: &[
kex::CURVE25519,
kex::CURVE25519_PRE_RFC_8731,
kex::DH_G16_SHA512,
kex::DH_G14_SHA256, // non-default
kex::DH_G14_SHA256,
kex::DH_G1_SHA1, // non-default
kex::EXTENSION_SUPPORT_AS_CLIENT,
kex::EXTENSION_SUPPORT_AS_SERVER,
kex::EXTENSION_OPENSSH_STRICT_KEX_AS_CLIENT,
kex::EXTENSION_OPENSSH_STRICT_KEX_AS_SERVER,
],
..<_>::default()
},
}
} else {
Preferred::default()
};

let config = russh::client::Config {
preferred: algos,
..Default::default()
};
let config = Arc::new(config);
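Review bot: `kex::DH_G14_SHA256` appears twice in the insecure preference list, once tagged `// non-default` and once untagged, so the tagged entry looks like a typo — by analogy with the `// non-default` tag on `DH_G1_SHA1`, the intended constant was probably `kex::DH_G14_SHA1` (diffie-hellman-group14-sha1), which is the method most legacy network devices actually need, assuming russh exposes it; as written the option only adds group1-sha1 beyond what the untagged entries suggest is the default set. The explicit `key:` preference (ED25519, RSA_SHA2_256/512, SSH_RSA) from the removed code is dropped on both branches in favour of russh's defaults, so host-key algorithm selection now depends on what `Preferred::default()` contains — worth confirming that is intended, since the same legacy devices often offer only `ssh-rsa`. Because enabling this knowingly reintroduces a 1024-bit SHA-1 group, the insecure branch should also be visible in operator logs, e.g. `warn!(?address, "insecure SSH key-exchange algorithms enabled for this target");` next to the existing `info!`, provided `warn!` from the same tracing facade is in scope. The enclosing method continues outside the hunk.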
14 changes: 7 additions & 7 deletions warpgate-web/src/admin/CreateTarget.svelte
Expand Up @@ -15,24 +15,24 @@ async function create () {
try {
const options: TargetOptions|undefined = {
Ssh: {
kind: 'Ssh',
kind: 'Ssh' as const,
host: '192.168.0.1',
port: 22,
username: 'root',
auth: {
kind: 'PublicKey',
kind: 'PublicKey' as const,
},
} as TargetOptions,
},
Http: {
kind: 'Http',
kind: 'Http' as const,
url: 'http://192.168.0.1',
tls: {
mode: TlsMode.Preferred,
verify: true,
},
} as TargetOptions,
},
MySql: {
kind: 'MySql',
kind: 'MySql' as const,
host: '192.168.0.1',
port: 3306,
tls: {
Expand All @@ -41,7 +41,7 @@ async function create () {
},
username: 'root',
password: '',
} as TargetOptions,
},
}[type]
if (!options) {
return
9 changes: 9 additions & 0 deletions warpgate-web/src/admin/Target.svelte
Expand Up @@ -175,6 +175,15 @@ async function toggleRole (role: Role) {
</FormGroup>
{/if}
</div>

<div class="d-flex">
<Input
class="mb-0 me-2"
type="switch"
label="Allow insecure SSH algorithms (e.g. for older networks devices)"
checked={target.options.allowInsecureAlgos} />
</div>

{/if}

{#if target.options.kind === 'Http'}
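Review bot: The new switch only reads the flag — `checked={target.options.allowInsecureAlgos}` is a one-way binding, so toggling it in the UI never writes back into `target.options` and the change will not be saved unless an `on:change` handler elsewhere in the file does that. It should be `bind:checked={target.options.allowInsecureAlgos}`, which is presumably how the other fields in this form are bound. The label also has a typo, `older networks devices` → `older network devices`, and since the flag re-enables SHA-1 Diffie-Hellman key exchange it would help operators to say what "insecure" means in the label or a helper text. The enclosing `{#if}` block starts outside the hunk.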
3 changes: 3 additions & 0 deletions warpgate-web/src/admin/lib/openapi-schema.json
Expand Up @@ -1657,6 +1657,9 @@
"username": {
"type": "string"
},
"allow_insecure_algos": {
"type": "boolean"
},
"auth": {
"$ref": "#/components/schemas/SSHTargetAuth"
}
