warp-tech / warpgate

Smart SSH, HTTPS and MySQL bastion that requires no additional client-side software
Apache License 2.0

Any credential with SSO and public key credentials available for user asks for password in specific circumstances for SSH #972

Open SheaSmith opened 7 months ago

SheaSmith commented 7 months ago

If you have the following conditions:

  1. A user with an SSH public key and SSO configured.
  2. SSH is set to use 'Any credential'
  3. You attempt to login to SSH without the specified public key being installed (and therefore would expect to be prompted for a keyboard interactive login)

Then you will actually be asked for a password, rather than the keyboard interactive flow: image

Warpgate config for the user: image

Happy to provide any relevant logs or config if that helps.

theMackabu commented 6 months ago

https://github.com/warp-tech/warpgate/issues/946#issuecomment-2087785920 comment moved here

Eugeny commented 3 months ago

I haven't been able to reproduce this but I suspect that your client might have a different preferred auth method order than mine. Anyway, the fix makes sure that password auth won't be offered when the user has no password.

SheaSmith commented 3 months ago

Thanks - I'm not seeing the issue with the password any more with the latest update. However, it doesn't seem like I'm prompted with keyboard interactive when I deny public key access (I'm using the 1Password SSH agent, which allows for public key access to be denied) with this config: image

Here are the logs for sftp -v when connecting:

sftp -v -P 2222 -o User=shea:<site name> <host>
OpenSSH_for_Windows_8.6p1, LibreSSL 3.4.3
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to <host> [192.168.1.201] port 2222.
debug1: Connection established.
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_rsa type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_rsa-cert type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_dsa type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_dsa-cert type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_ecdsa type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_ecdsa-cert type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_ecdsa_sk type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_ed25519 type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_ed25519-cert type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_ed25519_sk type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_ed25519_sk-cert type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_xmss type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.6
debug1: Remote protocol version 2.0, remote software version russh_0.44.0
debug1: compat_banner: no match: russh_0.44.0
debug1: Authenticating to <host>:2222 as 'shea:<site name>'
debug1: load_hostkeys: fopen C:\\Users\\SheaSmith/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:xVWOC/rHefNW0i0G9IurVCPc+REGuAcoDmQtyMULzbE
debug1: load_hostkeys: fopen C:\\Users\\SheaSmith/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts2: No such file or directory
debug1: Host '[<host>]:2222' is known and matches the ED25519 host key.
debug1: Found key in C:\\Users\\SheaSmith/.ssh/known_hosts:17
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: Test Key ED25519 SHA256:dEqsKHcXY8v3cQ7Xp8uUg2P20TktUfdQES3m2iJORLI agent
debug1: Will attempt key: <another key> Access ED25519 SHA256:rTqMg0ntdf7sd0jUBty2dEwLT/ILeZjCLNByMi9+qO4 agent
debug1: Will attempt key: <yet another key> ED25519 SHA256:bVkq0AbK8MRrV1kTDM/SwtPp4ed1Y5t3FR4UtCme9bM agent
debug1: Will attempt key: <fourth key> key ED25519 SHA256:S9GgTPUpwbHHNTFARPtY7eSkKzYG5GU57kfpB7LTM/A agent
debug1: Will attempt key: C:\\Users\\SheaSmith/.ssh/id_rsa
debug1: Will attempt key: C:\\Users\\SheaSmith/.ssh/id_dsa
debug1: Will attempt key: C:\\Users\\SheaSmith/.ssh/id_ecdsa
debug1: Will attempt key: C:\\Users\\SheaSmith/.ssh/id_ecdsa_sk
debug1: Will attempt key: C:\\Users\\SheaSmith/.ssh/id_ed25519
debug1: Will attempt key: C:\\Users\\SheaSmith/.ssh/id_ed25519_sk
debug1: Will attempt key: C:\\Users\\SheaSmith/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password,publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: Test Key ED25519 SHA256:dEqsKHcXY8v3cQ7Xp8uUg2P20TktUfdQES3m2iJORLI agent
debug1: Server accepts key: Test Key ED25519 SHA256:dEqsKHcXY8v3cQ7Xp8uUg2P20TktUfdQES3m2iJORLI agent
sign_and_send_pubkey: signing failed for ED25519 "Test Key" from agent: agent refused operation
debug1: Offering public key: <another key> Access ED25519 SHA256:rTqMg0ntdf7sd0jUBty2dEwLT/ILeZjCLNByMi9+qO4 agent
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: <yet another key> ED25519 SHA256:bVkq0AbK8MRrV1kTDM/SwtPp4ed1Y5t3FR4UtCme9bM agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: <fourth key> key ED25519 SHA256:S9GgTPUpwbHHNTFARPtY7eSkKzYG5GU57kfpB7LTM/A agent
debug1: Authentications that can continue: publickey
debug1: Trying private key: C:\\Users\\SheaSmith/.ssh/id_rsa
debug1: Trying private key: C:\\Users\\SheaSmith/.ssh/id_dsa
debug1: Trying private key: C:\\Users\\SheaSmith/.ssh/id_ecdsa
debug1: Trying private key: C:\\Users\\SheaSmith/.ssh/id_ecdsa_sk
debug1: Trying private key: C:\\Users\\SheaSmith/.ssh/id_ed25519
debug1: Trying private key: C:\\Users\\SheaSmith/.ssh/id_ed25519_sk
debug1: Trying private key: C:\\Users\\SheaSmith/.ssh/id_xmss
debug1: No more authentication methods to try.
shea:<site name>@<host>: Permission denied (publickey).

When I change it so that both SSO and public key are required in the config, e.g.: image

I am prompted for the keyboard interactive login after denying the public key access, but it hangs after asking for approval (which I imagine is somewhat expected, since I would've thought that configuration requires both public key and keyboard interactive to login):

sftp -v -P 2222 -o User=shea:<site name> <host>
OpenSSH_for_Windows_8.6p1, LibreSSL 3.4.3
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to <host> [192.168.1.201] port 2222.
debug1: Connection established.
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_rsa type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_rsa-cert type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_dsa type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_dsa-cert type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_ecdsa type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_ecdsa-cert type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_ecdsa_sk type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_ed25519 type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_ed25519-cert type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_ed25519_sk type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_ed25519_sk-cert type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_xmss type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.6
debug1: Remote protocol version 2.0, remote software version russh_0.44.0
debug1: compat_banner: no match: russh_0.44.0
debug1: Authenticating to <host>:2222 as 'shea:<site name>'
debug1: load_hostkeys: fopen C:\\Users\\SheaSmith/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:xVWOC/rHefNW0i0G9IurVCPc+REGuAcoDmQtyMULzbE
debug1: load_hostkeys: fopen C:\\Users\\SheaSmith/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts2: No such file or directory
debug1: Host '[<host>]:2222' is known and matches the ED25519 host key.
debug1: Found key in C:\\Users\\SheaSmith/.ssh/known_hosts:17
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: Test Key ED25519 SHA256:dEqsKHcXY8v3cQ7Xp8uUg2P20TktUfdQES3m2iJORLI agent
debug1: Will attempt key: <another key> ED25519 SHA256:rTqMg0ntdf7sd0jUBty2dEwLT/ILeZjCLNByMi9+qO4 agent
debug1: Will attempt key: <yet another key> ED25519 SHA256:bVkq0AbK8MRrV1kTDM/SwtPp4ed1Y5t3FR4UtCme9bM agent
debug1: Will attempt key: <fourth key> ED25519 SHA256:S9GgTPUpwbHHNTFARPtY7eSkKzYG5GU57kfpB7LTM/A agent
debug1: Will attempt key: C:\\Users\\SheaSmith/.ssh/id_rsa
debug1: Will attempt key: C:\\Users\\SheaSmith/.ssh/id_dsa
debug1: Will attempt key: C:\\Users\\SheaSmith/.ssh/id_ecdsa
debug1: Will attempt key: C:\\Users\\SheaSmith/.ssh/id_ecdsa_sk
debug1: Will attempt key: C:\\Users\\SheaSmith/.ssh/id_ed25519
debug1: Will attempt key: C:\\Users\\SheaSmith/.ssh/id_ed25519_sk
debug1: Will attempt key: C:\\Users\\SheaSmith/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password,publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: Test Key ED25519 SHA256:dEqsKHcXY8v3cQ7Xp8uUg2P20TktUfdQES3m2iJORLI agent
debug1: Server accepts key: Test Key ED25519 SHA256:dEqsKHcXY8v3cQ7Xp8uUg2P20TktUfdQES3m2iJORLI agent
sign_and_send_pubkey: signing failed for ED25519 "Test Key" from agent: agent refused operation
debug1: Offering public key: <another key> ED25519 SHA256:rTqMg0ntdf7sd0jUBty2dEwLT/ILeZjCLNByMi9+qO4 agent
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: <yet another key> ED25519 SHA256:bVkq0AbK8MRrV1kTDM/SwtPp4ed1Y5t3FR4UtCme9bM agent
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Offering public key: <fourth key> ED25519 SHA256:S9GgTPUpwbHHNTFARPtY7eSkKzYG5GU57kfpB7LTM/A agent
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: C:\\Users\\SheaSmith/.ssh/id_rsa
debug1: Trying private key: C:\\Users\\SheaSmith/.ssh/id_dsa
debug1: Trying private key: C:\\Users\\SheaSmith/.ssh/id_ecdsa
debug1: Trying private key: C:\\Users\\SheaSmith/.ssh/id_ecdsa_sk
debug1: Trying private key: C:\\Users\\SheaSmith/.ssh/id_ed25519
debug1: Trying private key: C:\\Users\\SheaSmith/.ssh/id_ed25519_sk
debug1: Trying private key: C:\\Users\\SheaSmith/.ssh/id_xmss
debug1: Next authentication method: keyboard-interactive
Warpgate authentication
-----------------------------------------------------------------------
Warpgate authentication: please open the following URL in your browser:
https://<host>/@warpgate#/login/b0bc6009-6e90-49cf-a7b8-f58c41b40c6e

Make sure you're seeing this security key: 1 E 8 B
-----------------------------------------------------------------------

(shea:<site name>@<host>) Press Enter when done:
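The two logs above differ in what the server answers once the agent refuses to sign: under 'Any credential' keyboard-interactive disappears from the "Authentications that can continue" list, while with both credentials required it stays and is eventually tried. The following is an added example (not Warpgate's or OpenSSH's code): a small Python helper that extracts that negotiation from `ssh -v`/`sftp -v` output so the two behaviours can be compared without reading the full log; the two inputs are constructed abridgements of the logs quoted in this issue.

```python
import re

# Constructed abridgement of the first log above ('Any credential' config).
LOG_ANY_CREDENTIAL = """\
debug1: Authentications that can continue: password,publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Server accepts key: Test Key ED25519 SHA256:<fp> agent
sign_and_send_pubkey: signing failed for ED25519 "Test Key" from agent: agent refused operation
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
shea:<site name>@<host>: Permission denied (publickey).
"""

# Constructed abridgement of the second log above (SSO and public key both required).
LOG_REQUIRE_BOTH = """\
debug1: Authentications that can continue: password,publickey,keyboard-interactive
debug1: Next authentication method: publickey
sign_and_send_pubkey: signing failed for ED25519 "Test Key" from agent: agent refused operation
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Warpgate authentication: please open the following URL in your browser:
"""

CONTINUE_RE = re.compile(r"Authentications that can continue: (\S+)")
METHOD_RE = re.compile(r"Next authentication method: (\S+)")
DENIED_RE = re.compile(r"Permission denied \((\S+)\)")


def analyse_auth_log(text):
    """Summarise the server-side method negotiation seen in verbose OpenSSH client output."""
    offers, methods_tried, agent_refused, denied = [], [], False, None
    for line in text.splitlines():
        if m := CONTINUE_RE.search(line):      # server's current set of allowed methods
            offers.append(set(m.group(1).split(",")))
        elif m := METHOD_RE.search(line):      # client switches to a new method
            methods_tried.append(m.group(1))
        elif "agent refused operation" in line:  # e.g. 1Password agent denying the signature
            agent_refused = True
        elif m := DENIED_RE.search(line):
            denied = m.group(1)
    initial = offers[0] if offers else set()
    after_failure = offers[-1] if len(offers) > 1 else initial
    return {
        "initial_methods": sorted(initial),
        "dropped_after_failure": sorted(initial - after_failure),
        "agent_refused": agent_refused,
        "reached_keyboard_interactive": "keyboard-interactive" in methods_tried,
        "denied": denied,
    }
```

Run it over a full `sftp -v` capture to see at a glance whether keyboard-interactive survives the first failed public key, which is the behaviour this issue is about.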

theMackabu commented 2 months ago

@SheaSmith same issue, able to reproduce

amapi commented 2 months ago

@SheaSmith same issue, able to reproduce