
Tickets #857

Closed
netwaze opened this issue Aug 4, 2023 · 15 comments

netwaze commented Aug 4, 2023

Hello,
I don't understand how the ticket system works, because when I create one with my user I get this message:

netwaze@MacBook-Pro ~ % ssh 'ticket-926a9522cdc85c7013410d27d957cd7b9f3025a266940ff454414e708ceac819@domain name' -p 2222
ticket-926a9522cdc85c7013410d27d957cd7b9f3025a266940ff454414e708ceac819@domain name's password:
ticket-926a9522cdc85c7013410d27d957cd7b9f3025a266940ff454414e708ceac819@domain name: Permission denied (publickey,keyboard-interactive).

Of course I've put the RSA key in my authorized_keys file and I've entered my user's password. Is there anything else I need to do for this to work?

Thank you for your answer 🙂

Eugeny (Member) commented Aug 4, 2023

Could you please add -v to your SSH command and post its log? With a ticket, no further authentication should be needed.

netwaze (Author) commented Aug 4, 2023

netwaze@MacBook-Pro ~ % ssh -v 'ticket-ba15125edd0581e29121ca6d322a402456f1c2491dbb819265d40e6c4ab185d8@domain name' -p 2222
OpenSSH_9.0p1, LibreSSL 3.3.6
debug1: Reading configuration data /Users/netwaze/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to domain name port 2222.
debug1: Connection established.
debug1: identity file /Users/netwaze/.ssh/id_rsa type -1
debug1: identity file /Users/netwaze/.ssh/id_rsa-cert type -1
debug1: identity file /Users/netwaze/.ssh/id_ecdsa type -1
debug1: identity file /Users/netwaze/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/netwaze/.ssh/id_ecdsa_sk type -1
debug1: identity file /Users/netwaze/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /Users/netwaze/.ssh/id_ed25519 type -1
debug1: identity file /Users/netwaze/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/netwaze/.ssh/id_ed25519_sk type -1
debug1: identity file /Users/netwaze/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /Users/netwaze/.ssh/id_xmss type -1
debug1: identity file /Users/netwaze/.ssh/id_xmss-cert type -1
debug1: identity file /Users/netwaze/.ssh/id_dsa type -1
debug1: identity file /Users/netwaze/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: Remote protocol version 2.0, remote software version russh_0.37.1
debug1: compat_banner: no match: russh_0.37.1
debug1: Authenticating to domain name:2222 as 'ticket-ba15125edd0581e29121ca6d322a402456f1c2491dbb819265d40e6c4ab185d8'
debug1: load_hostkeys: fopen /Users/netwaze/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:YJP5scLfpw0SDp7d9qjOAhoEEyxd1itgmC5ofKWWGaA
debug1: load_hostkeys: fopen /Users/netwaze/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '[domain name]:2222' is known and matches the ED25519 host key.
debug1: Found key in /Users/netwaze/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities
debug1: Will attempt key: /Users/netwaze/.ssh/id_rsa
debug1: Will attempt key: /Users/netwaze/.ssh/id_ecdsa
debug1: Will attempt key: /Users/netwaze/.ssh/id_ecdsa_sk
debug1: Will attempt key: /Users/netwaze/.ssh/id_ed25519
debug1: Will attempt key: /Users/netwaze/.ssh/id_ed25519_sk
debug1: Will attempt key: /Users/netwaze/.ssh/id_xmss
debug1: Will attempt key: /Users/netwaze/.ssh/id_dsa
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-rsa,ssh-ed25519,rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password,publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/netwaze/.ssh/id_rsa
debug1: Trying private key: /Users/netwaze/.ssh/id_ecdsa
debug1: Trying private key: /Users/netwaze/.ssh/id_ecdsa_sk
debug1: Trying private key: /Users/netwaze/.ssh/id_ed25519
debug1: Trying private key: /Users/netwaze/.ssh/id_ed25519_sk
debug1: Trying private key: /Users/netwaze/.ssh/id_xmss
debug1: Trying private key: /Users/netwaze/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: password,publickey,keyboard-interactive
debug1: Next authentication method: password
ticket-ba15125edd0581e29121ca6d322a402456f1c2491dbb819265d40e6c4ab185d8@domain name's password:
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.
ticket-ba15125edd0581e29121ca6d322a402456f1c2491dbb819265d40e6c4ab185d8@domain name: Permission denied (publickey,keyboard-interactive).
netwaze@MacBook-Pro-de-Kiu ~ %

netwaze (Author) commented Aug 4, 2023

log.txt (attachment)
Easier to read in a txt file, I think 🙂

Eugeny (Member) commented Aug 4, 2023

That looks fine actually. Are you sure the ticket still exists on the Tickets admin page? Do tickets work for other targets, e.g. HTTP?

Also try running Warpgate with RUST_LOG=debug and grab the log after a failed ticket auth.

Eugeny added the type/bug label Aug 4, 2023

netwaze (Author) commented Aug 4, 2023

Yes, the ticket is still there, as shown in the screenshot. Here are the logs with the connection.
[screenshot: the ticket listed on the Tickets admin page]
log.txt (attachment)

netwaze (Author) commented Aug 4, 2023

I've just tested with an HTTP ticket and I get the same thing: it asks for my login and password, but once I'm in I can't access the resource.

ntimo commented Aug 4, 2023

I also just tried to use a ticket for SSH, and then get prompted for an SSH login via password. So it seems like tickets are really not working. I am on 0.7.3.

Steps to recreate:

  • create ticket on admin panel for user / target
  • copy the ssh command
  • paste it into a terminal
  • get password prompt

I also verified that the ticket is listed on the web UI.

Eugeny (Member) commented Aug 6, 2023

Interesting: the log says "Ticket has expired", but currently there's no way to create an expirable ticket through the UI, even though the database field is there. By default, tickets created through the UI never expire.

Could you please check the contents of the tickets table in warpgate's .sqlite database that's in /var/lib/warpgate?

ntimo commented Aug 6, 2023

@Eugeny
The expiry field in the table is set to the date when the ticket was created (at least in my MariaDB):
[screenshot: rows of the tickets table, expiry equal to the creation time]

queried using: select * from tickets;

Eugeny (Member) commented Aug 6, 2023

Ohh, this could be related to sea-orm not specifying NULL as the field default for providers other than SQLite. I'll look into it.

Eugeny (Member) commented Aug 8, 2023

It was actually due to older MySQL defaulting TIMESTAMP columns to "not null": https://dev.mysql.com/doc/refman/8.0/en/timestamp-initialization.html. Fix incoming.

Eugeny (Member) commented Aug 8, 2023

Fixed for new MySQL installations, but existing ones would need to be manually fixed with:

ALTER TABLE tickets MODIFY COLUMN expiry TIMESTAMP NULL DEFAULT NULL;
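The following is an added walkthrough of the failure mode and the repair on an existing MySQL/MariaDB database; it is not Warpgate's own migration code. It assumes only the `tickets` table and `expiry` column named in this thread, and it assumes, as the maintainer states above, that no ticket in the table was given a deliberate expiry (the UI could not set one at the time). Under MySQL's legacy rules (`explicit_defaults_for_timestamp = OFF`, the default before MySQL 8.0.2 and in older MariaDB), a `TIMESTAMP` column declared without an explicit `NULL` becomes `NOT NULL`, the first such column gets `DEFAULT CURRENT_TIMESTAMP`, and inserting `NULL` into it stores the current time. That is exactly how a "never expires" ticket ends up with `expiry` equal to its creation time and is rejected as expired on first use.

```sql
-- Added example, not Warpgate's migration. Assumes the `tickets` table and
-- `expiry` column from this issue; nothing else about the schema is assumed.

-- 1. Is the server applying the legacy TIMESTAMP rules? 0 means yes.
SELECT @@explicit_defaults_for_timestamp;

-- 2. How did the server actually store the column? On an affected install
--    IS_NULLABLE is 'NO' and COLUMN_DEFAULT is CURRENT_TIMESTAMP, so every
--    insert that omitted or NULLed expiry was stamped with the insert time.
SELECT COLUMN_NAME, IS_NULLABLE, COLUMN_DEFAULT, EXTRA
  FROM information_schema.COLUMNS
 WHERE TABLE_SCHEMA = DATABASE()
   AND TABLE_NAME   = 'tickets'
   AND COLUMN_NAME  = 'expiry';

-- 3. Which tickets are already "expired" because of that stamping?
SELECT * FROM tickets WHERE expiry <= NOW();

-- 4. The maintainer's repair: make the column nullable with a NULL default,
--    so future inserts that omit expiry store NULL (never expires).
ALTER TABLE tickets MODIFY COLUMN expiry TIMESTAMP NULL DEFAULT NULL;

-- 5. The ALTER does not rewrite rows that were already stamped. Clear them.
--    Assumption: no ticket was given an intentional expiry (not possible via
--    the UI at the time of this thread); otherwise add a WHERE on those rows.
UPDATE tickets SET expiry = NULL WHERE expiry IS NOT NULL;

-- 6. Verify: no ticket should now be in the past.
SELECT COUNT(*) AS still_expired
  FROM tickets
 WHERE expiry IS NOT NULL AND expiry <= NOW();
```

Run steps 1 to 3 before touching anything; if step 2 already shows `IS_NULLABLE = 'YES'` and a `NULL` default, the schema is not the cause and the "Ticket has expired" log line needs a different explanation. SQLite does not apply these rules, which is why the bug only showed up on MySQL-family backends.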

ntimo commented Aug 8, 2023

@Eugeny after running the SQL statement the tickets work, but they are not removed after a single use. Is that correct behavior?
[screenshot: the used ticket still listed in the admin UI]

Eugeny (Member) commented Aug 8, 2023

Yes, the tickets are designed to work until removed from the UI. I'm planning to add UI support for expiry and use limits in the future.

netwaze (Author) commented Aug 10, 2023

Thank you, this works!! 😃
