Skip to content

Releases: warp-tech/warpgate


04 Mar 15:51
Choose a tag to compare


  • 306138f: reenabled HTTP/2 support as client (both for HTTP targets and OIDC)


26 Feb 10:04
Choose a tag to compare


  • ee05440: pasting a public key will automatically fill out the label field now if the key has a comment



19 Feb 21:03
Choose a tag to compare



  • 2e75b28: fixed #1261 - reenable accidentally disabled Postgres TLS support


18 Feb 22:56
Choose a tag to compare



  • 40e49a2: Fixed SSO not respecting the OS' trusted TLS CAs (Thibaud Lepretre) #1233
  • 2abe104: fixed #1234 - rustls panic in tokio-tungstenite
  • 2cdf8ba: bump vulnerable deps (#1241) #1241
  • 8d53f7b: bumped russh for the mlock() fix
  • 7e15422: fixed #1258 - hide the version info until logged in (Eugene)
  • 6ade841: correctly bind to both ipv4 and ipv6 when [::] is set as listen endpoint (#1193)
  • create and canonicalize relative data_path (#1180) (willow)
  • e89bc03: fixed #1218 - make target search case insensitive
  • b665ca1: fixed #1197 - ticket creation on non-sqlite databases


18 Feb 11:14
Choose a tag to compare
v0.13.0-beta.2 Pre-release




02 Feb 21:30
Choose a tag to compare
v0.13.0-beta.1 Pre-release


  • 409b382: UI facelift (#1175)
  • 010534a: added support for user API tokens and an API playground (#1191)
  • 1dec4c9: added a title field for public keys (#1171) (Mohammad Al Shakoush)
  • 59884fb: added "last used" and "date created" fields for public keys (#1182) (Mohammad Al Shakoush)
  • d51d882: fixed #1189 - updated default config to listen on IPv6 as well


  • 6ade841: correctly bind to both ipv4 and ipv6 when [::] is set as listen endpoint (#1193)
  • create and canonicalize relative data_path (#1180) (willow)
  • e89bc03: fixed #1218 - make target search case insensitive
  • b665ca1: fixed #1197 - ticket creation on non-sqlite databases


12 Dec 23:17
Choose a tag to compare


  • Self-service credentials management (#1145) - you can now allow users to manage their own credentials. Enable it in Config -> Misc -> Global parameters.
  • Multiple return domains for SSO, prefer host header over external_host (dbf96a8 / #1093) - Warpgate now users the Host header to resolve its own external URL and only falls back to the external_host from the config file if the header is missing. If you're running behind a reverse proxy, make sure that http.trust_x_forwarded_headers is set in the config and you're passing the X-Forwarded-Host header. SSO logins will also dynamically construct their return URL from the Host header. You can restrict the allowed return domains with the new sso_providers[].return_domain_whitelist option (a list of hostnames).
  • Passing user-identifying headers to HTTP targets (cc0b054 / #1107) - Warpgate now passes x-warpgate-username and x-warpgate-authentication-type headers to HTTP targets.
  • --enable-admin-token option (9dd1c58) - setting it allows passing a global admin token via the WARPGATE_ADMIN_TOKEN env variable. This token can be used to authenticate against the admin REST API (pass it in the x-warpgate-token header).

Other changes


  • 846e6d1: fixed #1110 - Fix switch for insecure ssh algorithms option (#1111) (hashfunc)
  • 38dbb3b: fixed #1096 - SEC1 EC private key file support for TLS
  • 80ee6cc: fixed #1074 - strip trailing slash in SSO issuer URLs and log errors properly
  • 8acaaee: show more detailed error messages for API errors
  • 3b29a3e: fixed #929 - sso: broken additional_trusted_audiences config option
  • 557921f: postgres listener was incorrectly using the mysql certificate & key
  • 41d3158: fixed #1039 - first DB migration failing on Postgres
  • 64d7194: fixed #1150 - send the ssh-rsa client key when insecure algorithms are enabled


07 Dec 22:54
Choose a tag to compare
v0.12.0-beta.1 Pre-release


  • Self-service credentials management (#1145) - you can now allow users to manage their own credentials. Enable it in Config -> Misc -> Global parameters.
  • Multiple return domains for SSO, prefer host header over external_host (dbf96a8 / #1093) - Warpgate now users the Host header to resolve its own external URL and only falls back to the external_host from the config file if the header is missing. If you're running behind a reverse proxy, make sure that http.trust_x_forwarded_headers is set in the config and you're passing the X-Forwarded-Host header. SSO logins will also dynamically construct their return URL from the Host header. You can restrict the allowed return domains with the new sso_providers[].return_domain_whitelist option (a list of hostnames).
  • Passing user-identifying headers to HTTP targets (cc0b054 / #1107) - Warpgate now passes x-warpgate-username and x-warpgate-authentication-type headers to HTTP targets.
  • --enable-admin-token option (9dd1c58) - setting it allows passing a global admin token via the WARPGATE_ADMIN_TOKEN env variable. This token can be used to authenticate against the admin REST API (pass it in the x-warpgate-token header).

Other changes


  • 846e6d1: fixed #1110 - Fix switch for insecure ssh algorithms option (#1111) (hashfunc)
  • 38dbb3b: fixed #1096 - SEC1 EC private key file support for TLS
  • 80ee6cc: fixed #1074 - strip trailing slash in SSO issuer URLs and log errors properly
  • 8acaaee: show more detailed error messages for API errors
  • 3b29a3e: fixed #929 - sso: broken additional_trusted_audiences config option
  • 557921f: postgres listener was incorrectly using the mysql certificate & key
  • 41d3158: fixed #1039 - first DB migration failing on Postgres


09 Oct 08:03
Choose a tag to compare

⚠️ This is the last release that supports loading targets, users and roles from the config file. Upgrade to this version before installing v0.12 if you haven't migrated yet!


v0.11 adds experimental PostgreSQL target support.

Enable the PostgreSQL protocol in your config file (default: /etc/warpgate.yaml) if you didn't do so during the initial setup:

+ postgres:
+   enable: true
+   certificate: /var/lib/warpgate/tls.certificate.pem
+   key: /var/lib/warpgate/tls.key.pem

You can reuse the same certificate and key that are used for the HTTP listener.

See [](Adding a PostgreSQL target) for more details.



  • 116bf9f: fixed SSO authentication getting incorrectly rejected when user has both an "any provider" and a provider specific SSO credential
  • 1f597a8: fixed #1053 - prevent repeated consumption of the ticket uses within the same SSH session
  • 38bdbad: fixed #1077 - handle non-standard PKCS8 EC private key PEMs
  • 7e49f13: #1056 - auto-strip .well-known/openid-configuration from OIDC URLs
  • 9e3760e: fixed #1082 - terminal replay crashing when the session is finished


14 Aug 21:11
Choose a tag to compare

Security fixes

CVE-2024-43410 - SSH OOM DoS through malicious packet length

It was possible for an attacker to cause Warpgate to allocate an arbitrary amount of memory by sending a packet with a malformed length field, potentially causing the service to get killed due to excessive RAM usage.

Other fIxes

  • c328127: fixed #941 - unnecessary port number showing up in external URLs