Auto create users when first login via SSH and SSO provider
Hi there,
I would like to know if it was possible (I guess it is?) to auto create users when first connecting via SSH.
Right now, the users first need to log in to https://warpgate.whatever.com with the SSO button, and only then, they are able to launch ssh with the target. It would be a great addition for users just to have to do the ssh command and Warpgate handles creating the user first if it doesn't exist. Right now, the feature "auto_create_users" only works when logging in through the HTTP web interface first, it would be nice if it was for all protocols at first login!
It is truly an amazing project, keep it like this!!
Cheers,
How would that work?
Well, it could be just auto create the user on first login, whichever the way: could be either directly going to the UI, or when doing "ssh warpgate" and being redirected to log in. From what I saw, if you do not "pre-create" the user by telling him to first go to the Warpgate UI, the SSH login just doesn't work, as the user seems to not be auto-created.
Dunno if this is clear enough though, apologies if it is not.
The point is, you wouldn't be able to log in anywhere over ssh because the user doesn't exist yet and hence has no roles.
We can't match them against SSO either because OIDC claims are only available when actually logging in via the browser.
Yeah no, I mean:
- take a user that does not yet exist on the Warpgate instance, that has to log in through SSO
- launch the command "ssh myuser:target warpgate", which prints out a link to warpgate to authorize the session
- click the link, which takes you to the login page of Warpgate, log in through your SSO provider
- the redirect takes place, but you land on the warpgate login page saying "the user does not exist"
However, if you just:
- force the user to access the webpage of Warpgate, make him log in
- and only THEN tell him to "ssh myuser:target warpgate"
- this works fine
Depending on your environment, might be worth considering https://kanidm.com/ which does handle local user creation for ssh auth.
Yep, but I'm already using Authentik as an IdP, and would like to keep it instead of using another solution. Although it provides a way to do SSH in the browser directly, it does not (yet?) provide the ability to log in with a native OpenSSH cmdline.
Cheers,