-
Notifications
You must be signed in to change notification settings - Fork 767
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for GSSAPIAuthentication and GSSAPIDelegateCredentials via SSPI #1295
Comments
Adding GSSAPI authentication and delegation to sshd involves
Microsoft's SSPI is essentially a clone of GSSAPI, even the function names are rather similar, e.g. gss_accept_sec_context in GSSAPI becomes AcceptSecurityContext in SSPI, etc. It looks like this should really be little more than like-for-like API call translation. Related reading: |
In order to perform GSSAPI authentication (and delegation) on Windows via the SSPI authentication functions, the ssh client will have to call InitializeSecurityContext() and the sshd server will have to call AcceptSecurityContext() and both have to pass the resulting GSSAPI tokens across the SSH2 protocol (as per RFC 4462) to the respective other side, and repeat this exchange of tokens to and fro until these SSPI calls return SEC_E_OK to report that the security context was successfully initialized. |
Just an update. Yesterday I created a skeleton of what could be a minimalist, OpenSSH-focused SSPI Kerberos GSSAPI implementation. This would be a downsized gssapi.h and corresponding gssapi.c that would be statically compiled. Only a few OpenSSH source code changes would be required other than GSSAPI being defined. Assuming I don't hit any fundamental roadblocks, probably a few weeks out for an alpha version. |
Another update. I have a working prototype for both the client and server. There is still quite a bit of testing and cleanup to do. Delegation will work provided that the computer account of the server is setup to allow it in Active Directory (using unconstrained, constrained, or resource-based delegation techniques). Unfortunately if the server is running Credential Guard, unconstrained delegation no longer works. It'll probably be a week before I'll be ready for any one to test. |
I would not be surprised if another prerequisite for delegation to work is to understand and fix #996 first. |
@mgkuhn I'm not sure supporting kerb delegation will get 996 to start working. The issue with that one is due to the logon session type used with the initial logon and not the delegation of credentials. |
@NoMoreFood, recommend posting binaries (as a release in your fork ?) so we can get your work tested out and validated. I wont be able to get to reviewing your changes until next year, have my plate full until then. |
@manojampalam I'll post a binary release in my fork shortly. As of right now, it only supports Kerberos. That's pretty much industry standard for SSH servers/clients. Use of NTLM deprecated and somewhat taboo these days. |
@NoMoreFood I personally think you do the world a service by not adding NTLM support to a new product in 2018. NTLM support would just create additional worries that using OpenSSH with GSSAPI might pass on an NTLM hash by accident, and therefore expose a user password to dictionary and pass-the-hash attacks. Adding NTLM support to OpenSSH could well reduce security in practice. |
@manojampalam Test binaries are here: https://github.com/NoMoreFood/openssh-portable/releases/tag/v7.9-sspi |
Lots of thanks to @NoMoreFood for the pull request and to @manojampalam for merging it! This very happy user is delighted to report that the requested Kerberos authentication+delegation functionality works fine in both |
Thanks @NoMoreFood for yet another phenomenol contribution. I didn't expect this to materialize anytime soon. |
This is fantastic! I've been working with my support channels to get this worked via Microsoft, I just tested this as well successfully! I hope this can get pushed upstream and officially released soon. Going to point my contacts in MS to this thread to hopefully help it along! tested on Windows 10.0.17134.471 |
Further to my comment above (that NTLM authentication is generally pretty dangerous and therefore best left out of SSH), I just noticed that section 7.3 in RFC 4462 specifically forbids the use of SPNEGO over SSH GSSAPI. This is because SSH has already a method negotiation mechanism, and running a second negotiation inside GSSAPI could subvert the preference order of mechanisms and lead to interoperability problems. |
In and beyond the comments below, I’ve never seen any implementation abroad
where the clients using ssh-gssapi from windows to Linux doesn’t also want
to realistically remove any NTLM based with as well, it’s just harder in
pure windows environments to accomplish this. Even if there was not an RFC
forbidding it, this is an epic Dr. Malcolm moment. “Your scientists were so
preoccupied with whether or not they could that they didn’t stop to think
of they should.”
…On Fri, Mar 8, 2019 at 8:28 AM Markus Kuhn ***@***.***> wrote:
Otherwise, I'm wondering if your changes are specific to supporting
Kerberos or can they also do SPNEGO (that can also do NTLM if needed)?
Further to my comment above (that NTLM authentication is generally pretty
dangerous and therefore best left out of SSH), I just noticed that section
7.3 in RFC 4462 <https://www.ietf.org/rfc/rfc4462.txt> specifically
*forbids* the use of SPNEGO over SSH GSSAPI. This is because SSH has
already a method negotiation mechanism, and running a second negotiation
inside GSSAPI could subvert the preference order of mechanisms and lead to
interoperability problems.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#1295 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AImRjTVa4r4Evye66jI8x2bley5YG18qks5vUnObgaJpZM4Ys0pg>
.
|
It's not practical to use Windows AD tickets. It will only work if your Domain controller is the same that you are using with your Unix servers and you always need to login to AD. You may need to add MIT Kerberos. |
@maxadamo Actually, it is perfectly feasible to use Windows AD tickets from Windows 10 computers that are not joined to any Active Directory domain, both for GSSAPI-authenticated SMB and OpenSSH for Windows access. I've just tried it successfully. Before you can authenticate as user
(This is Windows' kind-of GUI equivalent of the This tells the SSPI implementation of your OS which username and password to use when using Kerberos to authenticate to Then open a This possibility probably should be be better documented. Microsoft's documentation mostly focuses on PCs that are domain joined when it comes to using Kerberos authentication. |
Interesting I always assumed that only did NTLM auth for those scenarios, the fact that it can still use Kerberos when it hasn't explicitly trusted that realm is surprising to me. Will have to play with that a bit more. Thanks for the info!. |
@mgkuhn really appreciated! Thanks. I had no clue how to set this up until now. However, it would be slightly different from the way I am using MIT Kerberos on my laptop (either Linux or Windows, it won't change much). I have one file (krb5.conf) where I map a REALM domain to a bunch of Active Directory servers (it could be MIT Kerberos servers but I have Windows AD servers) and I obtain a ticket against this REALM: EXAMPLE.COM and not SERVER.EXAMPLE.COM This is what happens if I use MIT Kerberos on Linux and Windows and I guess it might be the same if I log in to AD (but I have never tried). |
@maxadamo Windows appears to be by default far more cautious about engaging with unknown KDCs than MIT Kerberos or Heimdal are. I don't know for sure the reason behind this, but my suspicion is that this may be due to concerns that SMB UNCs, such as For an unconfigured client machine to be able to allow the user to perform Kerberos/GSSAPI authentication when logging in as
On macOS and Linux, this "just works" if you type
because:
Windows is also able to find KDCs via DNS this way, but (if that KDC is not already your domain controller) you need to explicitly configure the client to permit it to contact them. One way to do that is via “Credential Manager” or Another route, to enable Kerberos authentication for an entire remote realm, might be via the |
Yes, it's correct what you're saying about SRV record, SPN, and so on. ~> I could try to experiment with p.s.: Windows 10 + Putty + GSSAPI + MIT Kerberos, will work the same way as Linux/Mac. |
Further to what I wrote above, I have since learnt that both the Credential Manager configuration menu and the
and that will enable Kerberos-authenticated communication (both SMB and That makes However, I believe they don't do exactly the same thing:
So giving your password to |
While cmdkey doesn’t expose the functionality I’m fairly certain it is possible to store a credential that persists just for the current logon session rather than all the time. The underlying Win32 api CredWrite takes in a Credential and one of the |
@jborean93 Thanks for the link to the I think I also think Microsoft ought to provide an implementation of |
There sort of is one, klist. It’s not the same |
Who is looking after cmdkey and Credential Manager these days? Do they have a GitHub project where one can file issues? (suggestion filed at uservoice.com) |
GSSAPIAuthentication was added with *OpenSSH for Windows 8.1* which came in “2021-05 Cumulative Update for Windows 10” (KB5003173), which is available for Windows 10 Version 20H1 or newer. Source: PowerShell/Win32-OpenSSH#1693 GSSAPIAuthentication only supports Kerberos (i.e., not SPNEGO or NTLM authentication), so it is useful to mention Kerberos explicitly here. Source: PowerShell/Win32-OpenSSH#1295
Although GSSAPI authentication support was excluded from the initial scope of the project, this remains a highly desireable feature. In domain-managed "enterprise" environments, where both clients and servers usually have already been issued cryptographic keys via Active Directory's Kerberos implementation, GSSAPI would enable secure password-free ssh logins without any need to manage public-key credentials for openssh.
A particular priority would be support of GSSAPI authentication and ticket delegation in the sshd server. This is because client-side GSSAPI support exists already in two other forms:
However there is currently no freely available sshd server that can receive a delegated ticket and provide it to the logon session such that the user can then use it on the server to access there other Kerberos-authenticated resources, such as shares on a file server. MIT's Kerberos for Windows maintains its own ticket cache separate from those used by the Windows Local Security Authority (LSA). Therefore sshd will have to use Microsoft's SSPI interface in order to ensure that a password-free GSSAPI-authenticated login with ticket delegation will give via the LSA logon session access to all Kerberos-authenticated resources on the server.
The text was updated successfully, but these errors were encountered: