-
Notifications
You must be signed in to change notification settings - Fork 771
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for Credential Guard #2214
Comments
AFAIK the limitation is with credential guard itself and is not something that ssh can override. |
I'm not skilled enough but why do SSH need the TGT? shouldn't it be enough to request a ordinary key? |
To request the key it needs to know the user's secret (it's password). An SSH private key is not related at all to the user's password so there's nothing to do. Kerberos delegation can get around this problem but it's specific to the Kerberos protocol and dependent on the ticket the user provides during authentication so SSH key auth can't really re-use it (without really opening up some holes like delegation with protocol transition). |
Thanks. I made a typo and meant ticket and not key, sorry about that |
Isn't the whole point of Credential Guard to prevent anyone from moving (stealing, passing) tickets elsewhere? And isn't the whole point of unconstrained delegation to move (forward, delegate) one's ticket elsewhere? So aren't these two simply exactly opposing functional requirements, and if Kerberos ticket forwarding does not work with Credential Guard enabled, then doesn't that simply mean that Credential Guard works exactly as designed and does its job correctly? |
It might be useful to extend Credential Guard to provide more fine-grained control over what kinds of credentials it covers or does not cover. For example, a “Windows credential” stored in Credential Manager (e.g. with Alternative: What I really miss in Windows is an equivalent of the (But all of that is really outside this OpenSSH port.) |
Yes, again I'm not familiar with how Credential Guard works in details, but having fine-grained control would certainly help. Now, having said that, Credential Guard should be able to do TGS requests without taking the TGT out of the sandbox which is the whole point. With SSPI, technically you're trying to delegate a forwarded TGT (which could be constrained to some addresses and checked against |
Summary of the new feature / enhancement
Would it be possible to support SSPI unconstrained delegation with Credential Guard enabled?
Our users currently need to turn off Credential Guard in order to delegate their ticket which is far from ideal.
When Credential Guard is enabled ssh won't perform delegation (
sspi delegation was requested but not fulfilled
), see#1606
#1295
This limitation is documented here: https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/considerations-known-issues#kerberos-considerations
I'm not very familiar with Credential Guard, but technically the initial TGT could stay in the vault. SSH only has to produce and send the forwarded TGT.
Proposed technical implementation details (optional)
No response
The text was updated successfully, but these errors were encountered: