Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

DefaultCredentials: add KerberosCredential. #196

Merged
merged 1 commit into from
Jun 24, 2024

Conversation

tmds
Copy link
Owner

@tmds tmds commented Jun 24, 2024

@jborean93 ptal.

@tmds
Copy link
Owner Author

tmds commented Jun 24, 2024

@jborean93 I assume it makes sense to include this in the DefaultCredentials?

@jborean93
Copy link
Contributor

I personally think so, my only concern is I missed a spot where an exception could be thrown. While I think we covered them I cannot say for sure I did. One other point to consider is that OpenSSH doesn't include it by default, you either need to specify -k or add it in your ssh config file.

@tmds
Copy link
Owner Author

tmds commented Jun 24, 2024

I'm not worried a potential exception. If it's there, we'll fix it.

Might there some information we're leaking to the remote SSH server about the user, like its Kerberos username?

@jborean93
Copy link
Contributor

Might there some information we're leaking to the remote SSH server about the user, like its Kerberos username?

Certainly if there is a cached credential you could be leaking the username but the sensitive information are all part of the encrypted value that only the intended target would be able to decrypt.

@tmds
Copy link
Owner Author

tmds commented Jun 24, 2024

only the intended target would be able to decrypt.

Paraphrasing to see if I understand correctly: if the target isn't part of the "domain", it won't be able to decrypt the username (or might even never see the username)?

@tmds
Copy link
Owner Author

tmds commented Jun 24, 2024

Paraphrasing to see if I understand correctly: if the target isn't part of the "domain", it won't be able to decrypt the username (or might even never see the username)?

To answer this question, from the Wikipedia Kerberos page: Client-to-server ticket, encrypted using service's Secret key.

@jborean93 thanks for chiming in! I'm going to include this.

@tmds tmds merged commit 933a014 into main Jun 24, 2024
2 checks passed
@jborean93
Copy link
Contributor

Paraphrasing to see if I understand correctly: if the target isn't part of the "domain", it won't be able to decrypt the username (or might even never see the username)?

Just to add further information the ticket won’t even be generated if the target server isn’t valid/present in the KDC database.

@tmds
Copy link
Owner Author

tmds commented Jun 25, 2024

@jborean93 do the methods we call on the NegotiateAuthentication cause network packets to be exchanged with the Kerberos servers? If so, we should probably do some work to make these methods run asynchronously in order to respect the CancellationToken?

@jborean93
Copy link
Contributor

Retrieving the service ticket does a call to the KDC in the backend to the call to get the outgoing blob may block. As this happens in the underlying C library I don't believe .NET exposes an async API for this. I believe it would need to run in Task.Run to support async. The other calls to NegotiateAuthentication should not require any network IO.

@tmds
Copy link
Owner Author

tmds commented Jun 25, 2024

Thanks for confirming. Yes, it will have to be Task.Run.

I will look into making those changes and ask you for review. If you would want to pick it up, let me know.

@tmds tmds deleted the default_include_kerberos_credential branch June 29, 2024 07:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants