-
Notifications
You must be signed in to change notification settings - Fork 11
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DefaultCredentials: add KerberosCredential. #196
Conversation
@jborean93 I assume it makes sense to include this in the |
I personally think so, my only concern is I missed a spot where an exception could be thrown. While I think we covered them I cannot say for sure I did. One other point to consider is that OpenSSH doesn't include it by default, you either need to specify |
I'm not worried a potential exception. If it's there, we'll fix it. Might there some information we're leaking to the remote SSH server about the user, like its Kerberos username? |
Certainly if there is a cached credential you could be leaking the username but the sensitive information are all part of the encrypted value that only the intended target would be able to decrypt. |
Paraphrasing to see if I understand correctly: if the target isn't part of the "domain", it won't be able to decrypt the username (or might even never see the username)? |
To answer this question, from the Wikipedia Kerberos page: Client-to-server ticket, encrypted using service's Secret key. @jborean93 thanks for chiming in! I'm going to include this. |
Just to add further information the ticket won’t even be generated if the target server isn’t valid/present in the KDC database. |
@jborean93 do the methods we call on the |
Retrieving the service ticket does a call to the KDC in the backend to the call to get the outgoing blob may block. As this happens in the underlying C library I don't believe .NET exposes an async API for this. I believe it would need to run in |
Thanks for confirming. Yes, it will have to be I will look into making those changes and ask you for review. If you would want to pick it up, let me know. |
@jborean93 ptal.