[20450] in Kerberos_V5_Development


Re: [External] : Re: Windows Credential Guard with MSLSA

daemon@ATHENA.MIT.EDU (Ken Hornstein via krbdev)
Thu Sep 7 09:32:53 2023

Message-ID: <202309071330.387DUg61019698@hedwig.cmf.nrl.navy.mil>
To: Seshan Parameswaran <seshan.parameswaran@oracle.com>
cc: <krbdev@mit.edu>
In-Reply-To: <BYAPR10MB347992FE12CC47CCCB5B5B659DEEA@BYAPR10MB3479.namprd10.prod.outlook.com>
MIME-Version: 1.0
Date: Thu, 07 Sep 2023 09:30:42 -0400
From: Ken Hornstein via krbdev <krbdev@mit.edu>
Reply-To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

>Windows Credential Guard cannot be used on Linux.  However the service
>that Windows Credential Guard is protecting, a database service
>running on Linux in this case, whether there is a way to retrieve the
>credentials protected by Windows Credential Guard without using GSSAPI

So I was mildly curious and I did some more digging.  Here's what I
believe to be true, with the caveat I am not that experienced in the
details and I might be wrong (and I would appreciate any corrections
where I get things wrong):

- The MIT Kerberos 5 libraries do have native support for doing S4U2proxy
  which I believe is the protocol you want to use.

- The specific details here are that you need to send an "evidence ticket"
  from the client to the server (which in the test example I see is just
  the complete ASN.1-encoded Kerberos service ticket for the database
  server), the application server (the database service running on the
  Linux system), the database service would call krb5_decode_ticket()
  and krb5_server_decrypt_ticket_keytab() to get the decrypted
  ticket contents, and then call krb5_get_credentials_for_proxy() to
  make the actual S4U2Proxy request (the database server will also have
  to have a TGT for itself).

- I'm actually a little unclear how you'd do the "send a raw ticket
  from the client to the server" inside of the GSSAPI.  I suspect it
  is possible but the MIT documentation just talks about the application
  server API pieces.

- As I mentioned previously, this would require client-server protocol
  rework AND significant changes on the database server side.  If we
  are talking about Oracle (just a guess based on your email address)
  I was under the impression that Oracle includes a very old copy of MIT
  Kerberos internally; if that is still the case then this would also
  require the Kerberos implementation inside of Oracle to be updated
  to something much newer.

- From what others have said, there is essentially no way to get out
  a TGT from the MSLSA credential cache when using Windows Credential
  Guard.

--Ken
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
