Comments (7)
AFAIK the limitation is with credential guard itself and is not something that ssh can override.
from win32-openssh.
I'm not skilled enough, but why does SSH need the TGT? Shouldn't it be enough to request an ordinary key?
To request the key it needs to know the user's secret (its password). An SSH private key is not related at all to the user's password, so there's nothing to do. Kerberos delegation can get around this problem, but it's specific to the Kerberos protocol and dependent on the ticket the user provides during authentication, so SSH key auth can't really re-use it (without really opening up some holes like delegation with protocol transition).
Thanks. I made a typo and meant ticket and not key, sorry about that.
Isn't the whole point of Credential Guard to prevent anyone from moving (stealing, passing) tickets elsewhere? And isn't the whole point of unconstrained delegation to move (forward, delegate) one's ticket elsewhere? So aren't these two simply exactly opposing functional requirements, and if Kerberos ticket forwarding does not work with Credential Guard enabled, then doesn't that simply mean that Credential Guard works exactly as designed and does its job correctly?
It might be useful to extend Credential Guard to provide more fine-grained control over what kinds of credentials it covers or does not cover. For example, a "Windows credential" stored in Credential Manager (e.g. with cmdkey or the GUI) currently contains not just the user's short-term Kerberos ticket (which typically expires after a working day), and which you might want to keep easily accessible for unconstrained delegation, but also the user's long-term keytab (the hash of their password, possibly valid for many years), which you might want to protect well via Credential Guard, or not kept stored at all. At the moment, I understand you can either protect both or neither, which can be a bit inconvenient.
Alternative: What I really miss in Windows is an equivalent of the kinit command in MIT Kerberos. That uses the user's password only very briefly, just to get a ticket, and then destroys the password and its hash again immediately (e.g., a kinit password can't be recovered from a discarded disk drive). There sadly seems to be no equivalent command in Windows to obtain a Kerberos ticket without storing the (hash of the) password in Credential Manager. If kinit were available, there would be much less need for using anything like Credential Guard.
(But all of that is really outside this OpenSSH port.)
Yes, again I'm not familiar with how Credential Guard works in detail, but having fine-grained control would certainly help.
Being able to do unconstrained delegation without having to turn it off would be nice.
Now, having said that, Credential Guard should be able to do TGS requests without taking the TGT out of the sandbox, which is the whole point. With SSPI, technically you're trying to delegate a forwarded TGT (which could be constrained to some addresses and checked against OK-AS-DELEGATE), not the initial one. Security-wise it might not look so different, but depending on how SSPI and CG interact this might be implementable.
from win32-openssh.
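The thread above turns on two facts about a given host: whether Credential Guard is actually running (so the TGT is isolated and cannot be forwarded), and whether the Kerberos tickets the logon session holds are marked forwardable and whether the target service is marked ok_as_delegate. The following PowerShell is an added example for checking both from the defender's side; it is not code from the issue thread or from the Win32-OpenSSH project. It assumes Windows 10/11 or Windows Server 2016+, where the Win32_DeviceGuard CIM class and the built-in klist tool exist, and it parses klist's human-readable output, which is a heuristic rather than a supported interface.

```powershell
# Added example, not from the issue thread. Reports Credential Guard state and the
# delegation-relevant flags on Kerberos tickets in the current logon session.

function Get-CredentialGuardState {
    # Win32_DeviceGuard is documented by Microsoft. In SecurityServicesRunning /
    # SecurityServicesConfigured, the value 1 means Credential Guard, 2 means HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        CredentialGuardConfigured = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ($dg.SecurityServicesRunning -contains 1)
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = configured, 2 = running
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus
    }
}

function Get-KerberosTicketFlags {
    # Parse klist's output: each ticket has a "Server:" line and a
    # "Ticket Flags 0x... -> flag flag ..." line. Layout is stable but not a contract.
    $lines   = klist 2>$null
    $tickets = @()
    $current = $null
    foreach ($line in $lines) {
        if ($line -match '^\s*Server:\s*(.+)$') {
            if ($current) { $tickets += $current }
            $current = [pscustomobject]@{ Server = $Matches[1].Trim(); Flags = @() }
        }
        elseif ($current -and $line -match '^\s*Ticket Flags\s+0x[0-9a-fA-F]+\s*->\s*(.+)$') {
            $current.Flags = $Matches[1].Trim() -split '\s+'
        }
    }
    if ($current) { $tickets += $current }

    foreach ($t in $tickets) {
        [pscustomobject]@{
            Server       = $t.Server
            # The krbtgt/ ticket is the TGT; that is the one delegation would forward.
            IsTgt        = $t.Server -like 'krbtgt/*'
            Forwardable  = ($t.Flags -contains 'forwardable')
            OkAsDelegate = ($t.Flags -contains 'ok_as_delegate')
        }
    }
}

Get-CredentialGuardState  | Format-List
Get-KerberosTicketFlags   | Format-Table -AutoSize
```

Read the two outputs together: if CredentialGuardRunning is true, a forwardable TGT shown by klist still cannot be handed to sshd for unconstrained delegation, which is the behaviour the thread describes and the outcome Credential Guard is designed to enforce. A service ticket whose OkAsDelegate column is false means the KDC has not marked that target as trusted for delegation, so forwarding would be refused even with Credential Guard off.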