Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for Credential Guard #2214

Open
3XX0 opened this issue Mar 5, 2024 · 7 comments
Open

Support for Credential Guard #2214

3XX0 opened this issue Mar 5, 2024 · 7 comments
Labels
Area-Authentication Issue-Enhancement Feature request

Comments

@3XX0
Copy link

3XX0 commented Mar 5, 2024

Summary of the new feature / enhancement

Would it be possible to support SSPI unconstrained delegation with Credential Guard enabled?

Our users currently need to turn off Credential Guard in order to delegate their ticket which is far from ideal.
When Credential Guard is enabled ssh won't perform delegation (sspi delegation was requested but not fulfilled), see
#1606
#1295

This limitation is documented here: https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/considerations-known-issues#kerberos-considerations

I'm not very familiar with Credential Guard, but technically the initial TGT could stay in the vault. SSH only has to produce and send the forwarded TGT.

Proposed technical implementation details (optional)

No response
@tgauth tgauth transferred this issue from PowerShell/openssh-portable Mar 6, 2024
@jborean93
Copy link

AFAIK the limitation is with credential guard itself and is not something that ssh can override.

@matsmcp
Copy link

matsmcp commented Mar 20, 2024

AFAIK the limitation is with credential guard itself and is not something that ssh can override.

I'm not skilled enough but why do SSH need the TGT? shouldn't it be enough to request a ordinary key?

@jborean93
Copy link

jborean93 commented Mar 20, 2024
edited

To request the key it needs to know the user's secret (it's password). An SSH private key is not related at all to the user's password so there's nothing to do. Kerberos delegation can get around this problem but it's specific to the Kerberos protocol and dependent on the ticket the user provides during authentication so SSH key auth can't really re-use it (without really opening up some holes like delegation with protocol transition).

@matsmcp
Copy link

matsmcp commented Mar 21, 2024

To request the key it needs to know the user's secret (it's password). An SSH private key is not related at all to the user's password so there's nothing to do. Kerberos delegation can get around this problem but it's specific to the Kerberos protocol and dependent on the ticket the user provides during authentication so SSH key auth can't really re-use it (without really opening up some holes like delegation with protocol transition).

Thanks. I made a typo and meant ticket and not key, sorry about that

@mgkuhn
Copy link

mgkuhn commented Apr 9, 2024
edited

Isn't the whole point of Credential Guard to prevent anyone from moving (stealing, passing) tickets elsewhere? And isn't the whole point of unconstrained delegation to move (forward, delegate) one's ticket elsewhere? So aren't these two simply exactly opposing functional requirements, and if Kerberos ticket forwarding does not work with Credential Guard enabled, then doesn't that simply mean that Credential Guard works exactly as designed and does its job correctly?

@mgkuhn
Copy link

mgkuhn commented Apr 9, 2024
edited

It might be useful to extend Credential Guard to provide more fine-grained control over what kinds of credentials it covers or does not cover. For example, a “Windows credential” stored in Credential Manager (e.g. with cmdkey or the GUI) currently contains not just the user's short-term Kerberos ticket (which typically expires after a working day), and which you might want to keep easily accessible for unconstrained delegation, but also the user's long-term keytab (the hash of their password, possibly valid for many years), which you might want to protect well via Credential Guard, or not kept stored at all. At the moment, I understand you can either protect both or neither, which can be a bit inconvenient.

Alternative: What I really miss in Windows is an equivalent of the kinit command in MIT Kerberos. That uses the user's password only very briefly, just to get a ticket, and then destroys the password and its hash again immediately (e.g., a kinit password can't be recovered from a discarded disk drive). There sadly seems to be no equivalent command in Windows to obtain a Kerberos ticket without storing the (hash of the) password in Credential Manager. If kinit were available, there would be much less need for using anything like Credential Guard.

(But all of that is really outside this OpenSSH port.)

@3XX0
Copy link
Author

3XX0 commented Apr 30, 2024

Yes, again I'm not familiar with how Credential Guard works in details, but having fine-grained control would certainly help.
Being able to do unconstrained delegation without having to turn it off would be nice.

Now, having said that, Credential Guard should be able to do TGS requests without taking the TGT out of the sandbox which is the whole point. With SSPI, technically you're trying to delegate a forwarded TGT (which could be constrained to some addresses and checked against OK-AS-DELEGATE) not the initial one. Security-wise it might not look so different, but depending on how SSPI and CG interact this might be implementable.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Area-Authentication Issue-Enhancement Feature request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@3XX0 @mgkuhn @jborean93 @maertendMSFT @matsmcp