Including support for NTLM for the microsoft/docker container #124

Open
arizvisa opened this issue Feb 7, 2019 · 18 comments

Comments

@arizvisa
commented Feb 7, 2019

As per PowerShell/PowerShell#8817, the microsoft/docker container does not support NTLM which makes it pretty limited against what you can invoke WinRM with. I was under the assumption that NTLM would be implemented as part of PowerShell or at the very least be included as part of the container.

As per the blogpost at https://blog.quickbreach.io/ps-remote-from-linux-to-windows/, the container at https://hub.docker.com/r/quickbreach/powershell-ntlm/ includes the gssapi library that you need to include in order to include NTLM support.

Status

  • Evaluate other image
  • stable images
    • CentOs7
    • Ubuntu Images
    • Debian Images
    • Fedora Images
    • Alpine
    • openSUSE
  • preview images
    • CentOs7
    • Ubuntu Images
    • Debian Images
    • Fedora Images
    • Alpine
    • openSUSE
  • All Community Stable Images

FYI, there are no plans to do functional validation for this.

Our efforts currently are focusing on SSH remoting.

@TravisEz13

Member

commented Feb 7, 2019

relevant code

```dockerfile
# Required for gssntlmssp
RUN yum install -y epel-release

# Update now that we have epel-release
RUN yum update -y

# Install libraries for NTLM support
RUN yum install -y gssntlmssp
```
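
Added example, not part of the original comment or the project's code: a check to run inside a built image to confirm that the package registered the NTLMSSP mechanism with GSSAPI and that its library is present. It assumes the MIT krb5 `mech.d` line format (name, OID, library path), the default directory `/etc/gss/mech.d`, and absolute library paths; the function names are hypothetical and the sample directory is constructed.

```shell
#!/bin/sh
# OID under which the NTLMSSP mechanism is registered with GSSAPI.
NTLMSSP_OID="1.3.6.1.4.1.311.2.2.10"

# Print the library path of every NTLMSSP entry in a mech.d directory.
# Assumed line format (MIT krb5): <name> <oid> <shared-object> [options]
ntlm_mech_libs() {
    dir="${1:-/etc/gss/mech.d}"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue          # glob matched nothing
        awk -v oid="$NTLMSSP_OID" '
            /^[ \t]*#/ || NF < 3 { next }  # comments, blank or short lines
            $2 == oid { print $3 }' "$f"
    done
}

# Return 0 if NTLMSSP is registered and its library exists,
# 1 if no entry is registered, 2 if an entry points at a missing file.
ntlm_mech_ok() {
    libs=$(ntlm_mech_libs "$1")
    if [ -z "$libs" ]; then
        echo "NTLMSSP not registered in ${1:-/etc/gss/mech.d}"
        return 1
    fi
    for lib in $libs; do
        [ -e "$lib" ] || { echo "registered but missing: $lib"; return 2; }
    done
    echo "NTLMSSP available: $libs"
}

# Constructed sample: a mech.d directory shaped like the one the package
# is assumed to install, with an empty file standing in for the library.
make_sample() {
    d=$(mktemp -d)
    : > "$d/gssntlmssp.so"
    printf '# constructed sample\ngssntlmssp_v1 %s %s\n' \
        "$NTLMSSP_OID" "$d/gssntlmssp.so" > "$d/ntlmssp.conf"
    echo "$d"
}

# Check the directory given as $1, or the constructed sample if none is given.
sample=$(make_sample)
ntlm_mech_ok "${1:-$sample}"
rm -rf "$sample"
```

Inside a container, pass the real directory as the first argument (for example `/etc/gss/mech.d`) so the check runs against the installed configuration rather than the sample.
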
@TravisEz13

Member

commented Feb 7, 2019

What images would you expect to be fixed? CentOS obviously; anything else?

@arizvisa

Author

commented Feb 7, 2019

I mean I would expect you guys to fix anything you can? I mean, if you're going to do something why not do it well.

@arizvisa

Author

commented Feb 8, 2019

To make it easier:

  • Debian and Ubuntu use gss-ntlmssp
  • Fedora, Red Hat, and SUSE use gssntlmssp
  • (I think) Gentoo uses app-crypt/mit-krb5 with an ntlm USE flag
  • Alpine will need mit-krb5 to build gssapi and then build-essentials (alpine-sdk iirc) to compile gssntlmssp
  • SUSE will need build-essentials (the same as Alpine) to build gssntlmssp
  • Arch Linux will use gss-ntlmssp
@arizvisa

Author

commented Feb 8, 2019

It's understandable if the ones that need building are not supported, but the ones with binary packages readily available is kind of silly to not support it in the "official" microsoft/powershell container.

If y'all are concerned about tainting the regular docker containers with non-microsoft code, at the very least it'd be good to have an official microsoft/powershell container with ntlm support.

(edited to fix a miswording)

@TravisEz13

Member

commented Feb 8, 2019

@arizvisa Also, finding the information on what the packages are called and how to install them is time consuming.

Feel free to submit a PR and we can review your code and take it if the change is acceptable.

We have to prioritize what issues we look into. Although a dev made me aware of this issue, he did not look into it even to the details that the quickbreach blog gives.

I've asked @RDIL, a new contributor, to start looking into fixing centos

Assuming you don't look at the other images, I'll leave the issue open and I'm sure we will test PSRP remoting compatibility again in the future. After that, I can update the status of issues with which images are working with Kerberos and which are not.

@RDIL

Collaborator

commented Feb 8, 2019

I'll look into it :)

@RDIL

Collaborator

commented Feb 8, 2019

CentOS is done.

@arizvisa

Author

commented Feb 9, 2019

Cool. Nice one, RDIL.

@TravisEz13, Yeah. I'm not really a fan of pwsh. I just think it's lame to build an official container and miss out on a key feature like remoting. There's literally hundreds of people asking how to get remoting to work from their machines. Pointing them at a container solves that problem.

Thanks for listening!

@RDIL

Collaborator

commented Feb 10, 2019

I would be willing to fix the other OS’s if you guys want me to.

@TravisEz13

Member

commented Feb 10, 2019

apt install gss-ntlmssp

@TravisEz13

Member

commented Feb 11, 2019

@arizvisa FYI, we release new docker images (usually all) whenever we release a new version of PowerShell Core. It shouldn't be more than a week or two.

@kiazhi

Contributor

commented Feb 12, 2019

I just found out that the gss-ntlmssp package is not in the community repo and therefore pacman cannot find it and install it. That means in order to get the ArchLinux image with the gss-ntlmssp package, it will have to download the source and use make to build the package, with additional packages to assist the make.

May have to revisit this using a 2 stages dockerfile to reduce container image size.

@TravisEz13, can we skip the gss-ntlmssp pester test for now?

@TravisEz13

Member

commented Feb 12, 2019

@kiazhi Yup, I updated your PR with the metadata to skip the tests

@RDIL

Collaborator

commented Mar 11, 2019

@TravisEz13 can you update the checklist:
Ubuntu is done
Deb is done

@RDIL

Collaborator

commented Mar 19, 2019

@arizvisa or @TravisEz13 can one of you please check off Fedora as it is done

@RDIL RDIL referenced this issue Oct 10, 2019
1 of 8 tasks complete
@RDIL

Collaborator

commented Oct 15, 2019

Status update as of yesterday:

  • Evaluate other image
  • stable images
    • CentOs7
    • Ubuntu Images
    • Debian Images
    • Fedora Images
    • Alpine (working on now)
    • openSUSE (planned)
  • preview images - basically same as above
  • All Community Stable Images