Including support for NTLM for the microsoft/docker container #124

Closed
9 of 16 tasks
arizvisa opened this issue Feb 7, 2019 · 21 comments
Labels: dependencies (Pull requests that update a dependency file), Issue-Enhancement

@arizvisa

arizvisa commented Feb 7, 2019

As per PowerShell/PowerShell#8817, the microsoft/docker container does not support NTLM, which makes it pretty limited against what you can invoke WinRM with. I was under the assumption that NTLM would be implemented as part of PowerShell or at the very least be included as part of the container.

As per the blog post at https://blog.quickbreach.io/ps-remote-from-linux-to-windows/, the container at https://hub.docker.com/r/quickbreach/powershell-ntlm/ includes the gssapi library that you need to include in order to include NTLM support.

Status

  • Evaluate other image
  • stable images
    • CentOs7
    • Ubuntu Images
    • Debian Images
    • Fedora Images
    • Alpine
    • openSUSE
  • preview images
    • CentOs7
    • Ubuntu Images
    • Debian Images
    • Fedora Images
    • Alpine
    • openSUSE
  • All Community Stable Images

FYI, there are no plans to do functional validation for this.

Our efforts currently are focusing on SSH remoting.

@TravisEz13
Member

relevant code

# Required for gssntlmssp
RUN yum install -y epel-release

# Update now that we have epel-release
RUN yum update -y

# Install libraries for NTLM support
RUN yum install -y gssntlmssp

@TravisEz13
Member

What images would you expect to be fixed? CentOS, obviously; anything else?

@arizvisa
Author

arizvisa commented Feb 7, 2019

I mean, I would expect you guys to fix anything you can? I mean, if you're going to do something, why not do it well?

@arizvisa
Author

arizvisa commented Feb 8, 2019

To make it easier:

  • Debian and Ubuntu use gss-ntlmssp
  • Fedora, Red Hat, and SUSE use gssntlmssp
  • (I think) Gentoo uses app-crypt/mit-krb5 with an ntlm useflag
  • Alpine will need mit-krb5 to build gssapi and then build-essentials (alpine-sdk iirc) to compile gssntlmssp
  • SUSE will need build-essentials (the same as Alpine) to build gssntlmssp
  • Arch Linux will use gss-ntlmssp

@arizvisa
Author

arizvisa commented Feb 8, 2019

It's understandable if the ones that need building are not supported, but for the ones with binary packages readily available, it is kind of silly to not support it in the "official" microsoft/powershell container.

If y'all are concerned about tainting the regular docker containers with non-Microsoft code, at the very least it'd be good to have an official microsoft/powershell container with NTLM support.

(edited to fix a miswording)

@TravisEz13
Member

@arizvisa Also, finding the information on what the packages are called and how to install them is time-consuming.

Feel free to submit a PR and we can review your code and take it if the change is acceptable.

We have to prioritize what issues we look into. Although a dev made me aware of this issue, he did not look into it even to the details that the quickbreach blog gives.

I've asked @RDIL, a new contributor, to start looking into fixing CentOS.

Assuming you don't look at the other images, I'll leave the issue open and I'm sure we will test PSRP remoting compatibility again in the future. After that, I can update the status of issues with which images are working with Kerberos and which are not.

@RDIL
Collaborator

RDIL commented Feb 8, 2019

I'll look into it :)

@RDIL
Collaborator

RDIL commented Feb 8, 2019

CentOS is done. ✅

@arizvisa
Author

arizvisa commented Feb 9, 2019

Cool. Nice one, RDIL.

@TravisEz13, Yeah. I'm not really a fan of pwsh. I just think it's lame to build an official container and miss out on a key feature like remoting. There's literally hundreds of people asking how to get remoting to work from their machines. Pointing them at a container solves that problem.

Thanks for listening!

@RDIL
Collaborator

RDIL commented Feb 10, 2019

I would be willing to fix the other OS’s if you guys want me to.

@TravisEz13
Member

apt install gss-ntlmssp

@TravisEz13
Member

@arizvisa FYI, we release new docker images (usually all) whenever we release a new version of PowerShell Core. It shouldn't be more than a week or two.

@kiazhi
Contributor

kiazhi commented Feb 12, 2019

I just found out that the gss-ntlmssp package is not in the community repo and therefore pacman cannot find it and install it. That means that in order to get the ArchLinux image with the gss-ntlmssp package, it will have to download the source and use make to build the package, with additional packages to assist the make.

May have to revisit this using a two-stage Dockerfile to reduce container image size.

@TravisEz13, can we skip the gss-ntlmssp Pester test for now?

@TravisEz13
Member

@kiazhi Yup, I updated your PR with the metadata to skip the tests

@RDIL
Collaborator

RDIL commented Oct 15, 2019

Status update as of yesterday:

  • Evaluate other image
  • stable images
    • CentOs7
    • Ubuntu Images
    • Debian Images
    • Fedora Images
    • Alpine (working on now)
    • openSUSE (planned)
  • preview images - basically same as above
  • All Community Stable Images

@RDIL
Collaborator

RDIL commented Oct 29, 2019

Community Stable statuses:

  • Arch (black, normal)
  • Amzn
  • Oracle
  • Clear
  • Parrot
  • Photon - I have no idea how photon works but I'll try to add it...

RDIL added the dependencies label Nov 8, 2019

@TravisEz13
Member

I'm going to consider this done.

@mikeTWC1984

mikeTWC1984 commented Oct 20, 2020

If anyone needs ntlm on alpine - I put some instructions on how to build/install it from source.
https://github.com/mikeTWC1984/gssntlm
The only thing - it works on alpine 3.11 or higher
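
One way to confirm, inside a built image, that the NTLM mechanism provided by the packages named in this thread is actually registered with GSS-API. This is an added example, not part of the thread or the project's code. It assumes MIT krb5's mechanism configuration locations (`/etc/gss/mech` and `/etc/gss/mech.d/*.conf`); the function names and the fixture paths are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: check that an NTLMSSP GSS-API
# mechanism is registered in an image's filesystem.
NTLMSSP_OID="1.3.6.1.4.1.311.2.2.10"   # OID of the NTLMSSP mechanism

# ntlm_mech_lib FILE... : print the library path of the first mechanism
# entry ("name oid library [options]") whose OID is NTLMSSP; 1 if none.
ntlm_mech_lib() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        awk -v oid="$NTLMSSP_OID" '
            /^[ \t]*#/ || NF < 3 { next }
            $2 == oid { print $3; found = 1; exit }
            END { exit !found }' "$f" && return 0
    done
    return 1
}

# check_ntlm [ROOT] : 0 = registered and library present,
# 1 = no NTLMSSP entry, 2 = entry points at a missing library.
check_ntlm() {
    root=${1:-}
    lib=$(ntlm_mech_lib "$root/etc/gss/mech" "$root"/etc/gss/mech.d/*.conf) || return 1
    case $lib in
        /*) [ -e "$root$lib" ] || return 2 ;;   # relative paths are not resolved here
    esac
    return 0
}

# Constructed fixture: a fake image root holding one mechanism entry and
# an empty stand-in for the shared library (sample paths, assumed layout).
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/gss/mech.d" "$d/usr/lib64/gssntlmssp"
    printf '%s\n' '# constructed sample entry' \
        "gssntlmssp_v1 $NTLMSSP_OID /usr/lib64/gssntlmssp/gssntlmssp.so" \
        > "$d/etc/gss/mech.d/ntlmssp.conf"
    : > "$d/usr/lib64/gssntlmssp/gssntlmssp.so"
    echo "$d"
}

fx=$(make_fixture)
check_ntlm "$fx" && echo "NTLMSSP registered"
rm -rf "$fx"
```

Run `check_ntlm` with no argument inside the container to inspect the live filesystem; a return code of 1 on an image that is supposed to support NTLM remoting means the package step was skipped or failed.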

