
Fix Kerberos Decryption Corruption #302

Merged
mwrock merged 1 commit into WinRb:master from Iristyle:fix-kerberos-decryption
Apr 25, 2019

Fix Kerberos Decryption Corruption#302
mwrock merged 1 commit intoWinRb:masterfrom
Iristyle:fix-kerberos-decryption

Conversation

@Iristyle
Contributor

  • The winrm_decrypt method, which appears to be a near copy of the
    original GSSAPI gem helpers from

    https://github.com/zenchild/gssapi/blob/master/examples

    includes a fatal bug.

    Specifically, the original code at line
    https://github.com/zenchild/gssapi/blob/master/examples/gss_iov_helpers.rb#L50

    When breaking apart the given binary string response into length of header,
    header and payload, the incorrect value is given to Ruby's unpack method.

    https://ruby-doc.org/core-2.3.0/String.html#method-i-unpack

    The directive 'A' is used:

    A | String | arbitrary binary string (remove trailing nulls and ASCII spaces)

    Since the given string is encrypted binary data, 'A' is the wrong directive
    given it performs removals.

    Instead, the directive 'a' should be used as it leaves all bytes intact:

    a | String | arbitrary binary string

  • Without this change, intermittent failures will occur as the decrypted SOAP
    messages will contain almost valid XML, but usually end with corrupt binary
    strings at the end of otherwise valid UTF-8 like

    </s:Body></s\xB5f\xAF\x9B\xE5\x9B\xE9\xFE\xBB

    These failures occur frequently enough to make Kerberos usage completely
    unreliable.

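The 'A' versus 'a' difference the description above is about, as an added example; this is not code from the WinRM gem or the gssapi gem. It assumes the frame layout the description gives (a length prefix, the header, then the payload; packing the length with 'L' and the function names are this example's own choices) and uses constructed bytes rather than real GSSAPI output:

```ruby
# Added example, not code from the WinRM or gssapi gems: why unpack('A') corrupts
# GSSAPI-wrapped payloads and why unpack('a') does not.

# Frame layout as the PR describes it: length of the header, the header bytes,
# then the encrypted payload. Packing the length with 'L' is an assumption here.
def build_frame(header, payload)
  [header.bytesize].pack('L') + header + payload
end

# The split as the PR describes the original helper: 'A' consumes the right
# number of bytes but drops trailing NULs and ASCII spaces from each field.
def split_buggy(frame)
  len = frame.unpack('L').first
  frame.unpack("LA#{len}A*")
end

# The fixed split: 'a' returns every byte of each field untouched.
def split_fixed(frame)
  len = frame.unpack('L').first
  frame.unpack("La#{len}a*")
end

# Constructed sample bytes (not real Kerberos output). Ciphertext and wrap-token
# headers are effectively random, so any field can end in 0x00 or 0x20; both do
# here so the loss is visible.
HEADER  = "\x60\x00\x00\x20".b
PAYLOAD = "\x3c\x2f\x73\x3a\x42\x6f\x64\x79\x3e\x00\x20\x00".b # "</s:Body>\0 \0"
FRAME   = build_frame(HEADER, PAYLOAD)

# Number of bytes the given splitter (:split_buggy or :split_fixed) loses.
def bytes_lost(splitter)
  _len, header, payload = send(splitter, FRAME)
  (HEADER.bytesize - header.bytesize) + (PAYLOAD.bytesize - payload.bytesize)
end

# Does re-joining the three fields give back exactly the frame we started with?
# A decrypt helper can apply this check before handing bytes to GSSAPI.
def roundtrip_intact?(splitter)
  len, header, payload = send(splitter, FRAME)
  [len].pack('L') + header + payload == FRAME
end

if $PROGRAM_NAME == __FILE__
  puts "bytes lost with 'A': #{bytes_lost(:split_buggy)}"  # 6
  puts "bytes lost with 'a': #{bytes_lost(:split_fixed)}"  # 0
end
```

The count directive still advances the cursor by the full field length, so the payload is read from the right offset; what goes missing is the tail of each field, which is why the decrypted message looks almost right and only its end is corrupt. Because the stripped bytes depend on the last bytes of random ciphertext, the failure is intermittent rather than constant.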
@Iristyle
Contributor Author

IMHO, this is one that could use a bugfix release @mwrock / @sneal. Thanks!

@mwrock mwrock merged commit 2a9a2ff into WinRb:master Apr 25, 2019
@mwrock
Member

mwrock commented Apr 25, 2019

Thanks a bunch Ethan! Will get a release out ASAP

@Iristyle Iristyle deleted the fix-kerberos-decryption branch April 26, 2019 21:07
Iristyle added a commit to Iristyle/bolt-vanagon that referenced this pull request May 6, 2019
 - WinRM gem 2.3.2 is necessary to enable Kerberos. Earlier versions of
   the gem contained a bug with decrypting Kerberos payloads that would
   result in decryption failures / corruptions about 10% of the time.

   10% of the time is enough to make Kerberos completely unusable.

   See WinRb/WinRM#302 for more info
Iristyle added a commit to Iristyle/puppet-runtime that referenced this pull request May 6, 2019
 - WinRM gem 2.3.2 is necessary to enable Kerberos. Earlier versions of
   the gem contained a bug with decrypting Kerberos payloads that would
   result in decryption failures / corruptions about 10% of the time.

   10% of the time is enough to make Kerberos completely unusable.

   See WinRb/WinRM#302 for more info
Iristyle added a commit to Iristyle/bolt that referenced this pull request Jul 12, 2019
 - This PR is considered experimental due to a number of current
   limitations:

   * Works only with MIT Kerberos from a Linux node
   * Does not work with Heimdal on OSX
     - gssapi gem support for Heimdal is not well vetted
     - OSX doesn't export Kerberos IOV functions needed for MS DCE RPC
   * Has been manually tested in a simple AD environment that has a
     CentOS host domain joined to Windows Active Directory

 - Provides initial support for the --realm command line switch, which
   can be used instead of --username / --password.

   Note that Kerberos is an authentication method, not a transport, so
   can be used with or without SSL just like other authentication.

 - Manual verification includes the following steps:

   * Acquire ticket from KDC (in this case Active Directory)

[centos@bolt-dev-centos7 bolt]$ echo '*****!' | kinit -C Administrator@bolt.puppet
Password for Administrator@bolt.puppet:

[centos@bolt-dev-centos7 bolt]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: Administrator@BOLT.PUPPET

Valid starting       Expires              Service principal
07/12/2019 18:18:04  07/13/2019 04:18:04  krbtgt/BOLT.PUPPET@BOLT.PUPPET
	renew until 07/19/2019 18:18:04

   * Ask Bolt to run a command over WinRM over HTTPS using the AD domain as realm

[centos@bolt-dev-centos7 bolt]$ bundle exec bolt command run 'whoami' --targets winrm://bolt-dc.bolt.puppet --realm BOLT.PUPPET --no-ssl-verify
Started on bolt-dc.bolt.puppet...
Finished on bolt-dc.bolt.puppet:
  STDOUT:
    bolt\administrator
Successful on 1 node: winrm://bolt-dc.bolt.puppet
Ran on 1 node in 0.82 seconds

   * Ask Bolt to run a command over WinRM over SSL using the AD domain as realm

[centos@bolt-dev-centos7 bolt]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: Administrator@BOLT.PUPPET

Valid starting       Expires              Service principal
07/12/2019 18:18:20  07/13/2019 04:18:04  HTTP/bolt-dc.bolt.puppet@BOLT.PUPPET
	renew until 07/19/2019 18:18:04
07/12/2019 18:18:04  07/13/2019 04:18:04  krbtgt/BOLT.PUPPET@BOLT.PUPPET
	renew until 07/19/2019 18:18:04

   * Ask Bolt to run a command over WinRM over HTTP using the AD domain as realm

[centos@bolt-dev-centos7 bolt]$ bundle exec bolt command run 'whoami' --targets winrm://bolt-dc.bolt.puppet --realm BOLT.PUPPET --no-ssl
Started on bolt-dc.bolt.puppet...
Finished on bolt-dc.bolt.puppet:
  STDOUT:
    bolt\administrator
Successful on 1 node: winrm://bolt-dc.bolt.puppet
Ran on 1 node in 0.74 seconds

   * Verify an incorrectly specified realm fails to connect over HTTP

[centos@bolt-dev-centos7 bolt]$ bundle exec bolt command run 'whoami' --targets winrm://bolt-dc.bolt.puppet --realm foo --no-ssl
Started on bolt-dc.bolt.puppet...
Failed on bolt-dc.bolt.puppet:
  Failed to connect to http://bolt-dc.bolt.puppet:5985/wsman: gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure.  Minor code may provide more information
  Server not found in Kerberos database
Failed on 1 node: winrm://bolt-dc.bolt.puppet
Ran on 1 node in 0.22 seconds

   * Verify an incorrectly specified realm fails to connect over HTTPS

[centos@bolt-dev-centos7 bolt]$ bundle exec bolt command run 'whoami' --targets winrm://bolt-dc.bolt.puppet --realm foo --no-ssl-verify
Started on bolt-dc.bolt.puppet...
Failed on bolt-dc.bolt.puppet:
  Failed to connect to https://bolt-dc.bolt.puppet:5986/wsman: gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure.  Minor code may provide more information
  Server not found in Kerberos database
Failed on 1 node: winrm://bolt-dc.bolt.puppet
Ran on 1 node in 0.16 seconds

 - This PR also relies on version 2.3.2 of the winrm gem which includes
   a critical Kerberos encryption bug that was fixed in
   WinRb/WinRM#302

 - There is a separate PR which will add a Docker container setup to
   verify Kerberos in an automated fashion against TravisCI using
   Samba and OMI server. At present, there is a problem properly
   establishing a connection between the WinRM gem and OMI server, which
   appears to be a bug in the WinRM gem protocol handling.

 - Windows support is https://tickets.puppet.com/browse/BOLT-1323

 - OSX support is https://tickets.puppet.com/browse/BOLT-1471
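The "verify Kerberos tickets" step of the manual verification above, turned into a programmatic check. This is an added example, not Bolt's or the WinRM gem's own code: it parses klist output in the format shown in the commit message (the sample below is constructed in that format, not captured), and confirms that an HTTP/<host>@<REALM> service ticket, the SPN form visible in the klist output above, is cached and inside its validity window. The function names are this example's own.

```ruby
require 'time'

# Added example, not Bolt's or the WinRM gem's code: parse `klist` output in the
# format shown on this page and check that the HTTP/ service ticket a Kerberos
# WinRM connection needs is cached and currently valid.

KLIST_TIME  = '%m/%d/%Y %H:%M:%S'.freeze
TICKET_LINE = %r{^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)\s*$}
RENEW_LINE  = %r{^\s*renew until (\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s*$}

# Returns { principal: "user@REALM", tickets: [{ starts:, expires:, renew_until:, service: }, ...] }.
def parse_klist(text)
  cache = { principal: nil, tickets: [] }
  text.each_line do |line|
    if (m = line.match(/^Default principal:\s+(\S+)/))
      cache[:principal] = m[1]
    elsif (m = line.match(TICKET_LINE))
      cache[:tickets] << { starts: Time.strptime(m[1], KLIST_TIME),
                           expires: Time.strptime(m[2], KLIST_TIME),
                           renew_until: nil, service: m[3] }
    elsif (m = line.match(RENEW_LINE)) && !cache[:tickets].empty?
      # "renew until" belongs to the ticket on the preceding line
      cache[:tickets].last[:renew_until] = Time.strptime(m[1], KLIST_TIME)
    end
  end
  cache
end

# Service principal name in the form the klist output above shows (realm upper-cased).
def expected_spn(host, realm)
  "HTTP/#{host}@#{realm.upcase}"
end

def find_ticket(cache, spn)
  cache[:tickets].find { |t| t[:service] == spn }
end

# A ticket is usable only inside its [starts, expires) window; being renewable
# does not extend the current lifetime.
def ticket_valid_at?(ticket, now)
  !ticket.nil? && ticket[:starts] <= now && now < ticket[:expires]
end

# The whole check: is a valid HTTP/<host>@<REALM> ticket cached at time `now`?
def ready_for_winrm?(klist_text, host, realm, now)
  cache = parse_klist(klist_text)
  ticket_valid_at?(find_ticket(cache, expected_spn(host, realm)), now)
end

# Constructed sample in the format of the klist output above (not captured output).
SAMPLE_KLIST = <<~KLIST
  Ticket cache: KEYRING:persistent:1000:1000
  Default principal: Administrator@BOLT.PUPPET

  Valid starting       Expires              Service principal
  07/12/2019 18:18:20  07/13/2019 04:18:04  HTTP/bolt-dc.bolt.puppet@BOLT.PUPPET
      renew until 07/19/2019 18:18:04
  07/12/2019 18:18:04  07/13/2019 04:18:04  krbtgt/BOLT.PUPPET@BOLT.PUPPET
      renew until 07/19/2019 18:18:04
KLIST

if $PROGRAM_NAME == __FILE__
  now = Time.strptime('07/12/2019 20:00:00', KLIST_TIME)
  puts ready_for_winrm?(SAMPLE_KLIST, 'bolt-dc.bolt.puppet', 'bolt.puppet', now) # true
  puts ready_for_winrm?(SAMPLE_KLIST, 'bolt-dc.bolt.puppet', 'foo', now)         # false
end
```

Feeding this the real `klist` output after a successful run gives a yes/no answer for the step that the commit message checks by eye, and the mistyped-realm case returns false for the same reason the page's runs with `--realm foo` fail: no ticket exists for an SPN in that realm.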
Iristyle added a commit to Iristyle/bolt that referenced this pull request Jul 12, 2019
 - This PR is considered experimental due to a number of current
   limitations:

   * Works only with MIT Kerberos from a Linux node
   * Does not work with Heimdal on OSX
     - gssapi gem support for Heimdal is not well vetted
     - OSX doesn't export Kerberos IOV functions needed for MS DCE RPC
   * Does not work from a Windows node as winrm / gssapi gems only
     support MIT Kerberos, and Windows has its own APIs
   * Has been manually tested in a simple AD environment that has a
     CentOS host domain joined to Windows Active Directory

 - Provides initial support for the --realm command line switch, which
   can be used instead of --username / --password.

   Note that Kerberos is an authentication method, not a transport, so
   can be used with or without SSL just like other authentication.

 - Manual verification includes the following steps:

   * Acquire ticket from KDC (in this case Active Directory)

[centos@bolt-dev-centos7 bolt]$ echo '*****!' | kinit -C Administrator@bolt.puppet
Password for Administrator@bolt.puppet:

[centos@bolt-dev-centos7 bolt]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: Administrator@BOLT.PUPPET

Valid starting       Expires              Service principal
07/12/2019 18:18:04  07/13/2019 04:18:04  krbtgt/BOLT.PUPPET@BOLT.PUPPET
	renew until 07/19/2019 18:18:04

   * Ask Bolt to run a command over WinRM over HTTPS using the AD domain as realm

[centos@bolt-dev-centos7 bolt]$ bundle exec bolt command run 'whoami' --targets winrm://bolt-dc.bolt.puppet --realm BOLT.PUPPET --no-ssl-verify
Started on bolt-dc.bolt.puppet...
Finished on bolt-dc.bolt.puppet:
  STDOUT:
    bolt\administrator
Successful on 1 node: winrm://bolt-dc.bolt.puppet
Ran on 1 node in 0.82 seconds

   * Ask Bolt to run a command over WinRM over SSL using the AD domain as realm

[centos@bolt-dev-centos7 bolt]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: Administrator@BOLT.PUPPET

Valid starting       Expires              Service principal
07/12/2019 18:18:20  07/13/2019 04:18:04  HTTP/bolt-dc.bolt.puppet@BOLT.PUPPET
	renew until 07/19/2019 18:18:04
07/12/2019 18:18:04  07/13/2019 04:18:04  krbtgt/BOLT.PUPPET@BOLT.PUPPET
	renew until 07/19/2019 18:18:04

   * Ask Bolt to run a command over WinRM over HTTP using the AD domain as realm

[centos@bolt-dev-centos7 bolt]$ bundle exec bolt command run 'whoami' --targets winrm://bolt-dc.bolt.puppet --realm BOLT.PUPPET --no-ssl
Started on bolt-dc.bolt.puppet...
Finished on bolt-dc.bolt.puppet:
  STDOUT:
    bolt\administrator
Successful on 1 node: winrm://bolt-dc.bolt.puppet
Ran on 1 node in 0.74 seconds

   * Verify an incorrectly specified realm fails to connect over HTTP

[centos@bolt-dev-centos7 bolt]$ bundle exec bolt command run 'whoami' --targets winrm://bolt-dc.bolt.puppet --realm foo --no-ssl
Started on bolt-dc.bolt.puppet...
Failed on bolt-dc.bolt.puppet:
  Failed to connect to http://bolt-dc.bolt.puppet:5985/wsman: gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure.  Minor code may provide more information
  Server not found in Kerberos database
Failed on 1 node: winrm://bolt-dc.bolt.puppet
Ran on 1 node in 0.22 seconds

   * Verify an incorrectly specified realm fails to connect over HTTPS

[centos@bolt-dev-centos7 bolt]$ bundle exec bolt command run 'whoami' --targets winrm://bolt-dc.bolt.puppet --realm foo --no-ssl-verify
Started on bolt-dc.bolt.puppet...
Failed on bolt-dc.bolt.puppet:
  Failed to connect to https://bolt-dc.bolt.puppet:5986/wsman: gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure.  Minor code may provide more information
  Server not found in Kerberos database
Failed on 1 node: winrm://bolt-dc.bolt.puppet
Ran on 1 node in 0.16 seconds

 - This PR also relies on version 2.3.2 of the winrm gem which includes
   a critical Kerberos encryption bug that was fixed in
   WinRb/WinRM#302

 - There is a separate PR which will add a Docker container setup to
   verify Kerberos in an automated fashion against TravisCI using
   Samba and OMI server. At present, there is a problem properly
   establishing a connection between the WinRM gem and OMI server, which
   appears to be a bug in the WinRM gem protocol handling.

 - Windows support is https://tickets.puppet.com/browse/BOLT-1323

 - OSX support is https://tickets.puppet.com/browse/BOLT-1471
Iristyle added a commit to Iristyle/bolt that referenced this pull request Jul 12, 2019
 - This PR is considered experimental due to a number of current
   limitations:

   * Works only with MIT Kerberos from a Linux node
   * Does not work with Heimdal on OSX
     - gssapi gem support for Heimdal is not well vetted
     - OSX doesn't export Kerberos IOV functions needed for MS DCE RPC
   * Does not work from a Windows node as winrm / gssapi gems only
     support MIT Kerberos, and Windows has its own APIs
   * Has been manually tested in a simple AD environment that has a
     CentOS host domain joined to Windows Active Directory

 - Provides initial support for the --realm command line switch, which
   can be used instead of --username / --password.

   Note that Kerberos is an authentication method, not a transport, so
   can be used with or without SSL just like other authentication.

 - Manual verification includes the following steps:

   * Acquire ticket from KDC (in this case Active Directory)

[centos@bolt-dev-centos7 bolt]$ echo '*****!' | kinit -C Administrator@bolt.puppet
Password for Administrator@bolt.puppet:

[centos@bolt-dev-centos7 bolt]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: Administrator@BOLT.PUPPET

Valid starting       Expires              Service principal
07/12/2019 18:18:04  07/13/2019 04:18:04  krbtgt/BOLT.PUPPET@BOLT.PUPPET
	renew until 07/19/2019 18:18:04

   * Ask Bolt to run a command over WinRM over HTTPS using the AD domain as realm

[centos@bolt-dev-centos7 bolt]$ bundle exec bolt command run 'whoami' --targets winrm://bolt-dc.bolt.puppet --realm BOLT.PUPPET --no-ssl-verify
Started on bolt-dc.bolt.puppet...
Finished on bolt-dc.bolt.puppet:
  STDOUT:
    bolt\administrator
Successful on 1 node: winrm://bolt-dc.bolt.puppet
Ran on 1 node in 0.82 seconds

   * Verify Kerberos tickets (note the new `HTTP` service ticket)

[centos@bolt-dev-centos7 bolt]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: Administrator@BOLT.PUPPET

Valid starting       Expires              Service principal
07/12/2019 18:18:20  07/13/2019 04:18:04  HTTP/bolt-dc.bolt.puppet@BOLT.PUPPET
	renew until 07/19/2019 18:18:04
07/12/2019 18:18:04  07/13/2019 04:18:04  krbtgt/BOLT.PUPPET@BOLT.PUPPET
	renew until 07/19/2019 18:18:04

   * Ask Bolt to run a command over WinRM over HTTP using the AD domain as realm

[centos@bolt-dev-centos7 bolt]$ bundle exec bolt command run 'whoami' --targets winrm://bolt-dc.bolt.puppet --realm BOLT.PUPPET --no-ssl
Started on bolt-dc.bolt.puppet...
Finished on bolt-dc.bolt.puppet:
  STDOUT:
    bolt\administrator
Successful on 1 node: winrm://bolt-dc.bolt.puppet
Ran on 1 node in 0.74 seconds

   * Verify an incorrectly specified realm fails to connect over HTTP

[centos@bolt-dev-centos7 bolt]$ bundle exec bolt command run 'whoami' --targets winrm://bolt-dc.bolt.puppet --realm foo --no-ssl
Started on bolt-dc.bolt.puppet...
Failed on bolt-dc.bolt.puppet:
  Failed to connect to http://bolt-dc.bolt.puppet:5985/wsman: gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure.  Minor code may provide more information
  Server not found in Kerberos database
Failed on 1 node: winrm://bolt-dc.bolt.puppet
Ran on 1 node in 0.22 seconds

   * Verify an incorrectly specified realm fails to connect over HTTPS

[centos@bolt-dev-centos7 bolt]$ bundle exec bolt command run 'whoami' --targets winrm://bolt-dc.bolt.puppet --realm foo --no-ssl-verify
Started on bolt-dc.bolt.puppet...
Failed on bolt-dc.bolt.puppet:
  Failed to connect to https://bolt-dc.bolt.puppet:5986/wsman: gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure.  Minor code may provide more information
  Server not found in Kerberos database
Failed on 1 node: winrm://bolt-dc.bolt.puppet
Ran on 1 node in 0.16 seconds

 - This PR also relies on version 2.3.2 of the winrm gem which includes
   a critical Kerberos encryption bug that was fixed in
   WinRb/WinRM#302

 - There is a separate PR which will add a Docker container setup to
   verify Kerberos in an automated fashion against TravisCI using
   Samba and OMI server. At present, there is a problem properly
   establishing a connection between the WinRM gem and OMI server, which
   appears to be a bug in the WinRM gem protocol handling.

 - Windows support is https://tickets.puppet.com/browse/BOLT-1323

 - OSX support is https://tickets.puppet.com/browse/BOLT-1471
Iristyle added a commit to Iristyle/bolt that referenced this pull request Jul 17, 2019
 - This PR is considered experimental due to a number of current
   limitations:

   * Works only with MIT Kerberos from a Linux node
   * Does not work with Heimdal on OSX
     - gssapi gem support for Heimdal is not well vetted
     - OSX doesn't export Kerberos IOV functions needed for MS DCE RPC
   * Does not work from a Windows node as winrm / gssapi gems only
     support MIT Kerberos, and Windows has its own APIs
   * Has been manually tested in a simple AD environment that has a
     CentOS host domain joined to Windows Active Directory

 - Provides initial support for the --realm command line switch, which
   can be used instead of --username / --password.

   Note that Kerberos is an authentication method, not a transport, so
   can be used with or without SSL just like other authentication.

 - Automatic tests have been scaffolded, to be completed in a future PR
   that enables a Kerberos authentication test setup through Docker

 - Manual verification includes the following steps:

   * Acquire ticket from KDC (in this case Active Directory)

[centos@bolt-dev-centos7 bolt]$ echo '*****!' | kinit -C Administrator@bolt.puppet
Password for Administrator@bolt.puppet:

[centos@bolt-dev-centos7 bolt]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: Administrator@BOLT.PUPPET

Valid starting       Expires              Service principal
07/12/2019 18:18:04  07/13/2019 04:18:04  krbtgt/BOLT.PUPPET@BOLT.PUPPET
	renew until 07/19/2019 18:18:04

   * Ask Bolt to run a command over WinRM over HTTPS using the AD domain as realm

[centos@bolt-dev-centos7 bolt]$ bundle exec bolt command run 'whoami' --targets winrm://bolt-dc.bolt.puppet --realm BOLT.PUPPET --no-ssl-verify
Started on bolt-dc.bolt.puppet...
Finished on bolt-dc.bolt.puppet:
  STDOUT:
    bolt\administrator
Successful on 1 node: winrm://bolt-dc.bolt.puppet
Ran on 1 node in 0.82 seconds

   * Verify Kerberos tickets (note the new `HTTP` service ticket)

[centos@bolt-dev-centos7 bolt]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: Administrator@BOLT.PUPPET

Valid starting       Expires              Service principal
07/12/2019 18:18:20  07/13/2019 04:18:04  HTTP/bolt-dc.bolt.puppet@BOLT.PUPPET
	renew until 07/19/2019 18:18:04
07/12/2019 18:18:04  07/13/2019 04:18:04  krbtgt/BOLT.PUPPET@BOLT.PUPPET
	renew until 07/19/2019 18:18:04

   * Ask Bolt to run a command over WinRM over HTTP using the AD domain as realm

[centos@bolt-dev-centos7 bolt]$ bundle exec bolt command run 'whoami' --targets winrm://bolt-dc.bolt.puppet --realm BOLT.PUPPET --no-ssl
Started on bolt-dc.bolt.puppet...
Finished on bolt-dc.bolt.puppet:
  STDOUT:
    bolt\administrator
Successful on 1 node: winrm://bolt-dc.bolt.puppet
Ran on 1 node in 0.74 seconds

   * Verify an incorrectly specified realm fails to connect over HTTP

[centos@bolt-dev-centos7 bolt]$ bundle exec bolt command run 'whoami' --targets winrm://bolt-dc.bolt.puppet --realm foo --no-ssl
Started on bolt-dc.bolt.puppet...
Failed on bolt-dc.bolt.puppet:
  Failed to connect to http://bolt-dc.bolt.puppet:5985/wsman: gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure.  Minor code may provide more information
  Server not found in Kerberos database
Failed on 1 node: winrm://bolt-dc.bolt.puppet
Ran on 1 node in 0.22 seconds

   * Verify an incorrectly specified realm fails to connect over HTTPS

[centos@bolt-dev-centos7 bolt]$ bundle exec bolt command run 'whoami' --targets winrm://bolt-dc.bolt.puppet --realm foo --no-ssl-verify
Started on bolt-dc.bolt.puppet...
Failed on bolt-dc.bolt.puppet:
  Failed to connect to https://bolt-dc.bolt.puppet:5986/wsman: gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure.  Minor code may provide more information
  Server not found in Kerberos database
Failed on 1 node: winrm://bolt-dc.bolt.puppet
Ran on 1 node in 0.16 seconds

 - This PR also relies on version 2.3.2 of the winrm gem which includes
   a critical Kerberos encryption bug that was fixed in
   WinRb/WinRM#302

 - There is a separate PR which will add a Docker container setup to
   verify Kerberos in an automated fashion against TravisCI using
   Samba and OMI server. At present, there is a problem properly
   establishing a connection between the WinRM gem and OMI server, which
   appears to be a bug in the WinRM gem protocol handling.

 - Windows support is https://tickets.puppet.com/browse/BOLT-1323

 - OSX support is https://tickets.puppet.com/browse/BOLT-1471
Iristyle added a commit to Iristyle/bolt that referenced this pull request Jul 17, 2019
 - This PR is considered experimental due to a number of current
   limitations:

   * Works only with MIT Kerberos from a Linux node
   * Does not work with Heimdal on OSX
     - gssapi gem support for Heimdal is not well vetted
     - OSX doesn't export Kerberos IOV functions needed for MS DCE RPC
   * Does not work from a Windows node as winrm / gssapi gems only
     support MIT Kerberos, and Windows has its own APIs
   * Has been manually tested in a simple AD environment that has a
     CentOS host domain joined to Windows Active Directory

 - Provides initial support for the --realm command line switch, which
   can be used instead of --username / --password.

   Note that Kerberos is an authentication method, not a transport, so
   can be used with or without SSL just like other authentication.

 - Automated tests have been scaffolded, to be completed in a future PR
   that enables a Kerberos authentication test setup through Docker

 - Manual verification includes the following steps:

   * Acquire ticket from KDC (in this case Active Directory)

[centos@bolt-dev-centos7 bolt]$ echo '*****!' | kinit -C Administrator@bolt.puppet
Password for Administrator@bolt.puppet:

[centos@bolt-dev-centos7 bolt]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: Administrator@BOLT.PUPPET

Valid starting       Expires              Service principal
07/12/2019 18:18:04  07/13/2019 04:18:04  krbtgt/BOLT.PUPPET@BOLT.PUPPET
	renew until 07/19/2019 18:18:04

   * Ask Bolt to run a command over WinRM over HTTPS using the AD domain as realm

[centos@bolt-dev-centos7 bolt]$ bundle exec bolt command run 'whoami' --targets winrm://bolt-dc.bolt.puppet --realm BOLT.PUPPET --no-ssl-verify
Started on bolt-dc.bolt.puppet...
Finished on bolt-dc.bolt.puppet:
  STDOUT:
    bolt\administrator
Successful on 1 node: winrm://bolt-dc.bolt.puppet
Ran on 1 node in 0.82 seconds

   * Verify Kerberos tickets (note the new `HTTP` service ticket)

[centos@bolt-dev-centos7 bolt]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: Administrator@BOLT.PUPPET

Valid starting       Expires              Service principal
07/12/2019 18:18:20  07/13/2019 04:18:04  HTTP/bolt-dc.bolt.puppet@BOLT.PUPPET
	renew until 07/19/2019 18:18:04
07/12/2019 18:18:04  07/13/2019 04:18:04  krbtgt/BOLT.PUPPET@BOLT.PUPPET
	renew until 07/19/2019 18:18:04

   * Ask Bolt to run a command over WinRM over HTTP using the AD domain as realm

[centos@bolt-dev-centos7 bolt]$ bundle exec bolt command run 'whoami' --targets winrm://bolt-dc.bolt.puppet --realm BOLT.PUPPET --no-ssl
Started on bolt-dc.bolt.puppet...
Finished on bolt-dc.bolt.puppet:
  STDOUT:
    bolt\administrator
Successful on 1 node: winrm://bolt-dc.bolt.puppet
Ran on 1 node in 0.74 seconds

   * Verify an incorrectly specified realm fails to connect over HTTP

[centos@bolt-dev-centos7 bolt]$ bundle exec bolt command run 'whoami' --targets winrm://bolt-dc.bolt.puppet --realm foo --no-ssl
Started on bolt-dc.bolt.puppet...
Failed on bolt-dc.bolt.puppet:
  Failed to connect to http://bolt-dc.bolt.puppet:5985/wsman: gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure.  Minor code may provide more information
  Server not found in Kerberos database
Failed on 1 node: winrm://bolt-dc.bolt.puppet
Ran on 1 node in 0.22 seconds

   * Verify an incorrectly specified realm fails to connect over HTTPS

[centos@bolt-dev-centos7 bolt]$ bundle exec bolt command run 'whoami' --targets winrm://bolt-dc.bolt.puppet --realm foo --no-ssl-verify
Started on bolt-dc.bolt.puppet...
Failed on bolt-dc.bolt.puppet:
  Failed to connect to https://bolt-dc.bolt.puppet:5986/wsman: gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure.  Minor code may provide more information
  Server not found in Kerberos database
Failed on 1 node: winrm://bolt-dc.bolt.puppet
Ran on 1 node in 0.16 seconds

 - This PR also relies on version 2.3.2 of the winrm gem which includes
   a critical Kerberos encryption bug that was fixed in
   WinRb/WinRM#302

 - There is a separate PR which will add a Docker container setup to
   verify Kerberos in an automated fashion against TravisCI using
   Samba and OMI server. At present, there is a problem properly
   establishing a connection between the WinRM gem and OMI server, which
   appears to be a bug in the WinRM gem protocol handling.

 - Windows support is https://tickets.puppet.com/browse/BOLT-1323

 - OSX support is https://tickets.puppet.com/browse/BOLT-1471
Iristyle added a commit to Iristyle/bolt that referenced this pull request Jul 17, 2019
 - This PR is considered experimental due to a number of current
   limitations:

   * Works only with MIT Kerberos from a Linux node
   * Does not work with Heimdal on OSX
     - gssapi gem support for Heimdal is not well vetted
     - OSX doesn't export Kerberos IOV functions needed for MS DCE RPC
   * Does not work from a Windows node as winrm / gssapi gems only
     support MIT Kerberos, and Windows has its own APIs
   * Has been manually tested in a simple AD environment that has a
     CentOS host domain joined to Windows Active Directory

 - Provides initial support for the --realm command line switch, which
   can be used instead of --username / --password.

   Note that Kerberos is an authentication method, not a transport, so
   can be used with or without SSL just like other authentication.

 - Automated tests have been scaffolded, to be completed in a future PR
   that enables a Kerberos authentication test setup through Docker

 - Some basic developer docs are in place describing some Kerberos
   basics

 - Manual verification includes the following steps:

   * Acquire ticket from KDC (in this case Active Directory)

[centos@bolt-dev-centos7 bolt]$ echo '*****!' | kinit -C Administrator@bolt.puppet
Password for Administrator@bolt.puppet:

[centos@bolt-dev-centos7 bolt]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: Administrator@BOLT.PUPPET

Valid starting       Expires              Service principal
07/12/2019 18:18:04  07/13/2019 04:18:04  krbtgt/BOLT.PUPPET@BOLT.PUPPET
	renew until 07/19/2019 18:18:04

   * Ask Bolt to run a command over WinRM over HTTPS using the AD domain as realm

[centos@bolt-dev-centos7 bolt]$ bundle exec bolt command run 'whoami' --targets winrm://bolt-dc.bolt.puppet --realm BOLT.PUPPET --no-ssl-verify
Started on bolt-dc.bolt.puppet...
Finished on bolt-dc.bolt.puppet:
  STDOUT:
    bolt\administrator
Successful on 1 node: winrm://bolt-dc.bolt.puppet
Ran on 1 node in 0.82 seconds

   * Verify Kerberos tickets (note the new `HTTP` service ticket)

[centos@bolt-dev-centos7 bolt]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: Administrator@BOLT.PUPPET

Valid starting       Expires              Service principal
07/12/2019 18:18:20  07/13/2019 04:18:04  HTTP/bolt-dc.bolt.puppet@BOLT.PUPPET
	renew until 07/19/2019 18:18:04
07/12/2019 18:18:04  07/13/2019 04:18:04  krbtgt/BOLT.PUPPET@BOLT.PUPPET
	renew until 07/19/2019 18:18:04

   * Ask Bolt to run a command over WinRM over HTTP using the AD domain as realm

[centos@bolt-dev-centos7 bolt]$ bundle exec bolt command run 'whoami' --targets winrm://bolt-dc.bolt.puppet --realm BOLT.PUPPET --no-ssl
Started on bolt-dc.bolt.puppet...
Finished on bolt-dc.bolt.puppet:
  STDOUT:
    bolt\administrator
Successful on 1 node: winrm://bolt-dc.bolt.puppet
Ran on 1 node in 0.74 seconds

   * Verify an incorrectly specified realm fails to connect over HTTP

[centos@bolt-dev-centos7 bolt]$ bundle exec bolt command run 'whoami' --targets winrm://bolt-dc.bolt.puppet --realm foo --no-ssl
Started on bolt-dc.bolt.puppet...
Failed on bolt-dc.bolt.puppet:
  Failed to connect to http://bolt-dc.bolt.puppet:5985/wsman: gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure.  Minor code may provide more information
  Server not found in Kerberos database
Failed on 1 node: winrm://bolt-dc.bolt.puppet
Ran on 1 node in 0.22 seconds

   * Verify an incorrectly specified realm fails to connect over HTTPS

[centos@bolt-dev-centos7 bolt]$ bundle exec bolt command run 'whoami' --targets winrm://bolt-dc.bolt.puppet --realm foo --no-ssl-verify
Started on bolt-dc.bolt.puppet...
Failed on bolt-dc.bolt.puppet:
  Failed to connect to https://bolt-dc.bolt.puppet:5986/wsman: gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure.  Minor code may provide more information
  Server not found in Kerberos database
Failed on 1 node: winrm://bolt-dc.bolt.puppet
Ran on 1 node in 0.16 seconds

 - This PR also relies on version 2.3.2 of the winrm gem which includes
   a critical Kerberos encryption bug that was fixed in
   WinRb/WinRM#302

 - There is a separate PR which will add a Docker container setup to
   verify Kerberos in an automated fashion against TravisCI using
   Samba and OMI server. At present, there is a problem properly
   establishing a connection between the WinRM gem and OMI server, which
   appears to be a bug in the WinRM gem protocol handling.

 - Windows support is https://tickets.puppet.com/browse/BOLT-1323

 - OSX support is https://tickets.puppet.com/browse/BOLT-1471
Iristyle added a commit to Iristyle/bolt that referenced this pull request Jul 19, 2019
 - This PR is considered experimental due to a number of current
   limitations:

   * Works only with MIT Kerberos from a Linux node
   * Does not work with Heimdal on OSX
     - gssapi gem support for Heimdal is not well vetted
     - OSX doesn't export Kerberos IOV functions needed for MS DCE RPC
   * Does not work from a Windows node as winrm / gssapi gems only
     support MIT Kerberos, and Windows has its own APIs
   * Has been manually tested in a simple AD environment that has a
     CentOS host domain joined to Windows Active Directory

 - Provides initial support for the --realm command line switch, which
   can be used instead of --username / --password.

   Note that Kerberos is an authentication method, not a transport, so
   can be used with or without SSL just like other authentication.

 - Automated tests have been scaffolded, to be completed in a future PR
   that enables a Kerberos authentication test setup through Docker

 - Some basic developer docs are in place describing some Kerberos
   basics

 - Manual verification includes the following steps:

   * Acquire ticket from KDC (in this case Active Directory)

[centos@bolt-dev-centos7 bolt]$ echo '*****!' | kinit -C Administrator@bolt.puppet
Password for Administrator@bolt.puppet:

[centos@bolt-dev-centos7 bolt]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: Administrator@BOLT.PUPPET

Valid starting       Expires              Service principal
07/12/2019 18:18:04  07/13/2019 04:18:04  krbtgt/BOLT.PUPPET@BOLT.PUPPET
	renew until 07/19/2019 18:18:04

   * Ask Bolt to run a command over WinRM over HTTPS using the AD domain as realm

[centos@bolt-dev-centos7 bolt]$ bundle exec bolt command run 'whoami' --targets winrm://bolt-dc.bolt.puppet --realm BOLT.PUPPET --no-ssl-verify
Started on bolt-dc.bolt.puppet...
Finished on bolt-dc.bolt.puppet:
  STDOUT:
    bolt\administrator
Successful on 1 node: winrm://bolt-dc.bolt.puppet
Ran on 1 node in 0.82 seconds

   * Verify Kerberos tickets (note the new `HTTP` service ticket)

[centos@bolt-dev-centos7 bolt]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: Administrator@BOLT.PUPPET

Valid starting       Expires              Service principal
07/12/2019 18:18:20  07/13/2019 04:18:04  HTTP/bolt-dc.bolt.puppet@BOLT.PUPPET
	renew until 07/19/2019 18:18:04
07/12/2019 18:18:04  07/13/2019 04:18:04  krbtgt/BOLT.PUPPET@BOLT.PUPPET
	renew until 07/19/2019 18:18:04

   * Ask Bolt to run a command over WinRM over HTTP using the AD domain as realm

[centos@bolt-dev-centos7 bolt]$ bundle exec bolt command run 'whoami' --targets winrm://bolt-dc.bolt.puppet --realm BOLT.PUPPET --no-ssl
Started on bolt-dc.bolt.puppet...
Finished on bolt-dc.bolt.puppet:
  STDOUT:
    bolt\administrator
Successful on 1 node: winrm://bolt-dc.bolt.puppet
Ran on 1 node in 0.74 seconds

   * Verify an incorrectly specified realm fails to connect over HTTP

[centos@bolt-dev-centos7 bolt]$ bundle exec bolt command run 'whoami' --targets winrm://bolt-dc.bolt.puppet --realm foo --no-ssl
Started on bolt-dc.bolt.puppet...
Failed on bolt-dc.bolt.puppet:
  Failed to connect to http://bolt-dc.bolt.puppet:5985/wsman: gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure.  Minor code may provide more information
  Server not found in Kerberos database
Failed on 1 node: winrm://bolt-dc.bolt.puppet
Ran on 1 node in 0.22 seconds

   * Verify an incorrectly specified realm fails to connect over HTTPS

[centos@bolt-dev-centos7 bolt]$ bundle exec bolt command run 'whoami' --targets winrm://bolt-dc.bolt.puppet --realm foo --no-ssl-verify
Started on bolt-dc.bolt.puppet...
Failed on bolt-dc.bolt.puppet:
  Failed to connect to https://bolt-dc.bolt.puppet:5986/wsman: gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure.  Minor code may provide more information
  Server not found in Kerberos database
Failed on 1 node: winrm://bolt-dc.bolt.puppet
Ran on 1 node in 0.16 seconds

 - This PR also relies on version 2.3.2 of the winrm gem which includes
   a critical Kerberos encryption bug that was fixed in
   WinRb/WinRM#302

 - There is a separate PR which will add a Docker container setup to
   verify Kerberos in an automated fashion against TravisCI using
   Samba and OMI server. At present, there is a problem properly
   establishing a connection between the WinRM gem and OMI server, which
   appears to be a bug in the WinRM gem protocol handling.

 - Windows support is https://tickets.puppet.com/browse/BOLT-1323

 - OSX support is https://tickets.puppet.com/browse/BOLT-1471
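The winrm gem defect that WinRb/WinRM#302 fixes, shown as an added Ruby example that is not code from the gem or this PR: the length/header/payload framing and the sample bytes are constructed, and only the before/after unpack directives ('A' versus 'a') follow the fix.

```ruby
# Added example (not code from the winrm gem or this PR): why String#unpack's
# 'A' directive corrupts the length-prefixed binary frame that winrm_decrypt
# splits apart, and why 'a' is the right directive. The frame layout here
# (native 32-bit length, then header bytes, then the remaining ciphertext) is a
# constructed stand-in and no GSSAPI call is made.

# Build a frame: length of header, header, then everything else.
def frame(header, payload)
  [header.bytesize].pack('L') + header + payload
end

# Before the fix: 'A' consumes the right number of bytes but then strips
# trailing NUL (0x00) and ASCII space (0x20) bytes from each returned field,
# so any header or ciphertext that happens to end in those bytes is truncated.
def split_with_A(str)
  len = str.b.unpack('L').first
  _, header, payload = str.b.unpack("LA#{len}A*")
  [header, payload]
end

# After the fix: 'a' returns every byte of each field unchanged.
def split_with_a(str)
  len = str.b.unpack('L').first
  _, header, payload = str.b.unpack("La#{len}a*")
  [header, payload]
end

# Constructed sample bytes: a 16-byte "header" whose last three bytes are NUL
# and a 9-byte "ciphertext" ending in a space and two NULs. If ciphertext bytes
# are uniform, about 1 message in 128 ends in one of those two byte values,
# which matches the intermittent failures the PR describes.
SAMPLE_HEADER  = [0x60, 0x17, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
                  0xf7, 0x12, 0x01, 0x02, 0x02, 0x00, 0x00, 0x00].pack('C*')
SAMPLE_PAYLOAD = [0x9b, 0xe5, 0x9b, 0xe9, 0xfe, 0xbb, 0x20, 0x00, 0x00].pack('C*')

# Split the same frame both ways and report what each directive hands back.
def demonstrate
  wire = frame(SAMPLE_HEADER, SAMPLE_PAYLOAD)
  bad_header, bad_payload   = split_with_A(wire)
  good_header, good_payload = split_with_a(wire)
  {
    bad_header_len:   bad_header.bytesize,   # 13: three trailing NULs dropped
    good_header_len:  good_header.bytesize,  # 16
    bad_payload_len:  bad_payload.bytesize,  # 6: space and two NULs dropped
    good_payload_len: good_payload.bytesize, # 9
    good_roundtrip:   good_header == SAMPLE_HEADER && good_payload == SAMPLE_PAYLOAD
  }
end

demonstrate.each { |name, value| puts "#{name}: #{value}" } if __FILE__ == $PROGRAM_NAME
```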
Iristyle added a commit to Iristyle/bolt that referenced this pull request Jul 19, 2019
Iristyle added a commit to Iristyle/bolt that referenced this pull request Jul 22, 2019
 - This PR is considered experimental due to a number of current
   limitations:

   * Works only with MIT Kerberos from a Linux node
   * Does not work with Heimdal on OSX
     - gssapi gem support for Heimdal is not well vetted
     - OSX doesn't export Kerberos IOV functions needed for MS DCE RPC
   * Does not work from a Windows node as winrm / gssapi gems only
     support MIT Kerberos, and Windows has its own APIs
   * Has been manually tested in a simple AD environment that has a
     CentOS host domain joined to Windows Active Directory

 - Provides initial support for the --realm command line switch, which
   can be used instead of --username / --password.

   Note that Kerberos is an authentication method, not a transport, so
   can be used with or without SSL just like other authentication.

 - Automated tests have been scaffolded, to be completed in a future PR
   that enables a Kerberos authentication test setup through Docker

 - Some basic developer docs are in place describing some Kerberos
   basics

 - Manual verification includes the following steps:

   * Acquire ticket from KDC (in this case Active Directory)

[centos@bolt-dev-centos7 bolt]$ echo '*****!' | kinit -C Administrator@bolt.puppet
Password for Administrator@bolt.puppet:

[centos@bolt-dev-centos7 bolt]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: Administrator@BOLT.PUPPET

Valid starting       Expires              Service principal
07/12/2019 18:18:04  07/13/2019 04:18:04  krbtgt/BOLT.PUPPET@BOLT.PUPPET
	renew until 07/19/2019 18:18:04

   * Show that bolt.yaml contains the default winrm realm configuration

[centos@bolt-dev-centos7 bolt]$ cat ~/.puppetlabs/bolt/bolt.yaml
---
winrm:
  realm: BOLT.PUPPET

   * Ask Bolt to run a command over WinRM over HTTPS using the AD domain as realm

[centos@bolt-dev-centos7 bolt]$ bundle exec bolt command run 'whoami' --targets winrm://bolt-dc.bolt.puppet --no-ssl-verify
Started on bolt-dc.bolt.puppet...
Finished on bolt-dc.bolt.puppet:
  STDOUT:
    bolt\administrator
Successful on 1 node: winrm://bolt-dc.bolt.puppet
Ran on 1 node in 0.82 seconds

   * Verify Kerberos tickets (note the new `HTTP` service ticket)

[centos@bolt-dev-centos7 bolt]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: Administrator@BOLT.PUPPET

Valid starting       Expires              Service principal
07/12/2019 18:18:20  07/13/2019 04:18:04  HTTP/bolt-dc.bolt.puppet@BOLT.PUPPET
	renew until 07/19/2019 18:18:04
07/12/2019 18:18:04  07/13/2019 04:18:04  krbtgt/BOLT.PUPPET@BOLT.PUPPET
	renew until 07/19/2019 18:18:04

   * Ask Bolt to run a command over WinRM over HTTP using the AD domain as realm

[centos@bolt-dev-centos7 bolt]$ bundle exec bolt command run 'whoami' --targets winrm://bolt-dc.bolt.puppet --no-ssl
Started on bolt-dc.bolt.puppet...
Finished on bolt-dc.bolt.puppet:
  STDOUT:
    bolt\administrator
Successful on 1 node: winrm://bolt-dc.bolt.puppet
Ran on 1 node in 0.74 seconds

   * Show that bolt.yaml contains an invalid realm

[centos@bolt-dev-centos7 bolt]$ cat ~/.puppetlabs/bolt/bolt.yaml
---
winrm:
  realm: foo

   * Verify an incorrectly specified realm fails to connect over HTTP

[centos@bolt-dev-centos7 bolt]$ bundle exec bolt command run 'whoami' --targets winrm://bolt-dc.bolt.puppet --no-ssl
Started on bolt-dc.bolt.puppet...
Failed on bolt-dc.bolt.puppet:
  Failed to connect to http://bolt-dc.bolt.puppet:5985/wsman: gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure.  Minor code may provide more information
  Server not found in Kerberos database
Failed on 1 node: winrm://bolt-dc.bolt.puppet
Ran on 1 node in 0.22 seconds

   * Verify an incorrectly specified realm fails to connect over HTTPS

[centos@bolt-dev-centos7 bolt]$ bundle exec bolt command run 'whoami' --targets winrm://bolt-dc.bolt.puppet --no-ssl-verify
Started on bolt-dc.bolt.puppet...
Failed on bolt-dc.bolt.puppet:
  Failed to connect to https://bolt-dc.bolt.puppet:5986/wsman: gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure.  Minor code may provide more information
  Server not found in Kerberos database
Failed on 1 node: winrm://bolt-dc.bolt.puppet
Ran on 1 node in 0.16 seconds

 - This PR also relies on version 2.3.2 of the winrm gem which includes
   a critical Kerberos encryption bug that was fixed in
   WinRb/WinRM#302

 - There is a separate PR which will add a Docker container setup to
   verify Kerberos in an automated fashion against TravisCI using
   Samba and OMI server. At present, there is a problem properly
   establishing a connection between the WinRM gem and OMI server, which
   appears to be a bug in the WinRM gem protocol handling.

 - Windows support is https://tickets.puppet.com/browse/BOLT-1323

 - OSX support is https://tickets.puppet.com/browse/BOLT-1471
Iristyle added a commit to Iristyle/bolt that referenced this pull request Jul 22, 2019
 - This PR is considered experimental due to a number of current
   limitations:

   * Works only with MIT Kerberos from a Linux node
   * Does not work with Heimdal on OSX
     - gssapi gem support for Heimdal is not well vetted
     - OSX doesn't export Kerberos IOV functions needed for MS DCE RPC
   * Does not work from a Windows node as winrm / gssapi gems only
     support MIT Kerberos, and Windows has its own APIs
   * Has been manually tested in a simple AD environment that has a
     CentOS host domain joined to Windows Active Directory

   Note that Kerberos is an authentication method, not a transport, so
   can be used with or without SSL just like other authentication.

 - Automated tests have been scaffolded, to be completed in a future PR
   that enables a Kerberos authentication test setup through Docker

 - Some basic developer docs are in place describing some Kerberos
   basics

 - Manual verification includes the following steps:

   * Acquire ticket from KDC (in this case Active Directory)

[centos@bolt-dev-centos7 bolt]$ echo '*****!' | kinit -C Administrator@bolt.puppet
Password for Administrator@bolt.puppet:

[centos@bolt-dev-centos7 bolt]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: Administrator@BOLT.PUPPET

Valid starting       Expires              Service principal
07/12/2019 18:18:04  07/13/2019 04:18:04  krbtgt/BOLT.PUPPET@BOLT.PUPPET
	renew until 07/19/2019 18:18:04

   * Show that bolt.yaml contains the default winrm realm configuration

[centos@bolt-dev-centos7 bolt]$ cat ~/.puppetlabs/bolt/bolt.yaml
---
winrm:
  realm: BOLT.PUPPET

   * Ask Bolt to run a command over WinRM over HTTPS using the AD domain as realm

[centos@bolt-dev-centos7 bolt]$ bundle exec bolt command run 'whoami' --targets winrm://bolt-dc.bolt.puppet --no-ssl-verify
Started on bolt-dc.bolt.puppet...
Finished on bolt-dc.bolt.puppet:
  STDOUT:
    bolt\administrator
Successful on 1 node: winrm://bolt-dc.bolt.puppet
Ran on 1 node in 0.82 seconds

   * Verify Kerberos tickets (note the new `HTTP` service ticket)

[centos@bolt-dev-centos7 bolt]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: Administrator@BOLT.PUPPET

Valid starting       Expires              Service principal
07/12/2019 18:18:20  07/13/2019 04:18:04  HTTP/bolt-dc.bolt.puppet@BOLT.PUPPET
	renew until 07/19/2019 18:18:04
07/12/2019 18:18:04  07/13/2019 04:18:04  krbtgt/BOLT.PUPPET@BOLT.PUPPET
	renew until 07/19/2019 18:18:04

   * Ask Bolt to run a command over WinRM over HTTP using the AD domain as realm

[centos@bolt-dev-centos7 bolt]$ bundle exec bolt command run 'whoami' --targets winrm://bolt-dc.bolt.puppet --no-ssl
Started on bolt-dc.bolt.puppet...
Finished on bolt-dc.bolt.puppet:
  STDOUT:
    bolt\administrator
Successful on 1 node: winrm://bolt-dc.bolt.puppet
Ran on 1 node in 0.74 seconds

   * Show that bolt.yaml contains an invalid realm

[centos@bolt-dev-centos7 bolt]$ cat ~/.puppetlabs/bolt/bolt.yaml
---
winrm:
  realm: foo

   * Verify an incorrectly specified realm fails to connect over HTTP

[centos@bolt-dev-centos7 bolt]$ bundle exec bolt command run 'whoami' --targets winrm://bolt-dc.bolt.puppet --no-ssl
Started on bolt-dc.bolt.puppet...
Failed on bolt-dc.bolt.puppet:
  Failed to connect to http://bolt-dc.bolt.puppet:5985/wsman: gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure.  Minor code may provide more information
  Server not found in Kerberos database
Failed on 1 node: winrm://bolt-dc.bolt.puppet
Ran on 1 node in 0.22 seconds

   * Verify an incorrectly specified realm fails to connect over HTTPS

[centos@bolt-dev-centos7 bolt]$ bundle exec bolt command run 'whoami' --targets winrm://bolt-dc.bolt.puppet --no-ssl-verify
Started on bolt-dc.bolt.puppet...
Failed on bolt-dc.bolt.puppet:
  Failed to connect to https://bolt-dc.bolt.puppet:5986/wsman: gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure.  Minor code may provide more information
  Server not found in Kerberos database
Failed on 1 node: winrm://bolt-dc.bolt.puppet
Ran on 1 node in 0.16 seconds

 - This PR also relies on version 2.3.2 of the winrm gem which includes
   a critical Kerberos encryption bug that was fixed in
   WinRb/WinRM#302

 - There is a separate PR which will add a Docker container setup to
   verify Kerberos in an automated fashion against TravisCI using
   Samba and OMI server. At present, there is a problem properly
   establishing a connection between the WinRM gem and OMI server, which
   appears to be a bug in the WinRM gem protocol handling.

 - Windows support is https://tickets.puppet.com/browse/BOLT-1323

 - OSX support is https://tickets.puppet.com/browse/BOLT-1471
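A scripted form of what the klist and bolt.yaml steps above verify by eye, as an added Ruby example that is not Bolt's code: it parses klist output and the winrm realm from bolt.yaml (both constructed copies of the transcript samples) and confirms an unexpired HTTP/<host>@<REALM> service ticket exists for the configured realm; parse_klist, configured_realm and kerberos_service_ticket? are hypothetical names.

```ruby
# Added example (not Bolt's code): turn the manual "look at klist" check into a
# function. A successful Kerberos WinRM authentication leaves an HTTP/<host>
# service ticket in the cache; a krbtgt entry alone shows only that kinit
# worked, not that Bolt ever used Kerberos against the target.
require 'yaml'
require 'time'

# One ticket line from `klist`: two timestamps, then the service principal.
TICKET_LINE = %r{\A(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)\z}

# Parse klist output into { principal:, expires: } hashes, skipping the
# cache/principal header, the column header and "renew until" continuations.
def parse_klist(output)
  output.each_line.map(&:strip).map do |line|
    m = TICKET_LINE.match(line)
    next unless m
    { principal: m[3], expires: Time.strptime(m[2], '%m/%d/%Y %H:%M:%S') }
  end.compact
end

# The realm Bolt will use for WinRM, read from the winrm section of bolt.yaml.
def configured_realm(bolt_yaml)
  YAML.safe_load(bolt_yaml).dig('winrm', 'realm')
end

# True when the cache holds an unexpired HTTP/<host>@<REALM> ticket for the
# given host and realm (realms are upper-case, as in the transcript).
def kerberos_service_ticket?(klist_output, host, realm, now: Time.now)
  wanted = "HTTP/#{host}@#{realm.to_s.upcase}"
  parse_klist(klist_output).any? { |t| t[:principal] == wanted && t[:expires] > now }
end

# Constructed samples, copied from the verification transcript.
SAMPLE_KLIST = <<~KLIST
  Ticket cache: KEYRING:persistent:1000:1000
  Default principal: Administrator@BOLT.PUPPET

  Valid starting       Expires              Service principal
  07/12/2019 18:18:20  07/13/2019 04:18:04  HTTP/bolt-dc.bolt.puppet@BOLT.PUPPET
  \trenew until 07/19/2019 18:18:04
  07/12/2019 18:18:04  07/13/2019 04:18:04  krbtgt/BOLT.PUPPET@BOLT.PUPPET
  \trenew until 07/19/2019 18:18:04
KLIST
SAMPLE_CONFIG = "---\nwinrm:\n  realm: BOLT.PUPPET\n"
BAD_CONFIG    = "---\nwinrm:\n  realm: foo\n"

if __FILE__ == $PROGRAM_NAME
  host = 'bolt-dc.bolt.puppet'
  [SAMPLE_CONFIG, BAD_CONFIG].each do |cfg|
    realm = configured_realm(cfg)
    ok = kerberos_service_ticket?(SAMPLE_KLIST, host, realm, now: Time.strptime('07/12/2019 19:00:00', '%m/%d/%Y %H:%M:%S'))
    puts "realm #{realm}: #{ok ? 'HTTP service ticket present' : 'no usable HTTP service ticket'}"
  end
end
```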