forked from gravitational/teleport
/
auth.go
97 lines (79 loc) · 2.5 KB
/
auth.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
/*
Copyright 2022 Gravitational, Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package sqlserver
import (
"github.com/gravitational/trace"
"github.com/jcmturner/gokrb5/v8/client"
"github.com/jcmturner/gokrb5/v8/config"
"github.com/jcmturner/gokrb5/v8/keytab"
"github.com/jcmturner/gokrb5/v8/spnego"
"github.com/zmb3/teleport/lib/srv/db/common"
)
// getAuth returns Kerberos authenticator used by SQL Server driver.
//
// TODO(r0mant): Unit-test this. In-memory Kerberos server?
func (c *connector) getAuth(sessionCtx *common.Session) (*krbAuth, error) {
// Load keytab.
keytab, err := keytab.Load(sessionCtx.Database.GetAD().KeytabFile)
if err != nil {
return nil, trace.Wrap(err)
}
// Load krb5.conf.
config, err := config.Load(sessionCtx.Database.GetAD().Krb5File)
if err != nil {
return nil, trace.Wrap(err)
}
// Create Kerberos client.
client := client.NewWithKeytab(
sessionCtx.DatabaseUser,
sessionCtx.Database.GetAD().Domain,
keytab,
config,
// Active Directory does not commonly support FAST negotiation.
client.DisablePAFXFAST(true))
// Login.
err = client.Login()
if err != nil {
return nil, trace.Wrap(err)
}
// Obtain service ticket for the database's Service Principal Name.
ticket, encryptionKey, err := client.GetServiceTicket(sessionCtx.Database.GetAD().SPN)
if err != nil {
return nil, trace.Wrap(err)
}
// Create init negotiation token.
initToken, err := spnego.NewNegTokenInitKRB5(client, ticket, encryptionKey)
if err != nil {
return nil, trace.Wrap(err)
}
// Marshal init negotiation token.
initTokenBytes, err := initToken.Marshal()
if err != nil {
return nil, trace.Wrap(err)
}
return &krbAuth{
initToken: initTokenBytes,
}, nil
}
// krbAuth implements SQL Server driver's "auth" interface used during login
// to provide Kerberos authentication.
type krbAuth struct {
initToken []byte
}
func (a *krbAuth) InitialBytes() ([]byte, error) {
return a.initToken, nil
}
func (a *krbAuth) NextBytes(bytes []byte) ([]byte, error) {
return nil, nil
}
func (a *krbAuth) Free() {}