Puppet Task Runner: BOLT-1323

Support WinRM with Kerberos (from Windows node)


    • Sprint:
      Bolt Ready for Grooming
    • QA Risk Assessment:
      Needs Assessment


      BOLT-126 was originally intended to be for supporting Kerberos authentication over WinRM.

      After working on that effort, it was uncovered that the winrm gem only supports the MIT GSSAPI. While this is fine on Linux, where installation of the relevant packages is straightforward, it is a non-standard approach on Windows (even given the Windows installer for GSSAPI). No Windows admin wants to install an additional third-party library to access Kerberos functionality that is already built into the OS.

      Supporting Windows to Windows authentication using Kerberos and WinRM should use built-in Windows API calls, and should default to using the credentials from the active domain login (as a starting point).

      This will require adding support to the WinRM gem to provide encryption / decryption using Windows APIs.

      There are some useful details in https://docs.microsoft.com/en-us/windows/desktop/secauthn/sspi-kerberos-interoperability-with-gssapi about translating GSSAPI calls to equivalent Windows APIs:

      _iov functions may already be supported with the above APIs, but may require the *Ex versions.

      Code changes to the winrm gem will need to be made to replicate the behavior of the HttpGSSAPI class at https://github.com/WinRb/WinRM/blob/master/lib/winrm/http/transport.rb#L287-L461 in a new class, HttpSSPI.

      Ruby already has some limited helper code available around the Win32 SSPI layer, namely support for the AcquireCredentialsHandle and InitializeSecurityContext APIs - see https://github.com/ruby/ruby/blob/d48783bb0236db505fe1205d1d9822309de53a36/ext/win32/lib/win32/sspi.rb

      The code from gssapi simple that will need to be ported to a Windows API equivalent is at https://github.com/zenchild/gssapi/blob/master/lib/gssapi/simple.rb


      Some other ideas tossed around for consuming the MIT dep:

      • compile / build / redistribute Windows binaries in MSI from https://github.com/krb5/krb5
            - build once / stash as a "static" dep in Artifactory
            - build via some kind of build step in puppet-runtime
            - not great solution for testing "source"
      • drag in older prebuilt binaries from upstream somehow
      • provide docs on how to install deps in Windows


              • Assignee:
                ethan Ethan Brown
                People Involved:
                Ethan Brown