  1. Puppet Task Runner
  2. BOLT-1323

Support WinRM with Kerberos (from Windows node)

    Details

    • Type: New Feature
    • Status: Open
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Windows, WinRM
    • Labels:
      None
    • Template:
    • Team:
      Bolt
    • Sprint:
      Bolt Ready for Grooming
    • QA Risk Assessment:
      Needs Assessment

      Description

      BOLT-126 was originally intended to support Kerberos authentication over WinRM.

      After working on that effort, it was uncovered that the winrm gem only supports the MIT GSSAPI. While this is fine on Linux, where installation of the relevant packages is straightforward, it is a non-standard approach on Windows (even given the Windows installer for GSSAPI). No Windows admin wants to install an additional third-party library to access Kerberos functionality that is already built into the OS.

      Supporting Windows-to-Windows authentication using Kerberos and WinRM should use built-in Windows API calls, and should default to using the credentials from the active domain login (as a starting point).

      This will require adding support to the WinRM gem to provide encryption / decryption using Windows APIs.

      There are some useful details in https://docs.microsoft.com/en-us/windows/desktop/secauthn/sspi-kerberos-interoperability-with-gssapi about translating GSSAPI calls to equivalent Windows APIs:

      _iov functions may already be supported with the above APIs, but may require the *Ex versions.

      Code changes to the winrm gem will need to be made to replicate the behavior of the HttpGSSAPI class at https://github.com/WinRb/WinRM/blob/master/lib/winrm/http/transport.rb#L287-L461 in a new class, HttpSSPI.

      Ruby already has some limited helper code available around the Win32 SSPI layer, namely support for the AcquireCredentialsHandle and InitializeSecurityContext APIs - see https://github.com/ruby/ruby/blob/d48783bb0236db505fe1205d1d9822309de53a36/ext/win32/lib/win32/sspi.rb

      The code from gssapi simple that will need to be ported to a Windows API equivalent is at https://github.com/zenchild/gssapi/blob/master/lib/gssapi/simple.rb
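
One way to keep the split between HttpGSSAPI and a new HttpSSPI small is to confine the library-specific sealing to a context object and share the message framing. The Ruby sketch below is an added example, not code from the winrm gem or this ticket: `FakeContext`, `seal_body`, `unseal_body` and the framing constants are assumptions, and the HMAC/XOR context is a constructed stand-in so the block runs without Kerberos.

```ruby
require 'openssl'
# Added sketch, not winrm gem code. Framing constants are assumptions modelled
# on the Kerberos session-encrypted multipart layout used by WinRM.
BOUNDARY = '--Encrypted Boundary'
PROTOCOL = 'application/HTTP-Kerberos-session-encrypted'
OCTET    = "Content-Type: application/octet-stream\r\n"
TRAILER  = "#{BOUNDARY}--\r\n"

# Constructed stand-in for an established security context. A real HttpSSPI
# would seal with the Windows SSPI calls; this XOR keystream is NOT encryption.
FakeContext = Struct.new(:key) do
  def wrap(plain) # => [signature, sealed]
    [mac(plain), xor(plain)]
  end
  def unwrap(signature, sealed)
    plain = xor(sealed)
    raise ArgumentError, 'signature mismatch' unless mac(plain) == signature
    plain
  end
  private
  def mac(data)
    OpenSSL::HMAC.digest('SHA256', key, data)
  end
  def xor(data)
    data.bytes.each_with_index.map { |b, i| b ^ key.getbyte(i % key.bytesize) }.pack('C*')
  end
end

# Transport-side framing: identical whichever library backs ctx.
def seal_body(ctx, soap)
  signature, sealed = ctx.wrap(soap)
  head = "#{BOUNDARY}\r\nContent-Type: #{PROTOCOL}\r\n" \
         "OriginalContent: type=application/soap+xml;charset=UTF-8;Length=#{soap.bytesize}\r\n" \
         "#{BOUNDARY}\r\n#{OCTET}"
  head.b + [signature.bytesize].pack('V') + signature + sealed + TRAILER
end

def unseal_body(ctx, body)
  body = body.b
  start = body.index(OCTET)
  raise ArgumentError, 'not an encrypted body' unless start && body.end_with?(TRAILER)
  payload = body.byteslice(start + OCTET.bytesize, body.bytesize).delete_suffix(TRAILER)
  sig_len = payload.unpack1('V') # 4-byte little-endian signature length
  raise ArgumentError, 'truncated payload' if sig_len.nil? || payload.bytesize < 4 + sig_len
  plain = ctx.unwrap(payload.byteslice(4, sig_len), payload.byteslice(4 + sig_len, payload.bytesize))
  declared = body.byteslice(0, start)[/Length=(\d+)/, 1].to_i
  raise ArgumentError, 'length mismatch' unless declared == plain.bytesize
  plain
end
```

Replacing `FakeContext` with an object whose `wrap` and `unwrap` call the platform's sealing functions leaves `seal_body` and `unseal_body` unchanged, which is the seam a GSSAPI-backed and an SSPI-backed transport could share.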

                People

                • Assignee:
                  ethan Ethan Brown
                  Reporter:
                  ethan Ethan Brown
                  People Involved:
                  Ethan Brown