From 143958f06aa43de8c241cc46e752e4a8a6f41cb7 Mon Sep 17 00:00:00 2001 From: ltamaster Date: Thu, 17 Sep 2020 19:46:07 -0300 Subject: [PATCH] add kerberos delegation --- contents/winrm-check.py | 9 ++++++++- contents/winrm-exec.py | 13 +++++++++---- contents/winrm-filecopier.py | 9 ++++++++- plugin.yaml | 24 ++++++++++++++++++++++++ 4 files changed, 49 insertions(+), 6 deletions(-) diff --git a/contents/winrm-check.py b/contents/winrm-check.py index 27d9189..70a97a3 100644 --- a/contents/winrm-check.py +++ b/contents/winrm-check.py @@ -117,6 +117,7 @@ krb5config = None kinit = "kinit" +krbdelegation = False if args.hostname: hostname = args.hostname @@ -182,6 +183,11 @@ if "RD_CONFIG_KINIT" in os.environ: kinit = os.getenv("RD_CONFIG_KINIT") +if "RD_CONFIG_KRBDELEGATION" in os.environ: + if os.getenv("RD_CONFIG_KRBDELEGATION") == "true": + krbdelegation = True + else: + krbdelegation = False endpoint=transport+'://'+hostname+':'+port @@ -194,7 +200,7 @@ log.debug("diabletls12:" + str(diabletls12)) log.debug("krb5config:" + krb5config) log.debug("kinit command:" + kinit) - +log.debug("kerberos delegation:" + str(krbdelegation)) if(certpath): log.debug("certpath:" + certpath) @@ -240,6 +246,7 @@ if authentication == "kerberos": k5bConfig = kerberosauth.KerberosAuth(krb5config=krb5config, log=log, kinit_command=kinit,username=username, password=password) k5bConfig.get_ticket() + arguments["kerberos_delegation"] = krbdelegation session = winrm.Session(target=endpoint, auth=(username, password), diff --git a/contents/winrm-exec.py b/contents/winrm-exec.py index 7118abf..480767c 100644 --- a/contents/winrm-exec.py +++ b/contents/winrm-exec.py @@ -111,6 +111,7 @@ def filter(self, record): certpath = None krb5config = None kinit = None +krbdelegation = False forceTicket = False readtimeout = None operationtimeout = None 
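Review bot: The `RD_CONFIG_KRBDELEGATION` check added in the winrm-check.py hunk `@@ -182,6 +183,11 @@` matches only the exact lowercase string `"true"`, so `True`, `TRUE` or a value with stray whitespace silently leaves delegation off, while the plugin.yaml description in this patch says "if True". Failing closed is the right default for a setting that forwards credentials, but it should be stated rather than implied by an `else` branch that re-assigns the default. `krbdelegation = os.getenv("RD_CONFIG_KRBDELEGATION", "false").strip().lower() == "true"` gives the same result in one line and tolerates case, with a comment such as `# anything other than "true" keeps delegation off`. The same five lines are repeated in winrm-exec.py (`@@ -190,6 +191,12 @@`) and winrm-filecopier.py (`@@ -298,6 +299,12 @@`).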
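Review bot: `arguments["kerberos_delegation"] = krbdelegation` in the winrm-check.py hunk `@@ -240,6 +246,7 @@` turns on forwarding of the user's TGT to the target node (per the plugin.yaml description in this patch), and nothing at the call site says what that implies: a host holding a forwarded TGT can act as that user against other services for the ticket's lifetime. I would add a comment above the assignment, e.g. `# Forwards the TGT to the target; enable only for nodes trusted for delegation`, and record the enabled state at a level operators actually collect, `if krbdelegation: log.warning("kerberos delegation enabled for " + endpoint)`, since the only trace today is a `log.debug` line. The same assignment is added in winrm-exec.py (`@@ -253,6 +257,7 @@`) and winrm-filecopier.py (`@@ -340,7 +347,7 @@`), and the filecopier hunks shown add no log line for the setting at all. The `winrm.Session(...)` call continues outside the hunk, so how `arguments` reaches it is assumed rather than visible.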
@@ -190,6 +191,12 @@ def filter(self, record): if "RD_CONFIG_KINIT" in os.environ: kinit = os.getenv("RD_CONFIG_KINIT") +if "RD_CONFIG_KRBDELEGATION" in os.environ: + if os.getenv("RD_CONFIG_KRBDELEGATION") == "true": + krbdelegation = True + else: + krbdelegation = False + log.debug("------------------------------------------") log.debug("endpoint:" + endpoint) log.debug("authentication:" + authentication) @@ -198,14 +205,11 @@ def filter(self, record): log.debug("diabletls12:" + str(diabletls12)) log.debug("krb5config:" + krb5config) log.debug("kinit command:" + kinit) +log.debug("kerberos delegation:" + str(krbdelegation)) log.debug("shell:" + shell) log.debug("readtimeout:" + str(readtimeout)) log.debug("operationtimeout:" + str(operationtimeout)) log.debug("exit Behaviour:" + exitBehaviour) - - - - log.debug("------------------------------------------") if not URLLIB_INSTALLED: @@ -253,6 +257,7 @@ def filter(self, record): if authentication == "kerberos": k5bConfig = kerberosauth.KerberosAuth(krb5config=krb5config, log=log, kinit_command=kinit,username=username, password=password) k5bConfig.get_ticket() + arguments["kerberos_delegation"] = krbdelegation session = winrm.Session(target=endpoint, auth=(username, password), diff --git a/contents/winrm-filecopier.py b/contents/winrm-filecopier.py index 3f85e96..40eba4d 100644 --- a/contents/winrm-filecopier.py +++ b/contents/winrm-filecopier.py @@ -243,6 +243,7 @@ def winrm_upload(self, diabletls12 = False kinit = None krb5config = None +krbdelegation = False forceTicket = False if "RD_CONFIG_AUTHTYPE" in os.environ: @@ -298,6 +299,12 @@ def winrm_upload(self, if "RD_CONFIG_KINIT" in os.environ: kinit = os.getenv("RD_CONFIG_KINIT") +if "RD_CONFIG_KRBDELEGATION" in os.environ: + if os.getenv("RD_CONFIG_KRBDELEGATION") == "true": + krbdelegation = True + else: + krbdelegation = False + endpoint = transport+'://'+args.hostname+':'+port arguments = {} 
@@ -340,7 +347,7 @@ def winrm_upload(self, if authentication == "kerberos": k5bConfig = kerberosauth.KerberosAuth(krb5config=krb5config, log=log, kinit_command=kinit,username=username, password=password) k5bConfig.get_ticket() - + arguments["kerberos_delegation"] = krbdelegation session = winrm.Session(target=endpoint, auth=(username, password), diff --git a/plugin.yaml b/plugin.yaml index 3219f65..c8bd1e8 100644 --- a/plugin.yaml +++ b/plugin.yaml @@ -165,6 +165,14 @@ providers: required: false renderingOptions: groupName: Kerberos + - name: krbdelegation + title: Kerberos Delegations + description: "Kerberos Delegation: if True, TGT is sent to target server to allow multiple hops" + type: Boolean + default: "false" + required: false + renderingOptions: + groupName: Kerberos - name: WinRMcpPython title: WinRM Python File Copier description: Copying files to remote Windows computer @@ -283,6 +291,14 @@ providers: required: false renderingOptions: groupName: Kerberos + - name: krbdelegation + title: Kerberos Delegations + description: "Kerberos Delegation: if True, TGT is sent to target server to allow multiple hops" + type: Boolean + default: "false" + required: false + renderingOptions: + groupName: Kerberos - name: WinRMCheck title: WinRM Check Step description: Check the connection with a remote node using winrm-python @@ -377,4 +393,12 @@ providers: required: false renderingOptions: groupName: Kerberos + - name: krbdelegation + title: Kerberos Delegations + description: "Kerberos Delegation: if True, TGT is sent to target server to allow multiple hops" + type: Boolean + default: "false" + required: false + renderingOptions: + groupName: Kerberos
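Review bot: The `description` added for `krbdelegation` in the plugin.yaml hunk `@@ -165,6 +165,14 @@` says what the option does but not what it costs: with it on, the node receives a ticket it can reuse on the user's behalf, so the text should say when to enable it. Something like `description: "Forward the Kerberos TGT to the target node so commands can authenticate to further hosts (multiple hops). Enable only for nodes trusted for delegation."` would cover it. The title `Kerberos Delegations` reads better in the singular, and "if True" should match the lowercase `"true"` value the scripts compare against. The same eight lines are repeated for the other two providers (`@@ -283,6 +291,14 @@` and `@@ -377,4 +393,12 @@`).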