
Feature request: Credssp

Open agail opened this issue 4 years ago • 2 comments

SUMMARY

Read your extensive post in hunt for a solution for Credssp, most impressive, got me all dizzy ;)

Seems authentication w/ CredSSP is the only way to get an elevated powershell session on a remote system. My specific problem is that Add-DnsServerResourceRecord doesn't seem to exist on PS for Linux, which leads me to create and enter a remote-session, but then when I try to add I get permission denied. If I run the same commands on the windows host, as the remote user, it succeeds.

Currently I'm using https://github.com/quickbreach/PowerShell-NTLM docker image, getting powershell onto Ubuntu 20.04 was quite a hassle and the latter didn't include the "missing" modules either.

For the record, I'm quite new to powershell

LIBMI VERSION

OS / ENVIRONMENT

Docker:

Name                           Value
----                           -----
PSVersion                      6.1.1
PSEdition                      Core
GitCommitId                    6.1.1
OS                             Linux 4.15.0-123-generic #126-Ubuntu SMP Wed Oct 21 09:40:11 UTC 2020
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Native install Ubuntu 20.04:

Name                           Value
----                           -----
PSVersion                      7.1.0
PSEdition                      Core
GitCommitId                    7.1.0
OS                             Linux 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

agail • Nov 23 '20 15:11

Seems authentication w/ CredSSP is the only way to get an elevated powershell session on a remote system.

Just so I don't mix up terms later in this comment I thought it best to clarify this point. The issue that CredSSP is designed to "fix" is a problem when re-authenticating as your account on further network hops. Say I'm connecting to host1 through PowerShell and I'm running Get-Content -Path '\\host2\share\file.txt'. For me to access \\host2\share\file.txt I need to authenticate myself to prove I am who I say I am. Typically this is done by sending an NTLM or Kerberos token which is derived from the password I used when I logged on.

Because a network logon done by PowerShell is done by that NTLM/Kerberos token, my process on host1 does not have enough information to generate a new token when I'm going to re-authenticate with host2. At this point I appear as an anonymous user to host2, causing the "access is denied" error message.

What CredSSP does is, during the authentication process to host1, send my username and password as part of the authentication process, which means that the remote logon on host1 has enough information to generate further NTLM/Kerberos tokens for it to access host2. In terms of permissions in the traditional elevated vs non-elevated sense on Windows the process is elevated, it just cannot re-authenticate itself against another host without CredSSP.

My specific problem is that Add-DnsServerResourceRecord doesn't seem to exist on PS for Linux, which leads me to create and enter a remote-session, but then when I try to add I get permission denied

Yep this is the same credential delegation/double hop problem that CredSSP can fix. I highly recommend you read through https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/ps-remoting-second-hop?view=powershell-7.1 which goes into way more detail than the blog post you shared and gives some alternatives to CredSSP that are entirely possible in this library right now. For instance here are some of the options it has and what you can use here

| Option | Details |
| --- | --- |
| CredSSP | Not implemented in this library |
| Kerberos delegation | Definitely possible, requires Kerberos auth (not NTLM) and a few tweaks in AD |
| JEA | Also possible, just need to specify -ConfigurationName on your Invoke-Command call. Requires the endpoint to be configured on the server side |
| Explicit credential in scriptblock | Also possible but may be difficult depending on the cmdlet you want to use |

Luckily your Add-DnsServerResourceRecord cmdlet offers you a quick and easy way that will work regardless of the authentication used.

$cred = Get-Credential
Invoke-Command -ComputerName MyServer -ScriptBlock {
    # Copy your credential into your remote process
    # You must be running on pwsh 7.1 or above on the client side for this to work
    $cred = $using:Cred

    # Create a CimSession to your DNS server using the same credentials you used for PSRemoting
    $cimSession = New-CimSession -ComputerName MyDnsServer -Credential $cred
    try {
        # Use the CimSession in this cmdlet call which means it will authenticate using your explicit credentials
        Add-DnsServerResourceRecord -CimSession $cimSession ...
    } finally {
        Remove-CimSession -CimSession $cimSession
    }
}

If you don't have pwsh 7.1 you need to send your username and password as plaintext over the wire which isn't ideal at all.

There are a few other options available to you but this would be the simplest option.

Currently I'm using https://github.com/quickbreach/PowerShell-NTLM docker image, getting powershell onto Ubuntu 20.04 was quite a hassle and the latter didn't include the "missing" modules either.

You might be interested in running ./test.py ubuntu20.04 --output-script from this repo dir to see the steps the tests run which installs both PowerShell and the Kerberos/NTLM components. You will still need to modify it to suit your process and to use PSWSMan from the PSGallery but it shows you the deps required by that distribution on the PowerShell side.

Supporting CredSSP

As for the actual request for CredSSP. It can technically be done, it's just a massive amount of work and I don't see myself getting to it any time soon. CredSSP is a pretty complex protocol and requires some work to deal with parsing ASN.1 structures, exchanging multiple message tokens and so on.

jborean93 • Nov 24 '20 00:11

Hi Jordan,

Sorry for not getting around to reading and replying to you sooner, been a busy week. Thanks for taking the time to break it down for me in an understandable way.

Funny that you mention JEA*, as I stumbled over a post that briefly mentioned it by name. Didn't get around to read it until a few days ago and sure enough, this was my "golden key" after reading up on it. (*Never heard of it before)

A bit uncertain about the CimSession, seems that I don't need it when creating a DNS entry. I've created a Session Configuration that allows the virtual account to RunAs the account with DNS update permissions. Question is, right or wrong, or merely a different way of doing things?

Thanks for the installation tip, I will definitely take a look at this during the Christmas holiday

Cheers! \Dan

agail • Nov 28 '20 19:11
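The JEA option from the table in this thread, sketched as an added example; it is not code from either poster or from the library. It assumes the endpoint is registered on the DNS server itself, and the group `CORP\DnsRecordOperators`, the user `CORP\alice`, the zone `corp.example`, the `DnsJea` module, the endpoint name and the record values are all hypothetical.

```powershell
# --- On the DNS server (Windows PowerShell 5.1, elevated). All names below are assumed. ---
$module = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\DnsJea'
$logDir = Join-Path $env:ProgramData 'DnsJea\Transcripts'
New-Item -ItemType Directory -Path "$module\RoleCapabilities", $logDir -Force | Out-Null
New-Item -ItemType File -Path "$module\DnsJea.psm1" -Force | Out-Null
New-ModuleManifest -Path "$module\DnsJea.psd1" -RootModule 'DnsJea.psm1'

# Role capability: expose a single command, limited to the parameters needed to add
# an A record in one zone. Nothing else from the DnsServer module is visible.
New-PSRoleCapabilityFile -Path "$module\RoleCapabilities\DnsRecordOperator.psrc" `
    -ModulesToImport 'DnsServer' `
    -VisibleCmdlets @{
        Name       = 'Add-DnsServerResourceRecord'
        Parameters = @{ Name = 'A' },
                     @{ Name = 'ZoneName';    ValidateSet = 'corp.example' },
                     @{ Name = 'Name';        ValidatePattern = '^[a-z0-9-]{1,63}$' },
                     @{ Name = 'IPv4Address'; ValidatePattern = '^\d{1,3}(\.\d{1,3}){3}$' }
    }

# Session configuration: commands run as a temporary virtual account, so the caller's
# own credential is never delegated. Without -RunAsVirtualAccountGroups that account
# is a local administrator (a Domain Admin on a domain controller).
$pssc = Join-Path $env:ProgramData 'DnsJea\DnsRecordOperator.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount -RunAsVirtualAccountGroups 'DnsAdmins' `
    -TranscriptDirectory $logDir `
    -RoleDefinitions @{ 'CORP\DnsRecordOperators' = @{ RoleCapabilities = 'DnsRecordOperator' } }
Test-PSSessionConfigurationFile -Path $pssc
Register-PSSessionConfiguration -Name 'DnsRecordOperator' -Path $pssc -Force

# Check what a given user would actually be allowed to run before handing it out.
Get-PSSessionCapability -ConfigurationName 'DnsRecordOperator' -Username 'CORP\alice'

# --- On the Linux client (pwsh with PSWSMan), as a member of the assumed group ---
$cred = Get-Credential
Invoke-Command -ComputerName MyDnsServer -ConfigurationName DnsRecordOperator `
    -Credential $cred -Authentication Negotiate -ScriptBlock {
        Add-DnsServerResourceRecord -A -ZoneName 'corp.example' -Name 'web01' -IPv4Address '10.0.0.15'
    }
```

The restricted session runs in NoLanguage mode, so the script block can contain only plain command invocations with literal arguments; each session is written to the transcript directory for review.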