Documentation
Index
- Constants
- Variables
- func CertKeyPEM(ctx context.Context, username, domain string, ttl time.Duration, ...) (certPEM, keyPEM []byte, err error)
- func GenerateCredentials(ctx context.Context, username, domain string, ttl time.Duration, ...) (certDER, keyDER []byte, err error)
- func SubjectAltNameExtension(user, domain string) (pkix.Extension, error)
- type LDAPConfig
- type SubjectAltName
Constants
const (
	// CertTTL is the TTL for Teleport-issued Windows Certificates.
	// Certificates are requested on each connection attempt, so the TTL is
	// deliberately set to a small value to give enough time to establish a
	// single desktop session.
	CertTTL = 5 * time.Minute
)
Variables
var (
	// EnhancedKeyUsageExtensionOID is the object identifier for a
	// certificate's enhanced key usage extension
	EnhancedKeyUsageExtensionOID = asn1.ObjectIdentifier{2, 5, 29, 37}
	// SubjectAltNameExtensionOID is the object identifier for a
	// certificate's subject alternative name extension
	SubjectAltNameExtensionOID = asn1.ObjectIdentifier{2, 5, 29, 17}
	// ClientAuthenticationOID is the object identifier that is used to
	// include client SSL authentication in a certificate's enhanced
	// key usage
	ClientAuthenticationOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 2}
	// SmartcardLogonOID is the object identifier that is used to include
	// smartcard login in a certificate's enhanced key usage
	SmartcardLogonOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 2}
	// UPNOtherNameOID is the object identifier that is used to include
	// the user principal name in a certificate's subject alternative name
	UPNOtherNameOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3}
)
The following vars contain the various object identifiers required for smartcard login certificates.
var EnhancedKeyUsageExtension = pkix.Extension{
	Id: EnhancedKeyUsageExtensionOID,
	Value: func() []byte {
		val, err := asn1.Marshal([]asn1.ObjectIdentifier{
			ClientAuthenticationOID,
			SmartcardLogonOID,
		})
		if err != nil {
			panic(err)
		}
		return val
	}(),
}
EnhancedKeyUsageExtension is the Enhanced Key Usage extension Active Directory requires on smart card logon certificates: it asserts both Client Authentication and Smart Card Logon.
Functions
func CertKeyPEM
func CertKeyPEM(ctx context.Context, username, domain string, ttl time.Duration, clusterName string, ldapConfig LDAPConfig, authClient auth.ClientI) (certPEM, keyPEM []byte, err error)
CertKeyPEM returns certificate and private key bytes encoded in PEM format for use with `kinit`
func GenerateCredentials
func GenerateCredentials(ctx context.Context, username, domain string, ttl time.Duration, clusterName string, ldapConfig LDAPConfig, authClient auth.ClientI) (certDER, keyDER []byte, err error)
GenerateCredentials generates a private key / certificate pair for the given Windows username. The certificate carries fields that the regular Teleport user certificate does not (the Smart Card Logon EKU and a UPN in the subject alternative name) in order to meet the requirements of Active Directory. See: https://docs.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration
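The following is an added example, not code from this package, that puts the pieces above together: it marshals the SAN otherName and EKU extensions using the OIDs listed under Variables, issues a short-lived RSA certificate carrying them, returns DER certificate and PKCS#1 key bytes in the shape GenerateCredentials returns, PEM-encodes them as CertKeyPEM does, and decodes the UPN back out of the result. The function names (SmartcardExtensions, IssueSmartcardLogonCert, UPNFromCert, ToPEM), the RSA 2048 key size and the PKCS#1 key encoding are this example's own choices; the certificate is self-signed here for brevity, whereas the package has the cluster CA (via clusterName and authClient) sign it.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// Same object identifiers as the package variables documented above.
var (
	oidExtKeyUsage    = asn1.ObjectIdentifier{2, 5, 29, 37}
	oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}
	oidClientAuth     = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 2}
	oidSmartcardLogon = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 2}
	oidUPNOtherName   = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3}
)

// upnOtherName is the OtherName choice of GeneralName (RFC 5280, 4.2.1.6):
// SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT UTF8String }.
type upnOtherName struct {
	OID   asn1.ObjectIdentifier
	Value string `asn1:"tag:0,explicit,utf8"`
}

// subjectAltName is GeneralNames holding one otherName entry ([0] IMPLICIT).
type subjectAltName struct {
	OtherName upnOtherName `asn1:"tag:0"`
}

// SmartcardExtensions builds the SAN (UPN otherName) and EKU (Client
// Authentication + Smart Card Logon) extensions AD expects on a logon certificate.
func SmartcardExtensions(user, domain string) (san, eku pkix.Extension, err error) {
	sanDER, err := asn1.Marshal(subjectAltName{OtherName: upnOtherName{OID: oidUPNOtherName, Value: user + "@" + domain}})
	if err != nil {
		return san, eku, err
	}
	ekuDER, err := asn1.Marshal([]asn1.ObjectIdentifier{oidClientAuth, oidSmartcardLogon})
	if err != nil {
		return san, eku, err
	}
	return pkix.Extension{Id: oidSubjectAltName, Value: sanDER}, pkix.Extension{Id: oidExtKeyUsage, Value: ekuDER}, nil
}

// IssueSmartcardLogonCert issues a short-lived RSA certificate for user@domain and
// returns DER certificate and PKCS#1 key bytes, the shapes GenerateCredentials returns.
func IssueSmartcardLogonCert(user, domain string, ttl time.Duration) (certDER, keyDER []byte, err error) {
	if user == "" || domain == "" {
		return nil, nil, errors.New("user and domain must be non-empty")
	}
	san, eku, err := SmartcardExtensions(user, domain)
	if err != nil {
		return nil, nil, err
	}
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: user},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		KeyUsage:  x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		// Raw extensions carry the exact OIDs AD checks; Go has no named EKU for Smart Card Logon.
		ExtraExtensions: []pkix.Extension{eku, san},
	}
	// Self-signed for brevity (example assumption); the package signs with the cluster's user CA.
	certDER, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	return certDER, x509.MarshalPKCS1PrivateKey(key), nil
}

// UPNFromCert returns the UPN from the SAN otherName, decoding it by hand because Go's
// x509 parser skips otherName entries (Smart Card Logon likewise lands in UnknownExtKeyUsage).
func UPNFromCert(cert *x509.Certificate) (string, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidSubjectAltName) {
			continue
		}
		var san subjectAltName
		if rest, err := asn1.Unmarshal(ext.Value, &san); err != nil || len(rest) != 0 || !san.OtherName.OID.Equal(oidUPNOtherName) {
			return "", errors.New("SAN is not a single UPN otherName")
		}
		return san.OtherName.Value, nil
	}
	return "", errors.New("no subject alternative name extension")
}

// ToPEM encodes the pair the way CertKeyPEM's consumers (e.g. kinit) read them.
func ToPEM(certDER, keyDER []byte) (certPEM, keyPEM []byte) {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}),
		pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: keyDER})
}
```

Two details matter when checking such a certificate with Go's own x509 package: it has no named constant for the Smart Card Logon EKU, so after x509.ParseCertificate that OID appears in cert.UnknownExtKeyUsage rather than cert.ExtKeyUsage, and its SAN parser discards otherName entries, so the UPN is only recoverable by decoding the raw extension as UPNFromCert does.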
Types
type LDAPConfig
type LDAPConfig struct {
	// Addr is the LDAP server address in the form host:port.
	// Standard port is 636 for LDAPS.
	Addr string
	// Domain is an Active Directory domain name, like "example.com".
	Domain string
	// Username is an LDAP username, like "EXAMPLE\Administrator", where
	// "EXAMPLE" is the NetBIOS version of Domain.
	Username string
	// InsecureSkipVerify skips verification of the LDAP server's certificate
	// when making the LDAPS connection. With it set, the server is not
	// authenticated and the bind credentials are exposed to anyone who can
	// intercept traffic to Addr; leave it false outside of testing.
	InsecureSkipVerify bool
	// ServerName is the hostname the LDAP server's certificate is verified
	// against (the TLS ServerName).
	ServerName string
	// CA is an optional CA cert to be used for verification if InsecureSkipVerify is set to false.
	CA *x509.Certificate
}
LDAPConfig contains parameters for connecting to an LDAP server.
func (LDAPConfig) DomainDN
func (cfg LDAPConfig) DomainDN() string
DomainDN returns the distinguished name for the domain, i.e. the base DN under which LDAP searches and binds for Domain are made.
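As an added illustration (not the package's implementation) of what DomainDN produces: an Active Directory DNS domain maps to the LDAP base DN by turning each label into a DC component, so "example.com" becomes "DC=example,DC=com". The LDAPConfig type here is a stripped-down stand-in carrying only Domain, and ValidateDomain is an assumption of this example, added because an empty label or a DN-reserved character in Domain would yield a malformed base DN that the LDAP server rejects.

```go
package main

import (
	"errors"
	"strings"
)

// LDAPConfig is a minimal stand-in for the documented struct (example assumption).
type LDAPConfig struct {
	// Domain is an Active Directory domain name, like "example.com".
	Domain string
}

// DomainDN converts the DNS domain into the base DN used for LDAP searches
// and binds: every label becomes one DC= component, joined in order.
func (cfg LDAPConfig) DomainDN() string {
	labels := strings.Split(cfg.Domain, ".")
	for i, label := range labels {
		labels[i] = "DC=" + label
	}
	return strings.Join(labels, ",")
}

// ValidateDomain rejects inputs that DomainDN would turn into a malformed DN:
// an empty label ("example..com", ".example.com", "example.com.") or a label
// containing a character that RFC 4514 requires escaping in a DN component.
// Plain DNS labels never contain such characters, so rejecting is simpler
// and safer than escaping.
func ValidateDomain(domain string) error {
	if domain == "" {
		return errors.New("domain is empty")
	}
	for _, label := range strings.Split(domain, ".") {
		if label == "" {
			return errors.New("domain contains an empty label")
		}
		if strings.ContainsAny(label, ",+\"\\<>;=# ") {
			return errors.New("domain label contains a character reserved in DNs")
		}
	}
	return nil
}
```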
type SubjectAltName
type SubjectAltName struct {
OtherName otherName `asn1:"tag:0"`
}
SubjectAltName is the ASN.1 structure used to marshal the certificate's subject alternative name extension; its single otherName entry carries the user principal name (see UPNOtherNameOID).