Documentation ¶
Overview ¶
Package kinit provides utilities for interacting with a KDC (Key Distribution Center) for Kerberos 5.
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type CertGetter ¶
// CertGetter abstracts the source of the x509 client credentials: a cert/key
// pair plus a CA certificate.
type CertGetter interface {
	// GetCertificateBytes returns a new cert/key pair along with a CA for use with x509 Auth.
	// The result carries key material next to the certificate, so callers
	// should handle it as a secret and keep it out of logs and error strings.
	GetCertificateBytes(ctx context.Context) (*WindowsCAAndKeyPair, error)
}
CertGetter is an interface for getting a new cert/key pair along with a CA cert
type CommandConfig ¶
// CommandConfig is used to configure a kinit binary execution.
type CommandConfig struct {
	// AuthClient is a subset of the auth interface
	AuthClient windows.AuthInterface
	// User is the username of the database/AD user
	// NOTE(review): presumably passed on to the kinit invocation; confirm
	// the caller validates it before it gets here.
	User string
	// Realm is the domain name
	Realm string
	// KDCHost is the key distribution center hostname (usually AD server)
	KDCHost string
	// AdminServer is the administration server hostname (usually AD server)
	AdminServer string
	// DataDir is the Teleport Data Directory
	// NOTE(review): presumably where the generated Kerberos files (config,
	// credentials cache, cert/key) are written; confirm they are created
	// with restrictive permissions.
	DataDir string
	// LDAPCA is the Windows LDAP Certificate for client signing
	LDAPCA *x509.Certificate
	// LDAPCAPEM contains the same certificate as LDAPCA but in PEM format. It
	// can be used to embed the LDAPCA into files without needing to convert
	// it.
	// The two fields are set independently; nothing in this struct enforces
	// that they describe the same certificate, so populate both from one source.
	LDAPCAPEM string
	// Command is a command generator that generates an executable command
	Command CommandGenerator
	// CertGetter is a Teleport Certificate getter that prepares an x509 certificate
	// for use with windows AD
	CertGetter CertGetter
}
CommandConfig is used to configure a kinit binary execution
type CommandGenerator ¶
// CommandGenerator is a small interface for wrapping *exec.Cmd, so the way
// the external command is built can be substituted.
type CommandGenerator interface {
	// CommandContext is a wrapper for creating a command.
	// The signature mirrors exec.CommandContext: the program name and each
	// argument are separate values rather than one shell string.
	// NOTE(review): implementations are expected to keep that property and
	// not join args into a shell command line; confirm for each implementation.
	CommandContext(ctx context.Context, name string, args ...string) *exec.Cmd
}
CommandGenerator is a small interface for wrapping *exec.Cmd
type CommandLineInitializer ¶
// CommandLineInitializer uses a command line `kinit` binary to provide a
// kerberos CCache.
type CommandLineInitializer struct {
	// RealmName is the kerberos realm Name (domain Name, like `example.com`)
	RealmName string
	// KDCHostName is the key distribution center host Name (usually AD host, like ad.example.com)
	KDCHostName string
	// AdminServerName is the admin server Name (usually AD host)
	AdminServerName string
	// contains filtered or unexported fields
}
CommandLineInitializer uses a command line `kinit` binary to provide a kerberos CCache
func NewCommandLineInitializer ¶
func NewCommandLineInitializer(config CommandConfig) *CommandLineInitializer
NewCommandLineInitializer returns a new command line initializer using a preinstalled `kinit` binary
func (*CommandLineInitializer) UseOrCreateCredentials ¶
func (k *CommandLineInitializer) UseOrCreateCredentials(ctx context.Context) (*credentials.CCache, *config.Config, error)
UseOrCreateCredentials uses an existing credentials cache (cacheData) or creates a new one
func (*CommandLineInitializer) WriteKRB5Config ¶
func (k *CommandLineInitializer) WriteKRB5Config(path string) error
WriteKRB5Config writes a krb5 configuration to path
type DBCertGetter ¶
// DBCertGetter obtains a new cert/key pair along with the Teleport database CA.
type DBCertGetter struct {
	// Auth is the auth client
	Auth windows.AuthInterface
	// KDCHostName is the Name of the key distribution center host
	KDCHostName string
	// RealmName is the kerberos realm Name (domain Name)
	RealmName string
	// AdminServerName is the Name of the admin server. Usually same as the KDC
	AdminServerName string
	// UserName is the database username
	// NOTE(review): presumably the identity the issued certificate is bound
	// to; confirm it is authorized upstream before a certificate is requested.
	UserName string
	// LDAPCA is the windows ldap certificate
	LDAPCA *x509.Certificate
}
DBCertGetter obtains a new cert/key pair along with the Teleport database CA
func (*DBCertGetter) GetCertificateBytes ¶
func (d *DBCertGetter) GetCertificateBytes(ctx context.Context) (*WindowsCAAndKeyPair, error)
GetCertificateBytes returns a new cert/key pair in PEM format and the DB CA bytes
type PKInit ¶
// PKInit is a structure used for initializing a kerberos context.
// All of its state is unexported; the only method listed for it here is
// UseOrCreateCredentialsCache.
type PKInit struct {
	// contains filtered or unexported fields
}
PKInit is a structure used for initializing a kerberos context
func (*PKInit) UseOrCreateCredentialsCache ¶
func (k *PKInit) UseOrCreateCredentialsCache(ctx context.Context) (*credentials.CCache, *config.Config, error)
UseOrCreateCredentialsCache uses an existing credentials cache (cacheData) or creates a new one.
type Provider ¶
// Provider is a kinit provider capable of producing a credentials cache for
// kerberos.
type Provider interface {
	// UseOrCreateCredentials uses or updates an existing cacheData or creates a new one.
	// It returns the credentials cache together with the Kerberos configuration.
	// NOTE(review): the returned cache presumably holds live tickets; callers
	// should treat it as sensitive and discard it on error. Confirm against
	// the implementations.
	UseOrCreateCredentials(ctx context.Context) (cache *credentials.CCache, conf *config.Config, err error)
}
Provider is a kinit provider capable of producing a credentials cache (cacheData) for Kerberos
type WindowsCAAndKeyPair ¶
// WindowsCAAndKeyPair is a wrapper around PEM bytes for Windows authentication.
// Its fields are unexported, so the PEM data is only reachable from inside
// the package.
// NOTE(review): presumably this includes the private key of the cert/key pair
// returned by GetCertificateBytes; confirm, and keep values of this type out
// of logs.
type WindowsCAAndKeyPair struct {
	// contains filtered or unexported fields
}
WindowsCAAndKeyPair is a wrapper around PEM bytes for Windows authentication