windows



Constants

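const (
	// WritableDomainControllerGroupID is the relative identifier (RID) of the
	// well-known "Domain Controllers" group (S-1-5-21-<domain>-516). It is not
	// a full SID: it is the value found in the primaryGroupID attribute of a
	// writable domain controller's computer account, which is why it is kept
	// as a string ready for LDAP comparison.
	WritableDomainControllerGroupID = "516"
	// ReadOnlyDomainControllerGroupID is the RID of the well-known "Read-only
	// Domain Controllers" group (S-1-5-21-<domain>-521), the primaryGroupID of
	// an RODC's computer account.
	ReadOnlyDomainControllerGroupID = "521"
)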

See: https://docs.microsoft.com/en-US/windows/security/identity-protection/access-control/security-identifiers

// Active Directory object classes this package queries for or creates.
const (
	// ClassComputer is the objectClass of computer accounts.
	ClassComputer = "computer"
	// ClassContainer is the objectClass of plain containers (CN=...).
	ClassContainer = "container"
	// ClassGMSA is the objectClass of group managed service accounts.
	ClassGMSA = "msDS-GroupManagedServiceAccount"
)

// AccountTypeUser is the sAMAccountType value of ordinary user accounts
// (SAM_USER_OBJECT, 0x30000000 = 805306368), kept as a string so it can be
// dropped straight into an LDAP filter.
// See https://learn.microsoft.com/en-us/windows/win32/adschema/a-samaccounttype
const AccountTypeUser = "805306368"

// LDAP attribute names used in searches and object creation. They follow the
// AD schema's lDAPDisplayName spelling. These are attribute *names*; the values
// compared against them in a filter frequently originate from users, so escape
// such values (e.g. ldap.EscapeFilter) before building a filter.
const (
	// AttrName is the name of an LDAP object.
	AttrName = "name"
	// AttrSAMAccountName is the SAM account name (logon name) of an LDAP object.
	AttrSAMAccountName = "sAMAccountName"
	// AttrSAMAccountType is the SAM account type of an LDAP object; compare
	// with AccountTypeUser.
	AttrSAMAccountType = "sAMAccountType"
	// AttrCommonName is the common name ("CN") of an LDAP object.
	AttrCommonName = "cn"
	// AttrDistinguishedName is the distinguished name ("DN") of an LDAP object.
	AttrDistinguishedName = "distinguishedName"
	// AttrDNSHostName is the DNS host name of a computer object.
	// The unusual capitalization matches the schema and is intentional.
	AttrDNSHostName = "dNSHostName"
	// AttrObjectGUID is the globally unique identifier of an LDAP object.
	AttrObjectGUID = "objectGUID"
	// AttrOS is the operating system name of a computer object.
	AttrOS = "operatingSystem"
	// AttrOSVersion is the operating system version of a computer object.
	AttrOSVersion = "operatingSystemVersion"
	// AttrPrimaryGroupID is the primary group RID of an LDAP object; compare
	// with WritableDomainControllerGroupID / ReadOnlyDomainControllerGroupID.
	AttrPrimaryGroupID = "primaryGroupID"
	// AttrObjectSid is the security identifier of an LDAP object (binary;
	// see ADSIDStringFromLDAPEntry for the string form).
	AttrObjectSid = "objectSid"
	// AttrObjectCategory is the object category of an LDAP object.
	AttrObjectCategory = "objectCategory"
	// AttrObjectClass is the object class of an LDAP object.
	AttrObjectClass = "objectClass"
)
// CertTTL is the lifetime of Teleport-issued Windows certificates.
//
// A fresh certificate is requested for every connection attempt, so the
// lifetime only has to cover establishing one desktop session. Keeping it
// this short is deliberate: it is the effective revocation mechanism for
// these certificates, bounding how long a leaked key/cert pair stays usable.
const CertTTL = 5 * time.Minute

Variables

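var (
	// EnhancedKeyUsageExtensionOID is the object identifier for a
	// certificate's enhanced (extended) key usage extension, id-ce 37.
	EnhancedKeyUsageExtensionOID = asn1.ObjectIdentifier{2, 5, 29, 37}

	// SubjectAltNameExtensionOID is the object identifier for a
	// certificate's subject alternative name extension, id-ce 17.
	SubjectAltNameExtensionOID = asn1.ObjectIdentifier{2, 5, 29, 17}

	// ClientAuthenticationOID is the object identifier (id-kp-clientAuth)
	// that is used to include client SSL authentication in a certificate's
	// enhanced key usage.
	ClientAuthenticationOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 2}

	// SmartcardLogonOID is the Microsoft object identifier that is used to
	// include smartcard login in a certificate's enhanced key usage.
	SmartcardLogonOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 2}

	// UPNOtherNameOID is the Microsoft object identifier that is used to
	// include the user principal name in a certificate's subject alternative
	// name (as an otherName entry).
	UPNOtherNameOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3}

	// ADUserMappingExtensionOID is the Active Directory SID extension for mapping certificates
	// to their user's Active Directory SID. This value goes in the Id field of the pkix.Extension.
	// See https://go.microsoft.com/fwlink/?linkid=2189925 (KB5014754). Windows
	// treats a certificate carrying this extension as strongly mapped to the
	// account; one without it falls back to weaker name-based mapping.
	ADUserMappingExtensionOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 25, 2}
	// ADUserMappingInternalOID is the OID that's sent as part of the Other Name section
	// of the Active Directory SID extension. There's limited documentation on this extension,
	// this value was determined empirically based on how AD CA's Enterprise CA issues these
	// certificates post the May 10, 2022 Windows update (KB5014754).
	//
	// Written out as a literal rather than append(ADUserMappingExtensionOID, 1):
	// append is only safe here because a composite literal has cap == len, and
	// a future edit that gave the parent extra capacity would silently make the
	// two OIDs share a backing array.
	ADUserMappingInternalOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 25, 2, 1}
)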

The following vars contain the various object identifiers required for smartcard login certificates.

https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/enabling-smart-card-logon-third-party-certification-authorities

// EnhancedKeyUsageExtension is the Extended Key Usage extension placed on
// Teleport-issued Windows smart-card logon certificates. It lists exactly two
// key purposes, in this order: client authentication and smart-card logon.
// Critical is left at its zero value (non-critical).
//
// The value is DER-encoded once at package initialization; encoding two fixed
// OIDs cannot legitimately fail, so any error is treated as a programming
// error and panics.
var EnhancedKeyUsageExtension = pkix.Extension{
	Id:    EnhancedKeyUsageExtensionOID,
	Value: marshalKeyPurposesOrPanic(ClientAuthenticationOID, SmartcardLogonOID),
}

// marshalKeyPurposesOrPanic DER-encodes the given key-purpose OIDs as the
// ExtKeyUsageSyntax SEQUENCE OF OBJECT IDENTIFIER, panicking if encoding fails.
func marshalKeyPurposesOrPanic(purposes ...asn1.ObjectIdentifier) []byte {
	der, err := asn1.Marshal(purposes)
	if err != nil {
		panic(err)
	}
	return der
}

EnhancedKeyUsageExtension is the Extended Key Usage (EKU) extension that Windows requires on smart-card logon certificates: it carries the client-authentication and Microsoft smart-card-logon key purposes.

Functions

func ADSIDStringFromLDAPEntry

func ADSIDStringFromLDAPEntry(entry *ldap.Entry) (string, error)

ADSIDStringFromLDAPEntry extracts the objectSid attribute from an ldap.Entry and returns its string representation.

func CertKeyPEM

func CertKeyPEM(ctx context.Context, req *GenerateCredentialsRequest) (certPEM, keyPEM []byte, caCerts [][]byte, err error)

CertKeyPEM returns certificate and private key bytes encoded in PEM format for use with `kinit`

func CombineLDAPFilters

func CombineLDAPFilters(filters []string) string

CombineLDAPFilters combines the given LDAP filters into a single compound filter. Any untrusted values interpolated into the individual filters should already be escaped (e.g. with ldap.EscapeFilter); do not rely on this function to escape them.

func GenerateWindowsDesktopCredentials

func GenerateWindowsDesktopCredentials(ctx context.Context, req *GenerateCredentialsRequest) (certDER, keyDER []byte, err error)

GenerateWindowsDesktopCredentials generates a private key / certificate pair for the given Windows username. The certificate has certain special fields different from the regular Teleport user certificate, to meet the requirements of Active Directory. See: https://docs.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration

func SubjectAltNameExtension

func SubjectAltNameExtension(user, domain string) (pkix.Extension, error)

SubjectAltNameExtension builds the Subject Alternative Name extension for a Windows certificate, carrying the user principal name derived from user and domain as an otherName entry (see UPNOtherNameOID).

Types

type AuthInterface

// AuthInterface is the subset of auth.ClientI this package needs: the two
// certificate-signing RPCs plus read access to cluster CA and name metadata.
// Every certificate this package produces ultimately comes from one of the
// Generate* calls, so the implementation behind them is the authorization
// boundary for Windows credential issuance.
type AuthInterface interface {
	// GenerateDatabaseCert generates a database certificate for windows SQL Server
	GenerateDatabaseCert(context.Context, *proto.DatabaseCertRequest) (*proto.DatabaseCertResponse, error)
	// GenerateWindowsDesktopCert generates a windows remote desktop certificate
	GenerateWindowsDesktopCert(context.Context, *proto.WindowsDesktopCertRequest) (*proto.WindowsDesktopCertResponse, error)
	// GetCertAuthority returns a types.CertAuthority interface.
	// NOTE(review): loadKeys presumably selects whether private key material is
	// returned alongside the public CA — callers that only need to verify or
	// publish should pass false; confirm against the auth server implementation.
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool) (types.CertAuthority, error)
	// GetClusterName returns a types.ClusterName interface
	GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)
}

AuthInterface is a subset of auth.ClientI

type CertificateStoreClient

// CertificateStoreClient implements access to a Windows Certificate Authority:
// it publishes Teleport CA material and revocation data into Active Directory
// over LDAP (see Update). Construct it with NewCertificateStoreClient; the zero
// value is not usable.
type CertificateStoreClient struct {
	// contains filtered or unexported fields
}

CertificateStoreClient implements access to a Windows Certificate Authority

func NewCertificateStoreClient

func NewCertificateStoreClient(cfg CertificateStoreConfig) *CertificateStoreClient

NewCertificateStoreClient returns a new structure for modifying windows certificates in a Windows CA.

func (*CertificateStoreClient) Update

Update publishes an empty certificate revocation list to LDAP. The CRL is deliberately empty: Teleport-issued Windows certificates are short-lived (see CertTTL) and are not revoked before expiry, so the published CRL only exists to satisfy the domain controller's revocation check — certificate lifetime is the effective revocation mechanism.

type CertificateStoreConfig

// CertificateStoreConfig is a config structure for a Windows Certificate
// Authority client (see NewCertificateStoreClient).
type CertificateStoreConfig struct {
	// AccessPoint is the Auth API client (with caching) used to read the
	// cluster's certificate authorities that get published to AD.
	AccessPoint auth.WindowsDesktopAccessPoint
	// LDAPConfig is the ldap configuration (embedded, so its fields and
	// DomainDN are available directly on this config).
	LDAPConfig
	// Log is the logging sink for the service
	Log logrus.FieldLogger
	// ClusterName is the name of this cluster
	ClusterName string
	// LC is the LDAPClient through which the certificate store writes to AD.
	// NOTE(review): this is a write-capable directory identity; the account
	// it binds as should be limited to the CRL/CA publication containers.
	LC *LDAPClient
}

CertificateStoreConfig is a config structure for a Windows Certificate Authority

type GenerateCredentialsRequest

// GenerateCredentialsRequest are the request parameters for generating a
// windows cert/key pair (see GenerateWindowsDesktopCredentials and CertKeyPEM).
type GenerateCredentialsRequest struct {
	// Username is the Windows username the certificate is issued for.
	Username string
	// Domain is the Windows (Active Directory) domain of Username.
	Domain string
	// TTL is the ttl for the certificate. Keep it short: these certificates
	// are never revoked before expiry (the published CRL is empty, see
	// CertificateStoreClient.Update), so TTL bounds how long a leaked
	// key/cert pair remains usable. CertTTL is the value intended for
	// desktop sessions.
	TTL time.Duration
	// ClusterName is the local cluster name
	ClusterName string
	// ActiveDirectorySID is the SID of the Windows user
	// specified by Username. If specified (!= ""), it is
	// encoded in the certificate per https://go.microsoft.com/fwlink/?linkid=2189925.
	// Supply it whenever it is known: without the SID extension Windows can
	// only map the certificate by name, which the linked Microsoft KB treats
	// as a weak mapping.
	ActiveDirectorySID string
	// LDAPConfig is the ldap config
	LDAPConfig LDAPConfig
	// AuthClient is the windows AuthInterface that signs the certificate.
	AuthClient AuthInterface
	// CAType is the certificate authority type used to generate the certificate.
	// This is used to properly generate the CRL LDAP path.
	CAType types.CertAuthType
	// CreateUser specifies if Windows user should be created if missing.
	// NOTE(review): this implies a write to the directory using the service's
	// LDAP identity — treat it as a privileged option.
	CreateUser bool
	// Groups are groups that user should be member of.
	// NOTE(review): whether these are group names or DNs is not visible here;
	// confirm against the code that applies them.
	Groups []string
}

GenerateCredentialsRequest are the request parameters for generating a windows cert/key pair

type LDAPClient

// LDAPClient is a windows LDAP client wrapping an ldap.Client.
//
// It does not automatically detect when the underlying connection is closed.
// Callers should check for trace.ConnectionProblem errors and provide a new
// client with SetClient.
type LDAPClient struct {
	// Cfg is the LDAPConfig the client was built for (server address, domain,
	// bind identity and TLS settings).
	Cfg LDAPConfig
	// contains filtered or unexported fields
}

LDAPClient is a windows LDAP client.

It does not automatically detect when the underlying connection is closed. Callers should check for trace.ConnectionProblem errors and provide a new client with [SetClient].

func (*LDAPClient) Close

func (c *LDAPClient) Close()

Close closes the underlying ldap.Client

func (*LDAPClient) Create

func (c *LDAPClient) Create(dn string, class string, attrs map[string][]string) error

Create creates an LDAP entry at the given path, with the given class and attributes. Note that AD will create a bunch of attributes for each object class automatically and you don't need to specify all of them.

You can browse LDAP on the Windows host to find the objectClass and attributes for similar entries using ADSIEdit.msc. You can find the list of all AD classes at https://docs.microsoft.com/en-us/windows/win32/adschema/classes-all

func (*LDAPClient) CreateContainer

func (c *LDAPClient) CreateContainer(dn string) error

CreateContainer creates an LDAP container entry if it doesn't already exist.

func (*LDAPClient) Read

func (c *LDAPClient) Read(dn string, class string, attrs []string) ([]*ldap.Entry, error)

Read fetches an LDAP entry at path and its children, if any. Only entries with the given class are returned and only with the specified attributes.

You can browse LDAP on the Windows host to find the objectClass for a specific entry using ADSIEdit.msc. You can find the list of all AD classes at https://docs.microsoft.com/en-us/windows/win32/adschema/classes-all

func (*LDAPClient) ReadWithFilter

func (c *LDAPClient) ReadWithFilter(dn string, filter string, attrs []string) ([]*ldap.Entry, error)

ReadWithFilter searches the specified DN (and its children) using the specified LDAP filter. See https://ldap.com/ldap-filters/ for more information on LDAP filter syntax. The caller is responsible for escaping any user-controlled values placed in the filter (e.g. with ldap.EscapeFilter) to prevent LDAP filter injection.

func (*LDAPClient) SetClient

func (c *LDAPClient) SetClient(client ldap.Client)

SetClient sets the underlying ldap.Client

func (*LDAPClient) Update

func (c *LDAPClient) Update(dn string, replaceAttrs map[string][]string) error

Update updates an LDAP entry at the given path, replacing the provided attributes. For each attribute in replaceAttrs, the value is completely replaced, not merged. If you want to modify the value of an existing attribute, you should read the existing value first, modify it and provide the final combined value in replaceAttrs.

You can browse LDAP on the Windows host to find attributes of existing entries using ADSIEdit.msc.

type LDAPConfig

// LDAPConfig contains parameters for connecting to an LDAP server.
//
// The connection is LDAPS, and the TLS-related fields below (InsecureSkipVerify,
// ServerName, CA) decide whether the domain controller's identity is actually
// verified. Verification with a pinned CA is the only configuration that
// protects the directory traffic from an on-path attacker.
type LDAPConfig struct {
	// Addr is the LDAP server address in the form host:port.
	// Standard port is 636 for LDAPS.
	Addr string //nolint:unused // False-positive
	// Domain is an Active Directory domain name, like "example.com".
	Domain string //nolint:unused // False-positive
	// Username is an LDAP username, like "EXAMPLE\Administrator", where
	// "EXAMPLE" is the NetBIOS version of Domain.
	Username string //nolint:unused // False-positive
	// SID is the SID for the user specified by Username.
	// NOTE(review): presumably encoded into the certificate used to bind as
	// Username (see GenerateCredentialsRequest.ActiveDirectorySID) — confirm.
	SID string //nolint:unused // False-positive
	// InsecureSkipVerify decides whether we skip verifying with the LDAP server's CA when making the LDAPS connection.
	// SECURITY: when true the server certificate is not checked at all, so any
	// host that can intercept the connection can impersonate the domain
	// controller. Suitable for lab setups only; production deployments should
	// set CA and leave this false.
	InsecureSkipVerify bool //nolint:unused // False-positive
	// ServerName is the name of the LDAP server for TLS.
	// NOTE(review): presumably the name the server certificate is verified
	// against (and SNI), needed when Addr is an IP or a name that differs from
	// the certificate — confirm.
	ServerName string //nolint:unused // False-positive
	// CA is an optional CA cert to be used for verification if InsecureSkipVerify is set to false.
	CA *x509.Certificate //nolint:unused // False-positive
}

LDAPConfig contains parameters for connecting to an LDAP server.

func (LDAPConfig) Check

func (cfg LDAPConfig) Check() error

Check validates this LDAPConfig, returning an error if it cannot be used to establish a connection (e.g. required fields are unset).

func (LDAPConfig) DomainDN

func (cfg LDAPConfig) DomainDN() string

DomainDN returns the distinguished name of the configured domain, derived from Domain (e.g. "DC=example,DC=com" for "example.com").

type SubjectAltName

// SubjectAltName is a struct that can be marshaled as ASN.1 into the SAN
// field in an x.509 certificate.
//
// See RFC 5280 (which obsoletes RFC 3280), section 4.2.1.6: the SAN value is a
// GeneralNames SEQUENCE whose otherName alternative is CHOICE tag [0], hence
// the explicit `asn1:"tag:0"` below.
//
// T is the ASN.1 encodeable struct corresponding to an otherName item of the
// GeneralNames sequence (for example the UPN value identified by
// UPNOtherNameOID).
type SubjectAltName[T any] struct {
	// OtherName is the single otherName GeneralName carried by this SAN,
	// encoded with context-specific tag 0.
	OtherName otherName[T] `asn1:"tag:0"`
}

SubjectAltName is a struct that can be marshaled as ASN.1 into the SAN field in an x.509 certificate.

See RFC 5280 (section 4.2.1.6, Subject Alternative Name), which obsoletes RFC 3280: https://www.rfc-editor.org/rfc/rfc5280

T is the ASN.1 encodeable struct corresponding to an otherName item of the GeneralNames sequence.
