GitHub Repository: rapid7/metasploit-framework
Path: blob/master/lib/rex/proto/ldap/auth_adapter/rex_kerberos.rb
# frozen_string_literal: true
require 'net/ldap/auth_adapter'
require 'net/ldap/auth_adapter/sasl'
require 'rubyntlm'
module Rex::Proto::LDAP::AuthAdapter
  # Net::LDAP auth adapter that performs a Kerberos bind over SASL GSS-SPNEGO.
  #
  # The Kerberos exchange itself is delegated to the authenticator object the
  # caller places in the auth hash. This class only feeds the resulting
  # security blob into Net::LDAP's SASL bind and, when asked to, sets up the
  # sign-and-seal Encryptor on the connection afterwards.
  class RexKerberos < Net::LDAP::AuthAdapter
    # Bind to the directory with the supplied Kerberos authenticator.
    #
    # @param auth [Hash] binding information. Keys read by this method:
    #   * :kerberos_authenticator - required; must respond to #authenticate
    #   * :sign_and_seal - optional; truthy to set up the Encryptor after the bind
    # @return whatever Net::LDAP::AuthAdapter::Sasl#bind returns for the exchange
    # @raise [Net::LDAP::BindingInformationInvalidError] when the authenticator is missing
    def bind(auth)
      authenticator = auth[:kerberos_authenticator]
      missing_authenticator = 'Invalid binding information (missing kerberos authenticator)'
      raise Net::LDAP::BindingInformationInvalidError, missing_authenticator unless authenticator

      # A socket that exposes #peer_cert is treated as the TLS case: the GSS
      # channel binding is derived from the server certificate so the Kerberos
      # exchange is tied to this TLS channel, and the GSS confidentiality
      # (seal) and integrity (sign) flags are switched off.
      gss_options =
        if @connection.socket.respond_to?(:peer_cert)
          {
            gss_channel_binding: Rex::Proto::Gss::ChannelBinding.from_tls_cert(@connection.socket.peer_cert),
            gss_flag_confidential: false,
            gss_flag_integrity: false
          }
        else
          {}
        end

      kerberos_result = authenticator.authenticate(gss_options)

      sasl_adapter = Net::LDAP::AuthAdapter::Sasl.new(@connection)
      bind_result = sasl_adapter.bind(
        method: :sasl,
        mechanism: 'GSS-SPNEGO',
        initial_credential: kerberos_result[:security_blob],
        challenge_response: true
      )

      # NOTE(review): the encryptor is set up without inspecting the outcome of
      # the bind here, and this branch is independent of the TLS branch above
      # (where the sign/seal GSS flags were disabled). Whether Encryptor#setup
      # or the caller guards against a failed bind, or against :sign_and_seal
      # being requested on a TLS socket, is not visible in this file - confirm.
      if auth[:sign_and_seal]
        Encryptor.new(authenticator).setup(@connection, kerberos_result, bind_result.result[:serverSaslCreds])
      end

      bind_result
    end
  end
end
# Load-time side effect: registers RexKerberos with Net::LDAP under the
# :rex_kerberos key. Presumably a bind whose auth hash names that method is
# then routed to RexKerberos#bind; the lookup itself lives in Net::LDAP, not
# in this file.
Net::LDAP::AuthAdapter.register(:rex_kerberos, Rex::Proto::LDAP::AuthAdapter::RexKerberos)