krb5 Kerberos #1706

Merged
merged 31 commits into from
Dec 17, 2024
Changes from 30 commits
31 commits
825f1b1
Initial proposal of a Dev container
nichtsfrei Sep 5, 2024
a1e4d16
Remove tmp and add some convencience in the Makefile
nichtsfrei Oct 4, 2024
7b149ba
Fixes wrong directory when figuring out ssh
nichtsfrei Oct 15, 2024
d988091
Add pyright
nichtsfrei Oct 25, 2024
f1641f1
Adds runtime dependencies for openvas
nichtsfrei Nov 11, 2024
2db4a7f
feat: Initial Kerberos integration proposal
nichtsfrei Aug 17, 2024
656aadb
Implement caching
nichtsfrei Aug 18, 2024
4cde96b
Add check for writing krb5.conf
nichtsfrei Aug 28, 2024
2f07ffd
Fix: remove unnecessary creds free
nichtsfrei Aug 28, 2024
6a43dad
Separate cache_authentication into its own function
nichtsfrei Aug 28, 2024
f61ea93
Renamed keberos to kerberos.
nichtsfrei Sep 30, 2024
c44fcb0
Added c-nasl-binding, moved implementation to misc
nichtsfrei Oct 1, 2024
cea5270
Adds functionality to create gss context into openvas-krb5
nichtsfrei Oct 2, 2024
3733b3b
Add additional functions for krb5
nichtsfrei Oct 3, 2024
643f6c8
Add: krb5_gss_session_key, krb5_error_code_to_string
nichtsfrei Oct 24, 2024
256005a
example/gss.nasl: send data to target and update context
nichtsfrei Nov 4, 2024
86abcd3
Add: find or add realm, fixes error code handling
nichtsfrei Nov 5, 2024
ce68199
Refactor: remove old krb5 implementation
nichtsfrei Nov 6, 2024
f0890f8
Minor refactoring
nichtsfrei Nov 6, 2024
7d818a8
Fix: krb5_gss_update_context and okrb5_gss_free_context
nichtsfrei Nov 7, 2024
6e435c3
Add: releasing of gss when scan_attack is finished
nichtsfrei Nov 7, 2024
cfaa4fc
Removes obsolete kerberos dir
nichtsfrei Nov 11, 2024
562b940
Add: nasl-function: ip_reverse_lookup
nichtsfrei Dec 3, 2024
662dd41
Add: krb5 functionality to win_cmd_exec
nichtsfrei Dec 3, 2024
2ee0f86
Fix: win_cmd_exec: add domain name to realm when username doesn't con…
nichtsfrei Dec 3, 2024
b856b1c
Add: multiple kdc support
nichtsfrei Dec 4, 2024
be99668
Lint: check for file instead of NOT_FOUND
nichtsfrei Dec 5, 2024
394ece8
Refactoring: change macros to MACROS, remove TODOs and dead code
nichtsfrei Dec 10, 2024
c50b9c8
Fix: Document nasl functions
nichtsfrei Dec 11, 2024
5577eb6
Typos
nichtsfrei Dec 12, 2024
3367ce6
Adds libkrb5 to debian-oldstable
nichtsfrei Dec 17, 2024
65 changes: 65 additions & 0 deletions .devcontainer/Dockerfile
@@ -0,0 +1,65 @@
FROM rust:latest
ARG UID=1000
ARG GID=1000

RUN apt-get update && apt-get install -y \
sudo \
git \
rsync \
pipx \
redis-server \
clangd \
# Runtime dependencies, required for .devcontainer
nmap \
snmp \
netdiag \
pnscan \
# net-tools is required by some nasl plugins.
# nasl_pread: Failed to execute child process “netstat” (No such file or directory)
net-tools
# Add prepare-user-dirs.sh and execcute it
COPY prepare-user-dirs.sh /prepare-user-dirs.sh
COPY build-cmake-project.sh /usr/local/bin/build-cmake-project.sh
RUN chmod +x /usr/local/bin/build-cmake-project.sh
COPY build-openvas /usr/local/bin/build-openvas
RUN chmod +x /usr/local/bin/build-openvas
COPY build-gvm-libs /usr/local/bin/build-gvm-libs
RUN chmod +x /usr/local/bin/build-gvm-libs
COPY github-clone.sh /usr/local/bin/github-clone
RUN chmod +x /usr/local/bin/github-clone

RUN bash /prepare-user-dirs.sh && rm /prepare-user-dirs.sh
USER user
RUN python3 -m pipx install greenbone-feed-sync
# installing gvm-libs and openvas-scanner
RUN github-clone greenbone/gvm-libs
RUN github-clone greenbone/openvas-scanner
RUN sudo sh /workspaces/greenbone/gvm-libs/.github/install-dependencies.sh
RUN sudo sh /workspaces/greenbone/openvas-scanner/.github/install-openvas-dependencies.sh

RUN build-gvm-libs
RUN build-openvas
# Currently we don't install scannerctl and openvasd as they don't have dependencies
# that must be preloaded in order to function.
# WORKDIR /workspaces/openvas/rust/scannerctl
# RUN cargo install --path .
# WORKDIR /workspaces/openvas/rust/openvasd
# RUN cargo install --path .
USER redis
RUN sed 's/redis-openvas/redis/' /workspaces/greenbone/openvas-scanner/config/redis-openvas.conf | tee /etc/redis/redis.conf
USER user
# We clean up the cloned repositories as they are usually mounted into the container
RUN rm -r /workspaces/greenbone


# RUN sudo apt-get clean && sudo rm -rf /var/lib/apt/lists/*

SHELL ["/bin/bash", "-c"]

RUN rustup component add rust-analyzer rust-src
ENV PATH="/home/user/.cargo/bin:${PATH}"
ENV PATH="/home/user/.local/bin:${PATH}"
RUN echo "alias start_redis='redis-server /etc/redis/redis.conf'" >> /home/user/.bashrc
ENV start_redis="redis-server /etc/redis/redis.conf"
WORKDIR /workspaces
CMD ["/bin/bash"]
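Review bot: nothing in this build is pinned: `FROM rust:latest`, `github-clone greenbone/gvm-libs` and `github-clone greenbone/openvas-scanner` fetch whatever the default branch holds at build time, and the `.github/install-*-dependencies.sh` scripts from those fresh clones are then executed with `sudo` inside the image. Pin the base image to a tag or digest and pass a tag or commit to `github-clone` (or build only from the mounted workspace) so that a rebuild cannot silently pick up a different toolchain or different scripts. The `apt-get clean && sudo rm -rf /var/lib/apt/lists/*` line is commented out, so the apt cache stays in the final image, and `ENV start_redis=...` duplicates the `.bashrc` alias added one line earlier; one of the two is enough. Comment nit: `execcute`.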
87 changes: 87 additions & 0 deletions .devcontainer/Makefile
@@ -0,0 +1,87 @@
# TODO:
# - add update script
# - change install-nvim to adapt update script to also update neovim


# Get the UID and GID of the user those will be used within the Dockerfile to share the same id between host and container.
UID := $(shell id -u)
GID := $(shell id -g)
MF_DIR := $(dir $(abspath $(lastword $(MAKEFILE_LIST))))
# if podman exists, use it instead of docker
ifneq (,$(shell which podman))
CONTAINERR=podman
else
CONTAINERR=docker
endif
# disable docker hints, who needs that?
export DOCKER_CLI_HINTS=false

.PHONY: build

command-exists = $(CONTAINERR) exec -it openvas-dev command -v $(1) >/dev/null 2>&1 && echo "exists" || echo "not exists"
# @if [ "$$(basename $$SHELL)" = "fish" ]; then \
get-shell = $(basename $(notdir $(SHELL)))

build:
$(CONTAINERR) build \
--build-arg UID=$(UID) \
--build-arg GID=$(GID) \
-t openvas-dev:latest \
.

start:
$(CONTAINERR) start openvas-dev

create:
$(CONTAINERR) create -it \
--name openvas-dev \
-v $(HOME)/.ssh:/home/user/.ssh\
-v $(HOME)/.config:/home/user/.config\
-v $(HOME)/.gitconfig:/home/user/.gitconfig \
openvas-dev:latest

is-running:
$(CONTAINERR) ps -q --filter "name=openvas-dev" | grep -q .

enforce-running:
$(MAKE) is-running || $(MAKE) start || $(MAKE) create && $(MAKE) start

install-fish: enforce-running
$(CONTAINERR) exec -it openvas-dev /bin/bash -c "sudo apt update"
$(CONTAINERR) exec -it openvas-dev /bin/bash -c "sudo apt install -y fish"
# doesn't work because of attached tty on create there is no reinit of the shell
#$(CONTAINERR) exec -it openvas-dev /bin/bash -c "sudo chsh -s /usr/bin/fish user"

install-pyright: enforce-running
$(CONTAINERR) exec -it openvas-dev /bin/bash -c "pipx install pyright"


install-rg-fzf: enforce-running
$(CONTAINERR) exec -it openvas-dev /bin/bash -c "sudo apt update"
$(CONTAINERR) exec -it openvas-dev /bin/bash -c "sudo apt install -y ripgrep fzf"

install-nvim: install-rg-fzf
$(CONTAINERR) exec -it openvas-dev /bin/bash -c "sudo apt install -y ninja-build gettext cmake unzip curl build-essential nodejs"
$(CONTAINERR) exec -it openvas-dev /bin/bash -c "github-clone neovim/neovim"
$(CONTAINERR) exec -it openvas-dev /bin/bash -c "cd /workspaces/neovim/neovim && make CMAKE_BUILD_TYPE=RelWithDebInfo && sudo make install"


enter: enforce-running
@if $(call command-exists,fish); then \
$(MAKE) enter-fish; \
else \
$(MAKE) enter-bash; \
fi

enter-bash: enforce-running
$(CONTAINERR) exec -it openvas-dev /bin/bash

# TODO: detect running shell and use that
enter-fish: enforce-running
$(CONTAINERR) exec -it openvas-dev /usr/bin/fish

stop:
-$(CONTAINERR) stop openvas-dev

rm: stop
$(CONTAINERR) rm openvas-dev
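Review bot: `enter` always takes the fish branch: `command-exists` ends in `&& echo "exists" || echo "not exists"`, so its exit status is that of the last `echo` (always 0) regardless of whether `command -v $(1)` succeeded, and `if $(call command-exists,fish)` is therefore always true. Either drop the echoes so the `command -v` status propagates, or compare the output string. `enforce-running` relies on `a || b || c && d` being parsed as `(a || b || c) && d`, which happens to work but runs `start` a second time after every branch; `$(MAKE) is-running || $(MAKE) start || { $(MAKE) create && $(MAKE) start; }` states the intent. In `create`, consider mounting `$(HOME)/.ssh` read-only (`:ro`): the container user gets passwordless sudo from prepare-user-dirs.sh, so the host's private keys are otherwise writable from inside. `CONTAINERR` (double R) reads like a typo, and only `build` is declared `.PHONY` although `rm`, `stop`, `create` and `start` are also targets.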
10 changes: 10 additions & 0 deletions .devcontainer/build-cmake-project.sh
@@ -0,0 +1,10 @@
#/bin/sh
[ -d "$1" ] && WORKD_DIR="$1" || (
echo "Usage: $0 <project-dir>"
exit 1
)
cd $WORKD_DIR
set -ex
cmake -B build -DCMAKE_EXPORT_COMPILE_COMMANDS=ON
cmake --build build --target install
sudo ldconfig
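Review bot: the usage check does not stop the script: `exit 1` runs inside the `( ... )` subshell, so when `$1` is not a directory the script continues with `cd $WORKD_DIR` (an empty, unquoted value, which makes `cd` go to `$HOME`) and runs `cmake -B build ... --target install` there. Use `{ echo "Usage: ..."; exit 1; }` or an `if`/`else`, move `set -ex` above the `cd`, and quote `"$WORKD_DIR"`. The first line is `#/bin/sh` without `!`, so the file has no valid shebang; it only runs because bash falls back to interpreting a non-executable-format file as a shell script.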
8 changes: 8 additions & 0 deletions .devcontainer/build-gvm-libs
@@ -0,0 +1,8 @@
#!/bin/bash
owner=${1:-greenbone}
if [ -d "/workspaces/$owner" ]; then
target_dir="/workspaces/$owner/gvm-libs"
else
target_dir="/workspaces/gvm-libs"
fi
/usr/local/bin/build-cmake-project.sh "$target_dir"
9 changes: 9 additions & 0 deletions .devcontainer/build-openvas
@@ -0,0 +1,9 @@
#!/bin/bash
owner=${1:-greenbone}
if [ -d "/workspaces/$owner" ]; then
target_dir="/workspaces/$owner/openvas-scanner"
else
target_dir="/workspaces/openvas-scanner"
fi

/usr/local/bin/build-cmake-project.sh "$target_dir"
3 changes: 3 additions & 0 deletions .devcontainer/devcontainer.json
@@ -0,0 +1,3 @@
{
"build": { "dockerfile": "Dockerfile" },
}
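Review bot: the object carries a trailing comma after `"build": { "dockerfile": "Dockerfile" },`, which VS Code's JSONC parser tolerates but strict JSON tooling rejects; drop it. Since the Dockerfile declares `ARG UID` and `ARG GID` and `prepare-user-dirs.sh` creates the `user` account from them, consider passing them via `build.args` and setting `remoteUser` here as well, so the container user matches the host user when the image is built by the devcontainer tooling rather than by the Makefile.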
38 changes: 38 additions & 0 deletions .devcontainer/github-clone.sh
@@ -0,0 +1,38 @@
#!/bin/bash

if [ -z "$1" ]; then
echo "Error: Repository name is not provided."
exit 1
fi

IFS='/' read -r owner repo <<< "$1"

parent_dir="/workspaces"
if [ ! -d "$parent_dir" ]; then
echo "Parent directory '$parent_dir' does not exist. Creating it."
mkdir -p "$parent_dir"
fi

owner_dir="$parent_dir/$owner"
if [ ! -d "$owner_dir" ]; then
echo "Owner directory '$owner_dir' does not exist. Creating it."
mkdir -p "$owner_dir"
fi

target_dir="/workspaces/$1"

if [ -d "$target_dir" ]; then
echo "Error: Target directory '$target_dir' already exists."
exit 1
fi

if ls $HOME/.ssh/id_* &>/dev/null; then
if git clone [email protected]:$1.git "$target_dir"; then
echo "Cloning with SSH URL successful."
else
echo "Warning: Cloning with SSH URL failed. Falling back to HTTPS URL."
git clone https://github.com/$1.git "$target_dir"
fi
else
git clone https://github.com/$1.git "$target_dir"
fi
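Review bot: `$1` is never validated beyond being non-empty: with an argument lacking a `/`, `read -r owner repo` leaves `repo` empty, `owner_dir` equals `target_dir` (so the "already exists" check fires after the script itself created the directory), and the clone URL becomes `github.com/<arg>.git`. Check `[[ "$1" == */* ]]` and reject `..` components before creating anything under `/workspaces`. Also quote `"$1"` in both `git clone` URLs and `"$HOME"` in the `ls` test, and note that the SSH-key probe `ls $HOME/.ssh/id_*` only says that a key file exists, not that it is usable; the HTTPS fallback already covers the failure, so the probe could be dropped in favour of trying SSH first.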
44 changes: 44 additions & 0 deletions .devcontainer/prepare-user-dirs.sh
@@ -0,0 +1,44 @@
#!/bin/sh
# This scripts creates the dirs defined in dirs and sets the rights to the given user and id.
# This script creates a user with a $UID as well as a group with $GID
# afterwards it creates set of directories, assigns ownership to a newly created user and group, and configures sudo permissions for the user.
# This is done to allow cmake --build build --target install to work without permission issues.

dirs="
/workspaces
/run/gvm
/var/log/gvm
/etc/openvas
/var/lib/openvas
/usr/local/lib
/usr/local/share/man/man1/
/usr/local/share/man/man8/
/usr/local/include/gvm
/usr/local/share/openvas
/usr/local/bin
/usr/local/sbin
/var/lib/openvas
/var/lib/notus
/var/lib/gvm
/var/lib/openvasd
/etc/openvasd
/run/redis
"

set -ex
groupadd --gid "$GID" "developer" || true
# for the case that the GID already existed when we tried to create developer
# this can happen when we reuse staff from a mac os host
group_name=$(getent group "$GID" | cut -d: -f1)

useradd --uid "$UID" --gid "$group_name" --shell /bin/bash --groups redis --create-home user

for dir in ${dirs[@]}; do
if [ ! -d $dir ]; then
mkdir -p $dir
fi
chown -R user:$group_name $dir
done
# allow user to run sudo without password since it is intented as development
# container it is assumed that the user wants to install or manipulate the container
echo "user ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/user
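Review bot: the shebang is `#!/bin/sh` but `${dirs[@]}` is bash array syntax (dash reports "Bad substitution"); it works only because the Dockerfile invokes `bash /prepare-user-dirs.sh`, and since `dirs` is a plain string, `for dir in $dirs; do` is what is meant in either shell. Under bash, `UID` is additionally a readonly shell variable initialised from getuid() at startup, so it is worth verifying that `useradd --uid "$UID"` really sees the build arg and not 0; renaming the arg (e.g. `USER_UID`) sidesteps the question. `/var/lib/openvas` is listed twice, `intented` should be `intended`, and `chown -R user:$group_name` over `/usr/local/lib`, `/usr/local/bin` and `/usr/local/sbin` hands every installed library and binary to the unprivileged user; given the NOPASSWD sudo granted below, running the install step through sudo would achieve the same without changing ownership of system directories.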
2 changes: 1 addition & 1 deletion .github/install-openvas-dependencies.sh
@@ -25,7 +25,7 @@ apt-get update && apt-get install --no-install-recommends --no-install-suggests
libbsd-dev \
libgnutls30 \
libgssapi3-heimdal \
libkrb5-26-heimdal \
libkrb5-dev \
libasn1-8-heimdal \
libroken19-heimdal \
libhdb9-heimdal \
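Review bot: swapping `libkrb5-26-heimdal` for `libkrb5-dev` installs MIT Kerberos headers and libraries while the surrounding `libgssapi3-heimdal`, `libasn1-8-heimdal`, `libroken19-heimdal` and `libhdb9-heimdal` lines keep installing the Heimdal runtime, so the scanner host ends up with two GSSAPI implementations. If the new openvas-krb5 code links against MIT libkrb5 (as the later `libkrb5` addition for debian-oldstable suggests), drop the Heimdal packages or document why both are needed. If this list is meant to be runtime-only, the runtime counterpart of the removed package is `libkrb5-3`, and `libkrb5-dev` belongs with the build dependencies.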
@@ -0,0 +1,19 @@
# ip_reverse_lookup

## NAME

**ip_reverse_lookup** - gets the host name of either the given IP address or the current target

## SYNOPSIS

*string* **ip_reverse_lookup**( *string* );

Takes an optional *string* parameter, which is the IP address to look up. If no parameter is given, the IP address of the current target is used.

## DESCRIPTION

This function uses the `gethostbyaddr` function to get the host name of the given IP address. If no IP address is given, the IP address of the current target is used.

## RETURN VALUE

Return the found host name or NULL if the host name could not be retrieved.
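Review bot: DESCRIPTION names `gethostbyaddr`, which is obsolete and not thread-safe; `getnameinfo` (with `NI_NAMEREQD`) is the current API and matters if lookups for several targets run concurrently. The page should also state where the name comes from: it is the PTR record for the address, controlled by whoever operates that reverse zone, and the krb5 example in this PR feeds it straight into the `cifs/<host>` service principal, so callers need to know they are trusting the reverse zone when choosing the name to request a ticket for. RETURN VALUE: "Return the found host name" should read "Returns the found host name".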
@@ -0,0 +1,38 @@
# krb5_error_code_to_string

## NAME

**krb5_error_code_to_string** - Returns a string representation of either the given code or the cached code.

## SYNOPSIS

*str* **krb5_error_code_to_string**(int);


## DESCRIPTION

Returns a string representation of either the given code or the cached code.

The cached code reflects the error code of the last krb5 function call.


## RETURN VALUE

Returns a human readable version of the result code.

## EXAMPLES

```nasl
login = string( get_kb_item( "KRB5/login_filled/0" ) );
password = string( get_kb_item( "KRB5/password_filled/0" ) );
realm = string( get_kb_item( "KRB5/realm_filled/0" ) );
kdc = string( get_kb_item( "KRB5/kdc_filled/0" ) );
host = ip_reverse_lookup(); # must be a domain name.

result = krb5_gss_prepare_context(realm: realm, kdc: kdc, host: host, service: 'cifs', user: login, password: passwod);
if (krb5_is_failure(result)) {
display(krb5_error_code_to_string(result));
}
display(krb5_error_code_to_string());
```

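Review bot: the example passes `password: passwod` (typo for `password`), so as written `krb5_gss_prepare_context` receives an undefined value. The SYNOPSIS uses `*str*` and an unnamed `int` where the sibling pages use `*string*` and named arguments (`realm:`); align them. DESCRIPTION should say what is returned when no argument is given and no krb5 function has been called yet, and the example relies on `krb5_is_failure` and `krb5_gss_prepare_context` without linking their pages.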
33 changes: 33 additions & 0 deletions doc/manual/nasl/built-in-functions/krb5/krb5_find_kdc.md
@@ -0,0 +1,33 @@
# krb5_find_kdc

## NAME

**krb5_find_kdc** - Find the KDC for a given realm

## SYNOPSIS

*string* **krb5_find_kdc**(realm: *string*);

**insstr** takes named argument `realm`.

## DESCRIPTION

This function opens the krb5.conf file (located either by environment variable KRB5_CONFIG or /etc/ktrb5.conf) and looks for an kdc entry for the given realm.


## RETURN VALUE

The found KDC or *NULL* if the KDC could not be found.

## ERRORS

Returns *NULL* if the realm is not found or the krb5.conf file could not be opened.

## EXAMPLES

```c#
kdc = insstr(realm: 'EXAMPLE.COM');
display(kdc);
```


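Review bot: the SYNOPSIS note and the example are copied from another function's page: `**insstr** takes named argument \`realm\`` and `kdc = insstr(realm: 'EXAMPLE.COM');` should both say `krb5_find_kdc`. `/etc/ktrb5.conf` should be `/etc/krb5.conf`, "an kdc entry" should be "a kdc entry", and the fence is tagged `c#` where the sibling page uses `nasl`. Since commit b856b1c adds multiple-KDC support, RETURN VALUE should say whether the first `kdc` entry or all of them are returned, and ERRORS currently conflates "realm not found" with "krb5.conf could not be opened"; if this function sets the cached error code that `krb5_error_code_to_string` reads, say so, because that is the only way a caller can tell the two apart.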