feat(dgw): RDP proxy Kerberos credentials-injection

[Pavlo Myroniuk (TheBestTvarynka)]

Hi,

This PR consists of the following intermediate PRs:

• feat: RDP proxy server-side Kerberos support #1396
• feat(KdcProxy): Kerberos credentials injection support #1605
• fix(dgw): derive internal realm from gateway id #1621
• fix(dgw): rdp proxy: set Kerberos client hostname #1634

All together provide RDP proxy Kerberos credentials-injection support.

Configuring

Here is an example of my configuration:

  "__debug__": {
    "disable_token_validation": true,
    "enable_unstable": true,
    "kerberos": {
      "kerberos_server": {
        "users": [
          {
            "fqdn": "fake_user@603077ae-b66b-4256-ae48-a458db5b90b0.jet",
            "password": "fake_password",
            "salt": "603077ae-b66b-4256-ae48-a458db5b90b0.jetfake_user"
          }
        ],
        "krbtgt_key": [230, 176, 177, 188, 175, 216, 176, 149, 34, 213, 40, 102, 107, 175, 106, 164, 76, 187, 225, 146, 182, 58, 143, 28, 119, 5, 83, 229, 4, 209, 93, 237],
        "max_time_skew": 64,
        "ticket_decryption_key": [105, 224, 208, 190, 41, 253, 44, 134, 64, 29, 178, 11, 37, 172, 124, 169, 48, 202, 121, 255, 218, 220, 247, 114, 141, 182, 249, 108, 60, 251, 145, 17]
      },
      "kdc_url": "tcp://192.168.1.104:88"
    }
  },

1. The disable_token_validation is set only for testing purposes.
2. The enable_unstable flag must be set. The Kerberos credentials-injection will not work if this option is not enabled.
3. Fake credentials domain must be {gateway id}.jet.
4. The kdc_url field is optional: the sspi crate can resolve the real KDC via DNS, environment variables, etc.
5. krbtgt_key and ticket_decryption_key must be random 32-byte arrays.

Demo

FreeRDP

freerdp_rdp_proxy_demo.mp4

mstsc

mstscex_rdp_proxy_demo.mp4

[github-actions]

Let maintainers know that an action is required on their side

• Add the label release-required Please cut a new release (Devolutions Gateway, Devolutions Agent, Jetsocat, PowerShell module) when you request a maintainer to cut a new release (Devolutions Gateway, Devolutions Agent, Jetsocat, PowerShell module)

• Add the label release-blocker Follow-up is required before cutting a new release if a follow-up is required before cutting a new release

• Add the label publish-required Please publish libraries (`Devolutions.Gateway.Utils`, OpenAPI clients, etc) when you request a maintainer to publish libraries (Devolutions.Gateway.Utils, OpenAPI clients, etc.)

• Add the label publish-blocker Follow-up is required before publishing libraries if a follow-up is required before publishing libraries

[Pavlo Myroniuk (TheBestTvarynka)]

Benoît Cortier (@CBenoit), I re-tested this branch after merging all PRs. Everything works well (see demo videos in PR description). The PR is ready for review.

[Benoît Cortier (CBenoit)]

Looks like picky-krb is duplicated 🤔

[Pavlo Myroniuk (TheBestTvarynka)]

Benoît Cortier (@CBenoit), The problem is in the kdc crate. It uses the latest picky-krb version (https://github.com/Devolutions/sspi-rs/blob/82d8bba2a84bba54a6efb3abc0153cc160bf29aa/Cargo.toml#L76). Whereas ironrdp-* crates use sspi version that, in turn, uses picky-krb = 0.11.

I think this duplication will be removed automatically when we update ironrdp-* crates.

[Benoît Cortier (CBenoit)]

Okay, no need to worry then! Thank you

[Benoît Cortier (CBenoit)]

Awesome work! This is looking pretty good to me 💯

Can you just see what can be done for the duplicated dependencies? If it’s not trivial, we’ll just fix that via follow up PRs instead 🙂

[Pavlo Myroniuk (TheBestTvarynka)]

Can you just see what can be done for the duplicated dependencies? If it’s not trivial, we’ll just fix that via follow up PRs instead 🙂

sure. I will look into it

[Benoît Cortier (CBenoit)]

LGTM!