Class: Rex::Proto::LDAP::AuthAdapter::RexKerberos

Inherits:
Net::LDAP::AuthAdapter
  • Object
Defined in:
lib/rex/proto/ldap/auth_adapter/rex_kerberos.rb,
lib/rex/proto/ldap/auth_adapter/rex_kerberos/encryptor.rb

Defined Under Namespace

Classes: Encryptor


Instance Method Details

#bind(auth) ⇒ Object



# File 'lib/rex/proto/ldap/auth_adapter/rex_kerberos.rb', line 9

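# Perform a SASL GSS-SPNEGO bind against the LDAP server using a Rex Kerberos
# authenticator supplied by the caller.
#
# @param auth [Hash] binding options. Reads +:kerberos_authenticator+ (required;
#   an object responding to +#authenticate(options)+ and returning a Hash with a
#   +:security_blob+) and +:sign_and_seal+ (optional; truthy to install the SASL
#   security layer via Encryptor after a successful bind).
# @return [Net::LDAP::PDU] the bind result as returned by the SASL adapter. A
#   rejected bind is returned, not raised: callers must check its result code.
# @raise [Net::LDAP::BindingInformationInvalidError] when no authenticator is given.
def bind(auth)
  kerberos_authenticator = auth[:kerberos_authenticator]
  unless kerberos_authenticator
    raise Net::LDAP::BindingInformationInvalidError, 'Invalid binding information (missing kerberos authenticator)'
  end

  options = {}
  if @connection.socket.respond_to?(:peer_cert)
    # The transport is TLS: tie the GSS exchange to the server certificate
    # (LDAP channel binding) so the ticket cannot be relayed to another
    # endpoint. NOTE(review): OpenSSL's peer_cert is nil when the peer presented
    # no certificate; from_tls_cert is assumed to reject that - confirm.
    options = {
      gss_channel_binding: Rex::Proto::Gss::ChannelBinding.from_tls_cert(
        @connection.socket.peer_cert
      ),
      # when TLS channel binding is in use, disable the sign and seal flags
      gss_flag_confidential: false,
      gss_flag_integrity: false
    }
  end

  kerberos_result = kerberos_authenticator.authenticate(options)
  initial_credential = kerberos_result[:security_blob]

  # NOTE(review): no real challenge handler is supplied (`true`); this relies on
  # the Kerberos AP-REQ completing the SPNEGO exchange in a single round trip.
  result = Net::LDAP::AuthAdapter::Sasl.new(@connection).bind(
    method: :sasl,
    mechanism: 'GSS-SPNEGO',
    initial_credential: initial_credential,
    challenge_response: true
  )

  # Only install the security layer once the server accepted the bind (result
  # code 0 == success). A rejected bind may carry no serverSaslCreds, and the
  # caller must see the LDAP error result rather than a failure from the
  # encryptor setup.
  if auth[:sign_and_seal] && result.result_code == 0
    encryptor = Encryptor.new(kerberos_authenticator)
    encryptor.setup(@connection, kerberos_result, result.result[:serverSaslCreds])
  end

  result
end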