
PuTTY is able to do this, and I don't know how -- I would like to be able to do the same with SSH.NET or another .NET library.

Anyways -- when I'm on my Windows system logged in as myself with my domain account, I can fire up PuTTY, SSH to a machine and only get prompted by the machine I'm remoting into for my username, never my password -- yet PuTTY seems to be able to log me in; I'm guessing, probably using some form of domain authentication.

Can SSH.NET do this, can any .NET library? I want to start a process in Windows as a user using impersonation and then, from that process, SSH into a machine on behalf of that user, but I don't want to request or handle the user's password, for obvious security reasons.

Matt
    Are you sure your PuTTY profile or desktop shortcut isn't using a private key and authenticating using the public/private key method supported by SSH? If the private key didn't have a password, this would exhibit the same behavior. – Joshua Jul 14 '14 at 23:42
  • I'm sure -- I was just able to make this work with Kerberos using SSPI as recommended below, though I just found a library that does it. (http://www.rebex.net/ssh-pack/default.aspx) – Matt Jul 15 '14 at 02:30
  • Matt - Are you able to provide an example of how you achieved this with SSPI? I'm currently using SSH.NET and trying to authenticate users using their Windows credentials on a domain. – Tillman32 Jul 24 '15 at 14:58

1 Answer

This sort of authentication is typically done using the Windows SSPI API, which wraps the various security service providers a la NTLM / Kerberos.

Callers of SSPI can obtain a handle to the current user's credentials and use this credential handle to ask an SSP to provide authentication tokens. The client sends tokens to the server, the server accepts those and sends tokens to the client, rinse repeat until both sides are happy.

As for the application developer, all you ever have to do is ask for these tokens, ferry them across your connection, and pump them into the appropriate SSPI call.

So typically:

  1. Client calls AcquireCredentialsHandle()
  2. Client calls InitializeSecurityContext(), providing no input tokens, returning an output token (an opaque byte array).
  3. Client sends those tokens to the server.
  4. Server calls AcceptSecurityContext(), providing the client's tokens as input, returning an output token.
  5. Server sends his tokens to client.

... repeats until both functions indicate they are happy.

I posted the following question to learn how to do this directly: Client-server authentication - using SSPI?

Fortunately, I have a complete .NET wrapper for SSPI, along with some demo programs: NSspi.

Now, I'm not sure on exactly how this integrates into the SSH protocol, or the SSH server that you're using. From my understanding, SSH sessions start by advertising each side's supported authentication mechanism, and I'd estimate that the server is advertising a particular auth provider that is tied directly to SSPI, or maybe Kerberos, and just expects you to perform the client side of the above SSPI authentication cycle. The trick would be figuring out exactly what the server expects, and how to register a provider with your SSH client library that meets that expectation.

antiduh
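The token loop the answer describes, run end to end between a client and a server in one process using .NET's built-in NegotiateStream, which wraps the same SSPI calls (AcquireCredentialsHandle / InitializeSecurityContext / AcceptSecurityContext) rather than NSspi. This is an added example, not code from the answer or from NSspi; it assumes a domain-joined Windows host, .NET Core 3.0 or later (for the using-declaration syntax), and a target SPN of host/<machine name>.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Principal;
using System.Threading.Tasks;

// Loopback demo: NegotiateStream ferries the SSPI tokens for each side until both contexts complete.
class NegotiateDemo
{
    static void Main()
    {
        var listener = new TcpListener(IPAddress.Loopback, 0);
        listener.Start();
        int port = ((IPEndPoint)listener.LocalEndpoint).Port;
        Task server = Task.Run(() => RunServer(listener));
        RunClient(port);
        server.Wait();
    }
    static void RunServer(TcpListener listener)
    {
        using TcpClient conn = listener.AcceptTcpClient();
        using var auth = new NegotiateStream(conn.GetStream(), false);
        // Runs AcceptSecurityContext() on each client token until the context completes; requiring
        // Identification (not Delegation) stops this server reusing the caller's credentials elsewhere.
        auth.AuthenticateAsServer(CredentialCache.DefaultNetworkCredentials,
            ProtectionLevel.EncryptAndSign, TokenImpersonationLevel.Identification);
        Report("server", auth);
    }
    static void RunClient(int port)
    {
        using var tcp = new TcpClient();
        tcp.Connect(IPAddress.Loopback, port);
        using var auth = new NegotiateStream(tcp.GetStream(), false);
        // DefaultNetworkCredentials is the logged-on user's session, so no password is handled here;
        // the target SPN (assumed host/<machine>) is what lets Kerberos, with mutual auth, be selected.
        auth.AuthenticateAsClient(CredentialCache.DefaultNetworkCredentials,
            "host/" + Environment.MachineName,
            ProtectionLevel.EncryptAndSign, TokenImpersonationLevel.Identification);
        Report("client", auth);
    }
    static void Report(string side, NegotiateStream s)
    {
        Console.WriteLine($"{side}: peer={s.RemoteIdentity.Name} package={s.RemoteIdentity.AuthenticationType}" +
            $" mutual={s.IsMutuallyAuthenticated} encrypted={s.IsEncrypted} signed={s.IsSigned}");
        // NTLM fallback yields no mutual authentication: the server has not been proven to the client.
        if (!s.IsMutuallyAuthenticated) Console.WriteLine($"{side}: WARNING: peer not mutually authenticated");
    }
}
```

If the SPN is not registered for the account the server runs as, Negotiate falls back to NTLM and the report shows mutual=False, which is the condition a real client should refuse rather than log.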