feat(pam): add NTLM and Kerberos auth support for MSSQL #245
Gateway MSSQL proxy now supports NTLM (Windows Authentication) in addition to SQL auth. When AuthMethod is "ntlm", the proxy performs a 3-message NTLM handshake with the server (negotiate, challenge, authenticate) using go-ntlmssp, instead of sending SQL credentials in LOGIN7. The client-to-gateway leg is unchanged — clients always use SQL auth with dummy credentials, and the proxy injects the real NTLM auth on the server leg.
…x SSPI length sentinel Extract SSPI token before checking for error tokens — the NTLM challenge contains random binary that can match the 0xAA error byte. Also fix the SSPI length boundary: 0xFFFF is a sentinel per TDS spec, so use strict less-than.
go-ntlmssp uses splitNameForAuth to extract domain from the username. Without the DOMAIN\ prefix, the domain is empty in the NTLMv2 hash and authenticate message, which may fail on domain-member SQL Servers authenticating against a remote DC.
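As an added illustration of the DOMAIN\ prefix issue in the commit above (this is example code, not the project's or go-ntlmssp's own; `QualifyNTLMUser` and the UPN handling are assumptions), the helper below normalises a credential into the down-level `DOMAIN\user` form a backslash-splitting NTLM client expects, and refuses to emit a name with an empty domain:

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// QualifyNTLMUser builds the down-level "DOMAIN\user" login name that a
// backslash-splitting NTLM client expects. It accepts a bare user name
// (domain taken from the separate field), an already qualified
// "DOMAIN\user", or a UPN "user@domain.example" (only the local part is
// used; the NetBIOS domain still comes from the field, because the DNS
// suffix is not the NetBIOS name). The split logic here is our own and is
// not a reproduction of go-ntlmssp's splitNameForAuth.
func QualifyNTLMUser(domain, user string) (string, error) {
	domain = strings.TrimSpace(domain)
	user = strings.TrimSpace(user)
	if user == "" {
		return "", errors.New("ntlm: empty username")
	}
	// Already down-level: keep the caller's domain part, upper-cased.
	if i := strings.IndexByte(user, '\\'); i >= 0 {
		d, u := user[:i], user[i+1:]
		if d == "" || u == "" || strings.ContainsAny(u, `\@`) {
			return "", fmt.Errorf("ntlm: malformed down-level name %q", user)
		}
		return strings.ToUpper(d) + `\` + u, nil
	}
	// UPN: use the local part; the domain must still come from the field.
	if i := strings.IndexByte(user, '@'); i >= 0 {
		if i == 0 || i == len(user)-1 {
			return "", fmt.Errorf("ntlm: malformed UPN %q", user)
		}
		user = user[:i]
	}
	if domain == "" {
		// An empty domain produces an NTLMv2 response with no domain name,
		// which a domain-member SQL Server authenticating against a DC may reject.
		return "", errors.New("ntlm: domain is required to build DOMAIN\\user")
	}
	if strings.ContainsAny(domain, `\@`) {
		return "", fmt.Errorf("ntlm: malformed domain %q", domain)
	}
	return strings.ToUpper(domain) + `\` + user, nil
}

func main() {
	// Constructed sample inputs.
	cases := [][2]string{{"CORP", "svc_sql"}, {"", `corp\svc_sql`}, {"CORP", "svc_sql@corp.example"}, {"", "svc_sql"}}
	for _, c := range cases {
		name, err := QualifyNTLMUser(c[0], c[1])
		fmt.Printf("domain=%q user=%q -> %q err=%v\n", c[0], c[1], name, err)
	}
}
```

Failing fast on an empty domain turns the "may fail on domain-member SQL Servers" case into a clear gateway-side error instead of an opaque login failure from the server.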
Gateway MSSQL proxy now supports Kerberos via gokrb5/v8. Obtains service ticket from KDC, wraps in SPNEGO, sends in LOGIN7. Handles mutual auth round-trip. Actionable error messages for KDC/SPN/clock issues.
…-auth-support-for-mssql-in-pam
…rt-for-mssql-in-pam' into saif/pam-227-kerberos-auth-support-for-ms-sql
Removed empty SSPI acknowledgement packet during Kerberos mutual auth — server sends LoginAck without needing it. Added dial timeout and i/o timeout patterns to wrapKerberosError for unreachable KDC.
💬 Discussion in Slack: #pr-review-cli-245-feat-pam-kerberos-authentication-for-mssql-proxy Posted by Review Police — reviews, comments, new commits, and CI failures will stream into this channel.
| GitGuardian id | GitGuardian status | Secret | Commit | Filename |
|---|---|---|---|---|
| 9387833 | Triggered | Generic Password | c15a998 | packages/pam/handlers/rdp/native/src/rdcleanpath.rs |
| 33062794 | Triggered | Generic CLI Secret | 28de0f5 | packages/cmd/login_status_test.go |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secrets safely. Learn here the best practices.
- Revoke and rotate these secrets.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future, consider:
- following these best practices for managing and storing secrets, including API keys and other credentials;
- installing secret detection on pre-commit to catch secrets before they leave your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
| Filename | Overview |
|---|---|
| packages/pam/handlers/mssql/proxy.go | Adds NTLM and Kerberos authentication paths for MSSQL. SSRF risk: the backend-supplied kdcAddress is used to make outbound TCP connections without an allow-list. |
| packages/pam/handlers/mssql/tds.go | Adds ExtractSSPIToken, SSPIData field in Login7Message, and SSPI encoding logic. ExtractSSPIToken returns a suffix slice rather than the exact NTLM token boundary. |
| packages/pam/session/credentials.go | Adds Realm, KDCAddress, and SPN fields to PAMCredentials and maps them from the API response. Straightforward struct extension with no logic issues. |
| packages/api/model.go | Adds Realm, KDCAddress, and SPN JSON fields to PAMSessionCredentials. Clean, consistent with existing optional-field pattern. |
| packages/pam/pam-proxy.go | Wires Domain, Realm, KDCAddress, SPN, and AuthMethod credentials through to MssqlProxyConfig. No logic changes beyond field mapping. |
| go.mod | Adds github.com/jcmturner/gokrb5/v8 and github.com/Azure/go-ntlmssp as direct dependencies, plus the transitive jcmturner sub-modules. |
Reviews (1): Last reviewed commit: "fix(pam): remove empty SSPI ack + improv..."
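The commit "fix SSPI length sentinel" above and the review note on `ExtractSSPIToken` in tds.go describe the same two defects: scanning the login response for the 0xAA error byte (which random NTLM challenge bytes can contain) and treating 0xFFFF as a valid short SSPI length. The example below is added here and is not the project's code; the function names, the constructed response bytes and the DONE token size (12 bytes, TDS 7.2+) are assumptions. It walks the TDS token stream by type and length so the SSPI body is returned with exact boundaries rather than as a suffix slice, shows the false positive a raw byte scan produces, and applies the strict less-than rule to the LOGIN7 length fields:

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// TDS token types a login response can carry. All of them except DONE
// are followed by a little-endian uint16 body length.
const (
	tokenError     = 0xAA
	tokenInfo      = 0xAB
	tokenLoginAck  = 0xAD
	tokenEnvChange = 0xE3
	tokenSSPI      = 0xED
	tokenDone      = 0xFD
)

// doneTokenLen is the fixed DONE body size in TDS 7.2+:
// Status (2) + CurCmd (2) + DoneRowCount (8).
const doneTokenLen = 12

var errNoSSPI = errors.New("tds: no SSPI token in response")

// ExtractSSPIToken walks the token stream and returns exactly the SSPI
// token body (the server's NTLM challenge or Kerberos reply) together
// with any ERROR token bodies, without ever scanning raw bytes for 0xAA.
func ExtractSSPIToken(payload []byte) (sspi []byte, errs [][]byte, err error) {
	for off := 0; off < len(payload); {
		typ := payload[off]
		off++
		if typ == tokenDone {
			if off+doneTokenLen > len(payload) {
				return nil, nil, errors.New("tds: truncated DONE token")
			}
			off += doneTokenLen
			continue
		}
		if off+2 > len(payload) {
			return nil, nil, fmt.Errorf("tds: truncated length for token 0x%02X", typ)
		}
		n := int(binary.LittleEndian.Uint16(payload[off:]))
		off += 2
		if off+n > len(payload) {
			return nil, nil, fmt.Errorf("tds: token 0x%02X body exceeds packet", typ)
		}
		body := payload[off : off+n]
		off += n
		switch typ {
		case tokenSSPI:
			sspi = body
		case tokenError:
			errs = append(errs, body)
		case tokenInfo, tokenLoginAck, tokenEnvChange:
			// Not needed for the handshake; skipped by their declared length.
		default:
			return nil, nil, fmt.Errorf("tds: unexpected token 0x%02X", typ)
		}
	}
	if sspi == nil {
		return nil, errs, errNoSSPI
	}
	return sspi, errs, nil
}

// NaiveHasError is the broken pattern: a raw scan for the 0xAA byte, which
// fires on challenge bytes that merely happen to equal the ERROR token type.
func NaiveHasError(payload []byte) bool {
	for _, b := range payload {
		if b == tokenError {
			return true
		}
	}
	return false
}

// EncodeSSPILength returns the LOGIN7 cbSSPI (uint16) and cbSSPILong
// (uint32) values. 0xFFFF in cbSSPI is a sentinel meaning "length is in
// cbSSPILong", so the short field may only hold lengths strictly below it.
func EncodeSSPILength(n int) (short uint16, long uint32) {
	if n < 0xFFFF {
		return uint16(n), 0
	}
	return 0xFFFF, uint32(n)
}

// sampleLoginResponse is constructed: one SSPI token whose challenge bytes
// include 0xAA, followed by a DONE token.
var sampleLoginResponse = func() []byte {
	challenge := []byte{'N', 'T', 'L', 'M', 'S', 'S', 'P', 0, 2, 0, 0, 0, 0xAA, 0x55, 0xAA}
	p := []byte{tokenSSPI, byte(len(challenge)), byte(len(challenge) >> 8)}
	p = append(p, challenge...)
	p = append(p, tokenDone)
	return append(p, make([]byte, doneTokenLen)...)
}()

func main() {
	sspi, errs, err := ExtractSSPIToken(sampleLoginResponse)
	fmt.Printf("sspi=%d bytes errors=%d err=%v naiveScan=%v\n",
		len(sspi), len(errs), err, NaiveHasError(sampleLoginResponse))
}
```

On the constructed response the parser returns the 15-byte challenge and no errors, while the byte scan reports an error. Returning `errNoSSPI` alongside any collected ERROR bodies lets the caller surface the server's message when the handshake is rejected.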
…n for krb5 config
…-auth-support-for-ms-sql # Conflicts: # go.mod # go.sum
Description 📣
Adds NTLM and Kerberos authentication to the MSSQL PAM proxy. Both use the same TDS SSPI mechanism — different auth tokens in the same LOGIN7 field. The client-to-gateway leg is unchanged (dummy SQL auth); the gateway injects real auth on the server leg.
NTLM — 3-message challenge-response via go-ntlmssp. Gateway sends negotiate, receives challenge, computes NTLMv2 response with DOMAIN\username. No third-party infrastructure needed.

Kerberos — obtains TGT and service ticket from the KDC via gokrb5/v8, wraps in SPNEGO, sends in LOGIN7. Builds krb5.conf in-memory from realm and KDC address fields. Supports DNS-based KDC discovery when KDC address is omitted. Handles SQL Server's mutual auth round-trip.

Error messages are actionable for both methods — KDC unreachable, clock skew, invalid credentials, unknown SPN, etc. Input validation on realm and KDC address prevents injection into the krb5.conf template.
Companion backend PR: Infisical/infisical#6638
Type ✨
Tests 🛠️
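The Description says krb5.conf is built in memory from the realm and KDC address fields, with input validation to prevent injection into the template, and the review table flags that a backend-supplied KDC address is dialled without an allow-list. The example below is added here and is not the project's code; `ValidateRealm`, `ParseKDCAddress`, `BuildKrb5Conf`, the `allowedKDCs` parameter and the character classes are assumptions. It shows one way to do both: a validator that rejects anything able to open a new krb5.conf section or key, and an optional operator-configured allow-list checked before the host reaches the config:

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strconv"
	"strings"
)

// Character classes for realm names and host labels. Nothing outside
// these sets is accepted, which excludes newlines, '[', ']', '=' and
// whitespace, the characters that could inject a section or key.
var (
	realmRe = regexp.MustCompile(`^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$`)
	labelRe = regexp.MustCompile(`^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$`)
)

// ValidateRealm accepts a DNS-style realm such as CORP.EXAMPLE.
func ValidateRealm(realm string) error {
	if !realmRe.MatchString(realm) {
		return fmt.Errorf("kerberos: invalid realm %q", realm)
	}
	return nil
}

// ParseKDCAddress accepts host, host:port, IPv4/IPv6 literals and [v6]:port
// and returns the validated host and port (default 88).
func ParseKDCAddress(addr string) (string, int, error) {
	host, portStr, err := net.SplitHostPort(addr)
	if err != nil {
		// No port component (or a bare IPv6 literal): validate the whole string as the host.
		host, portStr = addr, "88"
	}
	port, err := strconv.Atoi(portStr)
	if err != nil || port < 1 || port > 65535 {
		return "", 0, fmt.Errorf("kerberos: invalid KDC port in %q", addr)
	}
	if net.ParseIP(host) != nil {
		return host, port, nil
	}
	if host == "" || len(host) > 253 {
		return "", 0, fmt.Errorf("kerberos: invalid KDC host in %q", addr)
	}
	for _, label := range strings.Split(host, ".") {
		if !labelRe.MatchString(label) {
			return "", 0, fmt.Errorf("kerberos: invalid KDC host in %q", addr)
		}
	}
	return host, port, nil
}

// BuildKrb5Conf renders the in-memory krb5.conf. An empty kdc selects DNS
// SRV discovery. allowedKDCs, when non-nil, is the operator-configured set
// of hosts the gateway may dial; it closes the outbound-connection (SSRF)
// concern that arises when the KDC address comes from an API response.
func BuildKrb5Conf(realm, kdc string, allowedKDCs []string) (string, error) {
	if err := ValidateRealm(realm); err != nil {
		return "", err
	}
	var b strings.Builder
	fmt.Fprintf(&b, "[libdefaults]\n  default_realm = %s\n", realm)
	if kdc == "" {
		b.WriteString("  dns_lookup_kdc = true\n")
		return b.String(), nil
	}
	host, port, err := ParseKDCAddress(kdc)
	if err != nil {
		return "", err
	}
	if allowedKDCs != nil && !hostAllowed(host, allowedKDCs) {
		return "", fmt.Errorf("kerberos: KDC host %q is not in the allow-list", host)
	}
	b.WriteString("  dns_lookup_kdc = false\n")
	fmt.Fprintf(&b, "\n[realms]\n  %s = {\n    kdc = %s\n  }\n", realm, net.JoinHostPort(host, strconv.Itoa(port)))
	return b.String(), nil
}

func hostAllowed(host string, allowed []string) bool {
	for _, a := range allowed {
		if strings.EqualFold(host, a) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed inputs: a valid configuration and a realm carrying an injected section.
	conf, err := BuildKrb5Conf("CORP.EXAMPLE", "kdc1.corp.example", []string{"kdc1.corp.example"})
	fmt.Println(conf, err)
	_, err = BuildKrb5Conf("CORP.EXAMPLE\n[appdefaults]", "kdc1.corp.example", nil)
	fmt.Println("injection attempt:", err)
}
```

Passing `nil` for `allowedKDCs` keeps the current behaviour (any syntactically valid host is dialled); wiring the operator's list through closes the gap the review raises without changing the validated-input path.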