From ea937ec538c189c2560e89cef2d8545ef9d4e1ab Mon Sep 17 00:00:00 2001
From: Philipp Eder
Date: Thu, 24 Oct 2024 11:59:06 +0000
Subject: [PATCH 1/4] Add: krb5 credential
To support krb5 a new credential service is required to get the `realm`, as well as `kdc` in addition to `username` and `password`. This adds: ``` scanuser mypass myrealm mykdc ```
---
 ospd_openvas/preferencehandler.py | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/ospd_openvas/preferencehandler.py b/ospd_openvas/preferencehandler.py
index 9c8c704f..bb8abced 100644
--- a/ospd_openvas/preferencehandler.py
+++ b/ospd_openvas/preferencehandler.py
@@ -32,6 +32,8 @@
 OID_ESXI_AUTH = "1.3.6.1.4.1.25623.1.0.105058"
 OID_SNMP_AUTH = "1.3.6.1.4.1.25623.1.0.105076"
 OID_PING_HOST = "1.3.6.1.4.1.25623.1.0.100315"
+# TODO: check me, check me, check me
+OID_KRB5_AUTH = "1.3.6.1.4.1.25623.1.81.0"
 
 BOREAS_ALIVE_TEST = "ALIVE_TEST"
 BOREAS_ALIVE_TEST_PORTS = "ALIVE_TEST_PORTS"
@@ -589,6 +591,9 @@ def build_credentials_as_prefs(self, credentials: Dict) -> List[str]:
 for credential in credentials.items():
 service = credential[0]
 cred_params = credentials.get(service)
+ if not cred_params:
+ logger.warning("No credentials parameter found for service %s", service)
+ continue
 cred_type = cred_params.get('type', '')
 username = cred_params.get('username', '')
 password = cred_params.get('password', '')
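Review bot: `OID_KRB5_AUTH` has a different shape from the neighbouring auth OIDs (`…25623.1.81.0` versus the `…25623.1.0.<id>` pattern above it) and the `# TODO: check me` line says the value is unverified; if the OID does not match the NVT that reads these preferences, the Kerberos credential is silently never applied and the scan runs unauthenticated. Patch 2/4 of this series deletes the TODO without recording that the value was confirmed. I would replace the TODO with a comment that makes the value checkable, e.g. `# OID of the KRB5 credential NVT; verified against <feed/NVT reference>`.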
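Review bot: The new `if not cred_params:` guard only emits `logger.warning` before `continue`, while the other validation failures in this function (the realm and KDC checks added later in this series) go to `self.errors`, so a credential block with no parameters is dropped from the scan without the client being told. I would report it the same way, adding `self.errors.append(f"No credentials parameter found for service {service}")` next to the `logger.warning` call, so the scan result shows that a credential was discarded. `build_credentials_as_prefs` starts before this hunk and continues after it.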
@@ -665,6 +670,28 @@ def build_credentials_as_prefs(self, credentials: Dict) -> List[str]:
 cred_prefs_list.append(
 f'{OID_SMB_AUTH}:2:password:SMB password:|||{password}'
 )
+ elif service == 'krb5':
+ realm = cred_params.get('realm', '')
+ if not realm:
+ self.errors.append("Missing realm for Kerberos authentication.")
+ continue
+ kdc = cred_params.get('kdc', '')
+ if not kdc:
+ self.errors.append("Missing KDC for Kerberos authentication.")
+ continue
+ cred_prefs_list.append(
+ f'{OID_KRB5_AUTH}:1:entry:KRB5 login:|||{username}'
+ )
+ cred_prefs_list.append(
+ f'{OID_KRB5_AUTH}:2:password:KRB5 password:|||{password}'
+ )
+ cred_prefs_list.append(
+ f'{OID_KRB5_AUTH}:3:entry:KRB5 realm:|||{realm}'
+ )
+ #TODO: add multiple kdcs
+ cred_prefs_list.append(
+ f'{OID_KRB5_AUTH}:4:entry:KRB5 kdc:|||{kdc}'
+ )
 # Check service esxi
 elif service == 'esxi':
 cred_prefs_list.append(
From 205ba37e9fab4edcfcecfbe7a9f7fd512f6a81f4 Mon Sep 17 00:00:00 2001
From: Philipp Eder
Date: Mon, 18 Nov 2024 09:18:54 +0000
Subject: [PATCH 2/4] Verifies if smb and krb5 are set.
Based on the differences when to use krb5 and when to use smb within the feed both are mutualy exclusive. Either use smb, when you have a older system, or krb5 but not both.
---
 ospd_openvas/preferencehandler.py | 28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)
diff --git a/ospd_openvas/preferencehandler.py b/ospd_openvas/preferencehandler.py
index bb8abced..3c5963bc 100644
--- a/ospd_openvas/preferencehandler.py
+++ b/ospd_openvas/preferencehandler.py
@@ -32,7 +32,6 @@
 OID_ESXI_AUTH = "1.3.6.1.4.1.25623.1.0.105058"
 OID_SNMP_AUTH = "1.3.6.1.4.1.25623.1.0.105076"
 OID_PING_HOST = "1.3.6.1.4.1.25623.1.0.100315"
-# TODO: check me, check me, check me
 OID_KRB5_AUTH = "1.3.6.1.4.1.25623.1.81.0"
 
 BOREAS_ALIVE_TEST = "ALIVE_TEST"
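Review bot: The new `krb5` branch validates `realm` and `kdc` but passes `username` and `password` through with their `''` defaults, so an entry without a login still emits `KRB5 login:|||` and `KRB5 password:|||` preferences with empty values and the scan proceeds as if a Kerberos credential were configured. If an empty principal is never valid for this service, a guard mirroring the realm check, `if not username: self.errors.append("Missing username for Kerberos authentication."); continue`, would surface the misconfiguration at submission time instead of as a failed authentication during the scan. The `kdc` value is also written verbatim into the `:`- and `|||`-delimited preference string; whether the KB consumer tolerates those delimiters inside the value is not visible here, so I would confirm that on the reading side. `build_credentials_as_prefs` starts before this hunk and continues after it.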
@@ -588,11 +587,15 @@ def build_credentials_as_prefs(self, credentials: Dict) -> List[str]:
 added to the redis KB.
 """
 cred_prefs_list = []
+ krb5_set = False
+ smb_set = False
 for credential in credentials.items():
 service = credential[0]
 cred_params = credentials.get(service)
 if not cred_params:
- logger.warning("No credentials parameter found for service %s", service)
+ logger.warning(
+ "No credentials parameter found for service %s", service
+ )
 continue
 cred_type = cred_params.get('type', '')
 username = cred_params.get('username', '')
@@ -664,6 +667,12 @@ def build_credentials_as_prefs(self, credentials: Dict) -> List[str]:
 )
 # Check servic smb
 elif service == 'smb':
+ if krb5_set:
+ self.errors.append(
+ "Kerberos and SMB credentials are mutually exclusive."
+ )
+ continue
+ smb_set = True
 cred_prefs_list.append(
 f'{OID_SMB_AUTH}:1:entry:SMB login:|||{username}'
 )
@@ -671,13 +680,23 @@ def build_credentials_as_prefs(self, credentials: Dict) -> List[str]:
 f'{OID_SMB_AUTH}:2:password:SMB password:|||{password}'
 )
 elif service == 'krb5':
+ if smb_set:
+ self.errors.append(
+ "Kerberos and SMB credentials are mutually exclusive."
+ )
+ continue
+ krb5_set = True
 realm = cred_params.get('realm', '')
 if not realm:
- self.errors.append("Missing realm for Kerberos authentication.")
+ self.errors.append(
+ "Missing realm for Kerberos authentication."
+ )
 continue
 kdc = cred_params.get('kdc', '')
 if not kdc:
- self.errors.append("Missing KDC for Kerberos authentication.")
+ self.errors.append(
+ "Missing KDC for Kerberos authentication."
+ )
 continue
 cred_prefs_list.append(
 f'{OID_KRB5_AUTH}:1:entry:KRB5 login:|||{username}'
@@ -688,7 +707,6 @@ def build_credentials_as_prefs(self, credentials: Dict) -> List[str]:
 cred_prefs_list.append(
 f'{OID_KRB5_AUTH}:3:entry:KRB5 realm:|||{realm}'
 )
- #TODO: add multiple kdcs
 cred_prefs_list.append(
 f'{OID_KRB5_AUTH}:4:entry:KRB5 kdc:|||{kdc}'
 )
From 377449e9f2a54d995e7067830e1b8b350206d3ea Mon Sep 17 00:00:00 2001
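Review bot: Which of the two services survives the new mutual-exclusion check is decided by the iteration order of `credentials`: the entry seen first is kept and the later one is dropped with an error, in this `smb` hunk (`if krb5_set:`) and symmetrically in the `krb5` hunk below (`if smb_set:`). If the intent stated in the commit message is "one or the other, never both", I would make the outcome independent of where the client placed the entries — either reject the pair outright, or prefer one service deterministically (for example keep `krb5` and drop `smb` regardless of position) — and state that rule in the function docstring. `build_credentials_as_prefs` starts before this hunk.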
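Review bot: In the `krb5` hunk, `krb5_set = True` is assigned before the realm and KDC checks, so a `krb5` entry that fails validation and hits `continue` still marks Kerberos as configured; an `smb` entry later in `credentials` is then rejected with the mutually-exclusive error even though no KRB5 preferences were emitted, and the scan ends up with neither credential. Move the assignment below the `if not kdc:` block, directly before the first `cred_prefs_list.append(` for KRB5, so only a fully validated Kerberos credential blocks SMB. The function continues past the end of this hunk.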
From: Philipp Eder
Date: Tue, 10 Dec 2024 08:29:06 +0000
Subject: [PATCH 3/4] Fix: make error statement when SMB and KRB5 are defined more clear.
---
 ospd_openvas/preferencehandler.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ospd_openvas/preferencehandler.py b/ospd_openvas/preferencehandler.py
index 3c5963bc..fabe607c 100644
--- a/ospd_openvas/preferencehandler.py
+++ b/ospd_openvas/preferencehandler.py
@@ -669,7 +669,7 @@ def build_credentials_as_prefs(self, credentials: Dict) -> List[str]:
 elif service == 'smb':
 if krb5_set:
 self.errors.append(
- "Kerberos and SMB credentials are mutually exclusive."
+ "Disabled SMB: Kerberos and SMB credentials are mutually exclusive."
 )
 continue
 smb_set = True
@@ -682,7 +682,7 @@ def build_credentials_as_prefs(self, credentials: Dict) -> List[str]:
 elif service == 'krb5':
 if smb_set:
 self.errors.append(
- "Kerberos and SMB credentials are mutually exclusive."
+ "Disabled KRB5: Kerberos and SMB credentials are mutually exclusive."
 )
 continue
 krb5_set = True
From 10cce578cd076120bc099306641cc0f99119ca83 Mon Sep 17 00:00:00 2001
From: Philipp Eder
Date: Tue, 10 Dec 2024 09:19:31 +0000
Subject: [PATCH 4/4] Refactor: pylint requires more complexity 80 lw.
---
 ospd_openvas/preferencehandler.py | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/ospd_openvas/preferencehandler.py b/ospd_openvas/preferencehandler.py
index fabe607c..8c70a32e 100644
--- a/ospd_openvas/preferencehandler.py
+++ b/ospd_openvas/preferencehandler.py
@@ -577,6 +577,11 @@ def prepare_scan_params_for_openvas(self, ospd_params: Dict[str, Dict]):
 if prefs_val:
 self.kbdb.add_scan_preferences(self.scan_id, prefs_val)
 
+ def disable_message(self, disabled: str) -> str:
+ """Return a string with the message for exclusive services."""
+ disabled = f"Disabled {disabled}"
+ return disabled + ": KRB5 and SMB credentials are mutually exclusive."
+
 def build_credentials_as_prefs(self, credentials: Dict) -> List[str]:
 """Parse the credential dictionary.
 Arguments:
@@ -586,6 +591,7 @@ def build_credentials_as_prefs(self, credentials: Dict) -> List[str]:
 A list with the credentials in string format to be
 added to the redis KB.
 """
+
 cred_prefs_list = []
 krb5_set = False
 smb_set = False
@@ -668,9 +674,7 @@ def build_credentials_as_prefs(self, credentials: Dict) -> List[str]:
 # Check servic smb
 elif service == 'smb':
 if krb5_set:
- self.errors.append(
- "Disabled SMB: Kerberos and SMB credentials are mutually exclusive."
- )
+ self.errors.append(self.disable_message("SMB"))
 continue
 smb_set = True
 cred_prefs_list.append(
@@ -681,9 +685,7 @@ def build_credentials_as_prefs(self, credentials: Dict) -> List[str]:
 )
 elif service == 'krb5':
 if smb_set:
- self.errors.append(
- "Disabled KRB5: Kerberos and SMB credentials are mutually exclusive."
- )
+ self.errors.append(self.disable_message("KRB5"))
 continue
 krb5_set = True
 realm = cred_params.get('realm', '')
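Review bot: `disable_message` reads no instance state and rebinds its parameter `disabled` to hold the partial message, which makes a two-line body harder to follow than a single expression would be. I would make it a `@staticmethod` (or a module-level constant next to the OIDs) with one return, `return f"Disabled {disabled}: KRB5 and SMB credentials are mutually exclusive."`, and extend the docstring to say that `disabled` is the service name shown to the user (`"SMB"` or `"KRB5"`). The two call-site hunks later in this patch would not need to change for that.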