Retrieve credentials from windows credential manager - ruby

I was disappointed to know that my colleague said there is no ruby library which will help us to access windows credentials and store it somewhere (but python does) so that my ruby script can use it to authenticate. I looked around a little bit and found nothing, so is this true or do we have some way to do it.
My information was python can achieve this using win32cred.
[EDIT]: Would like to retrieve credentials from the Windows Credential manager
and if it cannot find them then I would want to launch the Credential Password dialog
which is the built in credential manager dialog and captures the username
and password and saves it to the credential manager.

use FFI to call the CryptProtectData/CryptUnProtectData methods https://github.com/ffi/ffi/wiki/Windows-Examples

Related

How to fix git error "Failed to enumerate credentials. [0x520]"

I'm using git over ssh on a remote machine that is running Windows 10. When I try to do a git pull, I get the error message in the title after entering my credentials.
Fixed by installing the latest version of git credential manager on chocolatey (not sure if this is necessary) and switching my git credential store to dpapi.
See https://github.com/GitCredentialManager/git-credential-manager/blob/main/docs/credstores.md#dpapi-protected-files for instructions on how to do so.
This could be illustrated by GitCredentialManager/git-credential-manager issue 325
The error you're seeing is related to the way that Windows handles "logon sessions" and "credential sets".
GCM Core uses the Windows Credential Manager (wincred.h) to store credentials safely on Windows.
We interact with wincred via the Windows APIs: CredRead, CredWrite, CredDelete, and CredEnumerate.
The error being returned in your case here is ERROR_NO_SUCH_LOGON_SESSION (0x520) which means:
The logon session does not exist or there is no credential set associated with this logon session.
Network logon sessions do not have an associated credential set.
The key part here is in bold.
When you connect via SSH, the sshd daemon/Windows service is running as the NT AUTHORITY\NETWORK SERVICE account (most likely/by default), which creates network logon sessions when an SSH client connects.
From some searching online, one workaround posted is to change the account that sshd runs as to be your real user, which would then have an associated credential set. Your milage may vary here depending on setup.
If you try to use the built-in cmdkey command for interacting credentials stores in the Windows Credential Manager, you'll see similar errors or messages like "saved for this login only".
Upgrading to the latest version of GCM comes with:
With the latest GCM Core release (v2.0.567) there is support on Windows to use a different credential store other than the Windows Credential Manager that shouldn't have the same remote-session limitations.
You can read more about the different options here: https://aka.ms/gcmcore-credstores
The specific store that may help this SSH scenario is the DPAPI-protected file store.
Credentials are protected using Windows DPAPI encryption (based on your current user account) and are written to files on disk (configurable; defaults to %USERPROFILE%\.gcm\dpapi_store).

Can WSL inherit windows auth credentials

I'm using WSL in an exclusively windows environment because of a number of tools that are only really available for Linux. I often connect to DBs programmatically and would like to be able to do that without specifying my login information. For example in Python through Windows I could do this:
import pymssql
con = pymssql.connect(server, port)
And that connection would go through without my having to specify any credentials because my AD account has access to the server, and pymssql will use windows auth when no credentials are specified.
In python running on WSL however that doesn't work, and so to make the same connection I would have to additionally pass the user and password parameters.
Is there any way to make WSL inherit windows authentication when running Linux processes?
I got you Fam!
Here is the solution : http://michaeljw.com/blog/post/keyring-r-python-windows/
Here is the Sauce:
Use the Windows Credential Manager to store the creds you want to use
https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0
Here is the command for accessing the credential manager in Python:
keyring.get_password(u"[Domain or URI]", u"[username]")
As long as the user is in the cred manager, you should be able to use that command to variablize creds. You will probably have to play with it a bit to get it right, but it will work. Be sure to read the linked articles.
Enjoy

Windows Authentication in other applications (like Google-chrome)

I have a question about windows authentication in other application like Google chrome.
I know about LDAP and I think my question should be something else.
Example: When I want to see my saved password in Google Chrome, it asked me my windows password.
1- How Google chrome is able to identify me? is it something available by windows, if yes that means I can use it even in any windows application.
(Considering this link Microsoft API should get the password and verify it but how can we use this API in our application?).
2- Is it secure from any kind of attack to password?
is there any one who can answer me in detail or give me the links?
Appreciate in advanced.
On Windows, this is CredUIPromptForWindowsCredentials. On Mac this is AuthorizationCopyRights. See src/chrome/browser/password_manager/‌password_manager_util_win.cc
This could conceivably be a vector for a program to phish the user's password if the user is unable to distinguish between a system credential prompt and an ordinary window. But the whole point of this is that your web browser is storing many website passwords, and rather leaving them exposed on disk they are protected at the OS level with the user's login credentials.
One way to see the effect of this is with the Mac build of Chromium (possibly Windows as well, but I have not tested), since the app is not codesigned. When you download a new version, you get a system prompt to confirm access to "Chromium Safe Storage". So not only is Chrome using its discretion to divulge stored passwords and reauthenticate the user, the operating system also makes a policy decision based on the app's signature.

How does Bitvise SSH Server authenticate user without a password?

Since version 5.50 the Bitvise SSH Server allows connected client to authenticate to Windows user account without providing this user's Windows password. See here: https://www.bitvise.com/ssh-server-version-history
I've checked it myself - it does indeed.
My question is of pure curiosity: what kind of sorcery is this? Is there any WinAPI that allows such thing or is this some kind of clever hack? I always thought it is impossible to impersonate as other user without a password (as even when configuring Windows service or scheduled task to "run as user" it is neccessary to provide one).
IIRC, the SSH server in Cygwin does the same thing.
If you have the appropriate privileges you can create an access token with ZwCreateToken, no password required. Such a token has some limitations. For example, you can't access network resources without a password and some encrypted material isn't accessible.
There's an explanation and some sample code here.
Since version 5.50, Bitvise SSH Server comes with a Windows authentication package. An authentication package can enhance the Windows logon process in custom ways. When the SSH server needs to log you in, but does not have a password (e.g. because you logged in with a public key), it calls the authentication package to construct a logon token which closely resembles the logon token that would have been created by Windows. As arx has noted, a session created this way does not contain your authentication credentials, so side effects are that you can't access things like network resources and EFS.

Sending a password to a Windows Service

What is the best way to send a password to a Windows Service? Our application needs a password in order to start. I don't care that services are "normally" supposed to run without user interaction. Its good enough for us that an operator can start the application and then log off.
On a unix system, I would just echo the password over stdin but the service has no stdin.
Currently, we use the DPAPI to just store the password using CryptProtectData. While this, works, it presents other problems that are beginning to become troublesome.
I'm guessing that I'll need to use some form of IPC between the service and the application that is sending the password but I'm not sure which method is appropriate, if any.
Thanks
Two main options:
You could listen on a socket on startup and wait for the required password to be supplied (maybe embed an SSH server in there, so that the password cannot be snooped over the wire)
My preferred option would be to read the password from a configuration file (that can be secured to the minimum readership) or registry setting (again, sufficiently secure such that only your service and administrators can read/change it)
Thanks for responding Rowland.
You could listen on a socket on
startup and wait for the required
password to be supplied (maybe embed
an SSH server in there, so that the
password cannot be snooped over the
wire)
I considered that but without certificate verification, wouldn't that leave us open to a man in the middle attack?
My preferred option would be to read
the password from a configuration file
(that can be secured to the minimum
readership) or registry setting
(again, sufficiently secure such that
only your service and administrators
can read/change it)
We're trying to follow "defense in depth" as much as possible such that if an attacker compromised the machine, he would not able to access our application.
You can use kerberos mutual authentication. There are few options and examples there.
But just wondering. On a compromised machine, There may be a key logger. So typing the password is never secure if you want to maintain security in this environment. The same problem exist afaik for unix terminals.
DPAPI in UserMode is really the best option, and storing the encrypted data in a protected location, e.g. registry key with limited ACL.
What exactly were the problems that are beginning to be troublesome? Maybe we can just solve those...
What exactly were the problems that
are beginning to be troublesome? Maybe
we can just solve those...
Currently, the application runs as the Local System account.
Our application stores a number of credentials in an encrypted file and uses the DPAPI (in UserMode) for the encryption.
Thus, when the application is installed, the installer is run as the Local System account. We also have a set of tools that ship with the application, some of which need access to this encrypted file and thus, they too need to run as the Local System account.
By the time the application is installed and started, we're heavily dependent on that account.
We're running into problems because one of our users wants to use the application to access a shared network drive. The Local System account has no such privileges and we can't simply run our service as a different user because our encrypted information is protected under the Local System Account.
We've tried to avoid the process of setting up a user account just for our application because it is installed across many different customers and environments, all of whom have wildly different security policies.
You can access a remote drive from a service running under system account. However, you will need to have credentials & share information to connect to the remote machine. You can use the API wnetaddconnection to gain access. Probably your encrypted file can store this credential as well.

Resources