Windows OpenSSH SFTP Server Support for Kerberos Protocol Transition

Ken Onwere 21 Reputation points
2021-11-15T16:06:20.81+00:00

I wish to setup an SFTP Server front-end for file shares (virtual roots) located on backend hosts. Does the OpenSSH-based SFTP server available with the newer Windows Server OSes support the Kerberos Protocol Transition (KPT) feature? In addition, what are the known security vulnerabilities or threats associated with KPT?


Accepted answer
  1. Limitless Technology 39,426 Reputation points
    2021-11-16T08:50:32.563+00:00

    Hello KenOnwere

    Unfortunately, Microsoft OpenSSH SFTP does not support KPT.

    Reference: https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_server_configuration
    The following configuration options are not available in the OpenSSH version that ships in Windows Server 2019 and Windows 10 build 1809:
    ...
    KbdInteractiveAuthentication
    KerberosAuthentication
    KerberosGetAFSToken
    KerberosOrLocalPasswd
    KerberosTicketCleanup...


2 additional answers

  1. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
    2021-11-16T03:19:46.813+00:00

    I can't speak about the SFTP/OpenSSH part of your question.

    But regarding the second, about the risks of Kerberos Protocol Transition, I can :) To allow protocol transition, you basically need to allow a system to impersonate an account without having to know any of the shared secrets usually necessary to authenticate. So you would have to highly trust the system allowed to perform protocol transition. This way of delegating authentication to a third-party service (outside of the domain controllers) makes it a primary target for attackers wishing to perform credential theft and other impersonation techniques. There are plenty of posts and videos available that describe how protocol transition and delegation can be abused in general, and other specific vulnerabilities found using Kerberos delegation (Sean Metcalf's website is usually a good starting point). Note that delegation can be disabled on sensitive accounts to prevent those accounts from being abused from systems allowed to perform delegation. But mitigation is another conversation...

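The two points in the answer above (a front-end allowed protocol transition is a high-value target, and sensitive accounts can be marked non-delegatable) map onto a short audit and hardening script. This is an added example, not code from the thread or from Microsoft; it assumes the ActiveDirectory RSAT module is installed and the domain has the Protected Users group, and the account names passed at the end are placeholders.

```powershell
# Added example (not from the thread): list every principal in the domain that is
# permitted Kerberos protocol transition (S4U2Self with "use any authentication
# protocol"), then mark sensitive accounts so no delegating system can impersonate them.
Import-Module ActiveDirectory

# userAccountControl bit TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000) is what the
# "Use any authentication protocol" delegation setting turns on.
$TrustedToAuthForDelegation = 0x1000000
$ldapFilter = "(userAccountControl:1.2.840.113556.1.4.803:=$TrustedToAuthForDelegation)"

function Get-ProtocolTransitionPrincipals {
    # Returns each user and computer object allowed protocol transition together
    # with the back-end SPNs it may delegate to (msDS-AllowedToDelegateTo).
    $props = 'msDS-AllowedToDelegateTo', 'userAccountControl', 'servicePrincipalName'
    $users     = Get-ADUser     -LDAPFilter $ldapFilter -Properties $props
    $computers = Get-ADComputer -LDAPFilter $ldapFilter -Properties $props
    foreach ($obj in @($users) + @($computers)) {
        [pscustomobject]@{
            Name              = $obj.SamAccountName
            ObjectClass       = $obj.ObjectClass
            AllowedToDelegate = ($obj.'msDS-AllowedToDelegateTo' -join '; ')
        }
    }
}

function Protect-SensitiveAccounts {
    param([string[]]$SamAccountNames)
    # "Account is sensitive and cannot be delegated" (NOT_DELEGATED) stops the
    # account from being impersonated through any delegation, protocol transition
    # included. Protected Users membership (user accounts only) enforces the same.
    foreach ($sam in $SamAccountNames) {
        Set-ADAccountControl -Identity $sam -AccountNotDelegated $true
        Add-ADGroupMember -Identity 'Protected Users' -Members $sam
    }
}

# Review the list first: a file-share front-end that needs transition should be
# allowed to delegate only to the specific back-end SPNs (e.g. cifs/host) it serves.
Get-ProtocolTransitionPrincipals | Format-Table -AutoSize

# Placeholder names; replace with the domain's actual privileged accounts.
Protect-SensitiveAccounts -SamAccountNames @('PLACEHOLDER-admin1', 'PLACEHOLDER-admin2')
```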

  2. Ken Onwere 21 Reputation points
    2021-11-16T22:51:01.49+00:00

    Thanks all for the feedback.
