feat(pam): Kerberos authentication for MSSQL proxy

[saifsmailbox98]

Description 📣

Gateway MSSQL proxy can now authenticate with SQL Server using Kerberos. Obtains tickets from the KDC via gokrb5/v8, wraps in SPNEGO, and sends in LOGIN7 — same SSPI slot as NTLM. The client-to-gateway leg is unchanged (dummy SQL auth).

Builds krb5.conf in-memory from realm and KDC address fields. Supports DNS-based KDC discovery when KDC address is omitted. Handles SQL Server's mutual auth round-trip. Wraps gokrb5 errors into actionable messages (KDC unreachable, clock skew, invalid credentials, unknown SPN).

Companion backend PR: Infisical/infisical#6638

Type ✨

• Bug fix
• New feature
• Improvement
• Breaking change
• Documentation

Tests 🛠️

# Tested against a real Windows Server 2022 + AD DC + SQL Server on AWS
# Verified: Kerberos auth, DNS discovery, wrong password/SPN/KDC errors,
# INI injection prevention, multiple clients (sqlcmd, DataGrip),
# auth_scheme=KERBEROS confirmed via sys.dm_exec_connections

---

• I have read the contributing guide, agreed and acknowledged the code of conduct. 📝

[linear]

PAM-227

[infisical-review-police]

💬 Discussion in Slack: #pr-review-cli-245-feat-pam-kerberos-authentication-for-mssql-proxy

Posted by Review Police — reviews, comments, new commits, and CI failures will stream into this channel.

[gitguardian]

⚠️ GitGuardian has uncovered 4 secrets following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secrets in your pull request

GitGuardian id	GitGuardian status	Secret	Commit	Filename
9387833	Triggered	Generic Password	c15a998	packages/pam/handlers/rdp/native/src/rdcleanpath.rs	View secret
33062794	Triggered	Generic CLI Secret	c15a998	packages/cmd/login_status_test.go	View secret
33062794	Triggered	Generic CLI Secret	28de0f5	packages/cmd/login_status_test.go	View secret
9387833	Triggered	Generic Password	28de0f5	packages/pam/handlers/rdp/native/src/rdcleanpath.rs	View secret

🛠 Guidelines to remediate hardcoded secrets

1. Understand the implications of revoking this secret by investigating where it is used in your code.
2. Replace and store your secrets safely. Learn here the best practices.
3. Revoke and rotate these secrets.
4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider

• following these best practices for managing and storing secrets including API keys and other credentials
• install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.

---

^{🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.}

[greptile-apps]

Greptile Summary

This PR adds Kerberos (and NTLM) authentication support to the MSSQL PAM proxy. When authMethod is "kerberos", the gateway obtains a TGS ticket from the KDC via gokrb5/v8, wraps it in SPNEGO, and sends it in the TDS LOGIN7 SSPI slot; the client-facing leg is unchanged.

• New auth paths: authenticateKerberos and authenticateNTLM are extracted alongside the existing authenticateSQL, each with a defer serverConn.Close() guard and appropriate multi-round-trip handling for Kerberos mutual auth.
• krb5.conf built in-memory: buildKrb5Config constructs the configuration from realm and kdcAddress credentials, with basic INI-injection filtering; DNS-based KDC discovery is used when kdcAddress is empty.
• New credential fields: Realm, KDCAddress, and SPN are added to the API model, session credentials struct, and proxy config; AuthMethod was already present.

Confidence Score: 3/5

The Kerberos path introduces an outbound connection to a backend-controlled host, which needs an allow-list before merging into a production gateway deployment.

The kdcAddress field flows from the backend API straight into a TCP dial with no network-scope enforcement. The gateway lives inside a private network, so a rogue or compromised backend can use that field to scan or contact internal hosts the gateway can reach. The rest of the changes — struct wiring, NTLM handshake, TDS encoding — look correct and the refactored defer serverConn.Close() pattern is a clean improvement over the previous scattered closes.

packages/pam/handlers/mssql/proxy.go — specifically buildKrb5Config and authenticateKerberos

Security Review

• SSRF via kdcAddress (packages/pam/handlers/mssql/proxy.go, buildKrb5Config): The KDC address is taken directly from backend-provided credentials with no allow-list or network-scope validation. A compromised backend can supply any internal host, causing the gateway to open TCP connections to that host on port 88, enabling internal network probing via the gateway.

Important Files Changed

Filename	Overview
packages/pam/handlers/mssql/proxy.go	Adds NTLM and Kerberos authentication paths for MSSQL. SSRF risk: the backend-supplied kdcAddress is used to make outbound TCP connections without an allow-list.
packages/pam/handlers/mssql/tds.go	Adds ExtractSSPIToken, SSPIData field in Login7Message, and SSPI encoding logic. ExtractSSPIToken returns a suffix slice rather than the exact NTLM token boundary.
packages/pam/session/credentials.go	Adds Realm, KDCAddress, and SPN fields to PAMCredentials and maps them from the API response. Straightforward struct extension with no logic issues.
packages/api/model.go	Adds Realm, KDCAddress, and SPN JSON fields to PAMSessionCredentials. Clean, consistent with existing optional-field pattern.
packages/pam/pam-proxy.go	Wires Domain, Realm, KDCAddress, SPN, and AuthMethod credentials through to MssqlProxyConfig. No logic changes beyond field mapping.
go.mod	Adds github.com/jcmturner/gokrb5/v8 and github.com/Azure/go-ntlmssp as direct dependencies, plus the transitive jcmturner sub-modules.

_{Reviews (1): Last reviewed commit: "fix(pam): remove empty SSPI ack + improv..." | Re-trigger Greptile}

[greptile-apps]

SSRF via backend-controlled KDC address

When kdcAddress is non-empty the gateway initiates a TCP connection to that host on port 88 as part of Kerberos ticket acquisition. Because kdcAddress originates from the Infisical backend (returned by CallPAMSessionCredentials), a compromised or rogue backend can direct the gateway to connect to any internal host — effectively using the gateway as an SSRF proxy. The gateway is typically deployed inside a private network segment, making this especially impactful: an attacker could probe internal services reachable from the gateway but not from the internet, or send Kerberos framing bytes to any service that happens to bind port 88. DNS-lookup mode (kdcAddress == "") is unaffected since no explicit host is dialled, but the explicit-KDC path has no allow-list or network-scope enforcement.

Context Used: Flag SSRF risks (source)

[greptile-apps]

ExtractSSPIToken returns a suffix instead of the exact token

payload[idx:] includes every byte from the NTLMSSP signature to the end of the combined TDS payload, not just the NTLM challenge message itself. In typical SQL Server SSPI responses the challenge token is the last item in the stream, so this works in practice. However, if the server follows the SSPI token with other TDS tokens (e.g., an ENVCHANGE), those extra bytes are silently appended to the slice passed to ntlmssp.ProcessChallenge. Most NTLM libraries read only the bytes they need and tolerate trailing data, but this is an implicit assumption that could break with future library versions or unusual server configurations.

[greptile-apps]

INI injection validation is missing whitespace and comment characters

The validation blocks \n, \r, [, ], {, }, and =, but allows tab and space characters. In krb5.conf format, kdc = host1.example.com\t with a trailing tab is unusual but typically harmless. More importantly, the # character (comment marker in krb5.conf) is not filtered. A kdcAddress value like kdc.example.com # attacker-note would embed a comment stub in the kdc = line; this is cosmetically wrong but also not exploitable since newlines are filtered. Nonetheless, tightening the allow-list to [A-Za-z0-9._:\-]+ for kdcAddress and [A-Za-z0-9._\-]+ for realm would eliminate ambiguity and future edge cases without losing any valid input.