Enable Kerberos Authentication for WinRM and Powershell exection on Windows Hosts

[Ian Clegg]

Hi All,

I think its great ansible is leveraging powershell and avoids unnecessary agents, but using basic authentication which forces local admin accounts on Windows wont cut it. Local Admin accounts are generally viewed as a security risk and a nightmare to manage. We've got 50K+ hosts deployed. As we know, Microsoft's WS-Man implementation, WinRM only supports domain credentials when using Negotiate, CredSSP and Kerberos. CredSSP enables 'double hop', but it will probably be the most work - pywinrm (already used by ansible) has working support for Kerberos (we've tested it)

Is anyone looking into plugging kerberos support into ansible for authenticating to Windows hosts?

Ian

[Michael DeHaan]

Hi Ian,

Yeah it was recently mentioned I think that Domain auth wasn't functional - and maybe pywinrm maybe needed tweaks to enable Kerb (not true?).

I'm VERY interested.

Is this something you might be interested in working on?

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/df22cd58-359c-4342-8e21-fc278a65b954%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Ian Clegg]

Michael,

We have tested kerberos authentication over SSL with pywinrm. The domain controllers (acting KDCs) in the test configuration were 2008r2 and 2012r2, at 2003 functional level. Clients were 2008r2 and 2012r2. All worked fine with the latest MIT krb5 and python kerberos and pywinrm modules.

It's something we are starting to spike at the moment, but wanted to see if the feature is already being worked on/planned - don't want to mess with the product strategy

At the moment the user passes in a Windows username through 'ansible_ssh_user'. It would be possible to determine whether to use basic or kerberos by checking if this value is a UPN. This approach is used by the Win32 API's, see LogonUser (http://msdn.microsoft.com/en-gb/library/windows/desktop/aa378184(v=vs.85).aspx)

As an example:

ansible_ssh_user: iclegg  << implicitly uses basic auth since no kerberos realm is specified

ansible_ssh_pass: password123

ansible_ssh_port: 5986

ansible_connection: winrm

ansible_ssh_user: iclegg@realm << implicity uses Kerberos since this not a valid Windows username, but is a valid UPN ( '@' is reserved)

ansible_ssh_pass: password123

ansible_ssh_port: 5986

ansible_connection: winrm

I have not looked into how kerb is done with SSH, so this suggestion may not be consistent with it

Ian

[Michael DeHaan]

I'm totally not worried if it's not consistent for Windows/Linux and this seems great to me.

Seems ok to be handled differently and this approach seems good.

Basically our Linux kerb support now is "get a ticket", "don't supply any passwords", "should just work".

No concerns about messing with our plans at all - in a great sense, our job is to rally everyone and then facilitate everyone working on everything together - i.e. run this thing like a real OSS project :).   There's a lot of filtering in that, and we do have to develop a lot of things, but this direction seems very good for everyone.

If you're willing to fiddle with it and send us a PR (maybe also including the docsite/rst/*.rst notes about Windows Kerberos?), that would be absolutely fantastic!

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/cd39b936-03a6-499f-a930-5c39d632781e%40googlegroups.com.

[benno joy]

Hi Ian,

I just submitted a PR for this functionality "https://github.com/ansible/ansible/pull/8345" , maybe you can have a look and provide some feedbacks. or maybe you have a better way of implementation if so please feel free to replace it.

Thanks,

Benno

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/cd39b936-03a6-499f-a930-5c39d632781e%40googlegroups.com.

[Michael DeHaan]

Very timely!

Folks, if you could comment on the ticket with any thoughts/comments, that would be welcome.

I'm not sure if the user change above would require any changes in Ansible, seems like no?

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAFUV_d4L%3DaRKWUqrk1bkymu5GNB%2BgtP32q2HnfKWBwQXzFbH7Q%40mail.gmail.com.

[Ian Clegg]

You are right Michael, a change to ansible would only be required if we could not address the underlying issue in pywinrm. We will discuss on the PR

Cheers!