[JIRA] [ec2-plugin] (JENKINS-33350) Does not support Amazon's automatic Windows admin password system


jo.shields@xamarin.com (JIRA)

Mar 7, 2016, 4:59:05 AM
to jenkinsc...@googlegroups.com
Jo Shields created an issue
 
Jenkins / Improvement JENKINS-33350
Does not support Amazon's automatic Windows admin password system
Issue Type: Improvement
Assignee: Francis Upton
Components: ec2-plugin
Created: 07/Mar/16 9:58 AM
Environment: Jenkins 1.651
ec2-plugin 1.31
Priority: Minor
Reporter: Jo Shields

When Amazon spins up a Windows instance, it automatically sets the Administrator password to a per-instance strong password.

This password is available to downstream management software like Jenkins, by encrypting that password with the public key of the EC2 user (such that it can be decrypted by the private key). The `ec2-get-password` command in the EC2 CLI does this, as does the Java code here: http://frontier.town/2012/03/java-administrator-password-windows-ec2-instance/

ec2-plugin does not support this mechanism. Instead, the expectation is that you change the Administrator password to a known shared secret in the AMI's userdata, and hardcode that same shared secret in the "Windows Admin Password" field. This password is then identical for all instances of the same AMI, rather than being per-instance.

Sending the same password over and over via plain HTTP (the default for this plugin) is questionable security practice.

This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265)
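The decryption step the issue above describes, as an added example that is not part of the original thread or of ec2-plugin: EC2 returns the generated Administrator password RSA-encrypted (PKCS#1 v1.5) to the launch key pair and base64-encoded, so the holder of the private key can recover a per-instance password. The function names, file names and sample password are constructed for illustration; `openssl` is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example: recover a per-instance Windows password from EC2 PasswordData.
# Real input would come from:
#   aws ec2 get-password-data --instance-id <instance-id> \
#       --query PasswordData --output text

# decrypt_ec2_password <base64-password-data> <launch-private-key.pem>
decrypt_ec2_password() {
    local blob="$1" key="$2"
    # EC2 returns an empty string until the instance has generated its password.
    if [ -z "$blob" ]; then
        echo "password data not available yet" >&2
        return 2
    fi
    # Strip whitespace, base64-decode, then RSA-decrypt with PKCS#1 v1.5 padding.
    printf '%s' "$blob" | tr -d ' \r\n' | openssl base64 -d -A \
        | openssl pkeyutl -decrypt -inkey "$key" -pkeyopt rsa_padding_mode:pkcs1
}

# Offline round trip with a constructed key pair and password, standing in
# for what EC2 does with the public half of the launch key.
demo_roundtrip() {
    local dir key pub pw blob out
    dir="$(mktemp -d)" || return 1
    key="$dir/launch-key.pem"
    pub="$dir/launch-key.pub.pem"
    pw='Constructed-Sample-Pw-1!'   # constructed sample value
    openssl genrsa -out "$key" 2048 2>/dev/null
    openssl rsa -in "$key" -pubout -out "$pub" 2>/dev/null
    blob="$(printf '%s' "$pw" \
        | openssl pkeyutl -encrypt -pubin -inkey "$pub" \
              -pkeyopt rsa_padding_mode:pkcs1 \
        | openssl base64 -A)"
    out="$(decrypt_ec2_password "$blob" "$key")"
    rm -rf "$dir"
    [ "$out" = "$pw" ] && printf '%s\n' "$out"
}

if [ "${1:-}" = "--demo" ]; then
    demo_roundtrip
fi
```
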

bek@monsterous.com (JIRA)

Mar 21, 2018, 12:51:03 AM
to jenkinsc...@googlegroups.com
Brian Kruger commented on Improvement JENKINS-33350
 
Re: Does not support Amazon's automatic Windows admin password system

+1 for this as well, it would be incredibly useful.


justin.georgeson@halliburton.com (JIRA)

Mar 21, 2018, 10:07:03 AM
to jenkinsc...@googlegroups.com

Jason Juang We couldn't get that to work either. We have resigned ourselves to either adding User data in the AMI config to add a local admin user or set the admin password, or building our AMI with a fixed local admin user.

jasjuang@gmail.com (JIRA)

Mar 21, 2018, 12:16:02 PM
to jenkinsc...@googlegroups.com

Justin Georgeson Another problem I ran into is that it is quite difficult to update the Windows AMI. Say I have a collection of external libraries required to build my project in the AMI and I want to update it. I will create an instance of this AMI, update the libraries and then sysprep it to create a new AMI. However, there is a limit on the number of syspreps I can do, so I had to create the AMI from scratch periodically, which is quite troublesome compared to Linux, where you can create an image of an instance an infinite number of times. If I have a Windows server on 24/7 I won't run into the problem, but it's too expensive to do so. Were you able to figure out a better solution?

jasjuang@gmail.com (JIRA)

Mar 21, 2018, 12:17:02 PM
to jenkinsc...@googlegroups.com
Jason Juang edited a comment on Improvement JENKINS-33350
[~jg_lgc] Another problem I ran into is that it is quite difficult to update the Windows AMI. Say I have a collection of external libraries required to build my project in the AMI and I want to update it. I will create an instance of this AMI, update the libraries and then sysprep it to create a new AMI. However, there is a limit on the number of syspreps I can do, so I had to create the AMI from scratch periodically, which is quite troublesome compared to Linux, where you can create an image of an instance an infinite number of times. If I have a Windows server on 24/7 I won't run into this problem, but it's too expensive to do so. Were you able to figure out a better solution?

justin.georgeson@halliburton.com (JIRA)

Mar 21, 2018, 12:34:02 PM
to jenkinsc...@googlegroups.com

raihaan.shouhell@autodesk.com (JIRA)

Jun 28, 2019, 1:40:02 PM
to jenkinsc...@googlegroups.com
Raihaan Shouhell assigned an issue to Raihaan Shouhell
 
Change By: Raihaan Shouhell
Assignee: Francis Upton → Raihaan Shouhell

raihaan.shouhell@autodesk.com (JIRA)

Jun 28, 2019, 1:40:02 PM
to jenkinsc...@googlegroups.com
Raihaan Shouhell started work on Improvement JENKINS-33350
 
Change By: Raihaan Shouhell
Status: Open → In Progress

raihaan.shouhell@autodesk.com (JIRA)

Jul 7, 2019, 11:13:04 PM
to jenkinsc...@googlegroups.com

raihaan.shouhell@autodesk.com (JIRA)

Jul 7, 2019, 11:14:01 PM
to jenkinsc...@googlegroups.com

bittebrown@gmail.com (JIRA)

Aug 2, 2019, 9:12:03 AM
to jenkinsc...@googlegroups.com

Do you know when this fix will be in a release?

bittebrown@gmail.com (JIRA)

Aug 2, 2019, 9:15:04 AM
to jenkinsc...@googlegroups.com
Tim Brown edited a comment on Improvement JENKINS-33350
Do you know when this fix will be in a release?


As a workaround we are trying to set this in the Advanced > Userdata field:

```
<powershell>
# Set administrator password
net user Administrator yourpassword
wmic useraccount where "name='Administrator'" set PasswordExpires=FALSE
# Configure and restart the WinRM Service; Enable the required firewall exception
Stop-Service -Name WinRM
Set-Service -Name WinRM -StartupType Automatic
netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new action=allow localip=any remoteip=any
Start-Service -Name WinRM
</powershell>
```

bittebrown@gmail.com (JIRA)

Aug 2, 2019, 9:17:02 AM
to jenkinsc...@googlegroups.com
Tim Brown edited a comment on Improvement JENKINS-33350
Do you know when this fix will be in a release?

As a workaround we are trying to set this in the Advanced > Userdata field:

```
<powershell>
# Set administrator password
net user Administrator yourpassword
wmic useraccount where "name='Administrator'" set PasswordExpires=FALSE
# Configure and restart the WinRM Service; Enable the required firewall exception
Stop-Service -Name WinRM
Set-Service -Name WinRM -StartupType Automatic
netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new action=allow localip=any remoteip=any
Start-Service -Name WinRM
</powershell>
```

bittebrown@gmail.com (JIRA)

Aug 2, 2019, 9:34:02 AM
to jenkinsc...@googlegroups.com
Tim Brown edited a comment on Improvement JENKINS-33350
Do you know when this fix will be in a release?
*Update 1*
As a workaround we are trying to set this in the Advanced > Userdata field:

```
<powershell>
# Set administrator password
net user Administrator yourpassword
wmic useraccount where "name='Administrator'" set PasswordExpires=FALSE
# Configure and restart the WinRM Service; Enable the required firewall exception
Stop-Service -Name WinRM
Set-Service -Name WinRM -StartupType Automatic
netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new action=allow localip=any remoteip=any
Start-Service -Name WinRM
</powershell>
```

*Update 2*
Even with the Userdata added, it doesn't connect properly, even though I can connect with the same credentials using the Python script below.

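```python
# Usage: python script.py <host> <administrator-password>
import sys
import winrm

# Given a bare hostname, pywinrm connects to http://<host>:5985/wsman (plain HTTP).
session = winrm.Session(sys.argv[1], auth=('Administrator', sys.argv[2]))
# Run "ipconfig /all" on the remote host and print its standard output.
response = session.run_cmd('ipconfig', ['/all'])
print(response.std_out)
```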

raihaan.shouhell@autodesk.com (JIRA)

Aug 18, 2019, 11:09:05 PM
to jenkinsc...@googlegroups.com

raihaan.shouhell@autodesk.com (JIRA)

Aug 18, 2019, 11:09:06 PM
to jenkinsc...@googlegroups.com