CredSSP support added to WINRM


Espen Blikstad

Oct 2, 2015, 4:32:02 AM
to rundeck-discuss
Hi

My testing of CredSSP support in the WINRM is done. I'm running a lot of PowerShell scripts on Windows servers and the scripts are accessing remote resources from the remote nodes.

I'm unable to create a new branch of the WINRM plugin on Github due to a bug in the Overthere library (no response to bug post yet).
The source and binary are shared on my Google Drive: https://drive.google.com/open?id=0ByCMV1mUgxAMem1fTHBObG12RGM

The WINRM plugin only supports CredSSP when Rundeck runs on a Windows server. Put the following lines in your project config (winrm-allow-delegate and winrm-type are new settings).
project.winrm-allow-delegate=true
project.winrm-auth-type=kerberos
project.winrm-cert-trust=all
project.winrm-is-domain-user=true
project.winrm-password-storage-path=keys/user.password
project.winrm-protocol=https
project.winrm-type=WINRM_NATIVE
project.winrm-user=us...@domain.com

The WINRM supports CredSSP by using the winrs.exe client instead of using the open source implementation of the WINRM protocol. You obviously have to set up CredSSP in Windows before trying it from Rundeck.
Support for CredSSP from a Linux instance of Rundeck is possible with a few more lines of code in the WINRM plugin. The overthere plugin supports using a "proxy" server.

Mayank Desai

Nov 18, 2015, 2:42:57 PM
to rundeck-discuss
Could you please provide more details of what you are saying?  I am also exploring options for using WINRM_NATIVE mode which is supported by Overthere.  However, so far I have not been able to get the updated code to work.  Is your code providing the support for using WINRM_NATIVE? 

I am not familiar with CredSSP and how to utilize it so maybe you can provide more details on it.  My use case requires me to use native mode with Kerberos auth.

Thanks,

Espen Blikstad

Nov 20, 2015, 6:25:07 AM
to rundeck...@googlegroups.com
I have modified the WINRM Rundeck plugin to support CredSSP. The WINRM_NATIVE mode has been modified to use the Windows winrs.exe client to perform remote operations (the unmodified plugin uses an open source implementation of the WinRM protocol which does not support CredSSP).

First you need to use my modified WINRM plugin and configure project settings in Rundeck.
Then you need to set up CredSSP support in Windows.

Depending on your Windows version you may use PowerShell to configure CredSSP (client-Rundeck, server-remote server). This requires a computer certificate on your remote server.
Enable-WSManCredSSP -Role client -DelegateComputer *
Enable-WSManCredSSP -Role server

Test WinRM from your Rundeck server to your remote server before trying any Rundeck jobs.
Example:
winrs.exe -r:myserver -ad -u:username -p:password ipconfig.exe

CredSSP is a method WinRM uses to transport username and password safely to your remote server. When authenticating with your remote server using “fresh” credentials, delegation is allowed and your remote server can perform remote operations.

My Rundeck project has been postponed, but I’m continuing my work soon and will provide better documentation. I’m implementing Rundeck in a Windows-only environment and it’s going to be very valuable to us.

Regards,
Espen Blikstad
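
Added example, not part of the original thread or the plugin: a PowerShell audit of which targets the Rundeck host (the CredSSP client) is allowed to delegate fresh credentials to, which is the setting that -DelegateComputer controls in the post above. The registry path is where Windows stores the AllowFreshCredentials policy; the host names are constructed placeholders.

```powershell
# Added example, not from the thread. Host names are constructed placeholders.
# Policy written by Enable-WSManCredSSP -Role Client (values named 1, 2, ...).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'

function Get-FreshCredentialTarget {
    # SPN patterns this client may send fresh (typed-in) credentials to.
    if (-not (Test-Path -Path $PolicyKey)) { return }
    $key = Get-Item -Path $PolicyKey
    foreach ($name in $key.GetValueNames()) { [string]$key.GetValue($name) }
}

function Test-DelegationTarget {
    # Classify each pattern by how widely it lets credentials be delegated.
    param([string[]]$Target)
    foreach ($spn in $Target) {
        $service, $hostPart = $spn -split '/', 2
        if ([string]::IsNullOrEmpty($hostPart)) {
            $finding = 'MALFORMED'
        } elseif ($hostPart -eq '*') {
            $finding = 'ANY-HOST'          # what -DelegateComputer * yields
        } elseif ($hostPart.Contains('*')) {
            $finding = 'WILDCARD-DOMAIN'
        } else {
            $finding = 'SCOPED'
        }
        [pscustomobject]@{ Spn = $spn; Service = $service; Finding = $finding }
    }
}

# Constructed sample input covering the three cases.
$sample = 'wsman/*', 'wsman/*.corp.example', 'wsman/node01.corp.example'
Test-DelegationTarget -Target $sample | Format-Table -AutoSize

# Live audit on the Rundeck host: list every entry that is not a single host.
Test-DelegationTarget -Target (Get-FreshCredentialTarget) |
    Where-Object { $_.Finding -ne 'SCOPED' }

# Scoped replacement for the wildcard (changes configuration, so left commented):
# Disable-WSManCredSSP -Role Client
# Enable-WSManCredSSP -Role Client -DelegateComputer 'node01.corp.example' -Force
```

Run it in an elevated PowerShell session on the Rundeck server; Get-WSManCredSSP prints the same client and server state in text form.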

Mayank Desai

Nov 20, 2015, 9:56:17 AM
to rundeck-discuss
Ok, so can you provide some details around "I'm unable to create a new branch of the WINRM plugin on Github due to a bug in the Overthere library"?

I am asking because I looked at your code and I tried to use it to compile my own jar but I am still getting the same error I was getting before. 
        
              Failed dispatching to node test: java.lang.IllegalArgumentException: Unknown connection protocol local

Did you encounter this issue?  If so how did you resolve it?  I am just trying to figure out if there is a code issue in Overthere or not?

Thanks and great job in getting the plugin working. 

Espen Blikstad

Nov 20, 2015, 11:55:08 AM
to rundeck...@googlegroups.com
Yes, I encountered this problem and it’s caused by a bug in the scannit library that overthere uses. I had to patch the overthere lib to get the plugin to work.

Regards,
Espen Blikstad

Mayank Desai

Nov 20, 2015, 12:03:30 PM
to rundeck-discuss
Awesome! Not really a programmer, but I learned it in my school days, so for a second there I was left scratching my head and thinking maybe I don't know programming!

Thanks for the confirmation. Is it possible for you to share the code/workaround for that bug?