Add support for encrypted WinRM #43
Comments
Hi Barak, Thx for the feature request. We have no plans to add this feature ourselves on the short term, but a pull request is always welcome! BTW, I assume you are talking about WinRM here? That's what you were referring to in issue #41 too. Regards, Vincent. |
Yes, I am referring to WinRM. The issue is pretty much the same - how can you remote control a Windows VM running on Amazon EC2, using the Amazon default image. Was considering using this: https://github.com/zenchild/WinRM |
Hi barak, Thx for the pointers. It might well be that we'll be addressing this issue sooner than I had thought. We're going to need support for WinRM to Windows domain accounts for a customer of ours. Seems I'm gonna have to set up a Windows image with a domain controller. :-/ Regards, Vincent. On 12 May 2012, at 23:52, "barakm" reply@reply.github.com wrote:
|
Those are always fun to set up... Good luck! Looking forward to seeing this in action.
|
By the way, will this work with non-domain accounts, like local accounts? |
Hi, I'm also interested in using WinRM with Active Directory authentication. I am working on a plugin for rundeck https://github.com/dtolabs/rundeck |
Hi Barak, The current WinRM functionality certainly works with local Windows accounts. But is that what you were asking? Regards, Vincent. |
I am referring to using HTTP encryption, authenticated to a local account |
Hi Barak, Aha, like that. I guess that when we add support for HTTP encryption it can also be used for local accounts. We'll find out when we start work on it. It's still pending because of other priorities on our side. Regards, Vincent. |
Hi Vincent, Do you have any milestone for supporting HTTP encryption for domain/local accounts? regards, |
Hi Neerav, Not yet. We have just defined an Overthere 2.1.0 milestone and while that does include a number of enhancements to the WinRM implementation in Overthere, XML encryption is not in there. A pull request is always welcome of course. :-) Regards, Vincent. |
Hi, Any update on this? HTTP encryption would be a huge help to anyone using Amazon EC2. Barak |
Hi Barak, It's still on my wish list but I still haven't found the time to work on this. :-( Regards, Vincent. |
This is my 'once in a couple of months' check on this issue :) |
Hi Barak, Same as last time; I'd love to add this but I've been busy and still am busy with a lot of other things. I did have a look at how to invoke Kerberos to encrypt the payload during a long flight last week. I found out I'd have to rewrite the way Kerberos is used in Overthere quite a bit though. :-/ Regards, Vincent. |
Thanks for the update. |
Hi all, Just a quick note to let you know I am now working on implementing this issue. It's a tough nut to crack, but I'm making progress. Hope to have something working soon... Regards, Vincent. |
Excellent news! If you need help testing, let me know. |
Hi Barak, It turns out that implementing Kerberos encryption is not so easy. I've found out how to encrypt the data but now I've gotta figure out how to send that binary data over the HTTP(S) channel. It's tough going... :-( My short-term solution is to implement #12. The downside is that it will only work for Windows clients though... Regards, Vincent. |
Unfortunate. With Cloudify, we have resorted to using PowerShell (as an external process) which also means that the client has to be Windows. |
Hello Vincent, Any progress on this issue? Regards, |
👍 |
Does anyone have any status on this issue? This issue is old, but I suspect it is still valid? Setting |
Looking forward to this one too. |
I would also love to see this. When pushed I use an SSH client on the Windows box right now, not pretty but works. |
Unfortunately there is no progress to report on this. Implementing support for Kerberos encryption (and for CredSSP, see #78) is very tough. The protocols are not very clearly described in the relevant Microsoft documentation. Back in 2013 I got as far as encrypting a block with the Kerberos session key (the work is sitting on branch kerberos-encryption) but then got stuck because I couldn't figure out how to marshal it. Maybe the work done on the Ruby WinRM library will help here. Unfortunately I don't know when I'll get around to fixing this myself. :-( Issue #12 has solved a lot of my use cases. But pull requests are welcome. :-) |
👎 Sad to hear it! |
Man, I need this so bad right now too. Time to start digging. |
Looks like encryption isn't too bad with the Java GSS library; the Ruby plugin is simply using libgss. |
Tried that, unfortunately, the Java GSS library is missing the extension for IOV wrapping... |
@hierynomus But it seems like winrb doesn't support Linux, you need to run on Windows and run Enable-PSRemoting in PowerShell, which isn't yet implemented on Linux PowerShell. |
That's not true, we use the winrm client with encryption with rubyntlm with jruby all the time. Works great on Linux! Would prefer to use overthere encryption instead because ummm jruby... |
This is the default behavior for Windows VMs on EC2.
At the moment, we have to log in to the machines, using either RDP or PowerShell, and change the authentication and encryption settings.