Open ca5ua1 opened 1 year ago
May be of interest: I get a similar error when using bolt to connect to a server (that gives the same error when using evil-winrm):
```
$ nix run nixpkgs#puppet-bolt -- command run 'pwd' --targets winrm://10.10.9.89 --user Administrator --password-prompt --no-ssl
Please enter your password:
Started on winrm://10.10.9.89...
Failed on winrm://10.10.9.89:
  Failed to connect to http://10.10.9.89:5985/wsman: Digest initialization failed: initialization error
Failed on 1 target: winrm://10.10.9.89
Ran on 1 target in 0.14 sec
```
$ nix-info -m
- system: `"x86_64-linux"`
- host os: `Linux 6.6.0, NixOS, 23.05 (Stoat), 23.05.20231101.34bdaaf`
- multi-user?: `yes`
- sandbox: `yes`
- version: `nix-env (Nix) 2.15.3`
- channels(root): `"nixos"`
- nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`
It seems that openssl has moved md4 to legacy. I can enable md4 from the command line (`nix run nixpkgs#openssl -- -provider legacy md4`), but I have not yet found a way to enable it in the openssl.cnf or settings being used inside the evil-winrm derivation.
Workaround found. Create a file with the following contents (which enables automatically loading the legacy provider):
```
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
```
Now call evil-winrm with OPENSSL_CONF set to the name of the file just created, and the md4 hash can be used.
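A quick way to confirm that such a file really makes MD4 available before pointing evil-winrm at it, as an added example that is not part of the original thread. The function names are hypothetical, and it assumes the `openssl` CLI and its legacy provider module are installed:

```shell
# Added example (not from the thread); function names are hypothetical.
# Assumes the openssl CLI and its legacy provider module are installed.

# Write the provider configuration from the workaround to the path in $1.
write_legacy_conf() {
    cat > "$1" <<'EOF'
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
legacy = legacy_sect
[default_sect]
activate = 1
[legacy_sect]
activate = 1
EOF
}

# Print the MD4 digest of empty input, using the config file in $1
# (or the environment's default configuration when $1 is empty).
# Returns non-zero when openssl cannot initialise MD4.
md4_of_empty() {
    if [ -n "${1:-}" ]; then
        out=$(OPENSSL_CONF="$1" openssl dgst -md4 -r </dev/null 2>/dev/null) || return 1
    else
        out=$(openssl dgst -md4 -r </dev/null 2>/dev/null) || return 1
    fi
    # "-r" prints "<hex digest> *stdin"; keep only the digest.
    printf '%s\n' "${out%% *}"
}

# Report whether MD4 works with the config file in $1.
check_md4() {
    want=31d6cfe0d16ae931b73c59d7e0c089c0   # MD4 of the empty string
    if got=$(md4_of_empty "$1") && [ "$got" = "$want" ]; then
        echo "MD4 usable with OPENSSL_CONF=$1"
    else
        echo "MD4 unavailable with OPENSSL_CONF=$1 (legacy module missing?)"
        return 1
    fi
}
```

After sourcing the file, `write_legacy_conf ./openssl-legacy.cnf && check_md4 ./openssl-legacy.cnf` performs the check. Setting `OPENSSL_CONF` only for the one wrapped program, as the thread does, keeps the legacy algorithms out of every other process on the system.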
Here is a workaround to fix this issue:
```nix
{ config, lib, pkgs, modulesPath, ... }:
{
  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    (let
      openssl_conf = pkgs.writeText "openssl.conf" ''
        openssl_conf = openssl_init
        [openssl_init]
        providers = provider_sect
        [provider_sect]
        default = default_sect
        legacy = legacy_sect
        [default_sect]
        activate = 1
        [legacy_sect]
        activate = 1
      '';
    in
      pkgs.evil-winrm.overrideAttrs (o: {
        nativeBuildInputs = o.nativeBuildInputs ++ [ pkgs.makeWrapper ];
        postFixup =
          (o.postFixup or "")
          + ''
            wrapProgram $out/bin/evil-winrm \
              --prefix OPENSSL_CONF : ${openssl_conf.outPath}
          '';
      }))
  ];
}
```
It might be a better idea to create a nix overlay for this tho.
This issue can be fixed via the following pull request: https://github.com/NixOS/nixpkgs/pull/324530
I just turned the fix into an overlay
```nix
final: prev:
{
  evil-winrm-patched = prev.evil-winrm.overrideAttrs (oldAttrs: rec {
    nativeBuildInputs = oldAttrs.nativeBuildInputs or [] ++ [ prev.makeWrapper ];
    openssl_conf = prev.writeText "openssl.conf" ''
      openssl_conf = openssl_init
      [openssl_init]
      providers = provider_sect
      [provider_sect]
      default = default_sect
      legacy = legacy_sect
      [default_sect]
      activate = 1
      [legacy_sect]
      activate = 1
    '';
    postFixup = ''
      ${oldAttrs.postFixup or ""}
      wrapProgram $out/bin/evil-winrm \
        --prefix OPENSSL_CONF : ${openssl_conf}
    '';
  });
}
```
Describe the bug
Evil-WinRM package fails to login to remote windows machine
Steps To Reproduce
Steps to reproduce the behavior:
```
nix-shell -p evil-winrm
evil-winrm -i IP_WINDOWS_MACHINE -u administrator -p pass
```
Expected behavior
Successful login to Windows machine
Screenshots
Additional context
Installing via `gem install evil-winrm` produces the same error.
Metadata
Please run `nix-shell -p nix-info --run "nix-info -m"` and paste the result.