awslabs / aws-lambda-powershell-runtime

This new PowerShell custom runtime for AWS Lambda makes it even easier to run Lambda functions written in PowerShell to process events.
Apache License 2.0

Add `PSWSMan` and document PowerShell remoting to Windows hosts #32

Open briantist opened 4 months ago

briantist commented 4 months ago

Resolves #22 Resolves #3

My original comment https://github.com/awslabs/aws-lambda-powershell-runtime/issues/22#issuecomment-1967776323 turned out to be partially wrong. It seems we can get remoting working quite nicely with Kerberos using only PSWSMan, which is a very small add.

I've written up some documentation which I stuck in a separate readme.

This is in the first commit: https://github.com/awslabs/aws-lambda-powershell-runtime/pull/32/commits/678e584119597cd3a4a610b48f61121a90bce878

TODOs:


For NTLM, I believe we need https://github.com/gssapi/gss-ntlmssp and as far as I can tell there are no pre-built binaries. I was able to get it built from source in al2023, but installing it brings in a lot of other dependencies and adds a few hundred MB to the image size.

As a result, I built it as a new image so that it could be used more optionally.

That work is in the second commit: https://github.com/awslabs/aws-lambda-powershell-runtime/pull/32/commits/b9cfde3d1707c27aa549c82c10215b7d138b7b21

The thing is, I can't actually get NTLM auth working.

If we try in the original runtime for example (or even the one with PSWSMan) to use NTLM auth with credentials like DOMAIN\user, it fails pretty quickly with an error like this:

OpenError: [server01.ad.contoso.com] Connecting to remote server server01.ad.contoso.com failed with the following error message : acquiring creds with username only failed No credentials were supplied, or the credentials were unavailable or inaccessible SPNEGO cannot find mechanisms to negotiate For more information, see the about_Remote_Troubleshooting Help topic.

If I use the image above with gss-ntlmssp installed, it just hangs forever, so... it changed something, but I get no output at all, so I'm pretty stuck.


We can split this into two PRs, or maybe the community can come up with an answer for the NTLM stuff. I wonder if @jborean93 might have any ideas? 👀

Let me know what you all think!

jborean93 commented 4 months ago

It is very likely that the images are using a version of OpenSSL that is disabling the legacy providers that are required by NTLM (RC4/MD4/etc). See https://github.com/jborean93/omi/issues/71#issuecomment-1930883087 for some more information from when I last tracked this down.

Just as an FYI it might be a good idea to pin the version of PSWSMan or at least put a major version ceiling. I've been hoping to push a new major version based on a pure C# library under PSWSMan to avoid the mess that is libmi and while it hasn't been released yet it supports more features than libmi and provides a better experience when it comes to error messages and things like authentication support.
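
The OpenSSL point above (MD4/RC4 living in OpenSSL 3's legacy provider) is easy to check on the image itself before touching gss-ntlmssp. The script below is an added diagnostic written for this thread, not code from this PR, from PSWSMan or from gss-ntlmssp. It assumes the image's `python3` is linked against the same OpenSSL that libmi/gss-ntlmssp will use (true for the stock al2023 package, but confirm with `openssl version` on the image); it probes the digests NTLM depends on through `hashlib`, validates MD4 against the RFC 1320 test vectors, and prints a minimal stand-alone `openssl.cnf` that activates the legacy provider when MD4 is reported missing.

```python
"""Probe whether the OpenSSL build behind this Python exposes the digests an
NTLM stack needs. Added diagnostic for the PR discussion; assumes python3 and
the remoting libraries share one OpenSSL on the image.
"""
import hashlib
import ssl

# RFC 1320 test vectors: confirms MD4 is really computed, not a stub.
MD4_VECTORS = {
    b"": "31d6cfe0d16ae931b73c59d7e0c089c0",
    b"abc": "a448017aaf21d8525fc10ae87aa6729d",
}

# MD4 (NT hash) sits in OpenSSL 3's *legacy* provider; MD5 (NTLMv2 HMACs)
# and SHA-256 sit in the default provider. SHA-256 is a control: if it fails,
# the Python/OpenSSL install itself is broken, not the provider setup.
NTLM_DIGESTS = ("md4", "md5")
CONTROL_DIGEST = "sha256"


def digest_available(name: str) -> bool:
    """True if hashlib can instantiate `name` through the loaded OpenSSL."""
    try:
        hashlib.new(name, b"")
    except ValueError:
        # OpenSSL 3 reports "unsupported hash type" when the provider that
        # implements the digest is not activated.
        return False
    return True


def md4_self_test() -> bool:
    """Check MD4 against RFC 1320 vectors; False if unavailable or wrong."""
    if not digest_available("md4"):
        return False
    return all(hashlib.new("md4", msg).hexdigest() == expected
               for msg, expected in MD4_VECTORS.items())


def probe_legacy_support() -> dict:
    """Summarise what an NTLM implementation (e.g. gss-ntlmssp) would find."""
    results = {name: digest_available(name) for name in NTLM_DIGESTS}
    results[CONTROL_DIGEST] = digest_available(CONTROL_DIGEST)
    results["md4_vectors_ok"] = md4_self_test()
    results["openssl"] = ssl.OPENSSL_VERSION
    results["ntlm_digests_ok"] = all(results[n] for n in NTLM_DIGESTS)
    return results


def legacy_provider_config() -> str:
    """Minimal OpenSSL 3 config activating default + legacy providers.

    Intended as a stand-alone file selected with OPENSSL_CONF=/path/to/file
    (an assumed path); it deliberately omits any distro-specific settings the
    image's own openssl.cnf may carry, so compare the two before switching.
    """
    return (
        "openssl_conf = openssl_init\n\n"
        "[openssl_init]\n"
        "providers = provider_sect\n\n"
        "[provider_sect]\n"
        "default = default_sect\n"
        "legacy = legacy_sect\n\n"
        "[default_sect]\n"
        "activate = 1\n\n"
        "[legacy_sect]\n"
        "activate = 1\n"
    )


if __name__ == "__main__":
    report = probe_legacy_support()
    for key, value in report.items():
        print(f"{key:16} {value}")
    if not report["ntlm_digests_ok"]:
        print("\nMD4/MD5 unavailable: NTLM negotiation cannot complete here.")
        print("Stand-alone openssl.cnf that activates the legacy provider:\n")
        print(legacy_provider_config())
```

Run it inside the container (`python3 probe.py`) rather than on the build host: the answer depends on the OpenSSL that is actually loaded at runtime, and a green result on a developer laptop says nothing about the Lambda image.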

briantist commented 4 months ago

Thanks for the tip @jborean93, I was able to go through some of those troubleshooting steps.

The python snippet worked without me needing to enable any legacy providers.

So I moved on to enabling debug logging for OMI. With the logs being generated I found a few interesting things: