xebialabs / overthere

Runs something "Over there"
http://www.xebialabs.com

Add support for encrypted WinRM #43

Open barakm opened 12 years ago

barakm commented 12 years ago

This is the default behavior for Windows VMs on EC2. At the moment, we have to log in to the machines, using either RDP or PowerShell, and change the authentication and encryption settings.

vpartington commented 12 years ago

Hi Barak,

Thx for the feature request. We have no plans to add this feature ourselves on the short term, but a pull request is always welcome!

BTW, I assume you are talking about WinRM here? That's what you were referring to in issue #41 too.

Regards, Vincent.

barakm commented 12 years ago

Yes, I am referring to WinRM. The issue is pretty much the same - how can you remote control a Windows VM running on Amazon EC2, using the Amazon default image. I had a look at how to implement the HTTP encryption, but it is not really my expertise.

Was considering using this: https://github.com/zenchild/WinRM but they only support HTTP encryption with Active Directory authentication, not NTLM.

vpartington commented 12 years ago

Hi barak,

Thx for the pointers. It might well be that we'll be addressing this issue sooner than I had thought. We're going to need support for WinRM to Windows domain accounts for a customer of ours.

Seems I'm gonna have to set up a Windows image with a domain controller. :-/

Regards, Vincent.


barakm commented 12 years ago

Those are always fun to set up... Have not tried it on EC2 yet.

Good luck! Looking forward to seeing this in action.

barakm commented 12 years ago

By the way, will this work with non-domain accounts, like local accounts?

gschueler commented 12 years ago

Hi, I'm also interested in using WinRM with Active Directory authentication. I am working on a plugin for rundeck https://github.com/dtolabs/rundeck

vpartington commented 12 years ago

Hi Barak,

The current WinRM functionality certainly works with local Windows accounts. But is that what you were asking?

Regards, Vincent.

barakm commented 12 years ago

I am referring to using HTTP encryption, authenticated to a local account.

vpartington commented 12 years ago

Hi Barak,

Aha, like that. I guess that when we add support for HTTP encryption it can also be used for local accounts. We'll find out when we start work on it.

It's still pending because of other priorities on our side.

Regards, Vincent.

neeravsv commented 12 years ago

Hi Vincent,

Do you have any milestone for supporting HTTP encryption for domain/local accounts?

regards, Neerav

vpartington commented 12 years ago

Hi Neerav,

Not yet. We have just defined an Overthere 2.1.0 milestone and while that does include a number of enhancements to the WinRM implementation in Overthere, XML encryption is not in there.

A pull request is always welcome of course. :-)

Regards, Vincent.

barakm commented 11 years ago

Hi,

Any update on this? HTTP encryption would be a huge help to anyone using Amazon EC2.

Barak

vpartington commented 11 years ago

Hi Barak,

It's still on my wish list but I still haven't found the time to work on this. :-(

Regards, Vincent.

barakm commented 11 years ago

This is my 'once in a couple of months' check on this issue :) Getting Overthere to work out of the box on the default EC2 Windows box would be incredibly useful.

vpartington commented 11 years ago

Hi Barak,

Same as last time; I'd love to add this but I've been busy and still am busy with a lot of other things. I did have a look at how to invoke Kerberos to encrypt the payload during a long flight last week. I found out I'd have to rewrite the way Kerberos is used in Overthere quite a bit though. :-/

Regards, Vincent.

barakm commented 11 years ago

Thanks for the update.

vpartington commented 11 years ago

Hi all,

Just a quick note to let you know I am now working on implementing this issue. It's a tough nut to crack, but I'm making progress. Hope to have something working soon...

Regards, Vincent.

barakm commented 11 years ago

Excellent news! If you need help testing, let me know.

vpartington commented 11 years ago

Hi Barak,

It turns out that implementing Kerberos encryption is not so easy. I've found out how to encrypt the data but now I've gotta figure out how to send that binary data over the HTTP(S) channel. It's tough going... :-(

My short-term solution is to implement #12. The downside is that it will only work for Windows clients though...

Regards, Vincent.

barakm commented 11 years ago

Unfortunate. With Cloudify, we have resorted to using PowerShell (as an external process), which also means that the client has to be Windows.

bpons commented 9 years ago

Hello Vincent,

Any progress on this issue? We'd LOVE to be able to run deployit on RHEL at BdF... (Actually it works when setting allowunencrypted to true on WinRM, but there's no way the security is going to let us do that ;-) )

Regards, Bernard

radiumx3 commented 9 years ago

:+1:

xeor commented 8 years ago

Does anyone have any status on this issue? This issue is old, but I suspect it is still valid? Setting allowunencrypted isn't really an option for (I think) many people. Is there any work-around?

barakm commented 8 years ago

Looking forward to this one too. There seems to be some progress on this subject here: https://github.com/WinRb/WinRM/pull/144

tperryba commented 8 years ago

I would also love to see this. When pushed I use an SSH client on the Windows box right now; not pretty, but it works.

vpartington commented 8 years ago

Unfortunately there is no progress to report on this. Implementing support for Kerberos encryption (and for CredSSP, see #78) is very tough. The protocols are not very clearly described in the relevant Microsoft documentation.

Back in 2013 I got as far as encrypting a block with the Kerberos session key (the work is sitting on branch kerberos-encryption) but then got stuck because I couldn't figure out how to marshal it. Maybe the work done on the Ruby WinRM library will help here.

Unfortunately I don't know when I'll get around to fixing this myself. :-( Issue #12 has solved a lot of my use cases. But pull requests are welcome. :-)

radiumx3 commented 8 years ago

:-1: Sad to hear it!

davydotcom commented 8 years ago

Man, I need this so bad right now too. Time to start digging.

davydotcom commented 8 years ago

Looks like encryption isn't too bad with the Java GSS library; the Ruby plugin is simply using libgss.

bpons commented 8 years ago

Tried that; unfortunately, the Java GSS library is missing the extension for IOV wrapping... see here: http://web.mit.edu/kerberos/krb5-1.12/doc/appdev/gssapi.html (IOV message wrapping). (Could be done with JNI or JNA, I guess, but I stopped my experiments there; I'm also missing time right now to try this...)

hierynomus commented 7 years ago

The Ruby guys now did it.

https://github.com/WinRb/WinRM/blob/master/lib/winrm/http/transport.rb#L192
https://github.com/WinRb/WinRM/blob/master/lib/winrm/http/transport.rb#L111
https://github.com/WinRb/rubyntlm/blob/master/lib/net/ntlm/client/session.rb#L80
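The marshalling step Vincent got stuck on, and that the transport.rb lines above implement, is the MS-WSMV `multipart/encrypted` framing a client wraps around a sealed SOAP message. The following is an added example and is not code from Overthere or the WinRb library; `DemoSealer` is a constructed stand-in for the NTLM/Kerberos GSS wrap (AES-256-GCM, its tag standing in for the per-message signature), so only the framing and length check are the real protocol.

```ruby
require 'openssl'
BOUNDARY = 'Encrypted Boundary'                          # fixed by MS-WSMV
PROTO    = 'application/HTTP-SPNEGO-session-encrypted'   # NTLM via SPNEGO
# Constructed stand-in for the GSS/SSPI wrap a real client would call:
# AES-256-GCM, with a sequence number as the nonce (as NTLM sealing does).
class DemoSealer
  def initialize(key); @key = key; @seq = 0; end
  def seal(plaintext)
    c = cipher(:encrypt)
    data = c.update(plaintext) + c.final
    [c.auth_tag, data]                         # [signature, ciphertext]
  end
  def unseal(signature, ciphertext)
    c = cipher(:decrypt)
    c.auth_tag = signature
    c.update(ciphertext) + c.final             # raises CipherError if tampered
  end
  def cipher(mode)
    c = OpenSSL::Cipher.new('aes-256-gcm').send(mode)
    c.key = @key
    c.iv = [@seq].pack('Q<').ljust(12, "\0")   # 96-bit nonce from seq
    c.auth_data = ''
    @seq += 1
    c
  end
end
# Request body: a part carrying the plaintext length, then an octet-stream
# part of <4-byte LE signature length><signature><ciphertext>.
def wrap_message(sealer, soap_xml)
  sig, data = sealer.seal(soap_xml)
  ["--#{BOUNDARY}\r\nContent-Type: #{PROTO}\r\n",
   "OriginalContent: type=application/soap+xml;charset=UTF-8;Length=#{soap_xml.bytesize}\r\n",
   "--#{BOUNDARY}\r\nContent-Type: application/octet-stream\r\n",
   [sig.bytesize].pack('V'), sig, data, "--#{BOUNDARY}--\r\n"].map(&:b).join
end
# Reverse the framing, unseal, and check the length against OriginalContent.
def unwrap_message(sealer, body)
  body = body.b
  m = body.match(/OriginalContent: [^\r]*Length=(\d+)\r\n/)
  raise 'missing OriginalContent header' unless m
  marker = "Content-Type: application/octet-stream\r\n".b
  start = body.index(marker) + marker.bytesize  # first byte of sig length
  stop = body.rindex("--#{BOUNDARY}--".b)       # closing boundary
  sig_len = body.byteslice(start, 4).unpack1('V')
  sig = body.byteslice(start + 4, sig_len)
  data = body.byteslice(start + 4 + sig_len, stop - start - 4 - sig_len)
  plaintext = sealer.unseal(sig, data)
  raise 'length mismatch' unless plaintext.bytesize == m[1].to_i
  plaintext
end
```

With a real NTLM or Kerberos context the sealer would return the GSS signature and sealed bytes, and the Content-Type header on the HTTP request becomes `multipart/encrypted;protocol="<PROTO>";boundary="Encrypted Boundary"`; the body framing stays the same.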

digz6666 commented 6 years ago

@hierynomus But it seems like winrb doesn't support Linux; you need to run on Windows and run Enable-PSRemoting in PowerShell, which isn't yet implemented in Linux PowerShell.

davydotcom commented 5 years ago

That's not true, we use the winrm client with encryption with rubyntlm with JRuby all the time. Works great on Linux! Would prefer to use Overthere encryption instead because ummm JRuby...