use NTLM/Negotiate authentication over basic authentication

Matt Wrock 2016-01-24 10:38:22 -08:00
parent b3925486bd
commit 7ef4ae9e10
5 changed files with 32 additions and 20 deletions


@ -12,6 +12,7 @@ module VagrantPlugins
attr_accessor :transport attr_accessor :transport
attr_accessor :ssl_peer_verification attr_accessor :ssl_peer_verification
attr_accessor :execution_time_limit attr_accessor :execution_time_limit
attr_accessor :basic_auth_only
def initialize def initialize
@username = UNSET_VALUE @username = UNSET_VALUE
@ -25,12 +26,13 @@ module VagrantPlugins
@transport = UNSET_VALUE @transport = UNSET_VALUE
@ssl_peer_verification = UNSET_VALUE @ssl_peer_verification = UNSET_VALUE
@execution_time_limit = UNSET_VALUE @execution_time_limit = UNSET_VALUE
@basic_auth_only = UNSET_VALUE
end end
def finalize! def finalize!
@username = "vagrant" if @username == UNSET_VALUE @username = "vagrant" if @username == UNSET_VALUE
@password = "vagrant" if @password == UNSET_VALUE @password = "vagrant" if @password == UNSET_VALUE
@transport = :plaintext if @transport == UNSET_VALUE @transport = :negotiate if @transport == UNSET_VALUE
@host = nil if @host == UNSET_VALUE @host = nil if @host == UNSET_VALUE
is_ssl = @transport == :ssl is_ssl = @transport == :ssl
@port = (is_ssl ? 5986 : 5985) if @port == UNSET_VALUE @port = (is_ssl ? 5986 : 5985) if @port == UNSET_VALUE
@ -40,6 +42,7 @@ module VagrantPlugins
@timeout = 1800 if @timeout == UNSET_VALUE @timeout = 1800 if @timeout == UNSET_VALUE
@ssl_peer_verification = true if @ssl_peer_verification == UNSET_VALUE @ssl_peer_verification = true if @ssl_peer_verification == UNSET_VALUE
@execution_time_limit = "PT2H" if @execution_time_limit == UNSET_VALUE @execution_time_limit = "PT2H" if @execution_time_limit == UNSET_VALUE
@basic_auth_only = false if @basic_auth_only == UNSET_VALUE
end end
def validate(machine) def validate(machine)
@ -56,6 +59,9 @@ module VagrantPlugins
unless @ssl_peer_verification == true || @ssl_peer_verification == false unless @ssl_peer_verification == true || @ssl_peer_verification == false
errors << "winrm.ssl_peer_verification must be a boolean." errors << "winrm.ssl_peer_verification must be a boolean."
end end
unless @basic_auth_only == true || @basic_auth_only == false
errors << "winrm.basic_auth_only must be a boolean."
end
{ "WinRM" => errors } { "WinRM" => errors }
end end
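Review bot: The new `attr_accessor :basic_auth_only` carries no comment about its security consequence, even though the documentation hunk in this commit states that enabling it transfers credentials in plain text; a line above the accessor such as `# When true, only HTTP Basic auth is offered; with a non-:ssl transport the credentials cross the wire in clear text.` keeps that visible to whoever reads the config class. The `validate` hunk only checks that the value is a boolean and does not flag `basic_auth_only == true` combined with a transport other than `:ssl`, which is exactly the combination the docs warn about; an error or warning entry there would surface it at config validation rather than at connection time. The `finalize!` hunk also silently changes the default transport from `:plaintext` to `:negotiate`, which is a behaviour change for existing Vagrantfiles that relied on the old default and is worth stating in the commit message. `validate` starts before this hunk and continues past it, so a transport-validity check may already exist in the part not shown.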


@ -181,7 +181,7 @@ module VagrantPlugins
case @config.transport.to_sym case @config.transport.to_sym
when :ssl when :ssl
"https://#{@host}:#{@port}/wsman" "https://#{@host}:#{@port}/wsman"
when :plaintext when :plaintext, :negotiate
"http://#{@host}:#{@port}/wsman" "http://#{@host}:#{@port}/wsman"
else else
raise Errors::WinRMInvalidTransport, transport: @config.transport raise Errors::WinRMInvalidTransport, transport: @config.transport
@ -193,7 +193,7 @@ module VagrantPlugins
pass: @password, pass: @password,
host: @host, host: @host,
port: @port, port: @port,
basic_auth_only: true, basic_auth_only: @config.basic_auth_only,
no_ssl_peer_verification: !@config.ssl_peer_verification } no_ssl_peer_verification: !@config.ssl_peer_verification }
end end
end #WinShell class end #WinShell class
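Review bot: `endpoint_options` now forwards `@config.basic_auth_only` verbatim, but nothing in the shell makes the plain-text credential path observable at runtime when it is paired with the http endpoint produced by the new `when :plaintext, :negotiate` branch in `endpoint`. A warning-level log line where these options are assembled, guarded by `if @config.basic_auth_only && @config.transport.to_sym != :ssl`, would make that choice auditable in the Vagrant log without changing behaviour. Whether a `:negotiate` session over http protects the payload is a property of the winrm gem this commit bumps to, not of this code, so the hunk should not be read as making http safe. `endpoint_options` begins before the hunk, so I cannot see which logger, if any, is in scope there.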


@ -14,6 +14,7 @@ describe VagrantPlugins::CommunicatorWinRM::WinRMShell do
c.password = 'password' c.password = 'password'
c.max_tries = 3 c.max_tries = 3
c.retry_delay = 0 c.retry_delay = 0
c.basic_auth_only = false
c.finalize! c.finalize!
end end
} }
@ -69,7 +70,19 @@ describe VagrantPlugins::CommunicatorWinRM::WinRMShell do
end end
end end
context "when transport is :negotiate" do
it "should create winrm endpoint address using http" do
expect(subject.send(:endpoint)).to eq("http://localhost:5985/wsman")
end
end
context "when transport is :plaintext" do context "when transport is :plaintext" do
let(:config) {
VagrantPlugins::CommunicatorWinRM::Config.new.tap do |c|
c.transport = :plaintext
c.finalize!
end
}
it "should create winrm endpoint address using http" do it "should create winrm endpoint address using http" do
expect(subject.send(:endpoint)).to eq("http://localhost:5985/wsman") expect(subject.send(:endpoint)).to eq("http://localhost:5985/wsman")
end end
@ -80,7 +93,7 @@ describe VagrantPlugins::CommunicatorWinRM::WinRMShell do
it "should create endpoint options" do it "should create endpoint options" do
expect(subject.send(:endpoint_options)).to eq( expect(subject.send(:endpoint_options)).to eq(
{ user: "username", pass: "password", host: "localhost", port: 5985, { user: "username", pass: "password", host: "localhost", port: 5985,
basic_auth_only: true, no_ssl_peer_verification: false }) basic_auth_only: false, no_ssl_peer_verification: false })
end end
end end
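Review bot: The new `context "when transport is :negotiate"` block never sets the transport; it inherits the top-level `let(:config)` and therefore only exercises whatever `finalize!` currently picks as the default. If that default changes again later, the example keeps passing while no longer testing `:negotiate` at all. Mirror the `:plaintext` context directly below it with its own `let(:config)` that sets `c.transport = :negotiate` before `c.finalize!`. The enclosing `describe` block starts and ends outside the hunk.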


@ -29,8 +29,8 @@ Gem::Specification.new do |s|
s.add_dependency "rb-kqueue", "~> 0.2.0" s.add_dependency "rb-kqueue", "~> 0.2.0"
s.add_dependency "rest-client", ">= 1.6.0", "< 2.0" s.add_dependency "rest-client", ">= 1.6.0", "< 2.0"
s.add_dependency "wdm", "~> 0.1.0" s.add_dependency "wdm", "~> 0.1.0"
s.add_dependency "winrm", "~> 1.3" s.add_dependency "winrm", "~> 1.6"
s.add_dependency "winrm-fs", "~> 0.2.2" s.add_dependency "winrm-fs", "~> 0.3.0"
# We lock this down to avoid compilation issues. # We lock this down to avoid compilation issues.
s.add_dependency "nokogiri", "= 1.6.3.1" s.add_dependency "nokogiri", "= 1.6.3.1"


@ -51,21 +51,14 @@ to use port 4567 to talk to the guest if there is no other option.
<hr> <hr>
`config.winrm.execution_time_limit` - The maximum duration that a WinRM `config.winrm.transport` - The transport used for WinRM communication. Valid settings include: `:negotiate`, `ssl`, and `:plaintext`. The default is `:negotiate`.
task can execute for. This defaults to two hours. The format of this value
must be in this [Microsoft-documented format](https://msdn.microsoft.com/en-us/library/aa382678.aspx).
<hr> <hr>
<strong>Warning:</strong> In order for Vagrant to communicate with a Windows `config.winrm.basic_auth_only` - Whether to use Basic Authentication. Defaults to `false`. If set to `true` you should also use the `:plaintext` transport setting and the Windows machine must be confiured appropriately. <strong>Note:</strong> It is strongly recommended that you only use basic authentication for debugging purposes. Credentials will be transferred in plain text.
guest, you must allow unencrypted WinRM connections on the guest machine
itself. Some public boxes already have this configured, but if you are
attempting to `vagrant up` a Windows box and the command hangs at
`Waiting for WinRM to become available...`, then you will need to run the
commands below on the guest machine itself, at the box setup stage,
after provisioning, or through a start up script.
``` <hr>
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value True
Set-Item WSMan:\localhost\Service\Auth\Basic -Value True `config.winrm.execution_time_limit` - The maximum duration that a WinRM
``` task can execute for. This defaults to two hours. The format of this value
must be in this [Microsoft-documented format](https://msdn.microsoft.com/en-us/library/aa382678.aspx).