use NTLM/Negotiate authentication over basic authentication
parent
b3925486bd
commit
7ef4ae9e10
|
@ -12,6 +12,7 @@ module VagrantPlugins
|
||||||
attr_accessor :transport
|
attr_accessor :transport
|
||||||
attr_accessor :ssl_peer_verification
|
attr_accessor :ssl_peer_verification
|
||||||
attr_accessor :execution_time_limit
|
attr_accessor :execution_time_limit
|
||||||
|
attr_accessor :basic_auth_only
|
||||||
|
|
||||||
def initialize
|
def initialize
|
||||||
@username = UNSET_VALUE
|
@username = UNSET_VALUE
|
||||||
|
@ -25,12 +26,13 @@ module VagrantPlugins
|
||||||
@transport = UNSET_VALUE
|
@transport = UNSET_VALUE
|
||||||
@ssl_peer_verification = UNSET_VALUE
|
@ssl_peer_verification = UNSET_VALUE
|
||||||
@execution_time_limit = UNSET_VALUE
|
@execution_time_limit = UNSET_VALUE
|
||||||
|
@basic_auth_only = UNSET_VALUE
|
||||||
end
|
end
|
||||||
|
|
||||||
def finalize!
|
def finalize!
|
||||||
@username = "vagrant" if @username == UNSET_VALUE
|
@username = "vagrant" if @username == UNSET_VALUE
|
||||||
@password = "vagrant" if @password == UNSET_VALUE
|
@password = "vagrant" if @password == UNSET_VALUE
|
||||||
@transport = :plaintext if @transport == UNSET_VALUE
|
@transport = :negotiate if @transport == UNSET_VALUE
|
||||||
@host = nil if @host == UNSET_VALUE
|
@host = nil if @host == UNSET_VALUE
|
||||||
is_ssl = @transport == :ssl
|
is_ssl = @transport == :ssl
|
||||||
@port = (is_ssl ? 5986 : 5985) if @port == UNSET_VALUE
|
@port = (is_ssl ? 5986 : 5985) if @port == UNSET_VALUE
|
||||||
|
@ -40,6 +42,7 @@ module VagrantPlugins
|
||||||
@timeout = 1800 if @timeout == UNSET_VALUE
|
@timeout = 1800 if @timeout == UNSET_VALUE
|
||||||
@ssl_peer_verification = true if @ssl_peer_verification == UNSET_VALUE
|
@ssl_peer_verification = true if @ssl_peer_verification == UNSET_VALUE
|
||||||
@execution_time_limit = "PT2H" if @execution_time_limit == UNSET_VALUE
|
@execution_time_limit = "PT2H" if @execution_time_limit == UNSET_VALUE
|
||||||
|
@basic_auth_only = false if @basic_auth_only == UNSET_VALUE
|
||||||
end
|
end
|
||||||
|
|
||||||
def validate(machine)
|
def validate(machine)
|
||||||
|
@ -56,6 +59,9 @@ module VagrantPlugins
|
||||||
unless @ssl_peer_verification == true || @ssl_peer_verification == false
|
unless @ssl_peer_verification == true || @ssl_peer_verification == false
|
||||||
errors << "winrm.ssl_peer_verification must be a boolean."
|
errors << "winrm.ssl_peer_verification must be a boolean."
|
||||||
end
|
end
|
||||||
|
unless @basic_auth_only == true || @basic_auth_only == false
|
||||||
|
errors << "winrm.basic_auth_only must be a boolean."
|
||||||
|
end
|
||||||
|
|
||||||
{ "WinRM" => errors }
|
{ "WinRM" => errors }
|
||||||
end
|
end
|
||||||
|
|
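Review bot: The check added near the end of `validate` only confirms that `basic_auth_only` is a boolean. Nothing visible rejects the contradictory pair of `basic_auth_only = true` with the new default `transport = :negotiate`. The docs change in this same commit says basic authentication sends credentials in plain text and should be paired with `:plaintext`, so a silent mismatch is worth surfacing at validation time. I would add `errors << "winrm.basic_auth_only cannot be combined with the :negotiate transport." if @basic_auth_only == true && @transport == :negotiate`. The body of `validate` starts outside this hunk, so a transport check may already exist above the visible lines.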
|
@ -181,7 +181,7 @@ module VagrantPlugins
|
||||||
case @config.transport.to_sym
|
case @config.transport.to_sym
|
||||||
when :ssl
|
when :ssl
|
||||||
"https://#{@host}:#{@port}/wsman"
|
"https://#{@host}:#{@port}/wsman"
|
||||||
when :plaintext
|
when :plaintext, :negotiate
|
||||||
"http://#{@host}:#{@port}/wsman"
|
"http://#{@host}:#{@port}/wsman"
|
||||||
else
|
else
|
||||||
raise Errors::WinRMInvalidTransport, transport: @config.transport
|
raise Errors::WinRMInvalidTransport, transport: @config.transport
|
||||||
|
@ -193,7 +193,7 @@ module VagrantPlugins
|
||||||
pass: @password,
|
pass: @password,
|
||||||
host: @host,
|
host: @host,
|
||||||
port: @port,
|
port: @port,
|
||||||
basic_auth_only: true,
|
basic_auth_only: @config.basic_auth_only,
|
||||||
no_ssl_peer_verification: !@config.ssl_peer_verification }
|
no_ssl_peer_verification: !@config.ssl_peer_verification }
|
||||||
end
|
end
|
||||||
end #WinShell class
|
end #WinShell class
|
||||||
|
|
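Review bot: `when :plaintext, :negotiate` maps the new default transport to an `http://` endpoint, and nothing at that branch says why the unencrypted scheme is acceptable for `:negotiate`. Someone auditing this will read it as cleartext WinRM. If the intent is that the negotiate transport protects the session at the message level rather than with TLS, state that, e.g. `# :negotiate runs over HTTP; confidentiality relies on the winrm gem's NTLM/Negotiate message protection, not TLS (confirm for winrm ~> 1.6)`. In the second hunk, `basic_auth_only: @config.basic_auth_only` is forwarded for every transport, so add a one-line comment that `true` sends the password with HTTP Basic, unencrypted over `:plaintext`. Both enclosing methods begin outside the hunks.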
|
@ -14,6 +14,7 @@ describe VagrantPlugins::CommunicatorWinRM::WinRMShell do
|
||||||
c.password = 'password'
|
c.password = 'password'
|
||||||
c.max_tries = 3
|
c.max_tries = 3
|
||||||
c.retry_delay = 0
|
c.retry_delay = 0
|
||||||
|
c.basic_auth_only = false
|
||||||
c.finalize!
|
c.finalize!
|
||||||
end
|
end
|
||||||
}
|
}
|
||||||
|
@ -69,7 +70,19 @@ describe VagrantPlugins::CommunicatorWinRM::WinRMShell do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context "when transport is :negotiate" do
|
||||||
|
it "should create winrm endpoint address using http" do
|
||||||
|
expect(subject.send(:endpoint)).to eq("http://localhost:5985/wsman")
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
context "when transport is :plaintext" do
|
context "when transport is :plaintext" do
|
||||||
|
let(:config) {
|
||||||
|
VagrantPlugins::CommunicatorWinRM::Config.new.tap do |c|
|
||||||
|
c.transport = :plaintext
|
||||||
|
c.finalize!
|
||||||
|
end
|
||||||
|
}
|
||||||
it "should create winrm endpoint address using http" do
|
it "should create winrm endpoint address using http" do
|
||||||
expect(subject.send(:endpoint)).to eq("http://localhost:5985/wsman")
|
expect(subject.send(:endpoint)).to eq("http://localhost:5985/wsman")
|
||||||
end
|
end
|
||||||
|
@ -80,7 +93,7 @@ describe VagrantPlugins::CommunicatorWinRM::WinRMShell do
|
||||||
it "should create endpoint options" do
|
it "should create endpoint options" do
|
||||||
expect(subject.send(:endpoint_options)).to eq(
|
expect(subject.send(:endpoint_options)).to eq(
|
||||||
{ user: "username", pass: "password", host: "localhost", port: 5985,
|
{ user: "username", pass: "password", host: "localhost", port: 5985,
|
||||||
basic_auth_only: true, no_ssl_peer_verification: false })
|
basic_auth_only: false, no_ssl_peer_verification: false })
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
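Review bot: The updated expectation `basic_auth_only: false` in "should create endpoint options" cannot tell a forwarded setting from a hard-coded one. The shared config sets `c.basic_auth_only = false`, which is also the new default, so a regression that pins the option to `false` in the shell would still pass. The new `:negotiate` context likewise relies on the default transport rather than setting it. I would add a context that turns the option on and asserts it reaches the options hash, following the `let(:config)` override already used for `:plaintext`. How `subject` is built is outside these hunks, so the sketch assumes it picks up the overridden `config`.

```ruby
# … unchanged: existing :negotiate, :plaintext and endpoint-options examples …

context "when basic_auth_only is enabled" do
  let(:config) {
    VagrantPlugins::CommunicatorWinRM::Config.new.tap do |c|
      c.transport = :plaintext
      c.basic_auth_only = true
      c.finalize!
    end
  }

  it "should forward basic_auth_only to the endpoint options" do
    expect(subject.send(:endpoint_options)).to include(basic_auth_only: true)
  end
end
```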
|
@ -29,8 +29,8 @@ Gem::Specification.new do |s|
|
||||||
s.add_dependency "rb-kqueue", "~> 0.2.0"
|
s.add_dependency "rb-kqueue", "~> 0.2.0"
|
||||||
s.add_dependency "rest-client", ">= 1.6.0", "< 2.0"
|
s.add_dependency "rest-client", ">= 1.6.0", "< 2.0"
|
||||||
s.add_dependency "wdm", "~> 0.1.0"
|
s.add_dependency "wdm", "~> 0.1.0"
|
||||||
s.add_dependency "winrm", "~> 1.3"
|
s.add_dependency "winrm", "~> 1.6"
|
||||||
s.add_dependency "winrm-fs", "~> 0.2.2"
|
s.add_dependency "winrm-fs", "~> 0.3.0"
|
||||||
|
|
||||||
# We lock this down to avoid compilation issues.
|
# We lock this down to avoid compilation issues.
|
||||||
s.add_dependency "nokogiri", "= 1.6.3.1"
|
s.add_dependency "nokogiri", "= 1.6.3.1"
|
||||||
|
|
|
@ -51,21 +51,14 @@ to use port 4567 to talk to the guest if there is no other option.
|
||||||
|
|
||||||
<hr>
|
<hr>
|
||||||
|
|
||||||
`config.winrm.execution_time_limit` - The maximum duration that a WinRM
|
`config.winrm.transport` - The transport used for WinRM communication. Valid settings include: `:negotiate`, `ssl`, and `:plaintext`. The default is `:negotiate`.
|
||||||
task can execute for. This defaults to two hours. The format of this value
|
|
||||||
must be in this [Microsoft-documented format](https://msdn.microsoft.com/en-us/library/aa382678.aspx).
|
|
||||||
|
|
||||||
<hr>
|
<hr>
|
||||||
|
|
||||||
<strong>Warning:</strong> In order for Vagrant to communicate with a Windows
|
`config.winrm.basic_auth_only` - Whether to use Basic Authentication. Defaults to `false`. If set to `true` you should also use the `:plaintext` transport setting and the Windows machine must be confiured appropriately. <strong>Note:</strong> It is strongly recommended that you only use basic authentication for debugging purposes. Credentials will be transferred in plain text.
|
||||||
guest, you must allow unencrypted WinRM connections on the guest machine
|
|
||||||
itself. Some public boxes already have this configured, but if you are
|
|
||||||
attempting to `vagrant up` a Windows box and the command hangs at
|
|
||||||
`Waiting for WinRM to become available...`, then you will need to run the
|
|
||||||
commands below on the guest machine itself, at the box setup stage,
|
|
||||||
after provisioning, or through a start up script.
|
|
||||||
|
|
||||||
```
|
<hr>
|
||||||
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value True
|
|
||||||
Set-Item WSMan:\localhost\Service\Auth\Basic -Value True
|
`config.winrm.execution_time_limit` - The maximum duration that a WinRM
|
||||||
```
|
task can execute for. This defaults to two hours. The format of this value
|
||||||
|
must be in this [Microsoft-documented format](https://msdn.microsoft.com/en-us/library/aa382678.aspx).
|
||||||
|
|