use NTLM/Negotiate authentication over basic authentication

Matt Wrock 2016-01-24 10:38:22 -08:00
parent b3925486bd
commit 7ef4ae9e10
5 changed files with 32 additions and 20 deletions


@ -12,6 +12,7 @@ module VagrantPlugins
attr_accessor :transport
attr_accessor :ssl_peer_verification
attr_accessor :execution_time_limit
attr_accessor :basic_auth_only
def initialize
@username = UNSET_VALUE
@ -25,12 +26,13 @@ module VagrantPlugins
@transport = UNSET_VALUE
@ssl_peer_verification = UNSET_VALUE
@execution_time_limit = UNSET_VALUE
@basic_auth_only = UNSET_VALUE
end
def finalize!
@username = "vagrant" if @username == UNSET_VALUE
@password = "vagrant" if @password == UNSET_VALUE
@transport = :plaintext if @transport == UNSET_VALUE
@transport = :negotiate if @transport == UNSET_VALUE
@host = nil if @host == UNSET_VALUE
is_ssl = @transport == :ssl
@port = (is_ssl ? 5986 : 5985) if @port == UNSET_VALUE
@ -40,6 +42,7 @@ module VagrantPlugins
@timeout = 1800 if @timeout == UNSET_VALUE
@ssl_peer_verification = true if @ssl_peer_verification == UNSET_VALUE
@execution_time_limit = "PT2H" if @execution_time_limit == UNSET_VALUE
@basic_auth_only = false if @basic_auth_only == UNSET_VALUE
end
def validate(machine)
@ -56,6 +59,9 @@ module VagrantPlugins
unless @ssl_peer_verification == true || @ssl_peer_verification == false
errors << "winrm.ssl_peer_verification must be a boolean."
end
unless @basic_auth_only == true || @basic_auth_only == false
errors << "winrm.basic_auth_only must be a boolean."
end
{ "WinRM" => errors }
end
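Review bot: The new check in `validate` only confirms that `basic_auth_only` is a boolean and never compares it with `transport`, so `basic_auth_only = true` combined with the new default `:negotiate` passes validation. The documentation added in this same commit says Basic should be paired with `:plaintext`, so the contradictory combination deserves an explicit error next to the boolean check, for example `errors << "winrm.basic_auth_only cannot be used with the :negotiate transport." if @basic_auth_only == true && @transport == :negotiate`. Since the docs also state that Basic sends credentials in plain text, it may be worth surfacing a warning when it is enabled without `:ssl`. The body of `validate` starts outside the hunk, so an existing cross-check further up cannot be ruled out.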


@ -181,7 +181,7 @@ module VagrantPlugins
case @config.transport.to_sym
when :ssl
"https://#{@host}:#{@port}/wsman"
when :plaintext
when :plaintext, :negotiate
"http://#{@host}:#{@port}/wsman"
else
raise Errors::WinRMInvalidTransport, transport: @config.transport
@ -193,7 +193,7 @@ module VagrantPlugins
pass: @password,
host: @host,
port: @port,
basic_auth_only: true,
basic_auth_only: @config.basic_auth_only,
no_ssl_peer_verification: !@config.ssl_peer_verification }
end
end #WinShell class
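Review bot: `endpoint_options` now reads `basic_auth_only` from config, where it defaults to `false`, so a Vagrantfile that already sets `winrm.transport = :plaintext` silently loses the `basic_auth_only: true` that was hard-coded on this line. Guests set up only for Basic will presumably stop authenticating after the upgrade, which deserves a changelog or upgrade note. The line would also benefit from a comment recording why the value is opt-in, e.g. `# Basic is opt-in: without :ssl it sends credentials unprotected, so the default stays false`. In the first hunk, `when :plaintext, :negotiate` could carry `# both use the HTTP listener; only :ssl gets TLS`, so readers do not take the `http://` scheme to mean Basic auth. Both methods start outside their hunks.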


@ -14,6 +14,7 @@ describe VagrantPlugins::CommunicatorWinRM::WinRMShell do
c.password = 'password'
c.max_tries = 3
c.retry_delay = 0
c.basic_auth_only = false
c.finalize!
end
}
@ -69,7 +70,19 @@ describe VagrantPlugins::CommunicatorWinRM::WinRMShell do
end
end
context "when transport is :negotiate" do
it "should create winrm endpoint address using http" do
expect(subject.send(:endpoint)).to eq("http://localhost:5985/wsman")
end
end
context "when transport is :plaintext" do
let(:config) {
VagrantPlugins::CommunicatorWinRM::Config.new.tap do |c|
c.transport = :plaintext
c.finalize!
end
}
it "should create winrm endpoint address using http" do
expect(subject.send(:endpoint)).to eq("http://localhost:5985/wsman")
end
@ -80,7 +93,7 @@ describe VagrantPlugins::CommunicatorWinRM::WinRMShell do
it "should create endpoint options" do
expect(subject.send(:endpoint_options)).to eq(
{ user: "username", pass: "password", host: "localhost", port: 5985,
basic_auth_only: true, no_ssl_peer_verification: false })
basic_auth_only: false, no_ssl_peer_verification: false })
end
end
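Review bot: Nothing in this spec exercises `basic_auth_only = true`: the shared config sets it to `false`, and the only `endpoint_options` expectation asserts `basic_auth_only: false`. A regression that ignored the setting, or hard-coded it again, would still pass. Add a context that sets `c.transport = :plaintext` and `c.basic_auth_only = true` and expects `basic_auth_only: true` from `subject.send(:endpoint_options)`. The shared config also assigns `false` explicitly, so the default applied by `finalize!` is never tested on its own; dropping `c.basic_auth_only = false` from the shared block would cover it.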


@ -29,8 +29,8 @@ Gem::Specification.new do |s|
s.add_dependency "rb-kqueue", "~> 0.2.0"
s.add_dependency "rest-client", ">= 1.6.0", "< 2.0"
s.add_dependency "wdm", "~> 0.1.0"
s.add_dependency "winrm", "~> 1.3"
s.add_dependency "winrm-fs", "~> 0.2.2"
s.add_dependency "winrm", "~> 1.6"
s.add_dependency "winrm-fs", "~> 0.3.0"
# We lock this down to avoid compilation issues.
s.add_dependency "nokogiri", "= 1.6.3.1"


@ -51,21 +51,14 @@ to use port 4567 to talk to the guest if there is no other option.
<hr>
`config.winrm.execution_time_limit` - The maximum duration that a WinRM
task can execute for. This defaults to two hours. The format of this value
must be in this [Microsoft-documented format](https://msdn.microsoft.com/en-us/library/aa382678.aspx).
`config.winrm.transport` - The transport used for WinRM communication. Valid settings include: `:negotiate`, `ssl`, and `:plaintext`. The default is `:negotiate`.
<hr>
<strong>Warning:</strong> In order for Vagrant to communicate with a Windows
guest, you must allow unencrypted WinRM connections on the guest machine
itself. Some public boxes already have this configured, but if you are
attempting to `vagrant up` a Windows box and the command hangs at
`Waiting for WinRM to become available...`, then you will need to run the
commands below on the guest machine itself, at the box setup stage,
after provisioning, or through a start up script.
`config.winrm.basic_auth_only` - Whether to use Basic Authentication. Defaults to `false`. If set to `true` you should also use the `:plaintext` transport setting and the Windows machine must be confiured appropriately. <strong>Note:</strong> It is strongly recommended that you only use basic authentication for debugging purposes. Credentials will be transferred in plain text.
```
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value True
Set-Item WSMan:\localhost\Service\Auth\Basic -Value True
```
<hr>
`config.winrm.execution_time_limit` - The maximum duration that a WinRM
task can execute for. This defaults to two hours. The format of this value
must be in this [Microsoft-documented format](https://msdn.microsoft.com/en-us/library/aa382678.aspx).