Windows folks: help test the new pywinrm beta!

We’re pleased to announce the release of pywinrm 0.3.0 beta 1, and hoping our friends who manage Windows with Ansible will put it through its paces…

The marquee feature on this release enables HTTP message encryption on NTLM, Kerberos, and CredSSP (in conjunction with updates to several other upstream projects). This means that it’s no longer necessary to use certificates to securely manage Windows hosts with Ansible. In addition, CBT support has been added to each of these for additional security when using HTTPS. Error handling has also been improved, so most of the dreaded 500 “Bad HTTP Response” errors will now include a lot more detail as to what went wrong. There have also been a number of bugfixes, including fixes to the service and CA path overrides, better suppression of InsecureRequestWarnings on some OSs, and plenty of others. Also gotta throw out huge props to community-member-turned-Red-Hatter Jordan Borean for navigating the Microsoft specs and doing a lot of trial-and-error to get CredSSP and NTLM support for this working.

If you want to try it out:

First, ensure that the Apple kerberos library is not installed in the Python environment where you run Ansible (assuming you want to include Kerberos in your testing; if not, just omit any references to kerberos):

this should fail saying it’s not installed

pip uninstall kerberos

Then install the latest bits:

this assumes a relatively recent version of pip (probably 8+) and setuptools

pip install pywinrm[kerberos,credssp] --pre --upgrade

Afterward:
pip list

should include the following:
pywinrm 0.3.0b1
pykerberos 1.2.1b1
requests-kerberos 0.12.0b1
ntlm-auth 1.0.6
requests-ntlm 1.1.0
requests-credssp 0.1.0

At this point, you should be able to use port 5985 on any Windows host with a “normal” HTTP listener configured and have a secure message-encrypted channel to work in. This can be verified in a few different ways:

  • ensure that AllowUnencrypted support is disabled on the target Windows host via Set-Item wsman:\localhost\Service\AllowUnencrypted $false (this is the default, and will cause the server to fail on cleartext messages)
  • force message encryption via the new winrm connection var ansible_winrm_message_encryption=always. This setting is not necessary to specify under normal conditions (message encryption will always be used on HTTP endpoints if possible), but this setting will cause the connection to fail if message encryption can’t be used.
  • insert a sniffing HTTP proxy in front of Ansible (e.g. Postman, Fiddler) by running HTTP_PROXY=http://your-proxy-here:8888/ ansible yourhost …; when you inspect the traffic, instead of unencrypted SOAP/XML, you should see mostly encrypted binary “garbage”.

Please let us know of any issues you encounter; we’re hoping to do a final release on these components within the next couple of weeks.

Thanks, and happy management!

Matt Davis
Ansible Core Engineering
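The first verification step above depends on the target host refusing cleartext SOAP and offering an auth method that can carry message encryption. The following is an added example, not code from the original post, from pywinrm or from Ansible: a PowerShell function, run in an elevated session on the Windows host itself, that audits the WinRM service for those conditions (AllowUnencrypted, the enabled auth providers, the HTTP listener on 5985) and optionally restores the AllowUnencrypted default. The function name, the -Enforce and -HttpPort parameters and the wording of the findings are assumptions of this example; the WSMan: paths are the standard ones the WSMan provider exposes.

```powershell
# Added example (not from the original post, pywinrm or Ansible).
# Audits the WinRM service so that a successful Ansible run over the HTTP
# listener actually proves message encryption was negotiated:
#   - AllowUnencrypted must be false (the Windows default), so cleartext SOAP is refused
#   - an auth provider that can encrypt (Negotiate/NTLM, Kerberos or CredSSP) must be on
#   - an HTTP listener must exist on the expected port
# Run in an elevated PowerShell session on the target host.

function Test-WinRMEncryptedHttpReadiness {
    [CmdletBinding()]
    param(
        # Assumed switch: put AllowUnencrypted back to $false if someone turned it on.
        [switch]$Enforce,
        # Assumed parameter: the "normal" HTTP listener port the post targets.
        [int]$HttpPort = 5985
    )

    # WSMan provider leaf values are strings ('true'/'false'); -eq is case-insensitive.
    function ConvertTo-Bool([object]$Value) { "$Value" -eq 'true' }

    $svc = 'WSMan:\localhost\Service'

    $allowUnencrypted = ConvertTo-Bool (Get-Item "$svc\AllowUnencrypted").Value
    if ($allowUnencrypted -and $Enforce) {
        # Same setting the post tells you to check, applied rather than just reported.
        Set-Item "$svc\AllowUnencrypted" -Value $false
        $allowUnencrypted = $false
    }

    # Enabled auth providers. Only Negotiate (NTLM), Kerberos and CredSSP can wrap the
    # SOAP body in an encrypted payload; Basic never can, so Basic over HTTP only works
    # when AllowUnencrypted is true, i.e. exactly the state this check flags.
    $auth = @{}
    foreach ($entry in Get-ChildItem "$svc\Auth") { $auth[$entry.Name] = $entry.Value }
    $encryptingAuth = @('Negotiate', 'Kerberos', 'CredSSP') |
        Where-Object { ConvertTo-Bool $auth[$_] }

    # Listener inventory: each listener is a container whose children hold
    # Address, Transport, Port, Enabled, ...
    $listeners = foreach ($l in Get-ChildItem 'WSMan:\localhost\Listener') {
        $props = @{}
        foreach ($p in Get-ChildItem $l.PSPath) { $props[$p.Name] = $p.Value }
        [pscustomobject]@{
            Transport = $props['Transport']
            Port      = [int]$props['Port']
            Address   = $props['Address']
            Enabled   = ConvertTo-Bool $props['Enabled']
        }
    }
    $httpListener = $listeners |
        Where-Object { $_.Transport -eq 'HTTP' -and $_.Port -eq $HttpPort -and $_.Enabled }

    $findings = New-Object System.Collections.Generic.List[string]
    if ($allowUnencrypted) {
        $findings.Add('AllowUnencrypted is true: the service accepts cleartext SOAP, so a ' +
                      'successful run over HTTP proves nothing about encryption. Re-run with -Enforce.')
    }
    if (-not $encryptingAuth) {
        $findings.Add('No auth provider that supports message encryption is enabled ' +
                      '(Negotiate, Kerberos or CredSSP).')
    }
    if (-not $httpListener) {
        $findings.Add("No enabled HTTP listener on port $HttpPort.")
    }
    if (ConvertTo-Bool $auth['Basic']) {
        $findings.Add('Basic auth is enabled; it cannot carry message encryption, so disable it ' +
                      'if the HTTP listener should only ever see encrypted traffic.')
    }

    [pscustomobject]@{
        AllowUnencrypted   = $allowUnencrypted
        EncryptingAuth     = @($encryptingAuth)
        # Server-side channel binding token policy for HTTPS listeners (Strict/Relaxed/None);
        # relevant once you test the CBT support the post mentions over 5986.
        CbtHardeningLevel  = $auth['CbtHardeningLevel']
        HttpListener       = $httpListener
        EncryptedHttpReady = (-not $allowUnencrypted) -and [bool]$encryptingAuth -and [bool]$httpListener
        Findings           = $findings
    }
}

# Report only; add -Enforce to restore the AllowUnencrypted default if it was changed.
Test-WinRMEncryptedHttpReadiness | Format-List
```

With EncryptedHttpReady true on the host, a run against port 5985 with ansible_winrm_message_encryption=always set on the client is a clean two-sided test: the server cannot accept cleartext and the client refuses to send it, so any SOAP that goes through must have been encrypted. A proxy capture, as in the third bullet, is still the only way to see the bytes on the wire yourself.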

Thanks for this; that's great news.

Congratulations to you and Jordan for getting this done.

Looking forward to giving this a go as soon as I can.

Jon