Double-Hop Solution: Pass Credentials #107
Conversation
Hi @gramsa49, I think your approach will work, but I will need a few more weeks before I merge this because I need to alter it slightly. We have already started adding too many parameters around establishing and running WinRM commands and I'd like to make it easier to use.
That's great news! Let me know if there is anything I can do to assist.
I've personally been using a build of the gramsa49:main provider for this solution, and it's been working great. Thank you @gramsa49!
Is there any chance to move forward this PR?
BTW, @juneeighteen can you share how you integrated the gramsa49:main provider?
Hi everyone, thanks for your interest and your feedback! This hasn't been merged yet because the approach used doesn't work out of the box for some of the resources supported by the provider. I am working on fixing the ones that don't work and once it's done I'll update this PR. Again, thanks for your interest :)
Curious which ones if you don't mind sharing. I couldn't thoroughly test every resource type and data source, but I did attempt to update the code path in a way that would include all resources and data sources.
Sure! The GPO related resources failed because the related PowerShell commands don't use the There are also a few cases where we pipe one command to another, like for example the Delete() method for the OU resource that calls something like this: In this case the -Credentials parameter needs to be passed in each of the commands.
@luis-garza, Sure...
Thanks @juneeighteen, I was able to build it, and the double hop connection works like a charm! But testing it I've faced some inconsistencies creating ad_computer objects...
Looking forward to the merge
@juneeighteen, @luis-garza, @gramsa49 I pushed #117 that extends this PR.
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
Description
Added new parameter, winrm_pass_credenitials, to the provider configuration to enable passing Active Directory credentials to the remote WinRM server. This works around the double-hop issue posed when not connecting directly to the Active Directory Domain Controller by creating a 'System.Management.Automation.PSCredential' in the remote PowerShell session.
I coded this capability to require the https protocol to ensure the credentials are passed securely over the wire. I first explored using Kerberos message encryption, but this does not look to be possible with the Go Kerberos client.
The method adopted by this patch is the least intrusive (easiest to adopt) in that it does not require alteration or management of special configurations on the non-AD DC WinRM host.
The credentials passed to the remote secure shell are redacted from the Terraform DEBUG logs. Only the -AD command is logged with '-Credential $Credential' shown at the end of the command being run. This also applies to the 'encoded command' log.
References
Closes #99
https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/ps-remoting-second-hop?view=powershell-7.1
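The two mechanics this PR relies on, creating a PSCredential inside the remote session and appending `-Credential $Credential` to every stage of a piped command (the OU Delete() case raised in the conversation), with a redacted copy for DEBUG logs, as an added Go example. This is not the provider's code; `buildScript`, `withCredential` and `psQuote` are hypothetical helpers, and the example assumes no literal `|` appears inside a command's quoted arguments.

```go
package main

import (
	"fmt"
	"strings"
)

// psQuote wraps s in PowerShell single quotes, doubling embedded quotes so
// a password containing ' cannot break out of the string literal.
func psQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", "''") + "'"
}

// withCredential appends -Credential $Credential to each pipeline stage,
// because in "Get-ADOrganizationalUnit ... | Remove-ADObject ..." every
// cmdlet performs its own AD call and needs the credential separately.
// Assumption: no literal "|" inside quoted arguments.
func withCredential(cmd string) string {
	stages := strings.Split(cmd, "|")
	for i, st := range stages {
		stages[i] = strings.TrimSpace(st) + " -Credential $Credential"
	}
	return strings.Join(stages, " | ")
}

// buildScript returns the full script to send over WinRM (HTTPS only, as the
// PR requires) and a log-safe copy: the PSCredential prelude holding the
// password is dropped, so only the AD command with "-Credential $Credential"
// at the end of each stage reaches the DEBUG log.
func buildScript(user, password, cmd string) (script, logged string) {
	credCmd := withCredential(cmd)
	prelude := "$secpass = ConvertTo-SecureString -String %s -AsPlainText -Force; " +
		"$Credential = New-Object System.Management.Automation.PSCredential(%s, $secpass); "
	script = fmt.Sprintf(prelude, psQuote(password), psQuote(user)) + credCmd
	logged = credCmd
	return script, logged
}

func main() {
	// Constructed sample input: a hypothetical service account and an OU delete pipeline.
	script, logged := buildScript("EXAMPLE\\svc_tf", "p'ass",
		"Get-ADOrganizationalUnit -Identity 'OU=x,DC=example,DC=com' | Remove-ADObject -Recursive -Confirm:$false")
	fmt.Println("run:", script)
	fmt.Println("log:", logged)
}
```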