Description
A security review of the proposed fix for PowerShell/psl-omi-provider#114 (Basic Auth over HTTP does not work from PowerShell) has determined that Basic Auth over HTTP should not be supported on Linux. The primary reasons include:
1: Both the credentials and the payload are sent unencrypted.
2: Neither the client nor the server (omi) provides a method for disabling this combination.
3: It's too easy for users to use PSRP in an insecure manner.
As the above issue implies, this combination is currently broken in PowerShell on Linux. Instead of fixing it, the proposed change is to explicitly disable it and report a more appropriate error message.
The recommendation going forward will be to use Negotiate which results in the following:
From the OMI/Setup NTLM doc...
- The password is hashed using an irreversible algorithm, so the password is more secure than with Basic.
- The client and server support encryption of your data over http connections, so SSL certificates are not required.
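The client-side shape of the behaviour proposed above (refuse Basic over plain HTTP with an explicit message, and default to Negotiate), as an added example that is not code from psl-omi-provider or PowerShell; the function names, messages and the host names in the sample calls are this example's own choices.

```powershell
# Added example (not from the psl-omi-provider project): a client-side guard that
# enforces the policy described in this issue. Basic is refused unless the transport
# is https; Negotiate is the default. Names and messages are hypothetical.
function Test-PSRemotingAuthPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [uri] $ConnectionUri,
        [ValidateSet('Default','Basic','Negotiate','NegotiateWithImplicitCredential','Kerberos','Credssp','Digest')]
        [string] $Authentication = 'Negotiate'
    )
    $encrypted = $ConnectionUri.Scheme -eq 'https'
    if ($Authentication -eq 'Basic' -and -not $encrypted) {
        # Both the credential and the payload would cross the wire in the clear.
        return [pscustomobject]@{
            Allowed = $false
            Reason  = "Basic authentication over $($ConnectionUri.Scheme) sends the password and payload unencrypted; use Negotiate, or Basic only over https."
        }
    }
    return [pscustomobject]@{ Allowed = $true; Reason = $null }
}

function New-PolicyCheckedSession {
    param(
        [Parameter(Mandatory)] [uri] $ConnectionUri,
        [string] $Authentication = 'Negotiate',
        [pscredential] $Credential
    )
    $verdict = Test-PSRemotingAuthPolicy -ConnectionUri $ConnectionUri -Authentication $Authentication
    if (-not $verdict.Allowed) {
        # Fail closed with a clear message instead of an opaque transport error.
        throw $verdict.Reason
    }
    $params = @{ ConnectionUri = $ConnectionUri; Authentication = $Authentication }
    if ($Credential) { $params.Credential = $Credential }
    New-PSSession @params
}

# Constructed sample inputs for the policy check alone; no session is opened here.
Test-PSRemotingAuthPolicy -ConnectionUri 'http://linuxhost.example:5985/wsman'  -Authentication Basic      # Basic over plain http
Test-PSRemotingAuthPolicy -ConnectionUri 'https://linuxhost.example:5986/wsman' -Authentication Basic      # Basic over https
Test-PSRemotingAuthPolicy -ConnectionUri 'http://linuxhost.example:5985/wsman'  -Authentication Negotiate  # Negotiate over http
```

Only the first sample call is refused; the guard is deliberately client-side, since the issue notes that neither the client nor omi currently offers a switch for this combination.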