Skip to content

Set WSMAN_OPTION_UNENCRYPTED_MESSAGES when Basic auth is used over HTTP #6706

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
dantraMSFT wants to merge 2 commits into from
Closed

Set WSMAN_OPTION_UNENCRYPTED_MESSAGES when Basic auth is used over HTTP #6706

dantraMSFT wants to merge 2 commits into from

Conversation

@dantraMSFT
Copy link
Contributor

@dantraMSFT dantraMSFT commented Apr 23, 2018

PR Summary

This changes ensure WSMAN_OPTION_UNENCRYPTED_MESSAGES is set when using Basic auth over HTTP. On Linux and macOS, not setting this option explicitly fails the connection request.

PR Checklist

@dantraMSFT dantraMSFT requested a review from mirichmo as a code owner April 23, 2018 21:50
PaulHigin
PaulHigin suggested changes Apr 24, 2018
View reviewed changes
src/System.Management.Automation/engine/remoting/fanin/WSManTransportManager.cs
SetWSManSessionOption(WSManNativeApi.WSManSessionOption.WSMAN_OPTION_USE_SSL, 1);
}
if (connectionInfo.NoEncryption)
if (connectionInfo.NoEncryption ||
Copy link
Contributor

@PaulHigin PaulHigin Apr 24, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After thinking about this I am uncomfortable making PSRP messages non-encrypted by default for Basic auth. Basic auth is not recommended but I am sure many customers use it, and may rely on PSRP messages being encrypted.

Copy link
Contributor Author

@dantraMSFT dantraMSFT Apr 24, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@PaulHigin: I limited the change to UNIX. PSRP/MI don't support encryption over HTTP like PSRP/WIndows/WSMan does.

@dantraMSFT
Copy link
Contributor Author

dantraMSFT commented Apr 24, 2018

FYI: The -workingdirectory test failure is being addressed with PR #6723

@SteveL-MSFT
Copy link
Member

SteveL-MSFT commented Apr 24, 2018

I'm concerned about this being enabled by default on Unix. On Windows, the user needs to enable AllowUnencrypted for both the client and server to work and is only intended for developer use. Basic auth over unencrypted HTTP means the creds are in plain text over the wire. Seems like we should make the user specify explicitly they are ok with this somehow.

SteveL-MSFT
SteveL-MSFT requested changes Apr 24, 2018
View reviewed changes
Copy link
Member

@SteveL-MSFT SteveL-MSFT left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be explicitly opt-in

@dantraMSFT
Copy link
Contributor Author

dantraMSFT commented Apr 25, 2018

@SteveL-MSFT : What do you mean by explicitly opt-in? Right now, it's not possible at all from Linux because flags are not set appropriately. of course, it's till not possible from Linux to Windows without configuring the WSMan settings appropriately.

Are you suggesting that we replace the -UseSLL and have -AllowUnencrypted?

@SteveL-MSFT
Copy link
Member

SteveL-MSFT commented Apr 25, 2018

@dantraMSFT not replace, but perhaps add that switch

@dantraMSFT
Copy link
Contributor Author

dantraMSFT commented Apr 25, 2018

On Linux, encryption over HTTP is simply not supported and we would need to introduce a breaking change to require an explicit opt-in. I think there's one of three approaches

1: The user would have to explicitly select -UseSSL or -AllowUnencrypted since selecting need is an unsupported state.

2: -UseSSL would need to be the default behavior.

3: Change OMI to have a policy that needs to be explicitly enabled, such as we have with WSMan::localhost\Service\AllowUnencrypted.

@paulcallen
Copy link
Contributor

paulcallen commented Apr 25, 2018

encryption over HTTP is only supported with Kerberos, NTML and CredSSP (the last one not supported on Linux)

@dantraMSFT
Copy link
Contributor Author

dantraMSFT commented May 3, 2018

Closing due to #6787 (Disallow Basic Auth over HTTP on Unix)

@dantraMSFT dantraMSFT closed this May 3, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@SteveL-MSFT SteveL-MSFT SteveL-MSFT requested changes

@paulcallen paulcallen Awaiting requested review from paulcallen

@mirichmo mirichmo Awaiting requested review from mirichmo

+1 more reviewer

@PaulHigin PaulHigin PaulHigin approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@dantraMSFT @SteveL-MSFT @paulcallen @PaulHigin