Skip to content

Add SkipCA and SkipCN check requirement to WinRM/OMI HTTPS connection #8279

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
adityapatwardhan merged 12 commits into from
Nov 28, 2018
Merged

Add SkipCA and SkipCN check requirement to WinRM/OMI HTTPS connection #8279

adityapatwardhan merged 12 commits into from
Nov 28, 2018

Conversation

@PaulHigin
Copy link
Contributor

@PaulHigin PaulHigin commented Nov 15, 2018

PR Summary

OMI does not support server certificate validation, so this change is to add a requirement that -SkipCACheck and -SkipCNCheck options are specified before a connection is allowed. This way users will be aware that no server certificate validation is performed.

This only applies to PSCore6 remoting clients on non-Windows platforms, when creating a remote session to a Windows machine via WinRM\OMI.

This is a breaking change because these skip check options are now required. If the skip check options are not included then the connection will be denied.

Examples:

# On a Linux or MacOS machine
New-PSSession -Cn <WindowsMachine> -Credential $cred -Authentication Basic -UseSSL
New-PSSession : HTTPS on Unix does not support CA or CN checks. Use the PSSessionOption -SkipCACheck and -SkipCNCheck if you are certain of the server you are connecting to.
At line:1 char:1
+ New-PSSession -cn paulhig-2 -Credential $cred -Authentication Basic - ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : ResourceUnavailable: (:) [New-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : System.Management.Automation.Remoting.PSRemotingDataStructureException,Microsoft.PowerShell.Commands.NewPSSessionCommand

$so = New-PSSessionOption -SkipCACheck -SkipCNCheck
$session = New-PSSession -Cn <WindowsMachine> -Credential $cred -Authentication Basic -UseSSL -SessionOption $so

Enter-PSSession -Cn <WindowsMachine> -Credential $cred -Authentication Basic -UseSSL -SessionOption $so

PR Checklist

@PaulHigin PaulHigin added WG-Remoting PSRP issues with any transport layer Breaking-Change breaking change that may affect users labels Nov 15, 2018
SteveL-MSFT
SteveL-MSFT requested changes Nov 15, 2018
View reviewed changes
@adityapatwardhan
Copy link
Member

adityapatwardhan commented Nov 15, 2018

@PaulHigin Please resolve merge conflict.

Also, enable tests here for non-windows: https://github.com/PowerShell/PowerShell/blob/master/test/powershell/engine/Remoting/SessionOption.Tests.ps1

adityapatwardhan
adityapatwardhan requested changes Nov 15, 2018
View reviewed changes
Copy link
Member

@adityapatwardhan adityapatwardhan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please enable SessionOption tests.

@adityapatwardhan adityapatwardhan added the Documentation Needed in this repo Documentation is needed in this repo label Nov 15, 2018
@PaulHigin
Copy link
Contributor Author

PaulHigin commented Nov 16, 2018

SessionOption.Tests.ps1 contains tests for WSMan SessionOption object, which we do not expose for non-Windows platforms. But I'll add tests for New-PSSessionOption.

@iSazonov
Copy link
Collaborator

iSazonov commented Nov 16, 2018

PowerShell Committee for the breaking change?

@iSazonov iSazonov added the CL-Engine Indicates that a PR should be marked as an engine change in the Change Log label Nov 16, 2018
@TravisEz13 TravisEz13 added the Review - Committee The PR/Issue needs a review from the PowerShell Committee label Nov 16, 2018
@TravisEz13
Copy link
Member

TravisEz13 commented Nov 16, 2018

Adding the committee to review the breaking change

adityapatwardhan
adityapatwardhan requested changes Nov 20, 2018
View reviewed changes
iSazonov
iSazonov reviewed Nov 21, 2018
View reviewed changes
test/powershell/engine/Remoting/PSSession.Tests.ps1 Outdated
throw "No Exception!"
}
catch {
$_.Exception.ErrorCode | Should -Be $expectedErrorCode
Copy link
Collaborator

@iSazonov iSazonov Nov 21, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can use new Pester features:

$exc = { & $scriptBlock } | Should -Throw -ErrorId "..." -PassThru
$exc.Exception.ErrorCode | Should -Be $expectedErrorCode

Copy link
Contributor Author

@PaulHigin PaulHigin Nov 26, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like this pattern, however the ErrorId is not being checked. At least in my current version of Pester (4.4.2).

Copy link
Collaborator

@iSazonov iSazonov Nov 26, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sample from the repo

PowerShell/test/powershell/Language/Classes/Scripting.Classes.Attributes.Tests.ps1

Lines 270 to 274 in 43e0394

It 'Empty dynamically generated set throws in C#' {
$exc = {
Get-TestValidateSet5 -Param1 "TestString1" -ErrorAction Stop
} | Should -Throw -ErrorId "ParameterArgumentValidationError,Test.Language.TestValidateSetCommand5" -PassThru
$exc.Exception.InnerException.ErrorRecord.FullyQualifiedErrorId | Should -BeExactly "ValidateSetGeneratedValidValuesListIsNull"

TravisEz13
TravisEz13 reviewed Nov 26, 2018
View reviewed changes
src/System.Management.Automation/resources/RemotingErrorIdStrings.resx Outdated
<value>Host system does not have the correct version of Hyper-V schema.</value>
</data>
<data name="UnixOnlyHttpsWithoutSkipCACheckNotSupported" xml:space="preserve">
<value>HTTPS on Unix does not currently support CA or CN checks. Use the PSSessionOption -SkipCACheck and -SkipCNCheck if you are certain of the server you are connecting to.</value>
Copy link
Member

@TravisEz13 TravisEz13 Nov 26, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
<value>HTTPS on Unix does not currently support CA or CN checks. Use the PSSessionOption -SkipCACheck and -SkipCNCheck if you are certain of the server you are connecting to.</value>
<value>HTTPS on Unix does not currently support CA or CN checks. Use the PSSessionOption -SkipCACheck and -SkipCNCheck if you are certain you trust the server you are connecting to and the network in between.</value>

TravisEz13
TravisEz13 requested changes Nov 26, 2018
View reviewed changes
Copy link
Member

@TravisEz13 TravisEz13 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One comment about the message

adityapatwardhan
adityapatwardhan requested changes Nov 27, 2018
View reviewed changes
@adityapatwardhan
Copy link
Member

adityapatwardhan commented Nov 28, 2018

I thought -cn would flag a PSScriptAnalyzer error, but verified that it does not. So signing off.

@adityapatwardhan adityapatwardhan merged commit 0657163 into PowerShell:master Nov 28, 2018
@adityapatwardhan
Copy link
Member

adityapatwardhan commented Nov 28, 2018

@PowerShell/powershell-committee I did not realize this was marked for committee review. If this does not pass review, I will revert.

@TravisEz13
Copy link
Member

TravisEz13 commented Nov 28, 2018

@PowerShell/powershell-committee Also, consider if this should be back-ported to 6.1 and 6.0?

iSazonov pushed a commit to iSazonov/PowerShell that referenced this pull request Nov 29, 2018
@PaulHigin @iSazonov
Add SkipCA and SkipCN check requirement to WinRM/OMI HTTPS connection (
e4825ab 
…PowerShell#8279)
@PaulHigin PaulHigin deleted the Unix_SkipCA_Fix branch August 5, 2019 21:41
@joeyaiello joeyaiello removed the Review - Committee The PR/Issue needs a review from the PowerShell Committee label Mar 11, 2020
@iSazonov iSazonov mentioned this pull request Jan 16, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@iSazonov iSazonov iSazonov left review comments

@TravisEz13 TravisEz13 TravisEz13 approved these changes

@SteveL-MSFT SteveL-MSFT SteveL-MSFT approved these changes

@adityapatwardhan adityapatwardhan adityapatwardhan approved these changes

Assignees

@adityapatwardhan adityapatwardhan

Labels

Breaking-Change breaking change that may affect users CL-Engine Indicates that a PR should be marked as an engine change in the Change Log Documentation Needed in this repo Documentation is needed in this repo WG-Remoting PSRP issues with any transport layer

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@PaulHigin @adityapatwardhan @iSazonov @TravisEz13 @SteveL-MSFT @joeyaiello