Linux: how to identify the transport, authentication, channel and message encryption types currently used by a WinRM deployment?
I'm having a hard time figuring out which mechanisms are in use in an existing WinRM deployment.

WinRM is configured through a Group Policy Object in the Windows domain and applied to a set of Windows endpoints. It can be used from Linux with the Python library "pywinrm", as well as from Windows with PowerShell Remoting.

The GPO allows the WinRM listeners to be configured automatically on the Windows hosts. The documentation states that WinRM's default initial authentication mechanism is Kerberos, which is fine in a domain environment, and that generating tickets is very hard.

Strangely, even though both HTTP and HTTPS listeners are configured on every Windows endpoint, running tcpdump on the Linux client (where Ansible lives) shows no traffic to tcp 5985 (the destination port of the WinRM "HTTP" listener); instead, when Ansible commands are issued against the Windows hosts, the traffic goes to the SSL WinRM port (tcp 5986) (see below).

Network capture
# Ansible command issued from Ansible client machine (Linux)
ansible -m win_ping --vault-id vault@prompt host.domain.tld
host.tld | SUCCESS => {
"changed": false,
"ping": "pong"
}
# Ansible configuration for Windows hosts group on Ansible client machine (Linux)
ansible_connection: winrm
ansible_winrm_scheme: https
ansible_winrm_transport: kerberos
ansible_winrm_server_cert_validation: ignore
ansible_winrm_operation_timeout_sec: 60
ansible_winrm_read_timeout_sec: 70
ansible_user: user@DOMAIN.TLD
ansible_password: XXXXXXXXXXXXXXXXXXX
ansible_port: 5986
# Traffic detected here on Ansible client machine (Linux)
tcpdump -vv -i ensXXX dst 10.10.10.10 and dst port 5986
# No traffic visible here on Ansible client machine (Linux)
tcpdump -vv -i ensXXX dst 10.10.10.10 and dst port 5985
# No traffic visible here on Django client machine (Linux)
tcpdump -vv -i ensXXX dst 10.10.10.11 and dst port 5986
# Traffic visible here on Django client machine (Linux)
tcpdump -vv -i ensXXX dst 10.10.10.11 and dst port 5985
On the WinRM side, the configuration is as follows:

WinRM service configuration
# Global service configuration (Windows endpoint)
winrm get winrm/config/Service
Service
RootSDDL = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
MaxConcurrentOperations = 4294967295
MaxConcurrentOperationsPerUser = 1500
EnumerationTimeoutms = 240000
MaxConnections = 300
MaxPacketRetrievalTimeSeconds = 120
AllowUnencrypted = false [Source="GPO"]
Auth
Basic = true [Source="GPO"]
Kerberos = true
Negotiate = true
Certificate = false
CredSSP = true [Source="GPO"]
CbtHardeningLevel = Relaxed
DefaultPorts
HTTP = 5985
HTTPS = 5986
IPv4Filter = * [Source="GPO"]
IPv6Filter [Source="GPO"]
EnableCompatibilityHttpListener = false [Source="GPO"]
EnableCompatibilityHttpsListener = false
CertificateThumbprint
AllowRemoteAccess = true [Source="GPO"]
WinRM listeners
# winrm listener configuration (Windows endpoint)
winrm enumerate winrm/config/listener
Listener [Source="GPO"]
Address = *
Transport = HTTP
Port = 5985
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = 127.0.0.1, 10.10.10.10
Listener
Address = *
Transport = HTTPS
Port = 5986
Hostname = HOST.TLD
Enabled = true
URLPrefix = wsman
CertificateThumbprint = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ListeningOn = 127.0.0.1, 10.10.10.10
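A small parser for the text that `winrm get winrm/config/Service` and `winrm enumerate winrm/config/listener` print, with the review checks a security engineer would run over it (Basic and CredSSP enabled, channel-binding hardening not Strict, AllowUnencrypted, HTTPS listener without a certificate). This is an added example, not code from the question or from Microsoft; the two sample outputs are constructed (abridged) from the output shown above, with the SDDL and thumbprint left as placeholders.

```python
"""Parser and review checks for what `winrm get winrm/config/Service` and
`winrm enumerate winrm/config/listener` print on a Windows endpoint.
Added example, not part of the question; the samples below are constructed
(abridged) from the question's output, SDDL and thumbprint left as placeholders."""
import re

# Constructed sample, indented the way winrm.cmd prints it.
SERVICE_OUTPUT = """\
Service
    RootSDDL = XXXXXXXX
    AllowUnencrypted = false [Source="GPO"]
    Auth
        Basic = true [Source="GPO"]
        Kerberos = true
        Negotiate = true
        Certificate = false
        CredSSP = true [Source="GPO"]
        CbtHardeningLevel = Relaxed
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    IPv6Filter [Source="GPO"]
    CertificateThumbprint
    AllowRemoteAccess = true [Source="GPO"]
"""

# Constructed sample: one GPO-sourced HTTP listener and one HTTPS listener.
LISTENER_OUTPUT = """\
Listener [Source="GPO"]
    Transport = HTTP
    Port = 5985
    Hostname
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 10.10.10.10

Listener
    Transport = HTTPS
    Port = 5986
    Hostname = HOST.TLD
    CertificateThumbprint = XXXXXXXX
    ListeningOn = 127.0.0.1, 10.10.10.10
"""

# One output line: indentation, a name, optional "= value", optional [Source="..."].
_LINE_RE = re.compile(r'^(?P<indent>\s*)(?P<name>\w+)(?:\s*=\s*(?P<value>.*?))?'
                      r'\s*(?:\[Source="(?P<source>[^"]*)"\])?\s*$')


def parse_winrm_config(text):
    """Return a list of (name, node) top-level sections.  A node maps child
    name -> (value, source) for leaves or -> dict for sub-sections; a section
    that itself carried [Source=...] keeps it under '_source'.  Repeated
    top-level sections (one per listener) stay separate list entries."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f'unparseable winrm output line: {line!r}')
        rows.append((len(m['indent']), m['name'], m['value'], m['source']))
    sections, stack = [], []   # stack: (indent, dict) of open sections
    for i, (indent, name, value, source) in enumerate(rows):
        while stack and stack[-1][0] >= indent:
            stack.pop()
        # A line opens a section exactly when the next line is indented deeper;
        # otherwise it is a leaf, possibly with an empty value (e.g. Hostname).
        is_section = i + 1 < len(rows) and rows[i + 1][0] > indent
        if is_section:
            item = {'_source': source} if source else {}
        else:
            item = (value if value is not None else '', source)
        if stack:
            stack[-1][1][name] = item
        else:
            sections.append((name, item))
        if is_section:
            stack.append((indent, item))
    return sections


def audit_service(service):
    """Findings on the Service section, each as (setting, why it matters)."""
    findings, auth = [], service['Auth']
    if auth['Basic'][0] == 'true':
        findings.append(('Basic', 'password travels base64-encoded; only the HTTPS listener '
                         'protects it, and with AllowUnencrypted=false the HTTP listener rejects it'))
    if auth['CredSSP'][0] == 'true':
        findings.append(('CredSSP', "the client hands the user's full credentials to the endpoint"))
    if auth['CbtHardeningLevel'][0] != 'Strict':
        findings.append(('CbtHardeningLevel', 'channel binding is not enforced on the HTTPS listener'))
    if service['AllowUnencrypted'][0] == 'true':
        findings.append(('AllowUnencrypted', 'plain-HTTP bodies accepted without Kerberos/NTLM/CredSSP wrapping'))
    return findings


def audit_listeners(listeners):
    """Findings on each Listener section: HTTPS without a certificate, and HTTP
    listeners, whose body confidentiality depends on the client's transport."""
    findings = []
    for _name, node in listeners:
        transport = node['Transport'][0]
        if transport == 'HTTPS' and not node.get('CertificateThumbprint', ('', None))[0]:
            findings.append(('CertificateThumbprint', 'HTTPS listener has no certificate bound'))
        if transport == 'HTTP':
            findings.append(('HTTP', f"HTTP listener on port {node['Port'][0]}: only Kerberos/NTLM/CredSSP "
                             'message encryption protects the body'))
    return findings


def review(service_text=SERVICE_OUTPUT, listener_text=LISTENER_OUTPUT):
    service = dict(parse_winrm_config(service_text))['Service']
    return {'service': audit_service(service),
            'listeners': audit_listeners(parse_winrm_config(listener_text))}


if __name__ == '__main__':
    for area, findings in review().items():
        for setting, why in findings:
            print(f'{area}: {setting}: {why}')
```

Paste the real output of the two commands into the two string constants (or read it from a file) to review an endpoint; the parser keeps the `[Source="GPO"]` marker, so a finding can be traced back to whether a GPO or a local setting caused it.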
On the other hand, I have a Django-based web application that relies on pywinrm to query the Windows hosts from a Linux server, and this time the WinRM traffic appears to be directed to the non-SSL TCP port 5985 on the Windows endpoints:

Django application
# Code extract
import json
import winrm  # pywinrm

# When self.server carries no scheme or port, pywinrm builds the endpoint as
# http://<server>:5985/wsman, which matches the traffic seen on 5985;
# self.transport is the pywinrm transport name (e.g. 'kerberos')
winrm_session = winrm.Session(self.server, auth=(self.principal, self.password), transport=self.transport, server_cert_validation='ignore')
command = "gci"
run_ps = winrm_session.run_ps(command)
# std_out is bytes; json.loads accepts bytes on Python 3.6+
winrm_output = run_ps.std_out.decode('unicode-escape').encode('utf8')
winrm_output_json = json.loads(winrm_output)
Why is WinRM traffic directed to TCP port 5986 (SSL) or to TCP port 5985, even though Kerberos is used for the initial authentication and later for message transport? How can I determine the authentication, transport, etc. used for a particular WinRM query?

I found the difference between the WinRM traffic coming from Ansible and the WinRM traffic coming from Django/pywinrm while troubleshooting a firewall rule that seems to block WinRM queries depending on whether they come from Ansible or from Django/pywinrm.
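The port and the body protection are chosen on the client side, which is what the two captures above reflect: Ansible is told `ansible_winrm_scheme: https` and `ansible_port: 5986`, so its requests go to 5986 under TLS; the Django app hands pywinrm a bare hostname, so pywinrm defaults to `http://<host>:5985/wsman` and, because the transport is Kerberos, encrypts the SOAP body with the Kerberos session key instead (which is also why the endpoint's `AllowUnencrypted = false` still accepts it). The following is an added example, not code from the question, pywinrm or Ansible; it re-creates pywinrm's target-to-endpoint rule as the author of this example understands it (check it against the pywinrm version you run) and classifies what protects the body on the wire for the two clients in the question.

```python
"""Which port a WinRM request goes to, and what protects its body, is decided
by the client's target, scheme and transport, not by whether Kerberos is used
to authenticate.  Added example, not code from the question, pywinrm or
Ansible: it re-creates the endpoint rule pywinrm applies to a Session target
(an explicit scheme or port in the target is kept; otherwise http and 5985,
or https and 5986 only for transport='ssl') as this example's author
understands it, and classifies the on-wire protection."""
import re
from dataclasses import dataclass

_TARGET_RE = re.compile(
    r'^(?:(?P<scheme>https?)://)?(?P<host>[^:/]+)(?::(?P<port>\d+))?(?P<path>/.*)?$')

# Transports whose authentication yields a session key that the client uses to
# encrypt the SOAP body when it talks plain HTTP (pywinrm's
# message_encryption='auto' behaviour; Ansible's winrm plugin does the same).
WRAPPING_TRANSPORTS = {'kerberos', 'ntlm', 'credssp'}


def pywinrm_endpoint(target, transport='plaintext'):
    """Endpoint URL pywinrm derives from a Session target (assumed rule)."""
    m = _TARGET_RE.match(target)
    if not m:
        raise ValueError(f'unrecognised target: {target!r}')
    scheme = m['scheme'] or ('https' if transport == 'ssl' else 'http')
    port = m['port'] or ('5986' if transport == 'ssl' else '5985')
    path = (m['path'] or '/wsman').lstrip('/')
    return f"{scheme}://{m['host']}:{port}/{path}"


@dataclass(frozen=True)
class WireSummary:
    endpoint: str
    port: int
    transport: str
    body_protection: str   # 'tls', '<transport> message encryption' or 'none'
    accepted: bool         # would AllowUnencrypted on the endpoint let it through


def describe(endpoint, transport, allow_unencrypted=False):
    """Classify what protects the request body on the wire for an endpoint URL
    and a WinRM transport, given the server's AllowUnencrypted setting."""
    m = _TARGET_RE.match(endpoint)
    if not m:
        raise ValueError(f'unrecognised endpoint: {endpoint!r}')
    scheme = m['scheme'] or 'http'
    port = int(m['port']) if m['port'] else (5986 if scheme == 'https' else 5985)
    if scheme == 'https':
        protection = 'tls'
    elif transport in WRAPPING_TRANSPORTS:
        protection = f'{transport} message encryption'
    else:
        protection = 'none'
    return WireSummary(endpoint, port, transport, protection,
                       protection != 'none' or allow_unencrypted)


# The question's two clients (host names are the question's placeholders):
# Ansible with ansible_winrm_scheme=https, ansible_port=5986 and transport
# kerberos; the Django app handing pywinrm a bare host name with transport kerberos.
ANSIBLE_CASE = describe(pywinrm_endpoint('https://host.tld:5986/wsman', 'kerberos'), 'kerberos')
DJANGO_CASE = describe(pywinrm_endpoint('host.tld', 'kerberos'), 'kerberos')

if __name__ == '__main__':
    for label, case in (('ansible', ANSIBLE_CASE), ('django/pywinrm', DJANGO_CASE)):
        print(f'{label}: {case.endpoint} -> port {case.port}, '
              f'body protected by {case.body_protection}')
```

To make the Django app behave like the Ansible inventory, give pywinrm a full target such as `https://host.tld:5986/wsman` (the rule above keeps an explicit scheme and port); a bare host name with a Kerberos transport stays on 5985, and a firewall that only passes 5986 will block it.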