Commit Graph

72 Commits (2aa81bf05db0fa55a1c79263896787ac69cb7d5e)

Author SHA1 Message Date
David Norman 7963279fc2 Generate SHA256 signed certificates for WinRM (#36668)
* Generate SHA256 signed certificates

Vulnerability scanners are increasingly reporting SHA-1 signed certificates as a vulnerability on servers. Before this change, -ForceNewSSLCert generates a signature algorithm that openssl shows as sha1WithRSAEncryption for WinRM port 5986. After, this forces certificates to be signed with SHA256, which openssl shows as sha256WithRSAEncryption.

Some example SHA-1 deprecations include:
- https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2017/4010323
- https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/

Also note that RDP 3389 on Windows 2016 also defaults to a SHA256 certificate.

The specifics were merged from a script mod I found at https://gallery.technet.microsoft.com/scriptcenter/PowerShell-script-to-7a0321b7 intended for Exchange. It also includes a mod to add an alternate DNS listing so the cert contains CN=HOSTNAME plus now also an alternative of the FQDN.

I tested this change on Windows 2008R2, 2012R2, and 2016 Datacenter.

* Keep WinRM cert key length at 4096.

* Remove WinRM cert exportpolicy setting.
7 years ago
John Bond d72587084b Update example uptime script to provide correct type for explicit individual hosts (#34740) 7 years ago
Matt Clay 797664d9cb Python 2.6 `str.format()` compatibility fixes. 7 years ago
Erwan Quélin e3b49a7aeb Added possibility to disable basic auth (#33224) 7 years ago
Matt Davis 853fa8223a avoid use of Write-Host in config script 7 years ago
Matt Davis 898eead48f add GlobalHttpFirewallAccess arg (#34124) 7 years ago
Dag Wieers 1140d6ecd7 Explain -EnableCredSSP in header
The new Windows documentation references the top of this file for a list and explanation of options, however `-EnableCredSSP` was missing from this list.
7 years ago
Matt Martz 2b08e00a54 Update uptime.py example script with changes to the API. Fixes #31229 7 years ago
Simon Liddicott 3ceeb5124e Set startup type to automatic before attempting to start the service. Otherwise it will fail if the service is disabled. (#27751) 7 years ago
Toshio Kuratomi 87a192fe66 Fix one name in module error due to rewritten VariableManager 7 years ago
Abhijeet Kasurde b89cb95609 Fix spelling mistakes (comments only) (#25564)
Original Author : klemens <ka7@github.com>

Taking over previous PR as per
https://github.com/ansible/ansible/pull/23644#issuecomment-307334525

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
8 years ago
Dag Wieers ea27baf7ff examples/: PEP8 compliancy (#24682)
- Make PEP8 compliant
8 years ago
Nicolas Simond a40450d40a ConfigureRemotingForAnsible: RSA 1024 to RSA 4096 (#23684) 8 years ago
David PHAM-VAN 6a0fb4e3b6 Remove useless # in comment (#21609) 8 years ago
Matt Davis ba353b0f8f fix ambiguous cert selection in WinRM enable script (#21263)
Rather than trying to guess which cert we just generated, parse the generated cert data and extract the thumbprint directly.
8 years ago
Jordan Borean 719e1840da Added info on ntlm and credssp, updated configure script for credssp (#21175) 8 years ago
Dag Wieers 6de1f22c15 Add missing support for -CertValidityDays (#21009)
* Add missing support for -CertValidityDays

For some reason the -CertValidityDays option was not being used in the certificates we created.

This fixes #10439

* Possible fix

* We cannot use New-SelfSignedCertificate on 2012R2 and earlier

As suggested by @jhawkesworth
8 years ago
Dag Wieers 28060a4c47 Improve inline docs (#21029) 8 years ago
Matt Clay 10d9318de7 PEP 8 indent cleanup. (#20800)
* PEP 8 E121 cleanup.

* PEP 8 E126 cleanup.

* PEP 8 E122 cleanup.
8 years ago
Dag Wieers c94c53e8a4 Ensure that the script is run with elevated privileges (#20669)
* Ensure that the script is run with elevated privileges

This fixes #20654

* Implement our own check for elevated privileges
8 years ago
Dag Wieers e64ef8b0ab Small fix for running using Invoke-Expression
A small fix suggested by a user for running ConfigureRemotingForAnsible.

This fixes #20512
8 years ago
Dag Wieers de21038feb Enable -Verbose and log to EventLog (#19909)
Instead of asking the user to type something prior to running the script, why not allow -Verbose on the command line directly.
Also log important events to EventLog, so that it can be traced e.g. when running via RunOnce mechanism.

The documentation is updated as well.
8 years ago
TaoBeier 6ec0369c26 fix indent (#20071) 8 years ago
Matt Clay 75c281debc Fix compile errors in scripts. 8 years ago
Matt Clay 0d46805979 Clean up shebangs for various files.
- Remove shebangs from:
  - ini files
  - unit tests
  - module_utils
  - plugins
  - module_docs_fragments
  - non-executable Makefiles
- Change non-modules from '/usr/bin/python' to '/usr/bin/env python'.
- Change '/bin/env' to '/usr/bin/env'.

Also removed main functions from unit tests (since they no longer
have a shebang) and fixed a python 3 compatibility issue with
update_bundled.py so it does not need to specify a python 2 shebang.

A script was added to check for unexpected shebangs in files.
This script is run during CI on Shippable.
8 years ago
nitzmahone ee080eddb5 adjust WinRM service configuration message text
fixes #17478
8 years ago
jlehtniemi-broadsoft 5864ae50c6 Start WinRM service automatically on reboot 8 years ago
Brian Coca 81a4164207 old yaml format has been long gone
script is not compatible with new yaml format so removing it to avoid confusion

(cherry picked from commit 52099224e632fe0a8b076774b22723fb73d19ea0)
8 years ago
Shota 47f715fb37 Fix some typos (#16498) 9 years ago
Cryptophobia 76a519fddc Update to ConfigureRemotingForAnsible.ps1 9 years ago
Matt Davis 840cda741d Merge pull request #12363 from breathe/devel
allow ConfigureRemotingForAnsible.ps1 script from public zone
9 years ago
Michael Crilly e9fe5f201f $SubjectName variable unused; clean up
Having used this script several times today, I came to notice the $SubjectName variable, being passed in via the CLI, is essentially ignored when generating the SSL certificates, rendering it useless. I believe it's a good idea to have it in place, so I've updated the script to reflect this.

I also cleaned up some random new lines throughout the file, and expanded on a comment.

It might be worth going a step further and commenting the file fully, as most people reviewing this file won't be familiar with PowerShell (like I wasn't until a few days ago). It could be helpful.
9 years ago
b4ldr 439baf004e update uptime script to use version 2.0 of the api 9 years ago
Nathaniel Cohen 8b6f8ff928 Document -SkipNetworkProfileCheck switch 9 years ago
Nathaniel Cohen be452c1b27 allow ConfigureRemotingForAnsible.ps1 script to function from 'public' adapters
The current script fails on machines which have network interfaces designated
as connected to "Public" networks (choices for network designation being
Private, Domain, Public).  This commit changes the script to NOT prevent winrm
initialization when device is connected to a "Public" network.
9 years ago
Marius Gedminas 823677b490 Replace .iteritems() with six.iteritems()
Replace .iteritems() with six.iteritems() everywhere except in
module_utils (because there's no 'six' on the remote host).  And except
in lib/ansible/galaxy/data/metadata_template.j2, because I'm not sure
six is available there.
9 years ago
nitzmahone 74694b2b0d moved WinRM setup script test after config 9 years ago
Willem Pienaar ac28652602 Fixed error handling for the enabling of PS Remoting 10 years ago
Chris Church 116109468c Merge pull request #9481 from cipress/patch-1
fixes powershell upgrade script to work on different System architectures.
10 years ago
Chris Church 2f7348fddf Update firewall rules, error handling, other comment/whitespace cleanup. 10 years ago
cipress c1fc0ca4fd Found issue on different System architecture.
On x86 systems it doesn't work, so starting at line 63 we check if the architecture is x86 or x64.
10 years ago
nathansoz f0004b1604 $powershellpath is called as ".$powershellpath"
$powershellpath is set to "C:\powershell" at line 27. This is fine, but on line 82 $powershellpath is called as ".$powershellpath\$filename". Because the path at line 27 is absolute, a period preceding the $powershellpath is not required at 82. It actually causes an error:

Start-Process : This command cannot be executed due to the error: Unknown error (0x80041002).
At C:\users\Nathan Sosnovske\Documents\ps2to3.ps1:81 char:14

Start-Process <<<< -FilePath ".$powershellpath\$filename" -ArgumentList /quiet
CategoryInfo : InvalidOperation: (:) [Start-Process], InvalidOperationException
FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.StartProcessCommand
Removing the period on line 82 before $powershellpath fixes this error.
10 years ago
Trond Hindenes d568966e2c Added script for configuring winrm for Ansible
The script can be used to set up a windows host with WinRM with the least possible effort.
11 years ago
Matt Martz 2316b7785c Make sure the doc stubs for windows modules have proper license headers 11 years ago
Chris Church 2654f7b200 Add copyright header to main winrm test playbook. 11 years ago
Chris Church 43236ca0ed Add basic tests for win_get_url and win_msi modules. 11 years ago
Don Schenck 618b47cd77 Added -Wait flag to Start-Process
Must wait in order for script to be available
11 years ago
Don Schenck 9c4220832a Start-Process
Debugging
11 years ago
Don Schenck 8012fdc448 Start-Process line was wrong
Fixed
11 years ago
Don Schenck e2f5d40a6b Changed launch
Using Start-Process
11 years ago