Comments (3)
Hi!
I tested the latest release against our own test server:
./check_by_powershell-linux-amd64 --version
check_by_powershell version 0.2.0 - 72488a89b2e9fcf36e244b3394687e23838af55f
Test1:
./check_by_powershell-linux-amd64 --host 'IP' --auth NTLM --user 'DOMAIN\\USR' --password 'PWD' --icingacmd 'Invoke-IcingaCheckCPU'
./check_by_powershell-linux-amd64 --host 'FQDN' --auth NTLM --user 'DOMAIN\\USR' --password 'PWD' --icingacmd 'Invoke-IcingaCheckCPU'
Here we get the following error:
UNKNOWN - execution failed: execution of remote cmd failed: http response error: 401 - invalid content type
Test2:
./check_by_powershell-linux-amd64 --host 'IP' --auth NTLM --user 'DOMAIN\USR' --password 'PWD' --icingacmd 'Invoke-IcingaCheckCPU'
./check_by_powershell-linux-amd64 --host 'IP' --auth NTLM --user 'USR' --password 'PWD' --icingacmd 'Invoke-IcingaCheckCPU'
./check_by_powershell-linux-amd64 --host 'FQDN' --auth NTLM --user 'DOMAIN\USR' --password 'PWD' --icingacmd 'Invoke-IcingaCheckCPU'
./check_by_powershell-linux-amd64 --host 'FQDN' --auth NTLM --user 'USR' --password 'PWD' --icingacmd 'Invoke-IcingaCheckCPU'
With the other spelling of the user we get this message:
UNKNOWN - execution failed: execution of remote cmd failed: Command has already been closed
We will investigate this with our colleagues.
from check_by_powershell.
This issue is only related to TLS Client Certificate authentication, and not any other TLS topic
from check_by_powershell.
We are currently testing out check_by_powershell
in an attempt to migrate from NSClient++ and we have done some tests with certificate based auth - might be useful information for you so I'll post our results here..
All tests were made with the following version
check_by_powershell version 0.3.0
Certificate based auth is possible as long as you are connecting to a server that does not have TLS 1.3 activated. Windows Server 2022 is the only OS (right now) that have TLS 1.3 support and is enabled by default. When using TLS 1.3 the following error occurs
[user@server ~]# /home/user/check_by_powershell -H server2022.fqdn -p 5986 --cmd whoami --auth TLS --ca /home/user/ca.pem --cert /home/user/cert.pem --key /home/user/key.pem
WARN[0000] auth type is TLS, but TLS certificates are supplied
UNKNOWN - execution failed: execution of remote cmd failed: unknown error Post "https://server2022.fqdn:5986/wsman": read tcp [client-ip]:26210->[server-ip]:5986: read: connection reset by peer
The problem seems to reside within Windows and only when connecting using certificate. When using basic auth to connect to a TLS 1.3-activated server it all works fine.
[user@server~]# /home/user/check_by_powershell -H server2022.fqdn -p 5986 -U icingauser -P icingapass --cmd whoami --auth=basic --ca /home/user/ca.pem
server2022.fqdn\icingauser
And when using certificate based auth when TLS 1.3 has been disabled on the server
[user@server ~]# /home/user/check_by_powershell -H server2022.fqdn -p 5986 --cmd whoami --auth TLS --ca /home/user/ca.pem --cert /home/user/cert.pem --key /home/user/key.pem
WARN[0000] auth type is TLS, but TLS certificates are supplied
server2022.fqdn\icingauser
When investigating network traffic using wireshark it tries to use TLS 1.3 but server downgrades to TLS 1.2 and communication continues. No errors there, but for some reason the server terminates the session when using TLS 1.3 and certificate based auth.
To make check_by_powershell
work with certificate based authentication on Windows Server 2022, you need to disable TLS 1.3. This can be done by modifying the registry
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -name 'Enabled' -value '0' –PropertyType 'DWORD'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -name 'DisabledByDefault' -value '1' –PropertyType 'DWORD'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -name 'Enabled' -value '0' –PropertyType 'DWORD'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -name 'DisabledByDefault' -value '1' –PropertyType 'DWORD'
A workaround could also be to make create a new parameter to force TLS 1.2. We did the tests with the winrm library rebuilt with MinVersion and MaxVersion set to TLS 1.2. But I think that the main issue is with Microsoft.. But it would be awesome if a newer release added the tls parameter
Another thing to mention is the warning that sould not occur when using auth TLS
. WARN[0000] auth type is TLS, but TLS certificates are supplied
from check_by_powershell.
Related Issues (12)
- Review, improve and test SSH connection
- Copyright Header HOT 1
- Default to NTLM auth
- Check configuration not visible in IcingaWeb2 HOT 1
- Support Powershell Remoting and JEA HOT 1
- No public/private key auth for SSH? HOT 1
- Rename the plugin HOT 5
- Auth Type NTLM is checked to match for NTML
- Enhancement: Usefull error messages
- results for different authentication methods with powershell methods HOT 2
- UNKNOWN - "http response error: 401 - invalid content type HOT 20
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from check_by_powershell.