GithubHelp home page GithubHelp logo

Comments (3)

K0nne avatar K0nne commented on May 29, 2024

Hi!

I tested the latest release against our own test server:

./check_by_powershell-linux-amd64 --version
check_by_powershell version 0.2.0 - 72488a89b2e9fcf36e244b3394687e23838af55f

Test1:

./check_by_powershell-linux-amd64 --host 'IP' --auth NTLM --user 'DOMAIN\\USR' --password 'PWD'  --icingacmd 'Invoke-IcingaCheckCPU'
./check_by_powershell-linux-amd64 --host 'FQDN' --auth NTLM --user 'DOMAIN\\USR' --password 'PWD'  --icingacmd 'Invoke-IcingaCheckCPU'

Here we get the following error:

UNKNOWN - execution failed: execution of remote cmd failed: http response error: 401 - invalid content type

Test2:

./check_by_powershell-linux-amd64 --host 'IP' --auth NTLM --user 'DOMAIN\USR' --password 'PWD'  --icingacmd 'Invoke-IcingaCheckCPU'
./check_by_powershell-linux-amd64 --host 'IP' --auth NTLM --user 'USR' --password 'PWD'  --icingacmd 'Invoke-IcingaCheckCPU'
./check_by_powershell-linux-amd64 --host 'FQDN' --auth NTLM --user 'DOMAIN\USR' --password 'PWD'  --icingacmd 'Invoke-IcingaCheckCPU'
./check_by_powershell-linux-amd64 --host 'FQDN' --auth NTLM --user 'USR' --password 'PWD'  --icingacmd 'Invoke-IcingaCheckCPU'

With the other spelling of the user we get this message:
UNKNOWN - execution failed: execution of remote cmd failed: Command has already been closed

We will investigate this with our colleagues.

from check_by_powershell.

lazyfrosch avatar lazyfrosch commented on May 29, 2024

This issue is only related to TLS Client Certificate authentication, and not any other TLS topic

from check_by_powershell.

brajjan avatar brajjan commented on May 29, 2024

We are currently testing out check_by_powershell in an attempt to migrate from NSClient++ and we have done some tests with certificate based auth - might be useful information for you so I'll post our results here..

All tests were made with the following version
check_by_powershell version 0.3.0

Certificate based auth is possible as long as you are connecting to a server that does not have TLS 1.3 activated. Windows Server 2022 is the only OS (right now) that have TLS 1.3 support and is enabled by default. When using TLS 1.3 the following error occurs

[user@server ~]# /home/user/check_by_powershell -H server2022.fqdn -p 5986 --cmd whoami --auth TLS --ca /home/user/ca.pem --cert /home/user/cert.pem --key /home/user/key.pem
WARN[0000] auth type is TLS, but TLS certificates are supplied
UNKNOWN - execution failed: execution of remote cmd failed: unknown error Post "https://server2022.fqdn:5986/wsman": read tcp [client-ip]:26210->[server-ip]:5986: read: connection reset by peer

The problem seems to reside within Windows and only when connecting using certificate. When using basic auth to connect to a TLS 1.3-activated server it all works fine.

[user@server~]# /home/user/check_by_powershell -H server2022.fqdn -p 5986 -U icingauser -P icingapass --cmd whoami --auth=basic --ca /home/user/ca.pem
server2022.fqdn\icingauser

And when using certificate based auth when TLS 1.3 has been disabled on the server

[user@server ~]# /home/user/check_by_powershell -H server2022.fqdn -p 5986 --cmd whoami --auth TLS --ca /home/user/ca.pem --cert /home/user/cert.pem --key /home/user/key.pem
WARN[0000] auth type is TLS, but TLS certificates are supplied
server2022.fqdn\icingauser

When investigating network traffic using wireshark it tries to use TLS 1.3 but server downgrades to TLS 1.2 and communication continues. No errors there, but for some reason the server terminates the session when using TLS 1.3 and certificate based auth.

To make check_by_powershell work with certificate based authentication on Windows Server 2022, you need to disable TLS 1.3. This can be done by modifying the registry

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -name 'Enabled' -value '0' –PropertyType 'DWORD'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -name 'DisabledByDefault' -value '1' –PropertyType 'DWORD'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -name 'Enabled' -value '0' –PropertyType 'DWORD'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -name 'DisabledByDefault' -value '1' –PropertyType 'DWORD'

A workaround could also be to make create a new parameter to force TLS 1.2. We did the tests with the winrm library rebuilt with MinVersion and MaxVersion set to TLS 1.2. But I think that the main issue is with Microsoft.. But it would be awesome if a newer release added the tls parameter

Another thing to mention is the warning that sould not occur when using auth TLS. WARN[0000] auth type is TLS, but TLS certificates are supplied

from check_by_powershell.

Related Issues (12)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.