WARNING: You are using ‘–winrm-authentication-protocol negotiate’ with
’–winrm-transport plaintext’ on a non-Windows system which results in
unencrypted traffic. To avoid this warning and secure communication,
use ‘–winrm-transport ssl’ instead of the plaintext transport,
or execute this command from a Windows system which enables encrypted
communication over plaintext with the negotiate authentication protocol.
I’ve been using knife winrm to run chef-client for my Windows systems. I’m seeing this in chef-client v12.5.1.
Just to confirm Chris, are you running that from Mac or Linux? The message
is correct – your traffic is not encrypted. If you’re just using it for
local testing with a VM on the same system, that’s probably fine. If you’re
talking to a remote system, you should consider configuring your remote
node with an SSL WinRM listener and use the SSL transport to communicate
with it. Or if you can run the command from a Windows system, you’ll
knife-windows will use features of Windows auth libraries to encrypt your
Note that if you had been using older versions of knife-windows without
this message in the past, you were probably doing one of two things:
Using unencrypted traffic via the basic, rather than negotiate,
authentication mechanism. In the old knife-windows (prior to 1.0.0), the
default was ‘basic’, and would work as long as you configured basic auth on
your remote system. The default has been changed to ‘negotiate’, which is
more secure (credentials aren’t passed in clear text for instance).
a. You can revert to the old behavior of basic by specifying --winrm-authentication-protocol basic on the knife-windows command line –
I believe that also makes the warning go away, though ideally it should
probably give a similar warning since basic is actually even less secure
than negotiate (the credentials themselves are clear text with basic).
b. So I don’t recommend reverting to basic J
You could have been running from a Windows laptop – this uses the
negotiate protocol when you use the plaintext (not ssl) transport, AND
encrypts the traffic – encrypting the traffic is not currently feasible
outside of Windows because the implementation of encryption via neogitate
does not exist outside of the Windows platform.
So the things that changed recently are:
Knife-windows 1.0.0 and later default to the negotiate protocol
(more secure) on all platforms
Error messages were added to discourage the use of unencrypted
traffic and encourage users to adopt safer configurations.