Do I need to worry about this?

Chris_F · October 21, 2015, 3:27pm

WARNING: You are using ‘–winrm-authentication-protocol negotiate’ with
’–winrm-transport plaintext’ on a non-Windows system which results in
unencrypted traffic. To avoid this warning and secure communication,
use ‘–winrm-transport ssl’ instead of the plaintext transport,
or execute this command from a Windows system which enables encrypted
communication over plaintext with the negotiate authentication protocol.

I’ve been using knife winrm to run chef-client for my Windows systems. I’m seeing this in chef-client v12.5.1.

Chris

A_Edwards · October 21, 2015, 3:44pm

Just to confirm Chris, are you running that from Mac or Linux? The message
is correct – your traffic is not encrypted. If you’re just using it for
local testing with a VM on the same system, that’s probably fine. If you’re
talking to a remote system, you should consider configuring your remote
node with an SSL WinRM listener and use the SSL transport to communicate
with it. Or if you can run the command from a Windows system, you’ll
knife-windows will use features of Windows auth libraries to encrypt your
traffic.

Note that if you had been using older versions of knife-windows without
this message in the past, you were probably doing one of two things:

  Using unencrypted traffic via the basic, rather than negotiate,

authentication mechanism. In the old knife-windows (prior to 1.0.0), the
default was ‘basic’, and would work as long as you configured basic auth on
your remote system. The default has been changed to ‘negotiate’, which is
more secure (credentials aren’t passed in clear text for instance).

a. You can revert to the old behavior of basic by specifying
--winrm-authentication-protocol basic on the knife-windows command line –
I believe that also makes the warning go away, though ideally it should
probably give a similar warning since basic is actually even less secure
than negotiate (the credentials themselves are clear text with basic).

b. So I don’t recommend reverting to basic J

  You could have been running from a Windows laptop – this uses the

negotiate protocol when you use the plaintext (not ssl) transport, AND
encrypts the traffic – encrypting the traffic is not currently feasible
outside of Windows because the implementation of encryption via neogitate
does not exist outside of the Windows platform.

So the things that changed recently are:

  Knife-windows 1.0.0 and later default to the negotiate protocol

(more secure) on all platforms

  Error messages were added to discourage the use of unencrypted

traffic and encourage users to adopt safer configurations.

github.com

chef/knife-windows/blob/v1.0.0/RELEASE_NOTES.md#negotiate-as-the-default-authentication-protocol

<!---
This file is reset every time a new release is done. The contents of this file are for the currently unreleased version.

Example Note:

## Example Heading
Details about the thing that changed that needs to get included in the Release Notes in markdown.
-->
# knife-windows 1.0.0 release notes:
This release of knife-windows includes new features to improve authentication,
simplify use of the WinRM SSL transport, install and download Chef
Client during bootstrap, and addresses compatibility issues with Chef Client 12.0.

You can install the new features using the `gem` command:

    gem install knife-windows

Due to dependency conflicts, to use knife-windows 1.0.0+ with ChefDK
0.6.2, you must also upgrade chef-provisioning to 1.2.0+ and update
the line referencing chef-provisioning in

This file has been truncated. show original

github.com

chef/knife-windows/blob/v1.0.0/README.md#platform-winrm-authentication-support

Knife Windows Plugin
====================
[![Build Status Master](https://travis-ci.org/chef/knife-windows.svg?branch=master)](https://travis-ci.org/chef/knife-windows)
[![Build Status Master](https://ci.appveyor.com/api/projects/status/github/chef/knife-windows?branch=master&svg=true&passingText=master%20-%20Ok&pendingText=master%20-%20Pending&failingText=master%20-%20Failing)](https://ci.appveyor.com/project/Chef/knife-windows/branch/master)

This plugin adds additional functionality to the Chef Knife CLI tool for
configuring / interacting with nodes running Microsoft Windows:

* Bootstrap of nodes via the [Windows Remote Management (WinRM)](http://msdn.microsoft.com/en-us/library/aa384426\(v=VS.85\).aspx) or SSH protocols
* Remote command execution using the WinRM protocol
* Utilities to configure WinRM SSL endpoints on managed nodes

## Subcommands

This plugin provides the following Knife subcommands. Specific command options can be found by invoking the subcommand with a `--help` flag

### knife winrm

The `winrm` subcommand allows you to invoke commands in parallel on a subset of the nodes in your infrastructure. The `winrm` subcommand uses the same syntax as the [search subcommand](https://docs.chef.io/knife_search.html); you could could find the uptime of all your web servers using the command:

This file has been truncated. show original

Topic		Replies	Views
Knife-windows 1.0.0.rc.0 Chef Infra (archive)	0	314	June 4, 2015
Released knife-windows 1.2.0 Chef Infra (archive)	0	476	January 26, 2016
[RESOLVED] Knife bootstrap Windows 2012 Chef Infra (archive)	1	571	August 10, 2018
How to manage Windows nodes from OS X while keeping an encrypted connection? Chef Infra (archive)	0	233	February 2, 2012
Knife winrm ssl verification Chef Infra (archive)	0	216	August 7, 2013

Do I need to worry about this?

Related Topics