Knife winrm via ssh gateway?

Hi there,

I am using the knife-windows plugin; it looks like I can bootstrap nodes through an ssh gateway, but I cannot execute a winrm command through an ssh gateway. Is that understanding correct? So the subcommand “knife winrm” has no ssh gateway option? I’m double checking because the rest of the knife-windows plugin seems to support ssh gateways.

If so, if the maintainers of the gem see this email can we work together so I can submit a patch that will allow this?

Thanks

James

The knife-windows plugin allows you to bootstrap Windows nodes via WinRM or via SSH. If you are using SSH as the transport, you can use an SSH gateway, but if you are using WinRM to bootstrap there is no such option. The same story exists for executing commands via WinRM through knife.

If you’d like to submit a pull request to add support for a WinRM gateway (which is possible, just not a common scenario in my experience), the project is https://github.com/opscode/knife-windows and is under active development. One downside of a WinRM gateway is that you might have to inject a username and password into the remote session, possibly exposing that password in memory in that process. If you have Kerberos delegation configured from the trusted gateway to the target node, that may be avoidable, but otherwise you might hit second-hop issues with the security context of the WinRM session.

Steve

Steven Murawski
Community Software Development Engineer @ Chef
Microsoft MVP - PowerShell
http://stevenmurawski.com

On January 9, 2015 at 10:30:56 AM, James Harrison (jharrison@alteryx.com) wrote:

Hi there,

I am using the knife-windows plugin; it looks like I can bootstrap nodes through an ssh gateway, but I cannot execute a winrm command through an ssh gateway. Is that understanding correct? So the subcommand “knife winrm” has no ssh gateway option? I’m double checking because the rest of the knife-windows plugin seems to support ssh gateways.

If so, if the maintainers of the gem see this email can we work together so I can submit a patch that will allow this?

Thanks

James

Hi Steven,

If you take a look at the knife windows bootstrap subcommand, you’ll note that you can use an ssh gateway as a tunnel through which you can execute winrm commands; that’s the kind of support I was thinking about for the knife winrm subcommand.

Thanks for the pointer on the cookbook! I’ll probably throw something together to allow ssh tunnels and see if the opscode folks think it’s useful.

Best

James

From: Steven Murawski [mailto:steven.murawski@gmail.com]
Sent: Monday, January 12, 2015 12:57 PM
To: James Harrison; chef@lists.opscode.com
Subject: Re: [chef] knife winrm via ssh gateway?

The knife-windows plugin allows you to bootstrap Windows nodes via WinRM or via SSH. If you are using SSH as the transport, you can use an SSH gateway, but if you are using WinRM to bootstrap there is no such option. The same story exists for executing commands via WinRM through knife.

If you’d like to submit a pull request to add support for a WinRM gateway (which is possible, just not a common scenario in my experience), the project is https://github.com/opscode/knife-windows and is under active development. One downside of a WinRM gateway is that you might have to inject a username and password into the remote session, possibly exposing that password in memory in that process. If you have Kerberos delegation configured from the trusted gateway to the target node, that may be avoidable, but otherwise you might hit second-hop issues with the security context of the WinRM session.

Steve

Steven Murawski
Community Software Development Engineer @ Chef
Microsoft MVP - PowerShell
http://stevenmurawski.com


James,

So, if you do knife bootstrap windows --help, you see a parameter for SSH tunnels, but the minute you do knife bootstrap windows winrm --help, you don’t.

WinRM gateways, in my experience, haven’t been much of a thing. Now, if you are talking about relaying WinRM via SSH forwarding, that’s another ball of wax.

But, by all means, if you can put together some example code - a pull request would be great. If you can’t (or don’t have time) still feel free to file an issue directly against the knife-windows project.

Steve

Steven Murawski
Community Software Development Engineer @ Chef
Microsoft MVP - PowerShell
http://stevenmurawski.com

On January 12, 2015 at 3:27:32 PM, James Harrison (jharrison@alteryx.com) wrote:

Hi Steven,

If you take a look at the knife windows bootstrap subcommand, you’ll note that you can use an ssh gateway as a tunnel through which you can execute winrm commands; that’s the kind of support I was thinking about for the knife winrm subcommand.

Thanks for the pointer on the cookbook! I’ll probably throw something together to allow ssh tunnels and see if the opscode folks think it’s useful.

Best

James
