psrp - auth options (#54705)
This commit is contained in:
parent
524160d8d1
commit
e56fb48873
2 changed files with 102 additions and 0 deletions
2
changelogs/fragments/psrp-options.yaml
Normal file
2
changelogs/fragments/psrp-options.yaml
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
bugfixes:
|
||||||
|
- psrp - Explicitly documented the extra auth options that could have been passed in - https://github.com/ansible/ansible/issues/54664
|
|
@ -157,6 +157,87 @@ options:
|
||||||
type: bool
|
type: bool
|
||||||
default: 'no'
|
default: 'no'
|
||||||
|
|
||||||
|
# auth options
|
||||||
|
certificate_key_pem:
|
||||||
|
description:
|
||||||
|
- The local path to an X509 certificate key to use with certificate auth.
|
||||||
|
vars:
|
||||||
|
- name: ansible_psrp_certificate_key_pem
|
||||||
|
certificate_pem:
|
||||||
|
description:
|
||||||
|
- The local path to an X509 certificate to use with certificate auth.
|
||||||
|
vars:
|
||||||
|
- name: ansible_psrp_certificate_pem
|
||||||
|
credssp_auth_mechanism:
|
||||||
|
description:
|
||||||
|
- The sub authentication mechanism to use with CredSSP auth.
|
||||||
|
- When C(auto), both Kerberos and NTLM is attempted with kerberos being
|
||||||
|
preferred.
|
||||||
|
choices:
|
||||||
|
- auto
|
||||||
|
- kerberos
|
||||||
|
- ntlm
|
||||||
|
default: auto
|
||||||
|
vars:
|
||||||
|
- name: ansible_psrp_credssp_auth_mechanism
|
||||||
|
credssp_disable_tlsv1_2:
|
||||||
|
description:
|
||||||
|
- Disables the use of TLSv1.2 on the CredSSP authentication channel.
|
||||||
|
- This should not be set to C(yes) unless dealing with a host that does not
|
||||||
|
have TLSv1.2.
|
||||||
|
default: no
|
||||||
|
type: bool
|
||||||
|
vars:
|
||||||
|
- name: ansible_psrp_credssp_disable_tlsv1_2
|
||||||
|
credssp_minimum_version:
|
||||||
|
description:
|
||||||
|
- The minimum CredSSP server authentication version that will be accepted.
|
||||||
|
- Set to C(5) to ensure the server has been patched and is not vulnerable
|
||||||
|
to CVE 2018-0886.
|
||||||
|
default: 2
|
||||||
|
type: int
|
||||||
|
vars:
|
||||||
|
- name: ansible_psrp_credssp_minimum_version
|
||||||
|
negotiate_delegate:
|
||||||
|
description:
|
||||||
|
- Allow the remote user the ability to delegate it's credentials to another
|
||||||
|
server, i.e. credential delegation.
|
||||||
|
- Only valid when Kerberos was the negotiated auth or was explicitly set as
|
||||||
|
the authentication.
|
||||||
|
- Ignored when NTLM was the negotiated auth.
|
||||||
|
vars:
|
||||||
|
- name: ansible_psrp_negotiate_delegate
|
||||||
|
negotiate_hostname_override:
|
||||||
|
description:
|
||||||
|
- Override the remote hostname when searching for the host in the Kerberos
|
||||||
|
lookup.
|
||||||
|
- This allows Ansible to connect over IP but authenticate with the remote
|
||||||
|
server using it's DNS name.
|
||||||
|
- Only valid when Kerberos was the negotiated auth or was explicitly set as
|
||||||
|
the authentication.
|
||||||
|
- Ignored when NTLM was the negotiated auth.
|
||||||
|
vars:
|
||||||
|
- name: ansible_psrp_negotiate_hostname_override
|
||||||
|
negotiate_send_cbt:
|
||||||
|
description:
|
||||||
|
- Send the Channel Binding Token (CBT) structure when authenticating.
|
||||||
|
- CBT is used to provide extra protection against Man in the Middle C(MitM)
|
||||||
|
attacks by binding the outer transport channel to the auth channel.
|
||||||
|
- CBT is not used when using just C(HTTP), only C(HTTPS).
|
||||||
|
default: yes
|
||||||
|
type: bool
|
||||||
|
vars:
|
||||||
|
- name: ansible_psrp_negotiate_send_cbt
|
||||||
|
negotiate_service:
|
||||||
|
description:
|
||||||
|
- Override the service part of the SPN used during Kerberos authentication.
|
||||||
|
- Only valid when Kerberos was the negotiated auth or was explicitly set as
|
||||||
|
the authentication.
|
||||||
|
- Ignored when NTLM was the negotiated auth.
|
||||||
|
default: WSMAN
|
||||||
|
vars:
|
||||||
|
- name: ansible_psrp_negotiate_service
|
||||||
|
|
||||||
# protocol options
|
# protocol options
|
||||||
operation_timeout:
|
operation_timeout:
|
||||||
description:
|
description:
|
||||||
|
@ -537,6 +618,16 @@ if ($bytes_read -gt 0) {
|
||||||
self._psrp_reconnection_retries = int(self.get_option('reconnection_retries'))
|
self._psrp_reconnection_retries = int(self.get_option('reconnection_retries'))
|
||||||
self._psrp_reconnection_backoff = float(self.get_option('reconnection_backoff'))
|
self._psrp_reconnection_backoff = float(self.get_option('reconnection_backoff'))
|
||||||
|
|
||||||
|
self._psrp_certificate_key_pem = self.get_option('certificate_key_pem')
|
||||||
|
self._psrp_certificate_pem = self.get_option('certificate_pem')
|
||||||
|
self._psrp_credssp_auth_mechanism = self.get_option('credssp_auth_mechanism')
|
||||||
|
self._psrp_credssp_disable_tlsv1_2 = self.get_option('credssp_disable_tlsv1_2')
|
||||||
|
self._psrp_credssp_minimum_version = self.get_option('credssp_minimum_version')
|
||||||
|
self._psrp_negotiate_send_cbt = self.get_option('negotiate_send_cbt')
|
||||||
|
self._psrp_negotiate_delegate = self.get_option('negotiate_delegate')
|
||||||
|
self._psrp_negotiate_hostname_override = self.get_option('negotiate_hostname_override')
|
||||||
|
self._psrp_negotiate_service = self.get_option('negotiate_service')
|
||||||
|
|
||||||
supported_args = []
|
supported_args = []
|
||||||
for auth_kwarg in AUTH_KWARGS.values():
|
for auth_kwarg in AUTH_KWARGS.values():
|
||||||
supported_args.extend(auth_kwarg)
|
supported_args.extend(auth_kwarg)
|
||||||
|
@ -558,6 +649,15 @@ if ($bytes_read -gt 0) {
|
||||||
no_proxy=self._psrp_ignore_proxy,
|
no_proxy=self._psrp_ignore_proxy,
|
||||||
max_envelope_size=self._psrp_max_envelope_size,
|
max_envelope_size=self._psrp_max_envelope_size,
|
||||||
operation_timeout=self._psrp_operation_timeout,
|
operation_timeout=self._psrp_operation_timeout,
|
||||||
|
certificate_key_pem=self._psrp_certificate_key_pem,
|
||||||
|
certificate_pem=self._psrp_certificate_pem,
|
||||||
|
credssp_auth_mechanism=self._psrp_credssp_auth_mechanism,
|
||||||
|
credssp_disable_tlsv1_2=self._psrp_credssp_disable_tlsv1_2,
|
||||||
|
credssp_minimum_version=self._psrp_credssp_minimum_version,
|
||||||
|
negotiate_send_cbt=self._psrp_negotiate_send_cbt,
|
||||||
|
negotiate_delegate=self._psrp_negotiate_delegate,
|
||||||
|
negotiate_hostname_override=self._psrp_negotiate_hostname_override,
|
||||||
|
negotiate_service=self._psrp_negotiate_service,
|
||||||
)
|
)
|
||||||
|
|
||||||
# Check if PSRP version supports newer read_timeout argument (needs pypsrp 0.3.0+)
|
# Check if PSRP version supports newer read_timeout argument (needs pypsrp 0.3.0+)
|
||||||
|
|
Loading…
Reference in a new issue