Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added warning to psexec module #53690

Closed
wants to merge 4 commits into
base: devel
from

Conversation

Projects
None yet
3 participants
@Wilk42
Copy link

Wilk42 commented Mar 12, 2019

Update notes on psexec to include a security warning

+label: docsite_pr

SUMMARY

Documentation update to include security warning.

ISSUE TYPE
  • Docs Pull Request
COMPONENT NAME

psexec allows the use of psexec on windows machines.

ADDITIONAL INFORMATION

This is documented on https://github.com/jborean93/pypsexec which is referenced in the doc, however because of the security implications, it should be included on the module page.

Added warning to psexec module
Update notes on psexec to include a security warning

+label: docsite_pr
@ansibot

This comment has been minimized.

Copy link
Contributor

ansibot commented Mar 12, 2019

The test ansible-test sanity --test pep8 [explain] failed with 2 errors:

lib/ansible/modules/commands/psexec.py:206:161: E501 line too long (361 > 160 characters)
lib/ansible/modules/commands/psexec.py:206:362: W291 trailing whitespace

click here for bot help

@ansibot

This comment has been minimized.

Copy link
Contributor

ansibot commented Mar 12, 2019

Wilk42 added some commits Mar 12, 2019

updated psexec
Updated warning about security, fixed pep8 issue
@@ -203,6 +203,9 @@
see U(https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows).
- For more information on this module and the various host requirements, see
U(https://github.com/jborean93/pypsexec).
- Warning for use on hosts running Windows 7, Server 2008, or Server 2008 R2.

This comment has been minimized.

@jborean93

jborean93 Mar 12, 2019

Contributor

I'm ok with adding another warning but in reality this is already stated in the encrypt option description. Encryption is set to True by default and the module will fail if running on an older host that does not support SMB 3.x. They would have to explicitly set encrypt: no to get this working and therefore explicitly stating they don't care about encryption.

The docs even state

When setting to C(no), the packets are in plaintext and can be seen by anyone sniffing the network, any process options are included in this

Lastly the last sentence is somewhat not true

Updated Windows 2012 machines and newer using Psexec 2.1 and SMB 3.x do have their traffic encrypted.

All Server 2012 hosts have SMB 3.x installed so the updated part is not needed. This module uses an executable called PAExec which is an open source and distributable version of PsExec. Unfortunately it never implemented the encryption component of the service init payload which is why things are uncrypted without SMB 3.

This comment has been minimized.

@Wilk42

Wilk42 Mar 19, 2019

Author

I've removed the warning on 2012 machines as you advised, from what I had read they needed Psexec 2.1 as well, but that is likely for windows to windows as it was a warning from Microsoft.

Main reason for the change was that while it was in the documentation had come accross two clients using this module without realizing that it was passing passwords in plaintext. Just thought the information needed to be highlighted more.

This comment has been minimized.

@jborean93

jborean93 Mar 19, 2019

Contributor

from what I had read they needed Psexec 2.1 as well

This module does not use PsExec at all, it uses PAExec which is an open source and attributable binary that is like PsExec. The encryption support added in PsExec 2.1 is purely a PsExec specific function and is outside the scope of SMB.

Main reason for the change was that while it was in the documentation had come accross two clients using this module without realizing that it was passing passwords in plaintext

Honestly I don't see how, they need to explcitly set encrypt: no for this to happen, you would assume if you did that then you know things are not encrypted.

This comment has been minimized.

@Wilk42

Wilk42 Mar 20, 2019

Author

Going to get wireshark captures, will repopen when I have more information. Microsoft says it wouldn't be possible for the host to do it, and I tend to believe them on that, and its not to do with the paexec on the control node.

Removed warning on 2012 machines
Removed warning on 2012 machines

@Wilk42 Wilk42 closed this Mar 20, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.