Cannot run against remote WinRM SSL systems #221

Closed
troyready opened this issue Nov 6, 2015 · 8 comments

@troyready
Contributor

When I attempt to run a simple inspec file (just contains the port 80 should not be open example from the readme), I get the following error:

troyready@myworkstation:~/myscripts$ ~/.chefdk/gem/ruby/2.1.0/bin/inspec exec inspec_recent_patching.rb -b winrm --user Administrator --host mywinhost.myorg.com --password "mypa33w#rd" --ssl --self-signed
/opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/winrm-1.3.4/lib/winrm/http/response_handler.rb:57:in `raise_if_auth_error': WinRM::WinRMAuthorizationError (WinRM::WinRMAuthorizationError)
    from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/winrm-1.3.4/lib/winrm/http/response_handler.rb:50:in `raise_if_error'
    from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/winrm-1.3.4/lib/winrm/http/response_handler.rb:35:in `parse_to_xml'
    from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/winrm-1.3.4/lib/winrm/http/transport.rb:50:in `send_request'
    from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/winrm-1.3.4/lib/winrm/winrm_service.rb:430:in `send_message'
    from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/winrm-1.3.4/lib/winrm/winrm_service.rb:126:in `open_shell'
    from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/winrm-transport-1.0.2/lib/winrm/transport/command_executor.rb:78:in `open'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/r-train-0.9.1/lib/train/transports/winrm_connection.rb:158:in `block in establish_shell'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/r-train-0.9.1/lib/train/transports/winrm_connection.rb:212:in `retryable'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/r-train-0.9.1/lib/train/transports/winrm_connection.rb:156:in `establish_shell'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/r-train-0.9.1/lib/train/transports/winrm_connection.rb:238:in `session'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/r-train-0.9.1/lib/train/transports/winrm_connection.rb:66:in `run_command'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/r-train-0.9.1/lib/train/extras/os_detect_windows.rb:60:in `detect_windows'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/r-train-0.9.1/lib/train/extras/os_common.rb:105:in `detect_family_type'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/r-train-0.9.1/lib/train/extras/os_common.rb:78:in `detect_family'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/r-train-0.9.1/lib/train/extras/os_common.rb:26:in `initialize'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/r-train-0.9.1/lib/train/transports/winrm_connection.rb:254:in `initialize'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/r-train-0.9.1/lib/train/transports/winrm_connection.rb:54:in `new'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/r-train-0.9.1/lib/train/transports/winrm_connection.rb:54:in `os'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/lib/resources/os.rb:16:in `[]'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/lib/resources/port.rb:26:in `initialize'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/lib/inspec/plugins/resource.rb:23:in `initialize'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/lib/inspec/profile_context.rb:74:in `new'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/lib/inspec/profile_context.rb:74:in `block (3 levels) in create_inner_dsl'
    from inspec_recent_patching.rb:1:in `load'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/lib/inspec/profile_context.rb:31:in `instance_eval'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/lib/inspec/profile_context.rb:31:in `load'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/lib/inspec/runner.rb:76:in `add_content'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/lib/inspec/runner.rb:57:in `block in add_tests'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/lib/inspec/runner.rb:56:in `each'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/lib/inspec/runner.rb:56:in `add_tests'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/bin/inspec:77:in `exec'
    from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/thor-0.19.1/lib/thor/command.rb:27:in `run'
    from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/thor-0.19.1/lib/thor/invocation.rb:126:in `invoke_command'
    from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/thor-0.19.1/lib/thor.rb:359:in `dispatch'
    from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/thor-0.19.1/lib/thor/base.rb:440:in `start'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/bin/inspec:109:in `<top (required)>'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/bin/inspec:23:in `load'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/bin/inspec:23:in `<main>'

I tried connecting directly with train though and I don't experience any errors:

require 'train'
train = Train.create(
  'winrm',
  host: 'mywinhost.myorg.com',
  user: 'Administrator',
  password: 'mypa33w#rd',
  ssl: true,
  self_signed: true
)
conn = train.connection
puts conn.run_command('ipconfig /all').stdout
conn.close

(^ outputs my ip info as expected)

I've tried debugging this for a bit and didn't come up with anything conclusive. Would greatly appreciate any advice/direction on troubleshooting it / improving the project.

@chris-rock
Contributor

Hi @troyready Thanks for the request. Could you do me a favor and try to output the config that is sent to train. See https://github.com/chef/inspec/blob/master/lib/inspec/backend.rb#L16 and add a p config to output the parameters that are sent to train.

@troyready
Contributor Author

Sure:

{"sudo"=>false, "sudo_options"=>"", "ssl"=>true, "self_signed"=>true, "format"=>"progress", "backend"=>"winrm", "user"=>"Administrator", "host"=>"mywinhost.myorg.com", "password"=>"mypa33w#rd", "logger"=>#<Logger:0x000000022a3b20 @progname=nil, @level=0, @default_formatter=#<Logger::Formatter:0x000000022a3a08 @datetime_format=nil>, @formatter=nil, @logdev=nil>}

@chris-rock
Contributor

@troyready That looks pretty good. Which Windows version are you using? Could you share the configuration that you have used for winrm?

@troyready
Contributor Author

Sure -- the one I've been testing is a Server 2012 system:

C:\Windows\system32>winrm get winrm/config
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 1800000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = * [Source="GPO"]
        IPv6Filter = * [Source="GPO"]
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true [Source="GPO"]
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 10
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 25
        MaxMemoryPerShellMB = 300
        MaxShellsPerUser = 30

C:\Windows\system32>winrm e winrm/config/listener
Listener [Source="GPO"]
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 192.168.0.150, 127.0.0.1, ::1, fe80::5efe:192.168.0.150%13,
fe80::8d9:f26b:f17f:608e%12

Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname = *.mysubdomain.myorg.com
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = a0 99 15 8c 40 82 c8 fd 12 e8 44 b1 49 08 90 98 63 ea 78 c5
    ListeningOn = 192.168.0.150, 127.0.0.1, ::1, fe80::5efe:192.168.0.150%13, fe80::8d9:f26b:f17f:608e%12

@troyready
Contributor Author

I've been testing this today a bit and I haven't been able to reproduce it in test-kitchen (everything works maddeningly fine). It seems that there's something specific to our domain-bound systems that's causing the issue. I'll keep investigating, but would of course appreciate any guidance in troubleshooting if you find the time.

@chris-rock
Contributor

@troyready As I got you, the system is working well with train. Please try to run inspec in shell mode. Let's see what error you get there.

bundle exec bin/inspec shell --host 54.29.103.59 --user Administrator --password 'pA$$w0rd' --backend winrm --ssl --self-signed

Welcome to the interactive Inspec Shell
To find out how to use it, type: usage

[1] pry(#<#<Class:0x007fce599edd90>>)> os[:family]
=> "windows"

@troyready
Contributor Author

Oh geez, this has ended up being user error, and it wasn't being displayed here because I was obfuscating the password being used. So sorry for bugging you with it.

It turned out that our password contained the string $4%& -- the ampersand was handled by putting quotes around the password, but the $4 was just being dropped silently (and I didn't notice the discrepancy in the size of the password when we were debugging the config before). Inspec is working properly for me now when I escape the password like \$4%\&
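
The quoting behaviour behind this finding, as an added example that is not part of the original thread: it shows what a program actually receives for each way of writing the password on the command line, and a length-only check that exposes a silently shortened secret. `SECRET`, `parse_word`, `shell_quote` and `same_length` are hypothetical names, and the sample password is constructed around the `$4%&` sequence mentioned above.

```shell
#!/bin/sh
# Added example. SECRET is a constructed sample built around the $4%& sequence
# from the thread; it is not a real credential.
SECRET='Corp$4%&pw'

# Parse one shell word the way a fresh prompt would and print the resulting
# argument. The child shell has no positional parameters, so $4 is unset there.
# It executes shell syntax: feed it constructed sample words only.
parse_word() {
  sh -c "printf '%s' $1"
}

# Quote an arbitrary string as a single-quoted shell word.
# An embedded ' becomes '\'' (close quote, escaped quote, reopen quote).
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Length-only comparison: detects a shortened secret without echoing the
# secret itself to a terminal or a log.
same_length() {
  [ "${#1}" -eq "${#2}" ]
}

# Four spellings of the same password as they would be typed after --password:
# double-quoted, single-quoted, backslash-escaped, and generated by shell_quote.
for word in '"Corp$4%&pw"' "'Corp\$4%&pw'" 'Corp\$4%\&pw' "$(shell_quote "$SECRET")"
do
  got=$(parse_word "$word")
  if same_length "$SECRET" "$got"; then
    echo "$word -> intact (${#got} chars)"
  else
    echo "$word -> altered (${#got} chars, expected ${#SECRET})"
  fi
done
```

Only the double-quoted spelling comes back shorter, because `$4` is expanded to an empty string before the program ever sees the argument.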

@chris-rock
Contributor

Thanks for sharing the finding @troyready. I am very happy that you resolved the issue. Do not hesitate to add a new issue if you find something that does not work as expected.

clintoncwolfe pushed a commit that referenced this issue Feb 7, 2018
Signed-off-by: Sam Cornwell <14048146+samcornwell@users.noreply.github.com>