AWX 21.12.0 error : credssp: requests auth method is credssp, but requests-credssp is not installed

Open clementbey opened this issue 2 years ago • 21 comments

Please confirm the following

  • [X] I agree to follow this project's code of conduct.
  • [X] I have checked the current issues for duplicates.
  • [X] I understand that AWX is open source software provided for free and that I might not receive a timely response.

Bug Summary

Cannot use CredSSP authentication for Windows with the latest 'awx-ee'

AWX version

21.12.0

Select the relevant components

  • [ ] UI
  • [ ] API
  • [ ] Docs
  • [ ] Collection
  • [ ] CLI
  • [ ] Other

Installation method

minikube

Modifications

no

Ansible version

No response

Operating system

Debian 11

Web browser

Firefox

Steps to reproduce

Hello there, after upgrading from AWX 21.11 to 21.12.0 today, I can't use 'awx-ee' image '21.12.0' and 'latest' for Windows authentication. Here is the output:

{
  "unreachable": true,
  "msg": "credssp: requests auth method is credssp, but requests-credssp is not installed",
  "changed": false
}

Any idea? If I set quay.io/ansible/awx-ee:21.11.0 to use the old image, it works perfectly.

Actual results

{
  "unreachable": true,
  "msg": "credssp: requests auth method is credssp, but requests-credssp is not installed",
  "changed": false
}

Additional information

No response

clementbey avatar Feb 24 '23 13:02 clementbey

Have same.

Vosone avatar Feb 27 '23 10:02 Vosone

We have the same issue. Falling back to version 21.11.0 works perfectly.

soeren-marnitz avatar Feb 27 '23 14:02 soeren-marnitz

Since 21.12.0 same problem here. Files do not seem to be missing:

/var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/86/fs/usr/local/lib/python3.9/site-packages/spnego/_credssp.py
/var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/86/fs/usr/local/lib/python3.9/site-packages/spnego/_credssp_structures.py
/var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/86/fs/usr/local/lib/python3.9/site-packages/spnego/__pycache__/_credssp_structures.cpython-39.pyc
/var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/86/fs/usr/local/lib/python3.9/site-packages/spnego/__pycache__/_credssp.cpython-39.pyc

bsb-it avatar Mar 01 '23 18:03 bsb-it

AWX-EE 21.11.0 uses the ansible-runner (v2.12) container as the base. In the bindep.txt it seems that it installs the requests rpm package.

# bindep.txt
python38-requests [platform:centos-8 platform:rhel-8]

This was lost with the transition to AWX-EE 21.12.0, which is based on centos:9-stream (as ansible-runner images were never updated).

See:


Perhaps this package should be added back to the EE?

# bindep.txt Example
python3-requests [platform:centos-9]

This installs python3-requests in addition to the following dependencies:

  • python3-chardet
  • python3-idna
  • python3-pysocks
  • python3-six
  • python3-urllib3

This could potentially render some of the entries in awx-ee/_build/requirements.txt redundant.

austlane avatar Mar 01 '23 21:03 austlane

Same error with awx-ee:21.13.0

clementbey avatar Mar 10 '23 10:03 clementbey

We've changed from CREDSSP to NTLM: now all OK.

bsb-it avatar Mar 10 '23 13:03 bsb-it

Same error with awx-ee:21.14.0

clementbey avatar Apr 03 '23 08:04 clementbey

Same issue with awx 22.0.0

keytechnologies avatar Apr 13 '23 13:04 keytechnologies

Up. Same issue with awx 22.2.0

nicolasStevenin avatar May 11 '23 12:05 nicolasStevenin

Are there any updates on this problem?

Same issue here too, CredSSP is pretty essential for setting up Windows VMs from scratch if you want to keep WinRM connections encrypted and secure.

fanuelsen avatar Jun 28 '23 07:06 fanuelsen

@relrod no news about this issue? :) Same problem with 22.6.0 today, CredSSP is so essential for us

clementbey avatar Aug 01 '23 13:08 clementbey

I ended up constructing another Execution Environment (EE) to include credssp and the Windows collection.

I put the following in requirements.txt for credssp before building the EE. You need to modify other related files to include other functions you need.

example-pypi-package
pywinrm
pykerberos
requests
requests-credssp
requests-kerberos
pyVmomi

ref: https://github.com/kurokobo/awx-on-k3s/tree/main/builder

MonsterRick avatar Aug 05 '23 12:08 MonsterRick

Same problem with 22.7.0. Any updates?

alex-arzner-pro avatar Aug 29 '23 13:08 alex-arzner-pro

Same problem with 23.0.0.

alex-arzner-pro avatar Aug 30 '23 11:08 alex-arzner-pro

As a workaround until upstream fixes this, installing the requests-credssp python package inside of the container resolves this issue for me. The package is also installed in quay.io/ansible/awx-ee:21.11.0.

chronicc avatar Nov 09 '23 14:11 chronicc

I have the same problem. I added requests-credssp to the pip list and that fixed the problem.

metabsd avatar Jan 09 '24 14:01 metabsd

Hello, same issue here. Why can't you just add this pip module to the AWX EE image? We have to work around that with quay.io/ansible/awx-ee:21.11.0

YacineAouabed avatar Jan 11 '24 14:01 YacineAouabed

I think we would take a PR for this if someone would like to submit one.

relrod avatar Jan 12 '24 10:01 relrod

credssp has known security risks with MITM attacks so likely not something you’d normally want to use.

But if you do I’d recommend using docker to pull the awx-ee from their quay repo as your base image and then add a line at the end that runs your credssp installation then push to your own container service and use this as your EE

I welcome the information about a potential security threat in credssp. However it looks like the vulnerability has long been patched by Microsoft (https://support.microsoft.com/en-us/topic/credssp-updates-for-cve-2018-0886-5cbf9e5f-dc6d-744f-9e97-7ba400d6d3ea). I could not find any other information about currently active vulnerabilities in credssp. If you happen to know of any, I'd like to know of them.

chronicc avatar Jan 27 '24 15:01 chronicc
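
A preflight check for the custom-image workaround discussed in this thread, as an added example (not code from the thread or from the awx-ee project): it reports whether the interpreter inside an execution environment can import the module each WinRM transport needs, which is what the `requests-credssp is not installed` message is about, rather than whether CredSSP-related files exist somewhere on disk. The transport-to-package mapping and all function names are assumptions made for this example.

```python
import importlib.metadata
import importlib.util
import sys

# Assumed mapping (not taken from the thread): WinRM transport ->
# (module imported at connect time, pip distribution that provides it).
TRANSPORT_MODULES = {
    "credssp": ("requests_credssp", "requests-credssp"),
    "ntlm": ("requests_ntlm", "requests-ntlm"),
    "kerberos": ("kerberos", "pykerberos"),
}


def module_importable(module_name):
    """True if this interpreter can locate the module, without importing it."""
    try:
        return importlib.util.find_spec(module_name) is not None
    except (ImportError, ValueError):
        return False


def dist_version(dist_name):
    """Installed version of a distribution, or None if it is not installed."""
    try:
        return importlib.metadata.version(dist_name)
    except importlib.metadata.PackageNotFoundError:
        return None


def check_transports(transports, importable=module_importable, version=dist_version):
    """Return {transport: {"pip": name, "ok": bool, "version": str or None}}."""
    report = {}
    for transport in transports:
        if transport not in TRANSPORT_MODULES:
            raise ValueError(f"unknown transport: {transport!r}")
        module_name, dist_name = TRANSPORT_MODULES[transport]
        ok = importable(module_name)
        report[transport] = {"pip": dist_name, "ok": ok,
                             "version": version(dist_name) if ok else None}
    return report


def main(argv):
    report = check_transports(argv[1:] or ["credssp"])
    print(f"interpreter: {sys.executable}")
    for transport, info in report.items():
        state = f"ok ({info['version']})" if info["ok"] else f"MISSING, needs {info['pip']}"
        print(f"{transport}: {state}")
    return 0 if all(info["ok"] for info in report.values()) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the image's own `python3`, passing the transports your inventory uses (default `credssp`); the non-zero exit status can be used to fail an image build before AWX is pointed at the new EE.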