AWX 21.12.0 error : credssp: requests auth method is credssp, but requests-credssp is not installed #183

Open
3 of 9 tasks
clementbey opened this issue Feb 24, 2023 · 21 comments · May be fixed by #233
@clementbey

clementbey commented Feb 24, 2023

Please confirm the following

  • I agree to follow this project's code of conduct.
  • I have checked the current issues for duplicates.
  • I understand that AWX is open source software provided for free and that I might not receive a timely response.

Bug Summary

Cannot use CredSSP authentication for Windows with the latest 'awx-ee'

AWX version

21.12.0

Select the relevant components

  • UI
  • API
  • Docs
  • Collection
  • CLI
  • Other

Installation method

minikube

Modifications

no

Ansible version

No response

Operating system

Debian 11

Web browser

Firefox

Steps to reproduce

Hello there,
After upgrading from AWX 21.11 to 21.12.0 today, I can't use the 'awx-ee' image '21.12.0' and 'latest' for Windows authentication.
Here is the output:

{
  "unreachable": true,
  "msg": "credssp: requests auth method is credssp, but requests-credssp is not installed",
  "changed": false
}

Any idea?
If I set quay.io/ansible/awx-ee:21.11.0 to use the old image, it works perfectly.

Actual results

{
  "unreachable": true,
  "msg": "credssp: requests auth method is credssp, but requests-credssp is not installed",
  "changed": false
}

Additional information

No response

@Vosone

Vosone commented Feb 27, 2023

Have same.

@soeren-marnitz

We have the same issue.
Falling back to version 21.11.0 works perfectly.

@fosterseth fosterseth transferred this issue from ansible/awx Mar 1, 2023
@bsb-it

bsb-it commented Mar 1, 2023

Since 21.12.0 same problem here.
Files do not seem to be missing:
/var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/86/fs/usr/local/lib/python3.9/site-packages/spnego/_credssp.py
/var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/86/fs/usr/local/lib/python3.9/site-packages/spnego/_credssp_structures.py
/var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/86/fs/usr/local/lib/python3.9/site-packages/spnego/__pycache__/_credssp_structures.cpython-39.pyc
/var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/86/fs/usr/local/lib/python3.9/site-packages/spnego/__pycache__/_credssp.cpython-39.pyc

@austlane
Contributor

austlane commented Mar 1, 2023

AWX-EE 21.11.0 uses the ansible-runner (v2.12) container as the base. In the bindep.txt it seems that it installs the requests rpm package.

# bindep.txt
python38-requests [platform:centos-8 platform:rhel-8]

This was lost with the transition to AWX-EE 21.12.0, which is based on centos:9-stream (as ansible-runner images were never updated).

See:


Perhaps this package should be added back to the EE?

# bindep.txt Example
python3-requests [platform:centos-9]

This installs python3-requests in addition to the following dependencies:

  • python3-chardet
  • python3-idna
  • python3-pysocks
  • python3-six
  • python3-urllib3

This could potentially render some of the entries in awx-ee/_build/requirements.txt redundant.

@clementbey
Author

Same error with awx-ee:21.13.0

@bsb-it

bsb-it commented Mar 10, 2023

We've changed from CREDSSP to NTLM: now all OK.

@clementbey
Author

Same error with awx-ee:21.14.0

@keytechnologies

Same issue with awx 22.0.0

@nicolasStevenin

nicolasStevenin commented May 11, 2023

Up. Same issue with awx 22.2.0

@shrutebattlestargalactica

Are there any updates on this problem?

@fanuelsen

Same issue here too. CredSSP is pretty essential for setting up Windows VMs from scratch if you want to keep WinRM connections encrypted and secure.

@clementbey
Author

@relrod no news about this issue? :)
Same problem with 22.6.0 today. CredSSP is so essential for us.

@MonsterRick

MonsterRick commented Aug 5, 2023

I ended up constructing another Execution Environment (EE) to include credssp and the Windows collection.

I put the following in requirements.txt for credssp before building the EE. You need to modify other related files to include other functions you need.

example-pypi-package
pywinrm
pykerberos
requests
requests-credssp
requests-kerberos
pyVmomi

ref: https://github.com/kurokobo/awx-on-k3s/tree/main/builder

@fosterseth fosterseth mentioned this issue Aug 16, 2023
11 tasks
@alex-arzner-pro

Same problem with 22.7.0. Any updates?

@alex-arzner-pro

Same problem with 23.0.0.

@chronicc

chronicc commented Nov 9, 2023

As a workaround until upstream fixes this, installing the requests-credssp python package inside of the container resolves this issue for me. The package is also installed in quay.io/ansible/awx-ee:21.11.0.
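
An added example (not part of the thread, and not AWX or pywinrm code): the error message refers to the `requests-credssp` distribution, whose importable module is `requests_credssp`; that is separate from the pyspnego `spnego/_credssp.py` files listed earlier in the thread. The check below reports which WinRM auth methods an execution environment can use; the module mapping and every function name are assumptions made for this example.

```python
import importlib.util

# Assumed mapping (not from the thread): WinRM auth method -> top-level
# module that must be importable in the execution environment.
REQUIRED_MODULES = {
    "credssp": "requests_credssp",  # PyPI: requests-credssp
    "ntlm": "requests_ntlm",        # PyPI: requests-ntlm
}
# pyspnego ships spnego/_credssp.py; its presence alone is not enough.
LOOKALIKE = {"credssp": "spnego"}


def is_importable(name, find=importlib.util.find_spec):
    """True if `name` resolves to a module, without importing it."""
    try:
        return find(name) is not None
    except (ImportError, ValueError):
        return False


def check_auth_methods(find=importlib.util.find_spec):
    """Return {method: {"usable": bool, "note": str}} per auth method."""
    report = {}
    for method, module in REQUIRED_MODULES.items():
        usable = is_importable(module, find)
        note = ""
        lookalike = LOOKALIKE.get(method)
        if not usable and lookalike and is_importable(lookalike, find):
            note = (f"{lookalike} is present but {module} is not; "
                    f"install the package that provides {module}")
        report[method] = {"usable": usable, "note": note}
    return report


def constructed_finder(installed):
    """Fake find_spec over a constructed set of module names (for tests)."""
    return lambda name: object() if name in installed else None


if __name__ == "__main__":
    # Run inside the execution environment image to inspect it.
    for method, result in check_auth_methods().items():
        state = "ok" if result["usable"] else "MISSING"
        print(f"{method:8} {state} {result['note']}")
```

Running it as a build step of a custom execution environment makes a missing module fail the image build instead of the first Windows job.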

@metabsd

metabsd commented Jan 9, 2024

I have the same problem. I added requests-credssp to the list of pip packages and that fixed the problem.

@YacineAouabed

Hello,
Same issue here. Why can't you just add this pip module to the AWX EE image?
We have to work around that with quay.io/ansible/awx-ee:21.11.0

@relrod
Member

relrod commented Jan 12, 2024

I think we would take a PR for this if someone would like to submit one.

@shrutebattlestargalactica

credssp has known security risks with MITM attacks, so it's likely not something you’d normally want to use. But if you do, I’d recommend using docker to pull the awx-ee from their quay repo as your base image, then add a line at the end that runs your credssp installation, then push to your own container service and use this as your EE.

On Fri, Jan 12, 2024 at 3:36 AM Rick Elrod wrote: I think we would take a PR for this if someone would like to submit one.

@chronicc

I welcome the information about a potential security threat in credssp. However, it looks like the vulnerability has long been patched by Microsoft (https://support.microsoft.com/en-us/topic/credssp-updates-for-cve-2018-0886-5cbf9e5f-dc6d-744f-9e97-7ba400d6d3ea). I could not find any other information about currently active vulnerabilities in credssp.
If you happen to know of any, I'd like to know of them.

@chronicc chronicc linked a pull request Jan 27, 2024 that will close this issue