There was a recent post on Reddit about this... Here it is: https://www.reddit.com/r/PowerShell/comments/7qra9r/double_hop_solvers_and_resourcebased_kerberos/
CredSSP isn't really the best way to go about this. And I think this post should go on Git as Ansible needs a better way to cover double-hops. On Tuesday, January 30, 2018 at 3:13:46 PM UTC+5:30, Павел Полушин wrote: > > Hello. > I have security-related question. > In our environment we use ansible for application deployment. Ansible > playbooks running by jenkins. > Scope for deployment contains Windows-based servers (2008R2+). > In some cases we are facing with "double-hop" problem when passing > credentials is needed. > CredSSP is intended to solve problems like this but it's insecure ( > http://www.powershellmagazine.com/2014/03/06/accidental-sabotage-beware-of-credssp/ > ). > In common cases, credentials are being sent in clear text. Here is picture > http://www.powershellmagazine.com/wp-content/uploads/2014/03/image001.png/ > > I'm interested, is this problem solved in requests-credssp module? > (Credentials are stored from jenkins. Ansible connects to servers using > https.) > Does anyone tried to investigate it? > > -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To post to this group, send email to ansible-project@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/babf2969-bb33-4e49-a411-082dd4b5de17%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
