winrm 2.1.3 → 2.2.0

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: ab6bcb370baa18dbd4e1b94d90511cd56d125b0a
4
- data.tar.gz: 6d9c7835ea837bab0450b4955955831fcdb73407
3
+ metadata.gz: 5339846f9181cf6fe697c0d33cd865d1a9a8aecb
4
+ data.tar.gz: 6780ada80472407f0946199c3162ce5c8fed97df
5
5
  SHA512:
6
- metadata.gz: ed23571d9ad2479542694df5217dfdbe82c4697a1f3844324ba9c11c0112a96e2ea047355e2bc173c8fff68c2432b020cdf30e7e3b40241c12190f80342b1309
7
- data.tar.gz: 2650558508f0a36ec2f20caf21d22a68fc743cb5942c731273f04f1000f9520d2bf51ddf1df410042c2f2bd83c3e0735b835a25e08510c344423d0cde5098212
6
+ metadata.gz: 44849b77e53db8a83bc9dbcc471fbb3fb2cddc809f32c4a516c8523660eb3609af2fb4b3bd04c6ff169a6ae9732c4d7b9b1afbd98e9fb0dfe7cfcb183604bc67
7
+ data.tar.gz: 89a535c6b28501f36f337c9b4b03926515117c2e0a0dcd25972a1d197e7a78e1f13f62dfd06212b14489011718386ac8c57dc8b27b0b6c5056b60ed1aef7e678
data/README.md CHANGED
@@ -1,263 +1,276 @@
1
- # Windows Remote Management (WinRM) for Ruby
2
- [![Build Status](https://travis-ci.org/WinRb/WinRM.svg?branch=master)](https://travis-ci.org/WinRb/WinRM)
3
- [![Gem Version](https://badge.fury.io/rb/winrm.svg)](http://badge.fury.io/rb/winrm)
4
- [![Build status](https://ci.appveyor.com/api/projects/status/ods9tvos78k5c15h?svg=true)](https://ci.appveyor.com/project/winrb/winrm)
5
-
6
- This is a SOAP library that uses the functionality in Windows Remote
7
- Management(WinRM) to call native object in Windows. This includes, but is
8
- not limited to, running batch scripts, powershell scripts and fetching WMI
9
- variables. For more information on WinRM, please visit [Microsoft's WinRM
10
- site](http://msdn.microsoft.com/en-us/library/aa384426.aspx).
11
-
12
- As of version 2.0, this gem retains the WinRM name but all powershell calls use the more modern [Powershell Remoting Protocol (PSRP)](https://msdn.microsoft.com/en-us/library/dd357801.aspx) for initializing runspace pools as well as creating and processing powershell pipelines.
13
-
14
- ## Supported Ruby Versions
15
- Ruby 2.0 or higher is required. If you need to use an older version of Ruby you'll need to use a 1.x version of this gem.
16
-
17
- ## Supported WinRM Versions
18
- WinRM 1.1 is supported, however 2.0 and higher is recommended. [See MSDN](http://technet.microsoft.com/en-us/library/ff520073.aspx) for information about WinRM versions and supported operating systems.
19
-
20
- ## Install
21
- `gem install -r winrm` then on the server `Enable-PSRemoting -Force` (already enabled on server operating systems 2012 and above) as admin
22
-
23
- ## Example
24
- ```ruby
25
- require 'winrm'
26
- opts = {
27
- endpoint: 'http://myhost:5985/wsman',
28
- user: 'administrator',
29
- password: 'Pass@word1'
30
- }
31
- conn = WinRM::Connection.new(opts)
32
- conn.shell(:powershell) do |shell|
33
- output = shell.run('$PSVersionTable') do |stdout, stderr|
34
- STDOUT.print stdout
35
- STDERR.print stderr
36
- end
37
- puts "The script exited with exit code #{output.exitcode}"
38
- end
39
- ```
40
-
41
- ## Connection Options
42
- There are various connection options you can specify upon initializing a WinRM connection object:
43
-
44
- * `:transport` - The type of underlying connection transport to use (more on this below). Defaults to `:negotiate`
45
- * `:locale` - The locale requested for response text formatting. This is the value sent in the `DataLocale` and `Locale` header values and defaults to `en-us`
46
- * `:max_envelope_size` - mazimum number of bytes expected for WinRM responses. This defaults to 153600
47
- * `:operation_timeout` - The maximum amount of time to wait for a response from the endpoint. This defaults to 60 seconds. Note that this will not "timeout" commands that exceed this amount of time to process, it just requires the endpoint to report the status of the command before the given amount of time passes.
48
- * `:receive_timeout` - The amount of time given to the underlying HTTP connection to respond before timing out. The defaults to 10 seconds longer than the `:operation_timeout`.
49
- * `:retry_limit` - the maximum number of times to retry opening a shell after failure. This defaults to 3.
50
- * `:retry_delay` - the amount of time to wait between retries and defaults to 10 seconds
51
- * `:user` - username used to authenticate over the `:transport`
52
- * `:password` - password used to authenticate over the `:transport`
53
-
54
- There are other options that may apply depending on the type of `:transport` used and are discussed below.
55
-
56
- ## Transports
57
-
58
- The transport used governs the authentication method used and the encryption level used for the underlying HTTP communication with the endpoint. The WinRM gem supports the following transport types:
59
-
60
- ### `:negotiate`
61
- ```ruby
62
- WinRM::Connection.new(
63
- endpoint: 'http://myhost:5985/wsman',
64
- transport: :negotiate,
65
- user: 'administrator',
66
- password: 'Pass@word1'
67
- )
68
- ```
69
-
70
- The `:negotiate` transport uses the [rubyntlm gem](https://github.com/WinRb/rubyntlm) to authenticate with the endpoint using the NTLM protocol. This uses an HTTP based connection but the SOAP message payloads are encrypted. If using HTTP (as opposed to HTTPS) this is the recommended transport. This is also the default transport used if none is specified in the connection options.
71
-
72
- ### `:ssl`
73
- ```ruby
74
- WinRM::Connection.new(
75
- endpoint: 'https://myhost:59856/wsman',
76
- transport: :ssl,
77
- user: 'administrator',
78
- password: 'Pass@word1'
79
- )
80
- ```
81
-
82
- The `:ssl` transport establishes a connection to the winrm endpoint over a secure sockets layer transport encrypting the entire message. Here are some additional connecion options available to `:ssl` connections:
83
-
84
- * `:client_cert` - Either a string path to a certificate `.pem` file or a `X509::Certificate` object. This along with an accompanying `:client_key` can be used in lieu of a `:user` and `:password`.
85
- * `:client_key` - the path to the private key file accompanying the above mentioned `:client_cert` or an `PKey::Pkey` object.
86
- * `:key_pass` - the optional password if necessary to access the `:client_cert`
87
- * `:no_ssl_peer_verification` - when set to `true` ssl certificate validation is not performed. With a self signed cert, its a match made in heaven!
88
- * `:ssl_peer_fingerprint` - when this is provided, normal certificate validation is skipped and instead the given fingerprint is matched against the certificate of the endpoint for verification.
89
- * `:ca_trust_path` - the path to a certificate `.pem` file to trust. Its similar to the `:ssl_peer_fingerprint` but contains the entire certificate to trust.
90
-
91
- ### `:kerberos`
92
- ```ruby
93
- WinRM::Connection.new(
94
- endpoint: 'http://myhost:5985/wsman',
95
- transport: :kerberos,
96
- realm: 'kerberos_realm'
97
- )
98
- ```
99
-
100
- Uses `:kerberos` to authenticate with the endpoint. These additional connection options may be used:
101
-
102
- * `:service` - kerberos service used to authenticate with the endpoint. Defaults to `HTTP`.
103
- * `:realm` - Kerberos realm to authenticate against.
104
-
105
- ### `:plaintext`
106
- Note: It is strongly recommended that you use `:negotiate` instead of `:plaintext`. As the name infers, the `:plaintext` transport includes authentication credentials in plain text.
107
- ```ruby
108
- WinRM::Connection.new(
109
- endpoint: 'http://myhost:5985/wsman',
110
- transport: :plaintext,
111
- user: 'administrator',
112
- password: 'Pass@word1',
113
- basic_auth_only: true
114
- )
115
- ```
116
-
117
- Additional supported connection options:
118
-
119
- * `:basic_auth_only` - Force basic authentication
120
- * `:disable_sspi` - Disable SSPI Negotiation authentication
121
-
122
- ## Shells
123
-
124
- As of the WinRM gem version 2, one creates a shell for executing commands by calling the `shell` method of a WinRM connection. There are two types of shells available:
125
-
126
- * `:cmd` - initiates a traditional cmd.exe shell via the WinRM protocol
127
- * `:powershell` - initiates a powershell runspace via the PSRP protocol
128
-
129
- Both shells support the same public methods: `:open`, `:close`, and `run`. Note that when given a shell, it is opened automatically upon executing the first command via `:run`. Further, `close` is called automatically when a `shell` is garbage collected or when using a shell from a block. However, it is always a good idea to proactively `close` a shell.
130
-
131
- ### Shell options supported by the `:cmd` shell
132
-
133
- ```
134
- shell_opts = {
135
- env_vars: { 'FOO' => 'BAR' }
136
- }
137
- conn = WinRM::Connection.new(opts)
138
- shell = conn.shell(:cmd, shell_opts)
139
- ```
140
-
141
- The `:cmd` shell supports a number of shell options that you can specify for the shell. There are safe defaults for all shell options and chances are that you will not need to override any of them. The available options are listed below.
142
-
143
- * `:shell_uri` - WSMAN Resource URI. Defaults to `http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd` and you should not change this unless you hold the keys to the portal of eternity.
144
- * `:i_stream` - A simple token list of all input streams the client will be using during execution. The only supported stream and the default is `stdin`.
145
- * `:o_stream` - A simple token list of all output streams expected by the client. The supported streams and the defaults are `stdout` and `stderr`.
146
- * `:codepage` - The `WINRS_CODEPAGE` which is the client's console output code page. The default is 65001 (UTF-8).
147
- * `:noprofile` - The `WINRS_NOPROFILE` if set to `TRUE`, this option specifies that the user profile does not exist on the remote system and that the default profile should be used. By default, the value is `FALSE`.
148
- * `:working_directory` - the starting directory that the Shell is to use for initialization.
149
- * `:idle_timeout` - The remote winrm service will close and terminate the shell instance if it is idle for this many seconds. If the Shell is reused within this time limit, the countdown timer is reset once the command sequence is completed.
150
- * `:env_vars` - a hash of EnvironmentVariable key/values, the starting set of environment variables that the Shell will use.
151
-
152
- ### `:codepage` and working with legacy Windows versions
153
-
154
- When using the `:cmd` shell, the default codepage used is `65001`. This works best accross locales on "modern" versions of Windows (Windows 7/Server 2008 R2 and later). Older versions may exhibit undesirable behavior under the 65001 codepage. The most common symptom is that commands invoking executables will return immediately with no output or errors.
155
-
156
- When using these older versions of Windows, its best to use the native code page of the server's locale. For example, en-US servers will have a codepage of `437`. The `chcp` command can be used to determine the value of the native codepage.
157
-
158
- ## Executing a WQL Query
159
- ```ruby
160
- opts = {
161
- endpoint: 'http://myhost:5985/wsman',
162
- user: 'administrator',
163
- password: 'Pass@word1'
164
- }
165
- conn = WinRM::Connection.new(opts)
166
-
167
- out = conn.run_wql('select * from Win32_OperatingSystem')
168
- output_caption = out[:win32_operating_system][0][:caption]
169
- ```
170
-
171
- ## Create a self signed cert for WinRM
172
- You may want to create a self signed certificate for servicing https WinRM connections. You can use the following PowerShell script to create a cert and enable the WinRM HTTPS listener. Unless you are running windows server 2012 R2 or later, you must install makecert.exe from the Windows SDK, otherwise use `New-SelfSignedCertificate`.
173
-
174
- ```powershell
175
- $hostname = $Env:ComputerName
176
-
177
- C:\"Program Files"\"Microsoft SDKs"\Windows\v7.1\Bin\makecert.exe -r -pe -n "CN=$hostname,O=vagrant" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 "$hostname.cer"
178
-
179
- $thumbprint = (& ls cert:LocalMachine/my).Thumbprint
180
-
181
- # Windows 2012R2 and above can use New-SelfSignedCertificate
182
- $thumbprint = (New-SelfSignedCertificate -DnsName $hostname -CertStoreLocation cert:\LocalMachine\my).Thumbprint
183
-
184
- $cmd = "winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname=`"$hostname`";CertificateThumbprint=`"$thumbprint`"}'"
185
- iex $cmd
186
- ```
187
-
188
- ## Setting up Certificate based authentication
189
- Perform the following steps to authenticate with a certificate instead of a username and password:
190
-
191
- 1. Generate a certificate with an Extended Key Usage of Client Authentication and a Subject Alternative Name with the UPN of the user. See this [powershell function](https://github.com/WinRb/WinRM/blob/master/WinrmAppveyor.psm1#L1) as an example of using `openssl` to create a self signed user certificate in `.pem` and `.pfx` formats along with the private key file.
192
-
193
- 2. Import the pfx file into the `TrustedPeople` directory of the `LocalMachine` certificate store on the windows endpoint.
194
-
195
- 3. Import the issuing certificate authority certificate in the endpoint's `Root` certificates. If your client certificate is self signed, this will be the client certificate.
196
-
197
- 4. Enable certificate authentication on the endpoint: `Set-Item -Path WSMan:\localhost\Service\Auth\Certificate -Value $true`
198
-
199
- 5. Add a winrm user mapping for the issuing certificate: `New-Item -Path WSMan:\localhost\ClientCertificate -Subject <user UPN> -URI * -Issuer <issuing certificate thumbprint> -Credential (Get-Credential) -Force`
200
-
201
- See [this post](http://www.hurryupandwait.io/blog/certificate-password-less-based-authentication-in-winrm) for more details on certificate authentication.
202
-
203
- ## Logging
204
- The `WinRM::Connection` exposes a `logger` attribute and uses the [logging](https://rubygems.org/gems/logging) gem to manage logging behavior. By default this appends to `STDOUT` and has a level of `:warn`, but one can adjust the level or add additional appenders.
205
- ```ruby
206
- conn = WinRM::Connection.new(opts)
207
-
208
- # suppress warnings
209
- conn.logger.level = :error
210
-
211
- # Log to a file
212
- conn.logger.add_appenders(Logging.appenders.file('error.log'))
213
- ```
214
-
215
- If a consuming application uses its own logger that complies to the logging API, you can simply swap it in:
216
- ```ruby
217
- conn.logger = my_logger
218
- ```
219
-
220
- ## Troubleshooting
221
- You may have some errors like ```WinRM::WinRMAuthorizationError```. See [this post](http://www.hurryupandwait.io/blog/understanding-and-troubleshooting-winrm-connection-and-authentication-a-thrill-seekers-guide-to-adventure) for tips and troubleshooting steps related to winrm connection and authentication issues.
222
-
223
- ## Contributing
224
-
225
- 1. Fork it.
226
- 2. Create a branch (git checkout -b my_feature_branch)
227
- 3. Run the unit and integration tests (bundle exec rake integration)
228
- 4. Commit your changes (git commit -am "Added a sweet feature")
229
- 5. Push to the branch (git push origin my_feature_branch)
230
- 6. Create a pull requst from your branch into master (Please be sure to provide enough detail for us to cipher what this change is doing)
231
-
232
- ### Running the tests
233
-
234
- We use Bundler to manage dependencies during development.
235
-
236
- ```
237
- $ bundle install
238
- ```
239
-
240
- Once you have the dependencies, you can run the unit tests with `rake`:
241
-
242
- ```
243
- $ bundle exec rake spec
244
- ```
245
-
246
- To run the integration tests you will need a Windows box with the WinRM service properly configured. Its easiest to use a Vagrant Windows box (mwrock/Windows2012R2 is public on [atlas](https://atlas.hashicorp.com/mwrock/boxes/Windows2012R2) with an evaluation version of Windows 2012 R2). You can also use `mwrock/WindowsNano` provided in this repo's `Vagrantfile`.
247
-
248
- 1. Create a Windows VM with WinRM configured (see above).
249
- 2. Copy the config-example.yml to config.yml - edit this file with your WinRM connection details.
250
- 3. Run `bundle exec rake integration`
251
-
252
- ## WinRM Author
253
- * Twitter: [@zentourist](https://twitter.com/zentourist)
254
- * BLOG: [http://distributed-frostbite.blogspot.com/](http://distributed-frostbite.blogspot.com/)
255
- * Add me in LinkedIn: [http://www.linkedin.com/in/danwanek](http://www.linkedin.com/in/danwanek)
256
- * Find me on irc.freenode.net in #ruby-lang (zenChild)
257
-
258
- ## Maintainers
259
- * Paul Morton (https://github.com/pmorton)
260
- * Shawn Neal (https://github.com/sneal)
261
- * Matt Wrock (https://github.com/mwrock)
262
-
263
- [Contributors](https://github.com/WinRb/WinRM/graphs/contributors)
1
+ # Windows Remote Management (WinRM) for Ruby
2
+ [![Build Status](https://travis-ci.org/WinRb/WinRM.svg?branch=master)](https://travis-ci.org/WinRb/WinRM)
3
+ [![Gem Version](https://badge.fury.io/rb/winrm.svg)](http://badge.fury.io/rb/winrm)
4
+ [![Build status](https://ci.appveyor.com/api/projects/status/ods9tvos78k5c15h?svg=true)](https://ci.appveyor.com/project/winrb/winrm)
5
+
6
+ This is a SOAP library that uses the functionality in Windows Remote
7
+ Management(WinRM) to call native object in Windows. This includes, but is
8
+ not limited to, running batch scripts, powershell scripts and fetching WMI
9
+ variables. For more information on WinRM, please visit [Microsoft's WinRM
10
+ site](http://msdn.microsoft.com/en-us/library/aa384426.aspx).
11
+
12
+ As of version 2.0, this gem retains the WinRM name but all powershell calls use the more modern [Powershell Remoting Protocol (PSRP)](https://msdn.microsoft.com/en-us/library/dd357801.aspx) for initializing runspace pools as well as creating and processing powershell pipelines.
13
+
14
+ ## Supported Ruby Versions
15
+ Ruby 2.0 or higher is required. If you need to use an older version of Ruby you'll need to use a 1.x version of this gem.
16
+
17
+ ## Supported WinRM Versions
18
+ WinRM 1.1 is supported, however 2.0 and higher is recommended. [See MSDN](http://technet.microsoft.com/en-us/library/ff520073.aspx) for information about WinRM versions and supported operating systems.
19
+
20
+ ## Install
21
+ `gem install -r winrm` then on the server `Enable-PSRemoting -Force` (already enabled on server operating systems 2012 and above) as admin
22
+
23
+ ## Example
24
+ ```ruby
25
+ require 'winrm'
26
+ opts = {
27
+ endpoint: 'http://myhost:5985/wsman',
28
+ user: 'administrator',
29
+ password: 'Pass@word1'
30
+ }
31
+ conn = WinRM::Connection.new(opts)
32
+ conn.shell(:powershell) do |shell|
33
+ output = shell.run('$PSVersionTable') do |stdout, stderr|
34
+ STDOUT.print stdout
35
+ STDERR.print stderr
36
+ end
37
+ puts "The script exited with exit code #{output.exitcode}"
38
+ end
39
+ ```
40
+
41
+ ## Connection Options
42
+ There are various connection options you can specify upon initializing a WinRM connection object:
43
+
44
+ * `:transport` - The type of underlying connection transport to use (more on this below). Defaults to `:negotiate`
45
+ * `:locale` - The locale requested for response text formatting. This is the value sent in the `DataLocale` and `Locale` header values and defaults to `en-us`
46
+ * `:max_envelope_size` - mazimum number of bytes expected for WinRM responses. This defaults to 153600
47
+ * `:operation_timeout` - The maximum amount of time to wait for a response from the endpoint. This defaults to 60 seconds. Note that this will not "timeout" commands that exceed this amount of time to process, it just requires the endpoint to report the status of the command before the given amount of time passes.
48
+ * `:receive_timeout` - The amount of time given to the underlying HTTP connection to respond before timing out. The defaults to 10 seconds longer than the `:operation_timeout`.
49
+ * `:retry_limit` - the maximum number of times to retry opening a shell after failure. This defaults to 3.
50
+ * `:retry_delay` - the amount of time to wait between retries and defaults to 10 seconds
51
+ * `:user` - username used to authenticate over the `:transport`
52
+ * `:password` - password used to authenticate over the `:transport`
53
+
54
+ There are other options that may apply depending on the type of `:transport` used and are discussed below.
55
+
56
+ ## Transports
57
+
58
+ The transport used governs the authentication method used and the encryption level used for the underlying HTTP communication with the endpoint. The WinRM gem supports the following transport types:
59
+
60
+ ### `:negotiate`
61
+ ```ruby
62
+ WinRM::Connection.new(
63
+ endpoint: 'http://myhost:5985/wsman',
64
+ transport: :negotiate,
65
+ user: 'administrator',
66
+ password: 'Pass@word1'
67
+ )
68
+ ```
69
+
70
+ The `:negotiate` transport uses the [rubyntlm gem](https://github.com/WinRb/rubyntlm) to authenticate with the endpoint using the NTLM protocol. This uses an HTTP based connection but the SOAP message payloads are encrypted. If using HTTP (as opposed to HTTPS) this is the recommended transport. This is also the default transport used if none is specified in the connection options.
71
+
72
+ ### `:ssl`
73
+ ```ruby
74
+ WinRM::Connection.new(
75
+ endpoint: 'https://myhost:59856/wsman',
76
+ transport: :ssl,
77
+ user: 'administrator',
78
+ password: 'Pass@word1'
79
+ )
80
+ ```
81
+
82
+ The `:ssl` transport establishes a connection to the winrm endpoint over a secure sockets layer transport encrypting the entire message. Here are some additional connecion options available to `:ssl` connections:
83
+
84
+ * `:client_cert` - Either a string path to a certificate `.pem` file or a `X509::Certificate` object. This along with an accompanying `:client_key` can be used in lieu of a `:user` and `:password`.
85
+ * `:client_key` - the path to the private key file accompanying the above mentioned `:client_cert` or an `PKey::Pkey` object.
86
+ * `:key_pass` - the optional password if necessary to access the `:client_cert`
87
+ * `:no_ssl_peer_verification` - when set to `true` ssl certificate validation is not performed. With a self signed cert, its a match made in heaven!
88
+ * `:ssl_peer_fingerprint` - when this is provided, normal certificate validation is skipped and instead the given fingerprint is matched against the certificate of the endpoint for verification.
89
+ * `:ca_trust_path` - the path to a certificate `.pem` file to trust. Its similar to the `:ssl_peer_fingerprint` but contains the entire certificate to trust.
90
+
91
+ ### `:kerberos`
92
+ ```ruby
93
+ WinRM::Connection.new(
94
+ endpoint: 'http://myhost:5985/wsman',
95
+ transport: :kerberos,
96
+ realm: 'kerberos_realm'
97
+ )
98
+ ```
99
+
100
+ Uses `:kerberos` to authenticate with the endpoint. These additional connection options may be used:
101
+
102
+ * `:service` - kerberos service used to authenticate with the endpoint. Defaults to `HTTP`.
103
+ * `:realm` - Kerberos realm to authenticate against.
104
+
105
+ ### `:plaintext`
106
+ Note: It is strongly recommended that you use `:negotiate` instead of `:plaintext`. As the name infers, the `:plaintext` transport includes authentication credentials in plain text.
107
+ ```ruby
108
+ WinRM::Connection.new(
109
+ endpoint: 'http://myhost:5985/wsman',
110
+ transport: :plaintext,
111
+ user: 'administrator',
112
+ password: 'Pass@word1',
113
+ basic_auth_only: true
114
+ )
115
+ ```
116
+
117
+ Additional supported connection options:
118
+
119
+ * `:basic_auth_only` - Force basic authentication
120
+ * `:disable_sspi` - Disable SSPI Negotiation authentication
121
+
122
+ ## Shells
123
+
124
+ As of the WinRM gem version 2, one creates a shell for executing commands by calling the `shell` method of a WinRM connection. There are two types of shells available:
125
+
126
+ * `:cmd` - initiates a traditional cmd.exe shell via the WinRM protocol
127
+ * `:powershell` - initiates a powershell runspace via the PSRP protocol
128
+
129
+ Both shells support the same public methods: `:open`, `:close`, and `run`. Note that when given a shell, it is opened automatically upon executing the first command via `:run`. Further, `close` is called automatically when a `shell` is garbage collected or when using a shell from a block. However, it is always a good idea to proactively `close` a shell.
130
+
131
+ ### Shell options supported by the `:cmd` shell
132
+
133
+ ```
134
+ shell_opts = {
135
+ env_vars: { 'FOO' => 'BAR' }
136
+ }
137
+ conn = WinRM::Connection.new(opts)
138
+ shell = conn.shell(:cmd, shell_opts)
139
+ ```
140
+
141
+ The `:cmd` shell supports a number of shell options that you can specify for the shell. There are safe defaults for all shell options and chances are that you will not need to override any of them. The available options are listed below.
142
+
143
+ * `:shell_uri` - WSMAN Resource URI. Defaults to `http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd` and you should not change this unless you hold the keys to the portal of eternity.
144
+ * `:i_stream` - A simple token list of all input streams the client will be using during execution. The only supported stream and the default is `stdin`.
145
+ * `:o_stream` - A simple token list of all output streams expected by the client. The supported streams and the defaults are `stdout` and `stderr`.
146
+ * `:codepage` - The `WINRS_CODEPAGE` which is the client's console output code page. The default is 65001 (UTF-8).
147
+ * `:noprofile` - The `WINRS_NOPROFILE` if set to `TRUE`, this option specifies that the user profile does not exist on the remote system and that the default profile should be used. By default, the value is `FALSE`.
148
+ * `:working_directory` - the starting directory that the Shell is to use for initialization.
149
+ * `:idle_timeout` - The remote winrm service will close and terminate the shell instance if it is idle for this many seconds. If the Shell is reused within this time limit, the countdown timer is reset once the command sequence is completed.
150
+ * `:env_vars` - a hash of EnvironmentVariable key/values, the starting set of environment variables that the Shell will use.
151
+
152
+ ### `:codepage` and working with legacy Windows versions
153
+
154
+ When using the `:cmd` shell, the default codepage used is `65001`. This works best accross locales on "modern" versions of Windows (Windows 7/Server 2008 R2 and later). Older versions may exhibit undesirable behavior under the 65001 codepage. The most common symptom is that commands invoking executables will return immediately with no output or errors.
155
+
156
+ When using these older versions of Windows, its best to use the native code page of the server's locale. For example, en-US servers will have a codepage of `437`. The `chcp` command can be used to determine the value of the native codepage.
157
+
158
+ ## Executing a WQL Query
159
+ ```ruby
160
+ opts = {
161
+ endpoint: 'http://myhost:5985/wsman',
162
+ user: 'administrator',
163
+ password: 'Pass@word1'
164
+ }
165
+ conn = WinRM::Connection.new(opts)
166
+
167
+ conn.run_wql('select * from Win32_Process') do |type, item|
168
+ puts "***#{type}:"
169
+ item.each { |k,v| puts "#{k}: #{v}" }
170
+ end
171
+ ```
172
+
173
+ This will output data for each process:
174
+
175
+ ```
176
+ ***win32_process:
177
+ caption: svchost.exe
178
+ command_line: C:\Windows\System32\svchost.exe -k termsvcs
179
+ ...
180
+ ```
181
+
182
+ `run_wql` takes an optional second parameter in case you need to use a custom namespace. `root/cimv2/*` is the default.
183
+
184
+ ## Create a self signed cert for WinRM
185
+ You may want to create a self signed certificate for servicing https WinRM connections. You can use the following PowerShell script to create a cert and enable the WinRM HTTPS listener. Unless you are running windows server 2012 R2 or later, you must install makecert.exe from the Windows SDK, otherwise use `New-SelfSignedCertificate`.
186
+
187
+ ```powershell
188
+ $hostname = $Env:ComputerName
189
+
190
+ C:\"Program Files"\"Microsoft SDKs"\Windows\v7.1\Bin\makecert.exe -r -pe -n "CN=$hostname,O=vagrant" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 "$hostname.cer"
191
+
192
+ $thumbprint = (& ls cert:LocalMachine/my).Thumbprint
193
+
194
+ # Windows 2012R2 and above can use New-SelfSignedCertificate
195
+ $thumbprint = (New-SelfSignedCertificate -DnsName $hostname -CertStoreLocation cert:\LocalMachine\my).Thumbprint
196
+
197
+ $cmd = "winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname=`"$hostname`";CertificateThumbprint=`"$thumbprint`"}'"
198
+ iex $cmd
199
+ ```
200
+
201
+ ## Setting up Certificate based authentication
202
+ Perform the following steps to authenticate with a certificate instead of a username and password:
203
+
204
+ 1. Generate a certificate with an Extended Key Usage of Client Authentication and a Subject Alternative Name with the UPN of the user. See this [powershell function](https://github.com/WinRb/WinRM/blob/master/WinrmAppveyor.psm1#L1) as an example of using `openssl` to create a self signed user certificate in `.pem` and `.pfx` formats along with the private key file.
205
+
206
+ 2. Import the pfx file into the `TrustedPeople` directory of the `LocalMachine` certificate store on the windows endpoint.
207
+
208
+ 3. Import the issuing certificate authority certificate in the endpoint's `Root` certificates. If your client certificate is self signed, this will be the client certificate.
209
+
210
+ 4. Enable certificate authentication on the endpoint: `Set-Item -Path WSMan:\localhost\Service\Auth\Certificate -Value $true`
211
+
212
+ 5. Add a winrm user mapping for the issuing certificate: `New-Item -Path WSMan:\localhost\ClientCertificate -Subject <user UPN> -URI * -Issuer <issuing certificate thumbprint> -Credential (Get-Credential) -Force`
213
+
214
+ See [this post](http://www.hurryupandwait.io/blog/certificate-password-less-based-authentication-in-winrm) for more details on certificate authentication.
215
+
216
+ ## Logging
217
+ The `WinRM::Connection` exposes a `logger` attribute and uses the [logging](https://rubygems.org/gems/logging) gem to manage logging behavior. By default this appends to `STDOUT` and has a level of `:warn`, but one can adjust the level or add additional appenders.
218
+ ```ruby
219
+ conn = WinRM::Connection.new(opts)
220
+
221
+ # suppress warnings
222
+ conn.logger.level = :error
223
+
224
+ # Log to a file
225
+ conn.logger.add_appenders(Logging.appenders.file('error.log'))
226
+ ```
227
+
228
+ If a consuming application uses its own logger that complies to the logging API, you can simply swap it in:
229
+ ```ruby
230
+ conn.logger = my_logger
231
+ ```
232
+
233
+ ## Troubleshooting
234
+ You may have some errors like ```WinRM::WinRMAuthorizationError```. See [this post](http://www.hurryupandwait.io/blog/understanding-and-troubleshooting-winrm-connection-and-authentication-a-thrill-seekers-guide-to-adventure) for tips and troubleshooting steps related to winrm connection and authentication issues.
235
+
236
+ ## Contributing
237
+
238
+ 1. Fork it.
239
+ 2. Create a branch (git checkout -b my_feature_branch)
240
+ 3. Run the unit and integration tests (bundle exec rake integration)
241
+ 4. Commit your changes (git commit -am "Added a sweet feature")
242
+ 5. Push to the branch (git push origin my_feature_branch)
243
+ 6. Create a pull requst from your branch into master (Please be sure to provide enough detail for us to cipher what this change is doing)
244
+
245
+ ### Running the tests
246
+
247
+ We use Bundler to manage dependencies during development.
248
+
249
+ ```
250
+ $ bundle install
251
+ ```
252
+
253
+ Once you have the dependencies, you can run the unit tests with `rake`:
254
+
255
+ ```
256
+ $ bundle exec rake spec
257
+ ```
258
+
259
+ To run the integration tests you will need a Windows box with the WinRM service properly configured. Its easiest to use a Vagrant Windows box (mwrock/Windows2012R2 is public on [atlas](https://atlas.hashicorp.com/mwrock/boxes/Windows2012R2) with an evaluation version of Windows 2012 R2). You can also use `mwrock/WindowsNano` provided in this repo's `Vagrantfile`.
260
+
261
+ 1. Create a Windows VM with WinRM configured (see above).
262
+ 2. Copy the config-example.yml to config.yml - edit this file with your WinRM connection details.
263
+ 3. Run `bundle exec rake integration`
264
+
265
+ ## WinRM Author
266
+ * Twitter: [@zentourist](https://twitter.com/zentourist)
267
+ * BLOG: [http://distributed-frostbite.blogspot.com/](http://distributed-frostbite.blogspot.com/)
268
+ * Add me in LinkedIn: [http://www.linkedin.com/in/danwanek](http://www.linkedin.com/in/danwanek)
269
+ * Find me on irc.freenode.net in #ruby-lang (zenChild)
270
+
271
+ ## Maintainers
272
+ * Paul Morton (https://github.com/pmorton)
273
+ * Shawn Neal (https://github.com/sneal)
274
+ * Matt Wrock (https://github.com/mwrock)
275
+
276
+ [Contributors](https://github.com/WinRb/WinRM/graphs/contributors)