psrp¶
Collection Note
This module is part of the ansible.builtin collection. To install the collection, use:
Added in version2.7.
You need further requirements to be able to use this module, see the Requirements section for details.
Synopsis¶
- Run commands or put/fetch on a target via PSRP (WinRM plugin)
- This is similar to the P(ansible.builtin.winrm#connection) connection plugin which uses the same underlying transport but instead runs in a PowerShell interpreter.
Requirements¶
The following Python packages are needed on the host that executes this module:
Parameters¶
| Parameter | Defaults / Choices | Comments |
|---|---|---|
| auth str |
Default: negotiate Choices: basic, certificate, negotiate, kerberos, ntlm, credssp |
The authentication protocol to use when authenticating the remote user. The default, V(negotiate), will attempt to use Kerberos (V(kerberos)) if it is available and fall back to NTLM (V(ntlm)) if it isn't. |
| ca_cert path |
The path to a PEM certificate chain to use when validating the server's certificate. This value is ignored if O(cert_validation) is set to V(ignore). |
|
| cert_validation str |
Default: validate Choices: validate, ignore |
Whether to validate the remote server's certificate or not. Set to V(ignore) to not validate any certificates. O(ca_cert) can be set to the path of a PEM certificate chain to use in the validation. |
| certificate_key_pem path |
The local path to an X509 certificate key to use with certificate auth. | |
| certificate_pem path |
The local path to an X509 certificate to use with certificate auth. | |
| configuration_name str |
Default: Microsoft.PowerShell |
The name of the PowerShell configuration endpoint to connect to. |
| connection_timeout int |
Default: 30 |
The connection timeout for making the request to the remote host. This is measured in seconds. |
| credssp_auth_mechanism str |
Default: auto Choices: auto, kerberos, ntlm |
The sub authentication mechanism to use with CredSSP auth. When V(auto), both Kerberos and NTLM is attempted with kerberos being preferred. |
| credssp_disable_tlsv1_2 bool |
Disables the use of TLSv1.2 on the CredSSP authentication channel. This should not be set to V(yes) unless dealing with a host that does not have TLSv1.2. |
|
| credssp_minimum_version int |
Default: 2 |
The minimum CredSSP server authentication version that will be accepted. Set to V(5) to ensure the server has been patched and is not vulnerable to CVE 2018-0886. |
| ignore_proxy bool |
Will disable any environment proxy settings and connect directly to the remote host. This option is ignored if O(proxy) is set. |
|
| max_envelope_size int |
Default: 153600 |
Sets the maximum size of each WSMan message sent to the remote host. This is measured in bytes. Defaults to C(150KiB) for compatibility with older hosts. |
| message_encryption str |
Default: auto Choices: auto, always, never |
Controls the message encryption settings, this is different from TLS encryption when O(protocol) is V(https). Only the auth protocols V(negotiate), V(kerberos), V(ntlm), and V(credssp) can do message encryption. The other authentication protocols only support encryption when V(protocol) is set to V(https). V(auto) means means message encryption is only used when not using TLS/HTTPS. V(always) is the same as V(auto) but message encryption is always used even when running over TLS/HTTPS. V(never) disables any encryption checks that are in place when running over HTTP and disables any authentication encryption processes. |
| negotiate_delegate bool |
Allow the remote user the ability to delegate it's credentials to another server, i.e. credential delegation. Only valid when Kerberos was the negotiated auth or was explicitly set as the authentication. Ignored when NTLM was the negotiated auth. |
|
| negotiate_hostname_override str |
Override the remote hostname when searching for the host in the Kerberos lookup. This allows Ansible to connect over IP but authenticate with the remote server using it's DNS name. Only valid when Kerberos was the negotiated auth or was explicitly set as the authentication. Ignored when NTLM was the negotiated auth. |
|
| negotiate_send_cbt bool |
Default: True |
Send the Channel Binding Token (CBT) structure when authenticating. CBT is used to provide extra protection against Man in the Middle C(MitM) attacks by binding the outer transport channel to the auth channel. CBT is not used when using just C(HTTP), only C(HTTPS). |
| negotiate_service str |
Default: WSMAN |
Override the service part of the SPN used during Kerberos authentication. Only valid when Kerberos was the negotiated auth or was explicitly set as the authentication. Ignored when NTLM was the negotiated auth. |
| operation_timeout int |
Default: 20 |
Sets the WSMan timeout for each operation. This is measured in seconds. This should not exceed the value for O(connection_timeout). |
| path str |
Default: wsman |
The URI path to connect to. |
| pipelining boolean |
Pipelining reduces the number of connection operations required to execute a module on the remote server, by executing many Ansible modules without actual file transfers. This can result in a very significant performance improvement when enabled. However this can conflict with privilege escalation (C(become)). For example, when using sudo operations you must first disable C(requiretty) in the sudoers file for the target hosts, which is why this feature is disabled by default. Env: ANSIBLE_PIPELINING |
|
| port int |
The port for PSRP to connect on the remote target. Default is V(5986) if O(protocol) is not defined or is V(https), otherwise the port is V(5985). |
|
| protocol str |
Choices: http, https | Set the protocol to use for the connection. Default is V(https) if O(port) is not defined or O(port) is not V(5985). |
| proxy str |
Set the proxy URL to use when connecting to the remote host. | |
| read_timeout int |
Default: 30 |
The read timeout for receiving data from the remote host. This value must always be greater than O(operation_timeout). This option requires pypsrp >= 0.3. This is measured in seconds. Version Added: 2.8 |
| reconnection_backoff int |
Default: 2 |
The backoff time to use in between reconnection attempts. (First sleeps X, then sleeps 2*X, then sleeps 4*X, ...) This is measured in seconds. The C(ansible_psrp_reconnection_backoff) variable was added in Ansible 2.9. Version Added: 2.8 |
| reconnection_retries int |
The number of retries on connection errors. Version Added: 2.8 |
|
| remote_addr str |
Default: inventory_hostname |
The hostname or IP address of the remote host. |
| remote_password str |
Authentication password for the O(remote_user). Can be supplied as CLI option. | |
| remote_user str |
The user to log in as. |
Authors¶
- Ansible Core Team