ansible.builtin.psrp (v2.16.5) — connection

Run tasks over Microsoft PowerShell Remoting Protocol

Added in version 2.7 of ansible.builtin

Authors: Ansible Core Team

Install Ansible via pip

Install with pip install ansible-core==2.16.5

Description

Run commands or put/fetch on a target via PSRP (WinRM plugin)

This is similar to the P(ansible.builtin.winrm#connection) connection plugin, which uses the same underlying transport; the difference is that this plugin runs commands in a PowerShell interpreter.


Requirements

Inputs

    
auth:
    choices:
    - basic
    - certificate
    - negotiate
    - kerberos
    - ntlm
    - credssp
    default: negotiate
    description:
    - The authentication protocol to use when authenticating the remote user.
    - The default, V(negotiate), will attempt to use Kerberos (V(kerberos)) if it is available
      and fall back to NTLM (V(ntlm)) if it isn't. Set V(kerberos) explicitly if a silent
      fallback to NTLM is not acceptable.
    type: str
    vars:
    - name: ansible_psrp_auth

path:
    default: wsman
    description:
    - The URI path to connect to.
    type: str
    vars:
    - name: ansible_psrp_path

port:
    description:
    - The port for PSRP to connect on the remote target.
    - Default is V(5986) if O(protocol) is not defined or is V(https), otherwise the port
      is V(5985).
    keyword:
    - name: port
    type: int
    vars:
    - name: ansible_port
    - name: ansible_psrp_port

proxy:
    description:
    - Set the proxy URL to use when connecting to the remote host.
    type: str
    vars:
    - name: ansible_psrp_proxy

ca_cert:
    aliases:
    - cert_trust_path
    description:
    - The path to a PEM certificate chain to use when validating the server's certificate.
    - This value is ignored if O(cert_validation) is set to V(ignore).
    type: path
    vars:
    - name: ansible_psrp_cert_trust_path
    - name: ansible_psrp_ca_cert

protocol:
    choices:
    - http
    - https
    description:
    - Set the protocol to use for the connection.
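    - Default is V(https) if O(port) is not defined or O(port) is not V(5985). Setting O(port)
      to V(5985) without also setting O(protocol) therefore selects V(http), which has no
      TLS layer; see O(message_encryption).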
    type: str
    vars:
    - name: ansible_psrp_protocol

pipelining:
    default: false
    description:
    - Pipelining reduces the number of connection operations required to execute a module
      on the remote server, by executing many Ansible modules without actual file transfers.
    - This can result in a very significant performance improvement when enabled.
    - However this can conflict with privilege escalation (become). For example, when
      using sudo operations you must first disable 'requiretty' in the sudoers file for
      the target hosts, which is why this feature is disabled by default.
    env:
    - name: ANSIBLE_PIPELINING
    ini:
    - key: pipelining
      section: defaults
    - key: pipelining
      section: connection
    type: boolean
    vars:
    - name: ansible_pipelining

remote_addr:
    default: inventory_hostname
    description:
    - The hostname or IP address of the remote host.
    type: str
    vars:
    - name: inventory_hostname
    - name: ansible_host
    - name: ansible_psrp_host

remote_user:
    description:
    - The user to log in as.
    keyword:
    - name: remote_user
    type: str
    vars:
    - name: ansible_user
    - name: ansible_psrp_user

ignore_proxy:
    default: false
    description:
    - Will disable any environment proxy settings and connect directly to the remote host.
    - This option is ignored if O(proxy) is set.
    type: bool
    vars:
    - name: ansible_psrp_ignore_proxy

read_timeout:
    default: 30
    description:
    - The read timeout for receiving data from the remote host.
    - This value must always be greater than O(operation_timeout).
    - This option requires pypsrp >= 0.3.
    - This is measured in seconds.
    type: int
    vars:
    - name: ansible_psrp_read_timeout
    version_added: '2.8'
    version_added_collection: ansible.builtin

cert_validation:
    choices:
    - validate
    - ignore
    default: validate
    description:
    - Whether to validate the remote server's certificate or not.
    - Set to V(ignore) to not validate any certificates. The server's identity is then
      not verified, so the HTTPS connection is open to interception.
    - O(ca_cert) can be set to the path of a PEM certificate chain to use in the validation.
    type: str
    vars:
    - name: ansible_psrp_cert_validation

certificate_pem:
    description:
    - The local path to an X509 certificate to use with certificate auth.
    type: path
    vars:
    - name: ansible_psrp_certificate_pem

remote_password:
    aliases:
    - password
    description: Authentication password for the O(remote_user). Can be supplied as a CLI
      option.
    type: str
    vars:
    - name: ansible_password
    - name: ansible_winrm_pass
    - name: ansible_winrm_password

max_envelope_size:
    default: 153600
    description:
    - Sets the maximum size of each WSMan message sent to the remote host.
    - This is measured in bytes.
    - Defaults to C(150KiB) for compatibility with older hosts.
    type: int
    vars:
    - name: ansible_psrp_max_envelope_size

negotiate_service:
    default: WSMAN
    description:
    - Override the service part of the SPN used during Kerberos authentication.
    - Only valid when Kerberos was the negotiated auth or was explicitly set as the authentication.
    - Ignored when NTLM was the negotiated auth.
    type: str
    vars:
    - name: ansible_psrp_negotiate_service

operation_timeout:
    default: 20
    description:
    - Sets the WSMan timeout for each operation.
    - This is measured in seconds.
    - This should not exceed the value for O(connection_timeout).
    type: int
    vars:
    - name: ansible_psrp_operation_timeout

configuration_name:
    default: Microsoft.PowerShell
    description:
    - The name of the PowerShell configuration endpoint to connect to.
    type: str
    vars:
    - name: ansible_psrp_configuration_name

connection_timeout:
    default: 30
    description:
    - The connection timeout for making the request to the remote host.
    - This is measured in seconds.
    type: int
    vars:
    - name: ansible_psrp_connection_timeout

message_encryption:
    choices:
    - auto
    - always
    - never
    default: auto
    description:
    - Controls the message encryption settings; this is separate from the TLS encryption
      used when O(protocol) is V(https).
    - Only the auth protocols V(negotiate), V(kerberos), V(ntlm), and V(credssp) can do
      message encryption. The other authentication protocols only support encryption when
      O(protocol) is set to V(https).
    - V(auto) means message encryption is only used when not using TLS/HTTPS.
    - V(always) is the same as V(auto) but message encryption is always used even when
      running over TLS/HTTPS.
    - V(never) disables any encryption checks that are in place when running over HTTP
      and disables any authentication encryption processes. When O(protocol) is V(http),
      this leaves the traffic unencrypted.
    type: str
    vars:
    - name: ansible_psrp_message_encryption

negotiate_delegate:
    description:
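    - Allow the remote user the ability to delegate its credentials to another server,
      i.e. credential delegation. The target can then authenticate to other servers as
      that user, so enable this only for targets trusted to do so.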
    - Only valid when Kerberos was the negotiated auth or was explicitly set as the authentication.
    - Ignored when NTLM was the negotiated auth.
    type: bool
    vars:
    - name: ansible_psrp_negotiate_delegate

negotiate_send_cbt:
    default: true
    description:
    - Send the Channel Binding Token (CBT) structure when authenticating.
    - CBT is used to provide extra protection against Man-in-the-Middle (MitM) attacks
      by binding the outer transport channel to the auth channel.
    - CBT is only used over C(HTTPS); it is not used over plain C(HTTP).
    type: bool
    vars:
    - name: ansible_psrp_negotiate_send_cbt

certificate_key_pem:
    description:
    - The local path to the private key of the X509 certificate to use with certificate auth.
    type: path
    vars:
    - name: ansible_psrp_certificate_key_pem

reconnection_backoff:
    default: 2
    description:
    - The backoff time to use in between reconnection attempts. (First sleeps X, then
      sleeps 2*X, then sleeps 4*X, ...)
    - This is measured in seconds.
    - The C(ansible_psrp_reconnection_backoff) variable was added in Ansible 2.9.
    type: int
    vars:
    - name: ansible_psrp_connection_backoff
    - name: ansible_psrp_reconnection_backoff
    version_added: '2.8'
    version_added_collection: ansible.builtin

reconnection_retries:
    default: 0
    description:
    - The number of retries on connection errors.
    type: int
    vars:
    - name: ansible_psrp_reconnection_retries
    version_added: '2.8'
    version_added_collection: ansible.builtin

credssp_auth_mechanism:
    choices:
    - auto
    - kerberos
    - ntlm
    default: auto
    description:
    - The sub authentication mechanism to use with CredSSP auth.
    - When V(auto), both Kerberos and NTLM are attempted, with Kerberos being preferred.
    type: str
    vars:
    - name: ansible_psrp_credssp_auth_mechanism

credssp_disable_tlsv1_2:
    default: false
    description:
    - Disables the use of TLSv1.2 on the CredSSP authentication channel.
    - This should not be set to V(true) unless dealing with a host that does not have TLSv1.2,
      as the CredSSP channel then has to use an older TLS version.
    type: bool
    vars:
    - name: ansible_psrp_credssp_disable_tlsv1_2

credssp_minimum_version:
    default: 2
    description:
    - The minimum CredSSP server authentication version that will be accepted.
    - Set to V(5) to ensure the server has been patched and is not vulnerable to CVE-2018-0886;
      the default of V(2) also accepts servers that have not been patched.
    type: int
    vars:
    - name: ansible_psrp_credssp_minimum_version

negotiate_hostname_override:
    description:
    - Override the remote hostname when searching for the host in the Kerberos lookup.
    - This allows Ansible to connect over IP but authenticate with the remote server using
      its DNS name.
    - Only valid when Kerberos was the negotiated auth or was explicitly set as the authentication.
    - Ignored when NTLM was the negotiated auth.
    type: str
    vars:
    - name: ansible_psrp_negotiate_hostname_override