I am trying to connect to a Windows EC2 instance and run some commands against it using pywinrm.
I am using the following code to create a session:
import winrm

session = winrm.Session(ec2_instance.public_dns_name, auth=(user_name, password))
which works fine.
Now, when I use the session object created above to run a command like:
session.run_ps("hostname")
or session.run_cmd("hostname")
-> it fails with a timeout error because the firewall rules for WinRM ports 5985 and 5986 are not configured (the security group on the AWS side has the ports open but the VM does not).
Once the inbound rule for ports 5985 and 5986 is configured on the EC2 instance, running any command fails with the following error:
Exception has occurred: InvalidCredentialsError the specified credentials were rejected by the server
I know that error message is misleading because the credentials are correct.
The reason I say the credentials are correct is that when I run the following from the EC2 instance:
Set-Item -Force WSMan:\localhost\Service\Auth\Basic $true
Set-Item -Force WSMan:\localhost\Service\AllowUnencrypted $true
And then run the command using my code, it all works fine.
Now, what I am trying to find is a way to enable the AllowUnencrypted value through my Python code.
I have looked at using Kerberos, but it seems like I need to create an AWS Managed Microsoft AD directory, which will incur cost to my organization.
I have also tried to use NTLM like this:
from winrm.protocol import Protocol

protocol = Protocol(
    endpoint=f"https://{ec2_instance.public_dns_name}:5985/wsman",
    transport="ntlm",
    username="Administrator",
    password="Password",
    server_cert_validation="ignore",
)
shell_id = protocol.open_shell()
But I get the following error:
HTTPSConnectionPool(host='ec2-x-x-x-x.us-west-2.compute.amazonaws.com', port=5985): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError(1, '[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1129)')))
Any help is appreciated.
Thanks
2 Answers
Here is the solution that worked for me:
Step 1: Use AWS SSM to run commands on the EC2 instance. These commands set the WSMan attributes Basic Authentication to True and AllowUnencrypted to True, and open ports 5985 and 5986. I got help from here: How to execute commands on AWS Instance using Boto3
AMIs with SSM pre-installed: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-ssm-win.html
Step 2: Use the WinRM Python library to bring the EBS disk online, then initialize, partition and format the disk.
Step 3: Code to decrypt password for login:
"HTTPSConnectionPool(host='ec2-x-x-x-x.us-west-2.compute.amazonaws.com', port=5985): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError(1, '[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1129)')))"
From your error, port 5985 is the HTTP listener, whereas HTTPS should be port 5986.
Change the endpoint port to 5986 and give it a try: endpoint=f"https://{ec2_instance.public_dns_name}:5986/wsman",
Sorry, I'm unable to add a comment yet.
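An added example (my own code, not from the question or either answer) that ties both answers together: it pairs scheme and port so TLS never goes to 5985, and runs the SSM step from the first answer with a PowerShell script that creates an HTTPS listener on 5986 instead of turning on Basic and AllowUnencrypted. It assumes boto3 and pywinrm are installed; the boto3 SSM client is created by the caller, and the instance id, host and credentials are placeholders.

```python
# WinRM listeners: HTTP on 5985, HTTPS on 5986. Speaking TLS to 5985 is what
# produces "[SSL: WRONG_VERSION_NUMBER]": the HTTP listener answers in plaintext.
WINRM_PORTS = {"http": 5985, "https": 5986}

def winrm_endpoint(host: str, scheme: str = "https") -> str:
    """Build the /wsman URL with the port that matches the scheme."""
    if scheme not in WINRM_PORTS:
        raise ValueError(f"scheme must be 'http' or 'https', got {scheme!r}")
    return f"{scheme}://{host}:{WINRM_PORTS[scheme]}/wsman"

# PowerShell that SSM runs on the instance (AWS-RunPowerShellScript document).
# Instead of Basic + AllowUnencrypted on 5985, it creates an HTTPS listener on
# 5986 so credentials and output travel inside TLS. The self-signed certificate
# is a placeholder; use a CA-issued one wherever the client can validate it.
WINRM_HTTPS_SETUP = r"""
$cert = New-SelfSignedCertificate -DnsName $env:COMPUTERNAME -CertStoreLocation Cert:\LocalMachine\My
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $cert.Thumbprint -Force
New-NetFirewallRule -DisplayName "WinRM HTTPS" -Direction Inbound -Protocol TCP -LocalPort 5986 -Action Allow
"""

def configure_via_ssm(ssm, instance_id: str) -> str:
    """Send the setup script through SSM and return the command id. `ssm` is a
    boto3 SSM client (boto3.client("ssm")) or any object with the same
    send_command signature, so the call can be exercised offline."""
    resp = ssm.send_command(
        InstanceIds=[instance_id],
        DocumentName="AWS-RunPowerShellScript",
        Parameters={"commands": WINRM_HTTPS_SETUP.strip().splitlines()},
    )
    return resp["Command"]["CommandId"]

def run_hostname(host: str, username: str, password: str) -> str:
    """Open a shell on the HTTPS listener with NTLM and run `hostname`."""
    from winrm.protocol import Protocol  # local import: helpers above need no pywinrm

    proto = Protocol(
        endpoint=winrm_endpoint(host, "https"),  # 5986, never https on 5985
        transport="ntlm",
        username=username,
        password=password,
        server_cert_validation="ignore",  # only because the cert above is self-signed
    )
    shell_id = proto.open_shell()
    cmd_id = proto.run_command(shell_id, "hostname")
    stdout, stderr, status = proto.get_command_output(shell_id, cmd_id)
    proto.cleanup_command(shell_id, cmd_id)
    proto.close_shell(shell_id)
    if status != 0:
        raise RuntimeError(stderr.decode(errors="replace"))
    return stdout.decode().strip()
```

After SSM reports the command succeeded, `run_hostname(ec2_instance.public_dns_name, "Administrator", password)` replaces the failing 5985 call from the question.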