Traditionally, PowerShell (PS) remoting took place using a combination of two protocols:
- PowerShell Remoting Protocol (MS-PSRP), for runspace creation and session management
- Windows Remote Management (WinRM), Microsoft's implementation of the Web Services-Management (WS-Man) protocol, for the HTTP(S) endpoint listeners and the underlying transport
Using WS-Man with PSRP unlocks much flexibility in terms of how a Windows computer can host one or more PowerShell remoting sessions. Specifically, you can define custom session configurations to manage incoming session requests. This includes the implementation of constrained Just Enough Administration (JEA) endpoints.
Alas, we live in a cross-platform world nowadays. The PowerShell development team understands the need to bring the PowerShell engine to Linux and macOS devices. They also recognize the ubiquity of the Secure Shell (SSH) communications protocol.
Today we have .NET Core, PowerShell Core 6.0, and a Win32 OpenSSH port. Eventually administrators will be able to select either WS-Man or SSH as their PowerShell remoting transport protocol, depending on their connectivity needs. That said, SSH transport functionality is under active development and remains a bit limited as of this writing in early March 2018.
Specifically, we don't yet have full PS session support, which takes both custom session configurations and JEA off the table for now. According to the GitHub issues list, sudo doesn't yet work in a remoting session on a Linux machine.
Here we'll set up a simple cross-platform environment and test what's currently available in PowerShell Core 6.
The environment
In my lab, I have a Windows VM set up as follows:
- Windows Server 2016 domain controller and DNS server
- OpenSSH server and client installed and running along with TCP port 22 open on the firewall
- PowerShell Core 6.0 installed
- WinRM PowerShell remoting enabled with the relevant firewall ports open
I also have an Ubuntu Linux 14.04 server set up like this:
- Located on the same IPv4 subnet as the Windows box
- Registered in the Windows Server DNS domain zone
- OpenSSH server and client installed
- PowerShell Core 6.0 installed
- Firewall disabled (didn't want to horse around with Linux firewall configuration for this lab)
All systems require both OpenSSH and PowerShell 6.0 installed. Don't worry, PowerShell 6.0 Core can coexist side by side with Windows PowerShell already installed on the Windows server.
Let's get this party started!
Set up Windows
Follow these instructions to install the OpenSSH test release. In a nutshell, what you're doing is:
- Downloading the release files as a .zip archive
- Unpacking the .zip into the path C:\Program Files\OpenSSH (pro tip: add this path to your system's PATH environment variable so you can start the SSH tools from any location at a command prompt)
- Running the installation script
- Modifying Windows Firewall to allow inbound SSH connections
Install PowerShell Core 6.0 on Windows by downloading the latest .msi release package from the PowerShell/PowerShell GitHub repository. You can grab the 64-bit (x64) or 32-bit (x86) package as necessary.
Next, simply do a "click-click-next" installation. It's that simple! And the fact that the .NET Core and PowerShell Core bits can sit side by side with Desktop PowerShell is fantastic news.
Set up Linux
Now let's turn our attention to configuring the Ubuntu 14.04 system. Ubuntu is a Debian-based Linux distribution, so we can bring the system software up to date by running the following commands from a freshly opened Terminal:
sudo apt-get update
sudo apt-get upgrade
If you don't already have it installed, you'll need an OpenSSH server and client:
sudo apt-get install openssh-client -y
sudo apt-get install openssh-server -y
Follow the instructions at GitHub to configure the OpenSSH configuration file to enable password authentication and define an entry for the PowerShell subsystem.
Finally, we'll install PowerShell Core 6.0. We'll start by importing the Microsoft Ubuntu software repository's public key and registering with the repo:
curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
curl https://packages.microsoft.com/config/ubuntu/14.04/prod.list | sudo tee /etc/apt/sources.list.d/microsoft.list
We then should update our local package list:
sudo apt-get update
And install PowerShell Core 6.0:
sudo apt-get install powershell -y
This admittedly takes me some getting used to, but you start PowerShell with pwsh. That's true for Windows as well.
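Before testing, it helps to confirm that the sshd_config edited in the step above contains what PowerShell SSH remoting needs. The script below is an added example, not part of the original article: the function names are hypothetical, the sample file is constructed, and the Subsystem line follows the form given in the PowerShell SSH remoting documentation for Linux.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): audit an sshd_config for the
# settings PowerShell-over-SSH depends on. Global section only: parsing stops at
# the first Match block, and only the "Keyword value" form is handled.

# Effective value of a keyword: sshd honours the FIRST occurrence, case-insensitively.
sshd_effective() {  # usage: sshd_effective KEYWORD FILE DEFAULT
  awk -v key="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" -v def="$3" '
    /^[ \t]*#/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == key { val = tolower($2); found = 1; exit }
    END { print (found ? val : def) }' "$2"
}

# Command line registered for the subsystem named "powershell" (empty if none).
pwsh_subsystem() {  # usage: pwsh_subsystem FILE
  awk '
    /^[ \t]*#/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == "subsystem" && $2 == "powershell" {
      $1 = $2 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

audit_pwsh_ssh() {  # usage: audit_pwsh_ssh FILE; prints one finding per line
  local sub pw pk
  sub="$(pwsh_subsystem "$1")"
  pw="$(sshd_effective PasswordAuthentication "$1" yes)"  # OpenSSH default: yes
  pk="$(sshd_effective PubkeyAuthentication "$1" yes)"    # OpenSSH default: yes
  case "$sub" in
    "")      echo "FAIL subsystem: no 'Subsystem powershell' entry, -HostName sessions cannot start" ;;
    *-sshs*) echo "OK subsystem: $sub" ;;
    *)       echo "FAIL subsystem: '$sub' lacks -sshs" ;;
  esac
  [ "$pw" = yes ] && echo "WARN auth: PasswordAuthentication is on (lab setting); prefer keys outside the lab"
  [ "$pk" = yes ] || echo "WARN auth: PubkeyAuthentication is off, so -KeyFilePath logons will fail"
  return 0
}

# Constructed sample resembling the lab's Ubuntu box (not a real host's file).
sample="$(mktemp)"
cat > "$sample" <<'EOF'
# constructed sample
Port 22
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem powershell /usr/bin/pwsh -sshs -NoLogo -NoProfile
passwordauthentication no
EOF
audit_pwsh_ssh "$sample"
rm -f "$sample"
```

The duplicate lowercase `passwordauthentication no` line in the sample is deliberate: sshd uses the first value it reads, so the audit still reports password authentication as enabled.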
Test remoting
In the first example, we'll attempt a Windows-to-Linux remoting connection by creating a session and then entering it:
$session = New-PSSession -HostName ubuntu1 -Username timw -SSHTransport
Enter-PSSession -Session $session
Some notes:
- Notice the -HostName parameter. This is part of a parameter set in which you must also specify the -SSHTransport switch parameter.
- It will prompt you to accept the remote machine's SSH public key, which is normal for SSH communication.
- Remember we set up our SSH servers to use password authentication. This is why you'll need both a valid username on the Linux box and the account password.
In the following screenshot I demonstrate a Mac-to-Mac PowerShell session.
Next, we'll use Invoke-Command to send a PowerShell command from Linux to Windows:
Invoke-Command -HostName dc1 -Username tim -SSHTransport -ScriptBlock {Get-Service}
More notes:
- Use -ComputerName when you want to use WinRM/WS-Man and -HostName when you want to use SSH transport.
- If the SSH server is configured for key-based authentication, add the -KeyFilePath parameter.
- In this case, tim is the name of an account valid on the remote machine, not the local one.
Wrap-up
Today we got a glimpse into the future. Eventually, we will be able to open a PowerShell console on any Windows, Linux, or macOS computer and perform remote management on nearly any type of hardware. This includes routers, switches, or any other device capable of hosting a Common Information Model (CIM) server with Open Management Infrastructure (OMI).
Although PowerShell Core 6.0 is now generally available, the SSH remoting is still under development. For homework, I assign you the following task: Test WS-Man remoting using the -ComputerName and -Credential parameters of Enter-PSSession and Invoke-Command!