Saturday, June 24, 2023

OpenSSH on Windows Server 2019 with PowerShell as the default SSH shell

 

INSTALL OPENSSH on WINDOWS 2019





Link to online help

https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=gui

Install OpenSSH for Windows


Prerequisites

Before you start, your computer must meet the following requirements:


  1. A device running at least Windows Server 2019 or Windows 10 (build 1809).

  2. PowerShell 5.1 or later.

  3. An account that is a member of the built-in Administrators group.


Check I have an admin shell

PS C:\Windows\system32> (New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

True

Current version of powershell

PS C:\Windows\system32> $PSVersionTable.PSVersion


Major  Minor  Build  Revision

-----  -----  -----  --------

5      1      17763  3770


My base Windows Server 2019 version

PS C:\Windows\system32> systeminfo |findstr "OS "

OS Name:                   Microsoft Windows Server 2019 Datacenter

OS Version:                10.0.17763 N/A Build 17763


https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-hotfix?view=powershell-7.3


My hotfix levels

PS C:\Windows\system32> Get-HotFix


Source        Description      HotFixID      InstalledBy          InstalledOn

------        -----------      --------      -----------          -----------

W2019A        Update           KB5027131     NT AUTHORITY\SYSTEM  18/06/2023 00:00:00

W2019A        Security Update  KB4512577                          07/09/2019 00:00:00

W2019A        Update           KB4589208     NT AUTHORITY\SYSTEM  18/06/2023 00:00:00

W2019A        Security Update  KB5027222     NT AUTHORITY\SYSTEM  18/06/2023 00:00:00

W2019A        Security Update  KB5023789     NT AUTHORITY\SYSTEM  18/06/2023 00:00:00



PS C:\Windows\system32> wmic qfe list

Caption                                     CSName  Description      FixComments  HotFixID   InstallDate  InstalledBy          InstalledOn  Name  ServicePackInEffect  Status

http://support.microsoft.com/?kbid=5027131  W2019A  Update                        KB5027131               NT AUTHORITY\SYSTEM  6/18/2023

http://support.microsoft.com/?kbid=4512577  W2019A  Security Update               KB4512577                                    9/7/2019

https://support.microsoft.com/help/4589208  W2019A  Update                        KB4589208               NT AUTHORITY\SYSTEM  6/18/2023

https://support.microsoft.com/help/5027222  W2019A  Security Update               KB5027222               NT AUTHORITY\SYSTEM  6/18/2023

                                            W2019A  Security Update               KB5023789               NT AUTHORITY\SYSTEM  6/18/2023


PS C:\Windows\system32>

Check the OpenSSH capabilities available (the server and client ship as optional Windows capabilities, not as separate downloads)

PS C:\Windows\system32>  Get-WindowsCapability -Online| out-string  -stream |select-string -pattern "openssh"


Name  : OpenSSH.Client~~~~0.0.1.0

Name  : OpenSSH.Server~~~~0.0.1.0



PS C:\Windows\system32>

Install server & client

PS C:\Windows\system32> Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

Path          :

Online        : True

RestartNeeded : False


PS C:\Windows\system32> Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

Path          :

Online        : True

RestartNeeded : False


PS C:\Windows\system32>

Check the status of the new sshd service

PS C:\Windows\system32> Get-Service sshd | Select-Object -Property Name,Status,StartType


Name  Status StartType

----  ------ ---------

sshd Stopped    Manual



PS C:\Windows\system32>

Start it and set to automatic

PS C:\Windows\system32> Start-Service sshd

PS C:\Windows\system32> Set-Service -Name sshd -StartupType 'Automatic'

PS C:\Windows\system32> Get-Service sshd | Select-Object -Property Name,Status,StartType


Name  Status StartType

----  ------ ---------

sshd Running Automatic



PS C:\Windows\system32>

Check the inbound firewall rule for sshd was created (installing the capability adds it, but confirm Enabled : True before relying on it)

PS C:\Windows\system32> Get-NetFirewallRule -Name *ssh*



Name                  : OpenSSH-Server-In-TCP

DisplayName           : OpenSSH SSH Server (sshd)

Description           : Inbound rule for OpenSSH SSH Server (sshd)

DisplayGroup          : OpenSSH Server

Group                 : OpenSSH Server

Enabled               : True

Profile               : Any

Platform              : {}

Direction             : Inbound

Action                : Allow

EdgeTraversalPolicy   : Block

LooseSourceMapping    : False

LocalOnlyMapping      : False

Owner                 :

PrimaryStatus         : OK

Status                : The rule was parsed successfully from the store. (65536)

EnforcementStatus     : NotApplicable

PolicyStoreSource     : PersistentStore

PolicyStoreSourceType : Local


PS C:\Windows\system32>

Check the env variable that locates the sshd configuration directory, then list it (sshd_config, the host keys and the logs all live here). Note the in-box build still generates a DSA host key pair; current clients no longer offer ssh-dss by default, so it goes unused.

PS C:\Windows\system32> echo $env:ProgramData

C:\ProgramData

PS C:\Windows\system32> dir $env:ProgramData\ssh


    Directory: C:\ProgramData\ssh


Mode                LastWriteTime         Length Name

----                -------------         ------ ----

d-----       18/06/2023     10:23                logs

-a----       18/06/2023     10:23              6 sshd.pid

-a----       05/09/2018     15:07           2253 sshd_config

-a----       18/06/2023     10:23            672 ssh_host_dsa_key

-a----       18/06/2023     10:23            617 ssh_host_dsa_key.pub

-a----       18/06/2023     10:23            227 ssh_host_ecdsa_key

-a----       18/06/2023     10:23            189 ssh_host_ecdsa_key.pub

-a----       18/06/2023     10:23            419 ssh_host_ed25519_key

-a----       18/06/2023     10:23            109 ssh_host_ed25519_key.pub

-a----       18/06/2023     10:23           1679 ssh_host_rsa_key

-a----       18/06/2023     10:23            409 ssh_host_rsa_key.pub


PS C:\Windows\system32>
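The install, service, firewall and host key steps above, as one re-runnable script. This is an added example, not code from the original post. It assumes an elevated Windows PowerShell 5.1 session on Windows Server 2019 and that the in-box OpenSSH binaries are under %SystemRoot%\System32\OpenSSH; the firewall rule name and the New-NetFirewallRule fallback are the ones Microsoft's install guide uses.

```powershell
# Added example (not from the original post): idempotent install-and-verify for the
# in-box OpenSSH on Windows Server 2019, ending with the host key fingerprints you
# need to check the client's first "unknown host key" prompt against.
$ErrorActionPreference = 'Stop'

# 1. Add-WindowsCapability and Set-Service need an elevated token
$me = [Security.Principal.WindowsIdentity]::GetCurrent()
if (-not (New-Object Security.Principal.WindowsPrincipal $me).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

# 2. Install whichever OpenSSH capabilities are not yet present (safe to re-run)
foreach ($cap in (Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*')) {
    if ($cap.State -ne 'Installed') {
        Write-Host "Installing $($cap.Name)"
        if ((Add-WindowsCapability -Online -Name $cap.Name).RestartNeeded) {
            Write-Warning "$($cap.Name) needs a reboot before sshd will run"
        }
    }
}

# 3. Start sshd now and at every boot
Set-Service -Name sshd -StartupType Automatic
if ((Get-Service -Name sshd).Status -ne 'Running') { Start-Service -Name sshd }

# 4. The capability normally creates this rule; create or re-enable it if it is not there
$rule = Get-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -ErrorAction SilentlyContinue
if (-not $rule) {
    Write-Warning 'Firewall rule OpenSSH-Server-In-TCP missing, creating it'
    New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH SSH Server (sshd)' `
        -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 | Out-Null
} elseif ($rule.Enabled -ne 'True') {
    Enable-NetFirewallRule -Name 'OpenSSH-Server-In-TCP'
}

# 5. Prove something is listening on 22 and that it is sshd.exe, not a squatter
Get-NetTCPConnection -LocalPort 22 -State Listen | ForEach-Object {
    '{0}:{1} pid {2} ({3})' -f $_.LocalAddress, $_.LocalPort, $_.OwningProcess,
        (Get-Process -Id $_.OwningProcess).ProcessName
}

# 6. Host key fingerprints: compare with the client's prompt before accepting.
#    SHA256 is what current PuTTY shows; MD5 is for older clients.
$keygen = Join-Path $env:SystemRoot 'System32\OpenSSH\ssh-keygen.exe'
foreach ($pub in Get-ChildItem "$env:ProgramData\ssh\ssh_host_*_key.pub") {
    & $keygen -lf $pub.FullName
    & $keygen -lf $pub.FullName -E md5
}
```

Keep the fingerprint output from step 6 (or paste it into your password manager): the PuTTY "host key not cached" dialog on the first connection must show one of these values, otherwise you are talking to something other than this server.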

Generate a new key pair on the server (this is only needed here to create the .ssh directory; inbound logins are checked against authorized_keys, not against this key)

I chose no password 


My user is robert so you would need to check that :)

PS C:\Windows\system32>  ssh-keygen

Generating public/private rsa key pair.

Enter file in which to save the key (C:\Users\robert/.ssh/id_rsa):

Created directory 'C:\Users\robert/.ssh'.

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in C:\Users\robert/.ssh/id_rsa.

Your public key has been saved in C:\Users\robert/.ssh/id_rsa.pub.

The key fingerprint is:

SHA256:K1R82wY75a/NDK4ltnHmAI7SzCJJNvgCLqNc8hzRaR0 rjruss\robert@w2019a

The key's randomart image is:

+---[RSA 2048]----+

|                 |

|       .         |

|       Eo o .    |

| .  . o... B     |

|o +. +..S + +    |

|o+ oo= o o o .   |

|+o+oo * o = = .  |

|+o=..o . . @ *   |

|.. o      o.+ +  |

+----[SHA256]-----+

PS C:\Windows\system32>

Use PuTTYgen to generate my client key pair


Follow the prompt to generate randomness (move the mouse over the blank area)

Save the public and private keys. You can choose to set a passphrase; if you do, it will be required at every login 

Export an OpenSSH-format copy of the private key (Conversions > Export OpenSSH key) 

3 files are now available on my PC

Copy the text from the "Public key for pasting into OpenSSH authorized_keys file" box in PuTTYgen; we need this on the Windows Server 2019 host

Paste it as a single line into the authorized_keys file in the user's .ssh directory (the one that was created by ssh-keygen). Reminder: I am using robert as the user, check your user



Check owner

PS C:\Windows\system32> (get-acl \users\robert\.ssh\authorized_keys).owner

RJRUSS\robert

Set the permissions on that file. sshd's StrictModes check rejects an authorized_keys that grants write access to any account other than SYSTEM, Administrators and the file owner, so drop inheritance and the inherited entries. Removing BUILTIN\Administrators as well (below) is stricter than sshd requires; it means an administrator has to take ownership before editing the file.

PS C:\Windows\system32> cd \users\robert\.ssh

PS C:\users\robert\.ssh> (get-acl ~\.ssh\authorized_keys).owner

RJRUSS\robert


PS C:\users\robert\.ssh>  icacls \users\robert\.ssh\authorized_keys

\users\robert\.ssh\authorized_keys NT AUTHORITY\SYSTEM:(F)

                                   BUILTIN\Administrators:(F)

                                   RJRUSS\robert:(F)


Successfully processed 1 files; Failed processing 0 files

PS C:\users\robert\.ssh>

PS C:\users\robert\.ssh> icacls \users\robert\.ssh\authorized_keys /inheritance:r

processed file: \users\robert\.ssh\authorized_keys

Successfully processed 1 files; Failed processing 0 files

PS C:\users\robert\.ssh>

PS C:\users\robert\.ssh>  icacls \users\robert\.ssh\authorized_keys /remove BUILTIN\Administrators

processed file: \users\robert\.ssh\authorized_keys

Successfully processed 1 files; Failed processing 0 files

PS C:\users\robert\.ssh>
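The same authorized_keys setup and ACL fix as a script that also verifies the result the way sshd will see it. This is an added example, not code from the original post. It assumes the account is DOMAIN\robert as in the post (change $User), that $PublicKey holds the line copied from PuTTYgen (the value below is a constructed placeholder, not a real key) and that it runs elevated so the owner can be set; it keeps BUILTIN\Administrators on the file, which the post removed, because sshd accepts it and it saves an admin from taking ownership to edit the file.

```powershell
# Added example (not from the original post): install a public key into a user's
# authorized_keys and set a DACL with exactly the principals sshd's StrictModes
# check accepts on Windows (SYSTEM, Administrators, owner), then verify it.
param(
    [string]$User      = "$env:USERDOMAIN\robert",   # assumption: adjust to your account
    [string]$PublicKey = 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...placeholder... robert@laptop'  # constructed
)
$ErrorActionPreference = 'Stop'

# Resolve the profile directory from the account rather than guessing C:\Users\<name>
$sid     = ([Security.Principal.NTAccount]$User).Translate([Security.Principal.SecurityIdentifier]).Value
$profKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
$homeDir = if (Test-Path $profKey) { (Get-ItemProperty $profKey).ProfileImagePath }
           else { Join-Path $env:SystemDrive "Users\$($User.Split('\')[-1])" }   # not logged on yet
$sshDir   = Join-Path $homeDir '.ssh'
$authKeys = Join-Path $sshDir 'authorized_keys'

if (-not (Test-Path $sshDir)) { New-Item -ItemType Directory -Path $sshDir | Out-Null }

# Append the key only if absent (idempotent), as ASCII with LF: no BOM, no surprises
$existing = if (Test-Path $authKeys) { Get-Content $authKeys } else { @() }
if ($existing -notcontains $PublicKey) {
    [IO.File]::AppendAllText($authKeys, "$PublicKey`n", [Text.Encoding]::ASCII)
}

# Rebuild the DACL: protected (no inheritance), explicit entries only
$acl = Get-Acl -Path $authKeys
$acl.SetAccessRuleProtection($true, $false)            # drop inherited ACEs
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $User) {
    $acl.AddAccessRule((New-Object Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
}
$acl.SetOwner([Security.Principal.NTAccount]$User)     # the owner is part of what sshd checks
Set-Acl -Path $authKeys -AclObject $acl

# Verify: any other principal on the ACL will make sshd ignore the file under StrictModes
$final   = Get-Acl -Path $authKeys
$allowed = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $final.Owner
$extra   = $final.Access | Where-Object { $allowed -notcontains $_.IdentityReference.Value }
if ($final.AreAccessRulesProtected -and -not $extra) {
    "OK: $authKeys owned by $($final.Owner); ACEs for $($final.Access.IdentityReference.Value -join ', ')"
} else {
    Write-Warning ("Fix needed: inheritance on={0} unexpected ACEs={1}" -f
        (-not $final.AreAccessRulesProtected), ($extra.IdentityReference.Value -join ', '))
}
```

If a key login still fails after this, the sshd log under C:\ProgramData\ssh\logs (or the OpenSSH/Operational channel in Event Viewer) names the file it refused and why, which is faster than guessing at ACLs.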

Update the sshd_config file ($env:ProgramData\ssh\sshd_config)

Remove the # from these two lines to prevent passwords; the result must read PubkeyAuthentication yes and PasswordAuthentication no. This disables passwords and only key-based logon is allowed, so confirm a key logon works from a second session before you restart sshd with this setting or you will lock yourself out.

Comment out the AuthorizedKeysFile line inside the Match Group administrators block (it points at __PROGRAMDATA__/ssh/administrators_authorized_keys). Without this, an account in the Administrators group is checked against that shared file rather than against its own .ssh\authorized_keys.


SAVE changes

Restart sshd service

PS C:\users\robert\.ssh> Stop-Service sshd

PS C:\users\robert\.ssh> Start-Service sshd



Set up a new PuTTY session

Use the user@x.x.x.x format for the host name

Add the .ppk key in the Auth section (Connection > SSH > Auth)

Accept the new host key only after comparing the fingerprint PuTTY shows with ssh-keygen -lf run against the server's ssh_host_*_key.pub files. A cmd.exe prompt should then appear, since cmd is still the default shell at this point

Change the default SSH shell to PowerShell


Download the required release of PowerShell

https://github.com/PowerShell/PowerShell/releases




I used the installation version

https://github.com/PowerShell/PowerShell/releases/download/v7.3.4/PowerShell-7.3.4-win-x64.msi





I selected all options; you may want to deselect any feature you don't need or want

I chose to update via Microsoft Update – always worth considering


Launch it to test


Update the sshd_config file (not ssh_config, which configures the client) and register PowerShell as an SSH subsystem. The 8.3 short path avoids the space in "Program Files", which sshd_config does not tolerate in paths:

Subsystem powershell c:/progra~1/powershell/7/pwsh.exe -sshs -NoLogo

Save

Check the short path actually resolves to pwsh.exe (8.3 name generation can be disabled per volume; fsutil 8dot3name query C: reports the state)


PS C:\Program Files\PowerShell\7> dir "c:/progra~1/powershell/7/pwsh.exe"


    Directory: C:\Program Files\powershell\7


Mode                 LastWriteTime         Length Name

----                 -------------         ------ ----

-a---          12/04/2023    18:07         293312 pwsh.exe


PS C:\Program Files\PowerShell\7>

Update the registry

PS C:\users\robert\.ssh> New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "c:/progra~1/powershell/7/pwsh.exe" -PropertyType String -Force



DefaultShell : c:/progra~1/powershell/7/pwsh.exe

PSPath       : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\OpenSSH

PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE

PSChildName  : OpenSSH

PSDrive      : HKLM

PSProvider   : Microsoft.PowerShell.Core\Registry




PS C:\users\robert\.ssh>
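The sshd_config edits from "Update the sshd config file" (key-only login, per-user authorized_keys for administrators) together with the Subsystem line and the DefaultShell registry value just above, as one re-runnable script. This is an added example, not code from the original post. It assumes the pwsh.exe 8.3 path used in the post and an elevated session; pass -KeyOnly only after a key-based login has been confirmed in a second session, because turning passwords off first is how you lock yourself out.

```powershell
# Added example (not from the original post): apply the sshd_config hardening and
# the PowerShell default-shell settings idempotently, with a backup and a read-back.
param([switch]$KeyOnly)   # set PasswordAuthentication no only when this is passed
$ErrorActionPreference = 'Stop'
$config = "$env:ProgramData\ssh\sshd_config"
$pwsh   = 'c:/progra~1/powershell/7/pwsh.exe'   # 8.3 path: sshd_config does not take spaces

# 8.3 names can be disabled per volume (fsutil 8dot3name query C:); fail early rather
# than register a shell path that sshd cannot start
if (-not (Test-Path -LiteralPath $pwsh)) { throw "$pwsh does not resolve to pwsh.exe" }

Copy-Item -LiteralPath $config -Destination "$config.bak-$(Get-Date -Format yyyyMMddHHmmss)"
[string[]]$lines = Get-Content -LiteralPath $config

# Set a directive in place whether it is live or commented out. If it only exists
# inside a Match block, or not at all, insert a global copy before the first Match:
# anything placed after 'Match' applies to that block only, not to the whole server.
function Set-SshdDirective([string[]]$Lines, [string]$Name, [string]$Value) {
    $pattern = '^\s*#?\s*' + [regex]::Escape($Name) + '\b'
    $hit = -1; $firstMatch = -1
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($hit -lt 0 -and $Lines[$i] -match $pattern)            { $hit = $i }
        if ($firstMatch -lt 0 -and $Lines[$i] -match '^\s*Match\b') { $firstMatch = $i }
    }
    $list = [Collections.Generic.List[string]]$Lines
    if ($hit -ge 0 -and ($firstMatch -lt 0 -or $hit -lt $firstMatch)) { $list[$hit] = "$Name $Value" }
    elseif ($firstMatch -ge 0)                                       { $list.Insert($firstMatch, "$Name $Value") }
    else                                                              { $list.Add("$Name $Value") }
    return $list.ToArray()
}

[string[]]$lines = Set-SshdDirective $lines 'PubkeyAuthentication' 'yes'
if ($KeyOnly) { [string[]]$lines = Set-SshdDirective $lines 'PasswordAuthentication' 'no' }
[string[]]$lines = Set-SshdDirective $lines 'Subsystem powershell' "$pwsh -sshs -NoLogo"

# Retire the administrators block so admins are checked against their own
# %USERPROFILE%\.ssh\authorized_keys. Comment both lines: an AuthorizedKeysFile left
# live outside its Match would silently become a global setting.
$lines = $lines | ForEach-Object {
    if ($_ -match '^\s*(Match\s+Group\s+administrators|AuthorizedKeysFile\s+__PROGRAMDATA__/ssh/administrators_authorized_keys)\b') { "#$_" } else { $_ }
}
Set-Content -LiteralPath $config -Value $lines -Encoding ASCII

# Interactive sessions start this shell instead of cmd.exe
New-ItemProperty -Path 'HKLM:\SOFTWARE\OpenSSH' -Name DefaultShell -Value $pwsh -PropertyType String -Force | Out-Null

Restart-Service -Name sshd

# Read back the lines that matter so the effective settings can be eyeballed
Select-String -LiteralPath $config -Pattern '^\s*#?\s*(PasswordAuthentication|PubkeyAuthentication|Subsystem|Match|AuthorizedKeysFile)\b' |
    ForEach-Object { $_.Line }
(Get-ItemProperty -Path 'HKLM:\SOFTWARE\OpenSSH').DefaultShell
```

Run it once without -KeyOnly, open a fresh PuTTY session with the .ppk and confirm you land in pwsh without a password prompt, then run it again with -KeyOnly. The timestamped backup next to sshd_config is what you restore from if a later edit leaves sshd refusing to start.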

Refresh the HKLM\SOFTWARE\OpenSSH key in Registry Editor and the DefaultShell value appears

Open PuTTY again and connect

Now defaults to PowerShell 7

Check if administrator. An SSH session for an account in the Administrators group gets the full administrator token (there is no UAC split token as there is for a desktop logon), which is why this returns True with no elevation prompt 

PowerShell 7.3.4

PS C:\Users\robert> (New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

True

PS C:\Users\robert> function Test-Administrator

>> {

>>     $user = [Security.Principal.WindowsIdentity]::GetCurrent();

>>     (New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

>> }

PS C:\Users\robert> Test-Administrator

True














