OpenSSH and SSM
Install the OpenSSH client and server features, start sshd and set it to start automatically:

```powershell
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Start-Service sshd
Set-Service -Name sshd -StartupType 'Automatic'
```
Confirm the firewall rule is configured. It should be created automatically by setup; run the following to verify, and to create it if it is missing:

```powershell
if (!(Get-NetFirewallRule -Name "OpenSSH-Server-In-TCP" -ErrorAction SilentlyContinue | Select-Object Name, Enabled)) {
    Write-Output "Firewall Rule 'OpenSSH-Server-In-TCP' does not exist, creating it..."
    New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
} else {
    Write-Output "Firewall rule 'OpenSSH-Server-In-TCP' has been created and exists."
}
```
Create a dedicated non-admin local account for SSM (see https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/new-localuser?view=powershell-5.1):

```powershell
$Password = Read-Host -AsSecureString
$params = @{
    Name        = 'ssm'
    Password    = $Password
    FullName    = 'ssm'
    Description = 'ssm non admin.'
}
New-LocalUser @params
```
Key-based authentication (see https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement). On the client, generate a key pair and read the public key:

```powershell
ssh-keygen -t ecdsa
$authorizedKey = Get-Content -Path $env:USERPROFILE\.ssh\id_ecdsa.pub
```

Generate the PowerShell to be run remotely that copies the public key generated on your client into the authorized_keys file of the (non-admin) user on your server. Replace `username@domain1@contoso.com` with your user and server:

```powershell
$remotePowershell = "powershell New-Item -Force -ItemType Directory -Path $env:USERPROFILE\.ssh; Add-Content -Force -Path $env:USERPROFILE\.ssh\authorized_keys -Value '$authorizedKey'"
ssh username@domain1@contoso.com $remotePowershell
```
For an account that is a member of the local Administrators group, sshd reads keys from administrators_authorized_keys instead, and that file's ACL must be limited to Administrators and SYSTEM (the icacls call below does this):

```powershell
$authorizedKey = Get-Content -Path $env:USERPROFILE\.ssh\id_ecdsa.pub
$remotePowershell = "powershell Add-Content -Force -Path $env:ProgramData\ssh\administrators_authorized_keys -Value '''$authorizedKey''';icacls.exe ""$env:ProgramData\ssh\administrators_authorized_keys"" /inheritance:r /grant ""Administrators:F"" /grant ""SYSTEM:F"""
ssh username@domain1@contoso.com $remotePowershell
```
Set the default shell for incoming SSH sessions (see https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh-server-configuration). Either Windows PowerShell or PowerShell 7 can be used as the value:

- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- C:\Program Files\PowerShell\7\pwsh.exe

```powershell
New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force
```
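The following check script is added here as an example; it is not part of the original page or of SSM. Run elevated on the server, it verifies the pieces set up above: the sshd service state and start type, the firewall rule, that DefaultShell points at an executable that exists, and the ACL on administrators_authorized_keys, which OpenSSH for Windows refuses to use when accounts other than Administrators and SYSTEM have access to it. The check names and the table output are this example's own choices.

```powershell
# Added verification script (not from the page or SSM). Run in an elevated PowerShell on the server.
$checks = New-Object System.Collections.Generic.List[object]

function Add-Check([string]$Name, [bool]$Passed) {
    $checks.Add([pscustomobject]@{ Check = $Name; Passed = $Passed })
}

# 1. sshd installed, running and set to start automatically
$svc = Get-Service -Name sshd -ErrorAction SilentlyContinue
$ok  = [bool]$svc -and $svc.Status -eq 'Running' -and $svc.StartType -eq 'Automatic'
Add-Check 'sshd service running and StartType Automatic' $ok

# 2. Inbound firewall rule present, enabled, allowing TCP 22
$rule = Get-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -ErrorAction SilentlyContinue
$port = if ($rule) { ($rule | Get-NetFirewallPortFilter).LocalPort } else { $null }
$ok   = [bool]$rule -and $rule.Enabled -eq 'True' -and $rule.Action -eq 'Allow' -and $port -eq '22'
Add-Check 'Firewall rule OpenSSH-Server-In-TCP enabled, Allow, TCP 22' $ok

# 3. DefaultShell set and pointing at a file that exists on disk
$shell = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\OpenSSH' -Name DefaultShell -ErrorAction SilentlyContinue).DefaultShell
$ok    = [bool]$shell -and (Test-Path -LiteralPath $shell)
Add-Check "DefaultShell exists on disk ($shell)" $ok

# 4. administrators_authorized_keys: inheritance removed and only Administrators / SYSTEM in the ACL.
#    sshd rejects this file when its permissions are more open than that.
$keyFile = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'
if (Test-Path -LiteralPath $keyFile) {
    $acl     = Get-Acl -LiteralPath $keyFile
    $allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    $extra   = @($acl.Access | Where-Object { $allowed -notcontains $_.IdentityReference.Value })
    $ok      = $acl.AreAccessRulesProtected -and $extra.Count -eq 0
    Add-Check 'administrators_authorized_keys ACL limited to Administrators and SYSTEM' $ok
}

$checks | Format-Table -AutoSize
if ($checks.Passed -contains $false) { Write-Warning 'At least one check failed; review the table above.' }
```

A failed ACL check is the usual cause of "key rejected" for administrator accounts even though the public key is in the file; re-run the icacls command from the key management section to fix it.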
Add the user "ssm" to "Log on as a batch job" (needed for running the SSM monitor, which runs the server in the background, under the user account):

```powershell
# Run elevated. Grants SeBatchLogonRight to the account.
# The original Win32_SecuritySetting.AddAccountRight call is not a method WMI exposes;
# secedit is the built-in tool for editing user rights assignments.
$username = "ssm"
$sid = (Get-LocalUser -Name $username).SID.Value
$cfg = "$env:TEMP\user-rights.inf"
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = (Get-Content -Path $cfg) -replace '^(SeBatchLogonRight\s*=.*)$', "`$1,*$sid"
$rights | Set-Content -Path $cfg -Encoding Unicode
secedit /configure /db "$env:TEMP\user-rights.sdb" /cfg $cfg /areas USER_RIGHTS | Out-Null
```
Add the user "ssm" to the WMI namespaces for remote WMI, or add it to the default "Remote Management Users" group (needed for the SSM WMI and CIM related commands, such as details, under the user account). Background: https://github.com/microsoft/vscode-remote-release/issues/2648#issuecomment-1293832539

- Create a new local group "remoteWMI".
- Computer Management > Services and Applications > right-click WMI Control and select Properties.
- On the Security tab, select the namespace you want to modify:
  - CIMV2
  - WMI
  - StandardCIMv2
  - Microsoft/Windows/TaskScheduler
- Add the newly created group to the list and check the option Remote Enable.
- Add "ssm" to the "remoteWMI" group, then log out and log in again.

Or, instead, add the account to the built-in group:

```powershell
Add-LocalGroupMember -Group "Remote Management Users" -Member "ssm"
```
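To confirm that either of the grants above actually lets the ssm account query the server, the following client-side script is an added example (not from the page or from SSM). It opens a CIM session over WS-Man, the path the Remote Management Users group enables, and over DCOM, the path governed by the namespace Remote Enable setting, and reads one class from root/cimv2 and one from the TaskScheduler namespace listed above. SERVER01 is a placeholder for your server name.

```powershell
# Added example (not from the page or SSM). Run on the client; SERVER01 is a placeholder.
$server = 'SERVER01'
$cred   = Get-Credential -UserName 'ssm' -Message 'Password for the ssm account'

# One read per namespace the page lists; MSFT_ScheduledTask is the class behind Get-ScheduledTask.
$queries = @(
    @{ Namespace = 'root/cimv2';                           Class = 'Win32_OperatingSystem' },
    @{ Namespace = 'root/Microsoft/Windows/TaskScheduler'; Class = 'MSFT_ScheduledTask' }
)

foreach ($protocol in 'Wsman', 'Dcom') {
    $session = $null
    try {
        $opt     = New-CimSessionOption -Protocol $protocol
        $session = New-CimSession -ComputerName $server -Credential $cred -SessionOption $opt -ErrorAction Stop
        foreach ($q in $queries) {
            $target = "$($q.Namespace)/$($q.Class)"
            try {
                $count = @(Get-CimInstance -CimSession $session -Namespace $q.Namespace -ClassName $q.Class -ErrorAction Stop).Count
                Write-Output ("{0,-6} {1,-60} OK ({2} instances)" -f $protocol, $target, $count)
            } catch {
                Write-Output ("{0,-6} {1,-60} DENIED: {2}" -f $protocol, $target, $_.Exception.Message)
            }
        }
    } catch {
        Write-Output ("{0,-6} session failed: {1}" -f $protocol, $_.Exception.Message)
    } finally {
        if ($session) { Remove-CimSession -CimSession $session }
    }
}
```

A result that succeeds on one protocol and is denied on the other tells you which of the two grants is missing; a namespace that is denied while the others succeed was left out of the Remote Enable step.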
Windows does this normally, and the closest workaround I can come up with at the moment is to use the install-monitor command and make sure to set it up to run in the background. This will automatically start the process. The stop command will disable the scheduled task. I found a fix and applied it last update. You can also use Start-ScheduledTask and Enable-ScheduledTask after the ssm install-monitor command; be sure to set install-monitor to run in the background. Also, you could use PSRemoting, which allows you to exit without the cost of the process.
I recommend this client.
https://bitvise.com/ssh-client-download