Fotolia
PowerShell 7 remoting expands management horizons
Connecting to different operating systems to manage them from PowerShell requires SSH setup, which is less onerous in the version 7 release.
When PowerShell Core 6 was released in January 2018, a key feature was cross-platform PowerShell remoting that opened up this management tool to Linux administrators.
The March 2020 release of PowerShell 7 delivered many new and updated features. In addition to dropping the Core moniker and Microsoft adding the tool to long-term support, PowerShell 7 arrived with an easier remoting setup process that should encourage its use beyond the Windows OS.
Using PowerShell 7 remoting between Windows and Linux currently requires SSH transport on both sides. Linux only supports the SSH transport, but Windows supports the traditional WS-MAN remoting method and SSH as a newer option.
How to set up Windows SSH remoting for PowerShell 7
For this article, we will use Windows Server 2019 which has native SSH functionality. You can also use Windows 10 build 1809 which has built-in SSH. It is possible to use Windows Server 2016, but the features are not built in and require a bit more configuration.
To find out the installed features, run the following PowerShell command:
Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*' | Format-Table -AutoSize
By default, the OpenSSH.Client~~~~0.0.1.0 feature is installed. To install the server component, run the following command using the Deployment Image Servicing and Management cmdlets to add the OpenSSH.Server~~~~0.0.1.0 Windows Feature:
Add-WindowsCapability -Online -Name 'OpenSSH.Server~~~~0.0.1.0'
Enable PowerShell 7 remoting
Additionally, you need to register the endpoint names for PowerShell 7 by running Enable-PSRemoting -SkipNetworkProfileCheck. This can cause issues if you are attempting to remote to a Windows system and use PowerShell 7 as the environment. Windows.PowerShell is the default configuration, but to specifically use PowerShell 7, you would need to call that endpoint while connecting.
This command registers the endpoint names to allow for remoting and are specific to the latest PowerShell version, in this case 7.0.1. We specify the -SkipNetworkProfileCheck parameter because any Public network will end the Enable-PSRemoting command early. As long as you are aware of the ramifications and proper control of this, then it is safe to run this command.
Configure the SSH server on Windows
After installation, set the SSH server to start automatically:
Start-Service -Name 'sshd'
Set-Service -Name 'sshd' -StartupType 'Automatic'
Next, we need to configure SSH before using it in PowerShell 7 remoting. Open the sshd_config with notepad or your editor of choice:
notepad $Env:ProgramData\ssh\sshd_config
Add the following configurations to the sshd_config file:
# Make sure that the subsystem line goes after the existing SFTP subsystem line
Subsystem powershell c:/progra~1/powershell/7/pwsh.exe -sshs -NoLogo -NoProfile
PasswordAuthentication yes
# Below is optional but recommended to allow use of public/private keys
PubkeyAuthentication yes
Once saved and configured, run the following command:
Restart-Service -Name 'sshd'
This will restart the SSH server and load the changed configurations.
There is a bug in the OpenSSH server version included with Windows. It requires that 8.3 short names be used for any file paths, hence c:/progra~1. To verify that you are using the correct 8.3 short name, you can use the following command to retrieve this for the Program Files folder where PowerShell 7 is installed:
Get-CimInstance Win32_Directory -Filter 'Name="C:\\Program Files"' | Select-Object EightDotThreeFileName
PowerShell 7 remoting setup on the Linux side
In this article, we will be using Ubuntu 18.04 and there are just a handful of configurations necessary to make PowerShell 7 remoting work with Linux. Follow these commands to install PowerShell 7 on Ubuntu.
wget -q https://packages.microsoft.com/config/ubuntu/18.04/packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb
sudo apt-get update
sudo add-apt-repository universe
sudo apt-get install -y powershell
Both the SSH server and client should already be installed, and there are just a few changes necessary in /etc/ssh/sshd_config. For this tutorial, we will set PasswordAuthentication to yes with the following command:
PasswordAuthentication yes
You should avoid this practice in production. Typically, it is best to use public/private keys for authentication instead of password-only, but this can be useful for testing purposes.
Finally, powershell needs to be set as a subsystem for SSH with the following command:
Subsystem powershell /usr/bin/pwsh -sshs -NoLogo -NoProfile
After the configurations are set, restart the SSHD service:
sudo service sshd restart
Remoting to Linux from Windows
To connect to remote Linux machines, it is very simple using public/private keys. First, let's set up the session for use in remoting.
$Session = New-PSSession -HostName '165.227.199.246' -KeyFilePath 'id_ed25519_key' -UserName 'root'
Enter-PSSession
In this case, we are going to draw the first five processes from the remote Linux machine. As you may be able to tell from the accounts-daemon process, we are looking at a Linux system.
Invoke-Command -Session $Session -ScriptBlock { Get-Process | Select-Object -First 5 | Format-Table -AutoSize }
Remoting to Windows from Linux
Conversely, we can remote to Windows from Linux using a very similar method.
$Session = New-PSSession -HostName '40.69.152.22' -UserName 'lc-admin'
Similar to the process when remoting to Linux from Windows, we can pull back the first five processes. As you can tell with the conhost processes, we are viewing data from a Windows machine.
Invoke-Command -Session $Session -ScriptBlock { Get-Process | Select-Object -First 5 | Format-Table -AutoSize }
More functionality will arrive in time
PowerShell 7 with SSH opens up a new world of remote system management using PowerShell between disparate systems. Although not all features are available using the SSH transport yet, such as Just Enough Administration or remote endpoint configuration, those features will no doubt come in time.
