How to Add a Linux Machine as PowerShell Host in vRO (Linux PS over SSH) (SKKB1030) | Spas Kaloferov's Blog

How to Add a Linux Machine as PowerShell Host in vRO (Linux PS over SSH) (SKKB1030)

In this article we will look into the alpha version of PowerShell v6 for both Linux and Windows. We will show how to execute PowerShell commands between Linux and Windows machines and VMware vRealize Orchestrator (vRO).

Introduction

In this article we will look into the alpha version of Microsoft Windows PowerShell v6 for both Linux and Microsoft Windows. We will show how to execute PowerShell commands between Linux, Windows, and VMware vRealize Orchestrator (vRO):

  • Linux to Windows
  • Windows to Linux
  • Linux to Linux
  • vRO to Linux

We will also show how to add a Linux PowerShell (PSHost) in vRO.
Currently, the alpha version of PowerShell v6 does not support the PSCredential object, so we cannot use the Invoke-Command command to programmatically pass credentials and execute commands from vRO, through a Linux PSHost, to other Linux machines, or Windows machines. Conversely, we cannot execute from vRO –> through a Windows PSHost –> to Linux Machines.
To see how we used the Invoke-Command method to do this, see my blog Using CredSSP with the vCO PowerShell Plugin (SKKB1002).

In addition to not supporting the PSCredential object, the alpha version doesn’t support WinRM. WinRM is Microsoft’s implementation of the WS-Management protocol, a standard Simple Object Access Protocol (SOAP)-based, firewall-friendly protocol that enables hardware and operating systems from different vendors to interoperate. Therefore, when adding a Linux machine as a PowerShell host in vRO, we will be using SSH instead of WinRM as the protocol of choice.
The PowerShell v6 RTM version is expected to support WinRM, so we will be able to add the Linux PSHost with WinRM, and not SSH.
So, let’s get started.

 

Lab Environment

The logical design of this lab can be seen HERE.

 

Installing and Configuring PowerShell 6

Setup on Windows

To install PowerShell v6 (currently in alpha) on a Windows Server 2012 R2, first you need to install the Visual C++ Redistributable 2015 package as a prerequisite.
I’ve tried installing the package, but on my machine it failed with the following error.

[084C:1748][2016-09-01T14:04:47]e000: Error 0x80240017: Failed to execute MSU package.
[1AC4:17EC][2016-09-01T14:04:47]e000: Error 0x80240017: Failed to configure per-machine MSU package.
[1AC4:17EC][2016-09-01T14:04:47]i319: Applied execute package: Windows81_x64, result: 0x80240017, restart: None
[1AC4:17EC][2016-09-01T14:04:47]e000: Error 0x80240017: Failed to execute MSU package.
[084C:1748][2016-09-01T14:04:47]i372: Session end, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e46eca4f-393b-40df-9f49-076faf788d83}, resume: ARP, restart: None, disable resume: No

Note: In some cases you may have to install the entire Microsoft Visual Studio 2015 product before you are able to install the Microsoft Visual C++ Redistributable 2015 package.
An installation of PowerShell can establish PowerShell sessions to remote computers using New-PSSession and Enter-PSSession. To enable it to accept incoming PowerShell remote connections, the user must create a WinRM remoting endpoint. This is an explicit opt-in scenario where the user runs Install-PowerShellRemoting.ps1 to create the WinRM endpoint. The installation script is a short-term solution until Microsoft adds additional functionality to Enable-PSRemoting to perform the same action. For more details, see issue #1193, WinRM Plugin Registration and Modification.

You can download and install the MSI PowerShell v6 package from the v6.0.0-alpha.10 release of PowerShell.

Open a PowerShell command prompt and run the Install-PowerShellRemoting.ps1 script located in the folder where you installed the package:

.\Install-PowerShellRemoting.ps1 -PowerShellHome "C:\Program Files\PowerShell\6.0.0.9" -PowerShellVersion "6.0.0-alpha.9"

When running the command you may receive an error similar to the following:

The WS-Management service cannot process the request. Configuration for plugin: "powershell." is corrupt.

To resolve this, open a CMD prompt and run:

winrm invoke Restore http://schemas.microsoft.com/wbem/wsman/1/config/plugin @{}

Run the above PowerShell command again; this time it should complete successfully.

Now let’s open a PowerShell v6 console.
Note: If you open the usual PowerShell console it will not open a PowerShell v6 console. In my case I already have PowerShell v5 installed. You can check which version of PowerShell you are running in the console by running the following command:

$PSVersionTable.PSVersion

In my case if I open the usual PowerShell console and run the command I see PS v5:

If you want to open the PowerShell v6 console you can access it from the start menu:

If you receive the following error, you haven’t installed the Visual C++ Redistributable 2015 prerequisite package.

Check the PowerShell version to verify it is the one you need:

If you want to access PowerShell v6 from the default PowerShell console you have to create a new PSSession and use the PowerShell.6.0.0-alpha.9 configuration name:

$session = New-PSSession -ComputerName localhost -ConfigurationName "powershell.6.0.0-alpha.9"
Enter-PSSession $session

 

Setup on Linux

PowerShell 6 for Linux supports Ubuntu 14.04, Ubuntu 16.04, CentOS 7, and macOS 10.11. All packages are available on our GitHub releases page.
I have CentOS 7.1 as my Linux PowerShell VM.
Execute the following in the terminal to install PowerShell 6 on CentOS Linux:

sudo yum install powershell-6.0.0_alpha.9-1.el7.centos.x86_64.rpm

You can also install the RPM without the intermediate step of downloading it:

sudo yum install https://github.com/PowerShell/PowerShell/releases/download/v6.0.0-alpha.9/powershell-6.0.0_alpha.9-1.el7.centos.x86_64.rpm

Paths:

  • $PSHOME is /opt/microsoft/powershell/6.0.0-alpha.9/
  • User profiles will be read from ~/.config/powershell/profile.ps1
  • Default profiles will be read from $PSHOME/profile.ps1
  • User modules will be read from ~/.local/share/powershell/Modules
  • Shared modules will be read from /usr/local/share/powershell/Modules
  • Default modules will be read from $PSHOME/Modules
  • PSReadLine history will be recorded to ~/.local/share/powershell/PSReadLine/ConsoleHost_history.txt

For more Installation options, visit Package installation instructions

Open an SSH session to the Linux machine and run the following command to enter PowerShell:

powershell

Installing and Configuring OpenSSH

PowerShell remoting normally uses WinRM for connection negotiation and data transport. SSH was chosen for this remoting implementation since it is now available for both Linux and Windows platforms and allows true multiplatform PowerShell remoting. However, WinRM also provides a robust hosting model for PowerShell remote sessions which this implementation does not yet do. And this means that PowerShell remote endpoint configuration and JEA (Just Enough Administration) is not yet supported in this implementation.

PowerShell SSH remoting lets you do basic PowerShell session remoting between Windows and Linux machines. This is done by creating a PowerShell hosting process on the target machine as an SSH subsystem. Eventually this will be changed to a more general hosting model similar to how WinRM works in order to support endpoint configuration and JEA.

The New-PSSession, Enter-PSSession and Invoke-Command cmdlets now have a new parameter set to facilitate this new remoting connection:

[-HostName <string>]  [-UserName <string>]  [-KeyPath <string>]

This new parameter set will likely change but for now allows you to create SSH PSSessions that you can interact with from the command line or invoke commands and scripts on. You specify the target machine with the HostName parameter and provide the user name with UserName. When running the cmdlets interactively at the PowerShell command line you will be prompted for a password. But you also have the option to use SSH key authentication and provide a private key file path with the KeyPath parameter. Note that PSCredential is not yet supported.

SSH is required to be installed on all machines.

  • You should install both client (ssh.exe) and server (sshd.exe) so that you can experiment with remoting to and from the machines.
  • For Windows you will need to install Win32 Open SSH from GitHub.
  • For Linux you will need to install SSH (including server) appropriate to your platform.
  • You will also need a recent PowerShell build or package from GitHub having the SSH remoting feature. SSH Subsystems is used to establish a PowerShell process on the remote machine and the SSH server will need to be configured for that.
  • In addition you will need to enable password authentication and optionally key based authentication.

Setup on Windows

Download and install the latest Win32 OpenSSH. For compat issues on Nano see issues on Nano.
Extract the contents to C:\Program Files\OpenSSH
Start PowerShell as Administrator and run:

cd 'C:\Program Files\OpenSSH'

Install sshd and ssh-agent services by running the following command:

powershell.exe .\install-sshd.ps1

Set up the SSH host keys (this will generate all the ‘host’ keys that sshd expects when it starts) by running the following command:

.\ssh-keygen.exe -A

Secure SSH host keys (optional)

Start-Service ssh-agent

Download psexec from here and launch cmd.exe as SYSTEM:

psexec.exe -i -s cmd.exe

Register host keys in above cmd.exe

ssh-add ssh_host_dsa_key
ssh-add ssh_host_rsa_key
ssh-add ssh_host_ecdsa_key
ssh-add ssh_host_ed25519_key

Host private keys are now securely stored by ssh-agent; the private key files can be removed at this point.
Open Firewall

New-NetFirewallRule -Protocol TCP -LocalPort 22 -Direction Inbound -Action Allow -DisplayName SSH

If you need key-based authentication, run the following to set up the key-auth package:

powershell.exe .\install-sshlsa.ps1

Restart-Computer

Set sshd in auto-start mode and open up firewall (optional)

Set-Service sshd -StartupType Automatic
Set-Service ssh-agent -StartupType Automatic

Make the service start on boot (PowerShell): Set-Service sshd -StartupType Automatic
Edit the sshd_config file at the location where you installed Win32 Open SSH
Make sure password authentication is enabled

PasswordAuthentication yes

Add a PowerShell subsystem entry

Subsystem powershell PowerShell_Install_Path\powershell.exe -sshs -NoLogo -NoProfile

Optionally enable key authentication

RSAAuthentication yes
PubkeyAuthentication yes

Restart the sshd service

Restart-Service sshd

Add the path where OpenSSH is installed to your Path Env Variable
This should be along the lines of C:\OpenSSH\

This allows for the ssh.exe to be found, and resolves the issue you may see as reported in issue #2003, Improve error message for PSRP over SSH when ssh.exe is unavailable in your PATH, with Invoke-Command New-PSSession & Enter-PSSession.

For the detailed manual, visit Install Win32 OpenSSH

Setup on Linux

Download and install the OpenSSH Server and Client packages on your Linux machine.

SSH server settings are stored in the /etc/ssh/sshd_config file.
Edit the file and allow the following Authentications:

RSAAuthentication yes
PubkeyAuthentication yes

Enable Password authentication:

PasswordAuthentication yes

Add the Powershell Subsystem:

Subsystem powershell powershell -sshs -NoLogo -NoProfile

Restart sshd.
For more sshd_config references for CentOS, visit Securing OpenSSH
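
The sshd_config edits above are easy to get subtly wrong when copied from a web page, where a typographic dash can replace the ASCII hyphen in front of a switch. The following check is an added example, not part of the original post; the function names and the sample file are constructed for illustration, and it assumes a POSIX shell with awk.

```sh
#!/bin/sh
# Added example, not from the original post: lint an sshd_config for the
# PowerShell subsystem entry before restarting sshd.

# First value of a keyword (sshd uses the first one it reads; case-insensitive).
first_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# Prints one finding per line; returns 1 if any finding is FAIL.
check_sshd_config() {
    cfg=$1; rc=0
    # An en dash or curly quote pasted from a web page is not an ASCII "-",
    # so "–sshs" is not the -sshs switch. Flag any byte outside tab/0x20-0x7E.
    bad=$(LC_ALL=C awk '/[^\t -~]/ { printf "%s ", NR }' "$cfg")
    [ -z "$bad" ] || { echo "FAIL non-ASCII bytes on line(s): $bad"; rc=1; }

    # Exactly one active (uncommented) "Subsystem powershell" line, with -sshs.
    n=$(awk 'tolower($1) == "subsystem" && $2 == "powershell" { c++ }
             END { print c + 0 }' "$cfg")
    line=$(awk 'tolower($1) == "subsystem" && $2 == "powershell" { print; exit }' "$cfg")
    if [ "$n" -ne 1 ]; then
        echo "FAIL expected one 'Subsystem powershell' line, found $n"; rc=1
    else
        case " $line " in
            *" -sshs "*) echo "OK   $line" ;;
            *) echo "FAIL subsystem command lacks -sshs: $line"; rc=1 ;;
        esac
    fi

    # The post logs in with a password, or with a key via -KeyPath.
    pw=$(first_value "$cfg" PasswordAuthentication)
    pk=$(first_value "$cfg" PubkeyAuthentication)
    echo "INFO PasswordAuthentication=${pw:-default} PubkeyAuthentication=${pk:-default}"
    if [ "$pw" = no ] && [ "$pk" = no ]; then
        echo "FAIL password and public-key authentication are both disabled"; rc=1
    fi
    return "$rc"
}

# Constructed sample: the Linux settings with typographic dashes pasted in.
demo() {
    f=$(mktemp)
    printf '%s\n' 'PasswordAuthentication yes' 'PubkeyAuthentication yes' \
        'Subsystem powershell powershell –sshs –NoLogo -NoProfile' > "$f"
    check_sshd_config "$f" || echo "=> fix the file before restarting sshd"
    rm -f "$f"
}
demo
```

To check the real file, call check_sshd_config /etc/ssh/sshd_config after sourcing the functions.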

 

Editing the Kerberos Realm on the Linux PSHost

Configure the krb5.conf file and add your domain for Kerberos authentication.
Configure it the same way we did in Using CredSSP with the vCO PowerShell Plugin (SKKB1002).

In this example, I’ve added my VMware.com Active Directory domain for Kerberos Authentication.

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = VMWARE.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
VMWARE.COM = {
kdc = lan1dc1.vmware.com
admin_server = lan1dc1.vmware.com
}
[domain_realm]
.vmware.com = VMWARE.COM
vmware.com = VMWARE.COM

At this point I restart both the Linux PS Host and the Windows machines to apply all changes.

 

Testing PowerShell Execution and Remoting

Now let’s test some PowerShell executions between the Windows and the Linux PowerShell machines.

Windows to Linux

Let’s first test executing a remote command from our Windows to our Linux PowerShell machine.
We will run simple Get-Date and hostname commands on the Linux machine.
Open a PowerShell 6 console on the Windows machine and run:

$session = New-PSSession -HostName ps-lux-a-01.vmware.com -UserName administrator@vmware.com
Invoke-Command $session -ScriptBlock { Get-Date; hostname }

 

Linux to Windows

Let’s first test executing a remote command from our Linux to our Windows PowerShell machine.
We will run simple Get-Date and hostname commands on the Windows machine.
Enter PowerShell on the Linux machine and run:

$session = New-PSSession -HostName lan1dc1.vmware.com -UserName administrator@vmware.com
Invoke-Command $session -ScriptBlock { Get-Date; hostname }

 

Linux to Linux

I don’t have a second Linux Powershell machine, but in the same manner as above, you can test from Linux to Linux PowerShell machine.

 

Adding Linux as a Linux PowerShell Host in vRO

Use the steps defined in the Add the PowerShell Host to vCO chapter from Using CredSSP with the vCO PowerShell Plugin (SKKB1002) article.

We will be adding the host as SSH. WinRM will be supported in the initial RTM release of PowerShell v6.
Note: The latest versions of the PowerShell plugin for vRO do not support SSH, so you should use a previous version of the plugin to get that functionality.

Use the following settings:
PowerShell remote host type: SSH
User Name: administrator_account@domain_name

To test the Linux PSHost use the Invoke a PowerShell script workflow and execute the following simple command:

Get-Date; hostname; whoami

               

Currently, the alpha version of PowerShell v6 does not support the PSCredential object, so we cannot use the Invoke-Command command to programmatically pass credentials and execute commands from vRO, through the Linux PSHost, to other Linux machines or Windows machines.
Conversely, we cannot execute from vRO, through a Windows PSHost, to Linux machines.
We did this in Using CredSSP with the vCO PowerShell Plugin (SKKB1002).

The first RTM version is also expected to support WinRM, so we will be able to add the Linux PSHost with WinRM and not SSH.

References

PowerShell Remoting Over SSH
Known Issues for PowerShell on Non-Windows Platforms
Package installation instructions
v6.0.0-alpha.9 release of PowerShell
Package Installation Instructions (Windows)
Installing Kerberos on Redhat 7
PowerShell on Linux and Open Source!

Final Step

If all went well, go grab a beer.
