How to Add a Linux Machine as PowerShell Host in vRO (Linux PS over SSH) (SKKB1030)


In this article we will look into the alpha version of PowerShell v6 for both Linux and Windows. We will show how to execute PowerShell commands between Linux and Windows machines and VMware vRealize Orchestrator (vRO).

Introduction

In this article we will look into the alpha version of Microsoft Windows PowerShell v6 for both Linux and Microsoft Windows. We will show how to execute PowerShell commands between Linux, Windows, and VMware vRealize Orchestrator (vRO):

  • Linux to Windows
  • Windows to Linux
  • Linux to Linux
  • vRO to Linux

We will also show how to add a Linux PowerShell (PSHost) in vRO.
Currently, the alpha version of PowerShell v6 does not support the PSCredential object, so we cannot use the Invoke-Command command to programmatically pass credentials and execute commands from vRO, through a Linux PSHost, to other Linux machines, or Windows machines. Conversely, we cannot execute from vRO –> through a Windows PSHost –> to Linux Machines.
To see how we used the Invoke-Command method to do this, see my blog Using CredSSP with the vCO PowerShell Plugin (SKKB1002).

In addition to not supporting the PSCredential object, the alpha version doesn’t support WinRM. WinRM is Microsoft’s implementation of the WS-Management protocol, a standard Simple Object Access Protocol (SOAP)-based, firewall-friendly protocol that enables hardware and operating systems from different vendors to interoperate. Therefore, when adding a Linux machine as a PowerShell host in vRO, we will be using SSH instead of WinRM as the protocol of choice.
The PowerShell v6 RTM version is expected to support WinRM, so we will be able to add the Linux PSHost with WinRM, and not SSH.
So, let’s get started.

 

Lab Environment

The logical design of this lab can be seen HERE.

 

Installing and Configuring PowerShell 6

Setup on Windows

To install PowerShell v6 (currently in alpha) on a Windows Server 2012 R2, first you need to install the Visual C++ Redistributable 2015 package as a prerequisite.
I’ve tried installing the package, but on my machine it failed with the following error.

[084C:1748][2016-09-01T14:04:47]e000: Error 0x80240017: Failed to execute MSU package.
[1AC4:17EC][2016-09-01T14:04:47]e000: Error 0x80240017: Failed to configure per-machine MSU package.
[1AC4:17EC][2016-09-01T14:04:47]i319: Applied execute package: Windows81_x64, result: 0x80240017, restart: None
[1AC4:17EC][2016-09-01T14:04:47]e000: Error 0x80240017: Failed to execute MSU package.
[084C:1748][2016-09-01T14:04:47]i372: Session end, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e46eca4f-393b-40df-9f49-076faf788d83}, resume: ARP, restart: None, disable resume: No

Note: In some cases you may have to install the entire Microsoft Visual Studio 2015 product before you are able to install the Microsoft Visual C++ Redistributable 2015 package.
An installation of PowerShell can establish PowerShell sessions to remote computers using New-PSSession and Enter-PSSession. To enable it to accept incoming PowerShell remote connections, the user must create a WinRM remoting endpoint. This is an explicit opt-in scenario where the user runs Install-PowerShellRemoting.ps1 to create the WinRM endpoint. The installation script is a short-term solution until Microsoft adds additional functionality to Enable-PSRemoting to perform the same action. For more details, see issue #1193, WinRM Plugin Registration and Modification.

You can download and install the MSI PowerShell v6 package at v6.0.0-alpha.10 release of PowerShell.

Open a PowerShell command prompt and run the Install-PowerShellRemoting.ps1 script located in the folder where you installed the package:

.\Install-PowerShellRemoting.ps1 -PowerShellHome "C:\Program Files\PowerShell\6.0.0.9" -PowerShellVersion "6.0.0-alpha.9"

When running the command you may receive an error similar to the following:

The WS-Management service cannot process the request. Configuration for plugin: "powershell." is corrupt.

To resolve this, open a CMD prompt and run:

winrm invoke Restore http://schemas.microsoft.com/wbem/wsman/1/config/plugin @{}

Run the above PowerShell command again; this time it should complete successfully.

Now let’s open a PowerShell v6 console.
Note: If you open the usual PowerShell console it will not open a PowerShell v6 console. In my case I already have PowerShell v5 installed. You can check which version of PowerShell you are running in the console by running the following command:

$PSVersionTable.PSVersion

In my case if I open the usual PowerShell console and run the command I see PS v5:

If you want to open the PowerShell v6 console you can access it from the start menu:

If you receive the following error, you haven’t installed the Visual C++ Redistributable 2015 prerequisite package.

Check the PowerShell version to verify it is the one you need:

If you want to access PowerShell v6 from the default PowerShell console you have to create a new PSSession and use the PowerShell.6.0.0-alpha.9 configuration name:

$session = New-PSSession -ComputerName localhost -ConfigurationName "powershell.6.0.0-alpha.9"
Enter-PSSession $session

 

Setup on Linux

PowerShell 6 for Linux supports Ubuntu 14.04, Ubuntu 16.04, CentOS 7, and macOS 10.11. All packages are available on our GitHub releases page.
I have CentOS 7.1 as my Linux PowerShell VM.
Execute the following in the terminal to install PowerShell 6 on CentOS Linux:

sudo yum install powershell-6.0.0_alpha.9-1.el7.centos.x86_64.rpm

You can also install the RPM without the intermediate step of downloading it:

sudo yum install https://github.com/PowerShell/PowerShell/releases/download/v6.0.0-alpha.9/powershell-6.0.0_alpha.9-1.el7.centos.x86_64.rpm

Paths:

  • $PSHOME is /opt/microsoft/powershell/6.0.0-alpha.9/
  • User profiles will be read from ~/.config/powershell/profile.ps1
  • Default profiles will be read from $PSHOME/profile.ps1
  • User modules will be read from ~/.local/share/powershell/Modules
  • Shared modules will be read from /usr/local/share/powershell/Modules
  • Default modules will be read from $PSHOME/Modules
  • PSReadLine history will be recorded to ~/.local/share/powershell/PSReadLine/ConsoleHost_history.txt

For more Installation options, visit Package installation instructions

Open an SSH session to the Linux machine and run the following command to enter PowerShell:

powershell

Installing and Configuring OpenSSH

PowerShell remoting normally uses WinRM for connection negotiation and data transport. SSH was chosen for this remoting implementation since it is now available for both Linux and Windows platforms and allows true multiplatform PowerShell remoting. However, WinRM also provides a robust hosting model for PowerShell remote sessions which this implementation does not yet do. And this means that PowerShell remote endpoint configuration and JEA (Just Enough Administration) is not yet supported in this implementation.

PowerShell SSH remoting lets you do basic PowerShell session remoting between Windows and Linux machines. This is done by creating a PowerShell hosting process on the target machine as an SSH subsystem. Eventually this will be changed to a more general hosting model similar to how WinRM works in order to support endpoint configuration and JEA.

The New-PSSession, Enter-PSSession and Invoke-Command cmdlets now have a new parameter set to facilitate this new remoting connection:

[-HostName <string>]  [-UserName <string>]  [-KeyPath <string>]

This new parameter set will likely change but for now allows you to create SSH PSSessions that you can interact with from the command line or invoke commands and scripts on. You specify the target machine with the HostName parameter and provide the user name with UserName. When running the cmdlets interactively at the PowerShell command line you will be prompted for a password. But you also have the option to use SSH key authentication and provide a private key file path with the KeyPath parameter. Note that PSCredential is not yet supported.

SSH is required to be installed on all machines.

  • You should install both client (ssh.exe) and server (sshd.exe) so that you can experiment with remoting to and from the machines.
  • For Windows you will need to install Win32 Open SSH from GitHub.
  • For Linux you will need to install SSH (including server) appropriate to your platform.
  • You will also need a recent PowerShell build or package from GitHub having the SSH remoting feature. SSH Subsystems is used to establish a PowerShell process on the remote machine and the SSH server will need to be configured for that.
  • In addition you will need to enable password authentication and optionally key based authentication.

Setup on Windows

Download and install the latest Win32 OpenSSH. For compatibility issues on Nano, see issues on Nano.
Extract the contents to C:\Program Files\OpenSSH
Start PowerShell as Administrator and run:

cd 'C:\Program Files\OpenSSH'

Install sshd and ssh-agent services by running the following command:

powershell.exe .\install-sshd.ps1

Set up the SSH host keys (this will generate all the ‘host’ keys that sshd expects when it starts) by running the following command:

.\ssh-keygen.exe -A

Secure SSH host keys (optional)

Start-Service ssh-agent

Download psexec from here and launch cmd.exe as SYSTEM

psexec.exe -i -s cmd.exe

Register host keys in above cmd.exe

ssh-add ssh_host_dsa_key
ssh-add ssh_host_rsa_key
ssh-add ssh_host_ecdsa_key
ssh-add ssh_host_ed25519_key

Host private keys are now securely stored by ssh-agent, private key files can be removed at this point.
Open Firewall

New-NetFirewallRule -Protocol TCP -LocalPort 22 -Direction Inbound -Action Allow -DisplayName SSH

If you need key-based authentication, run the following to setup the key-auth package
powershell.exe .\install-sshlsa.ps1

Restart-Computer

Set sshd in auto-start mode and open up firewall (optional)

Set-Service sshd -StartupType Automatic
Set-Service ssh-agent -StartupType Automatic

Make the service start on boot (PowerShell): Set-Service sshd -StartupType Automatic
Edit the sshd_config file at the location where you installed Win32 Open SSH
Make sure password authentication is enabled

PasswordAuthentication yes

Add a PowerShell subsystem entry

Subsystem powershell PowerShell_Install_Path\powershell.exe -sshs -NoLogo -NoProfile

Optionally enable key authentication

RSAAuthentication yes
PubkeyAuthentication yes

Restart the sshd service

Restart-Service sshd

Add the path where OpenSSH is installed to your Path Env Variable
This should be along the lines of C:\OpenSSH\

This allows for the ssh.exe to be found, and resolves the issue you may see as reported in issue #2003, Improve error message for PSRP over SSH when ssh.exe is unavailable in your PATH, with Invoke-Command New-PSSession & Enter-PSSession.

For the detailed manual, visit Install Win32 OpenSSH

Setup on Linux

Download and install the OpenSSH Server and Client packages on your Linux machine.

SSH server settings are stored in the /etc/ssh/sshd_config file.
Edit the file and allow the following Authentications:

RSAAuthentication yes
PubkeyAuthentication yes

Enable Password authentication:

PasswordAuthentication yes

Add the Powershell Subsystem:

Subsystem powershell powershell -sshs -NoLogo -NoProfile

Restart sshd.
For more sshd_config references for CentOS, visit Securing OpenSSH
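
A check for the sshd_config edits above, added here as an example (it is not from the original article or from the PowerShell or OpenSSH projects): it confirms that an active Subsystem powershell line exists, that its switches use plain ASCII hyphens rather than typographic dashes picked up when copying from a web page, and reports the state of password and public-key authentication. The function names are made up for this example, and Match blocks are ignored.

```shell
#!/bin/sh
# Added example: lint an sshd_config for the PowerShell subsystem setup
# described above. All function names are hypothetical.

# First global value of a keyword. sshd keeps the first value it reads and
# keywords are case-insensitive; parsing stops at the first Match block.
first_value() {
    LC_ALL=C awk -v k="$2" 'tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# First active "Subsystem powershell ..." line, whitespace normalised.
ps_subsystem_line() {
    LC_ALL=C awk 'tolower($1) == "subsystem" && $2 == "powershell" {
        $1 = $1; print; exit }' "$1"
}

# Prints findings; returns 1 if the subsystem entry is missing or unusable.
audit_sshd_config() {
    cfg=$1; bad=0
    line=$(ps_subsystem_line "$cfg")
    if [ -z "$line" ]; then
        echo "FAIL: no 'Subsystem powershell' entry"; bad=1
    elif printf '%s\n' "$line" | LC_ALL=C grep -q '[^[:print:][:space:]]'; then
        echo "FAIL: non-ASCII byte in Subsystem line (typographic dash?)"; bad=1
    else
        case " $line " in
            *" -sshs "*) echo "OK: $line" ;;
            *) echo "FAIL: Subsystem line lacks -sshs"; bad=1 ;;
        esac
    fi
    pw=$(first_value "$cfg" PasswordAuthentication)
    pk=$(first_value "$cfg" PubkeyAuthentication)
    # OpenSSH defaults both options to yes when they are not set.
    if [ "${pw:-yes}" = yes ]; then
        echo "WARN: PasswordAuthentication yes (password logins allowed; prefer keys where the client supports them)"
    fi
    if [ "${pk:-yes}" != yes ]; then
        echo "WARN: PubkeyAuthentication disabled, -KeyPath logins will fail"
    fi
    return "$bad"
}

# Constructed sample: a Subsystem line pasted with an en dash (bytes E2 80 93).
sample=$(mktemp)
printf 'PasswordAuthentication yes\nSubsystem powershell powershell \342\200\223sshs -NoLogo -NoProfile\n' > "$sample"
audit_sshd_config "$sample" || echo "audit failed for constructed sample"
rm -f "$sample"
```

Point audit_sshd_config at /etc/ssh/sshd_config after editing it, then run sshd -t so that sshd itself validates the file before you restart the service.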

 

Editing the Kerberos Realm on the Linux PSHost

Configure the krb5.conf file and add your domain for Kerberos authentication.
Configure it the same way we did in Using CredSSP with the vCO PowerShell Plugin (SKKB1002).

In this example, I’ve added my VMware.com Active Directory domain for Kerberos Authentication.

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = VMWARE.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
VMWARE.COM = {
kdc = lan1dc1.vmware.com
admin_server = lan1dc1.vmware.com
}
[domain_realm]
.vmware.com = VMWARE.COM
vmware.com = VMWARE.COM

At this point I restart both the Linux PS Host and the Windows machines to apply all changes.

 

Testing PowerShell Execution and Remoting

Now let’s test some PowerShell executions between the Windows and the Linux PowerShell machines.

Windows to Linux

Let’s first test executing a remote command from our Windows to our Linux PowerShell machine.
We will run simple Get-Date and hostname commands on the Linux machine.
Open a PowerShell 6 console on the Windows machine and run :

$session = New-PSSession -HostName ps-lux-a-01.vmware.com -UserName administrator@vmware.com
Invoke-Command $session -ScriptBlock { Get-Date; hostname }

 

Linux to Windows

Now let’s test executing a remote command from our Linux to our Windows PowerShell machine.
We will run simple Get-Date and hostname commands on the Windows machine.
Enter into PowerShell on the Linux machine and run :

$session = New-PSSession -HostName lan1dc1.vmware.com -UserName administrator@vmware.com
Invoke-Command $session -ScriptBlock { Get-Date; hostname }

 

Linux to Linux

I don’t have a second Linux PowerShell machine, but in the same manner as above, you can test from Linux to Linux PowerShell machine.

 

Adding Linux as a Linux PowerShell Host in vRO

Use the steps defined in the Add the PowerShell Host to vCO chapter from Using CredSSP with the vCO PowerShell Plugin (SKKB1002) article.

We will be adding the host as SSH. WinRM will be supported in the initial RTM release of PowerShell v6.
Note: The latest versions of the PowerShell plugin for vRO do not support SSH, so you should use a previous version of the plugin to get that functionality.

Use the following settings:
PowerShell remote host type: SSH
User Name: administrator_account@domain_name

To test the Linux PSHost use the Invoke a PowerShell script workflow and execute the following simple command:

Get-Date; hostname; whoami

               

Currently, the alpha version of PowerShell v6 does not support the PSCredential object, so we cannot use the Invoke-Command command to programmatically pass credentials and execute commands from vRO, through the Linux PSHost, to other Linux machines or Windows machines.
Conversely, we cannot execute from vRO, through a Windows PSHost, to Linux machines.
We did this in Using CredSSP with the vCO PowerShell Plugin (SKKB1002).

The first RTM version is also expected to support WinRM, so we will be able to add the Linux PSHost with WinRM and not SSH.

References

PowerShell Remoting Over SSH
Known Issues for PowerShell on Non-Windows Platforms
Package installation instructions
v6.0.0-alpha.9 release of PowerShell
Package Installation Instructions (Windows)
Installing Kerberos on Redhat 7
PowerShell on Linux and Open Source!

Final Step

If all went well, go grab a beer.
