@Snozzberries
Last active April 17, 2024 14:29

Example SSH Server Initialization

The SSH server's sshd_config must set GSSAPIAuthentication yes so sshd accepts Kerberos logins; the default Windows file ships it commented out as "#GSSAPIAuthentication no", which the script below rewrites. The same script registers the "Subsystem powershell" line that PowerShell remoting over SSH (Enter-PSSession -HostName) depends on.

Ref: https://snozzberries.github.io/2023/08/29/powershell-ssh.html

# Resolve the latest PowerShell release tag from the GitHub redirect without following it
$r = [System.Net.WebRequest]::Create("https://github.com/PowerShell/PowerShell/releases/latest")
$r.AllowAutoRedirect = $false
$r.Method = "Head"
$t = $r.GetResponse().Headers["Location"]          # e.g. https://github.com/PowerShell/PowerShell/releases/tag/v7.4.2
$v = $t.Substring($t.IndexOf("/tag/v") + 6)        # everything after "/tag/v" is the version
# Download the x64 MSI and install it silently with a verbose log next to it
irm https://github.com/PowerShell/PowerShell/releases/download/v$v/PowerShell-$v-win-x64.msi -OutFile ".\PowerShell-$v-win-x64.msi"
Start-Process msiexec.exe -Wait -ArgumentList "/I PowerShell-$v-win-x64.msi /quiet /l*v .\PowerShell-$v-win-x64.msi.log"
# Install the OpenSSH Server capability, start sshd and make it start with the machine
Get-WindowsCapability -Online | ? { $_.Name -like "OpenSSH.Server*" } | Add-WindowsCapability -Online
Start-Service sshd
Set-Service -Name sshd -StartupType 'Automatic'
# Capability setup normally creates this inbound rule already; only add it if it is missing
if (-not (Get-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -ErrorAction SilentlyContinue)) {
  New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
}
# Make pwsh the login shell (the 8.3 short path avoids the space in "Program Files")
New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "c:/progra~1/powershell/7/pwsh.exe" -PropertyType String -Force
# Back up sshd_config, then register the PowerShell subsystem and enable password and GSSAPI (Kerberos) authentication
cp "$env:ProgramData\ssh\sshd_config" "$env:ProgramData\ssh\sshd_config.old"
(gc "$env:ProgramData\ssh\sshd_config") -replace "# override default of no subsystems", "$&`nSubsystem powershell c:/progra~1/powershell/7/pwsh.exe -sshs -nologo -noprofile" | sc $env:ProgramData\ssh\sshd_config
(gc "$env:ProgramData\ssh\sshd_config") -replace "#PasswordAuthentication yes", "PasswordAuthentication yes" | sc $env:ProgramData\ssh\sshd_config   # switch to "no" once Kerberos logins work if passwords over SSH are not wanted
(gc "$env:ProgramData\ssh\sshd_config") -replace "#GSSAPIAuthentication no", "GSSAPIAuthentication yes" | sc $env:ProgramData\ssh\sshd_config
Restart-Service sshd
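
The following is an added verification script, not part of the original gist, that checks the state the initialization above should have produced before the host is opened to logins: the downloaded MSI is Authenticode-signed by Microsoft, sshd runs and autostarts, port 22 is listening behind the firewall rule, the effective sshd_config carries the GSSAPI, password and Subsystem settings, and DefaultShell resolves to a real file. It assumes the same paths, registry key, rule name and MSI file name pattern as the script above.

```powershell
# Added example (not from the original gist): verify the sshd setup performed above.
# Assumes the paths, registry key, firewall rule name and MSI name pattern used in that script.
function Test-SshdSetup {
    $findings = [System.Collections.Generic.List[string]]::new()

    # The MSI came straight from GitHub over HTTPS; confirm Microsoft actually signed it.
    $msi = Get-ChildItem -Path . -Filter 'PowerShell-*-win-x64.msi' | Select-Object -First 1
    if ($msi) {
        $sig = Get-AuthenticodeSignature -FilePath $msi.FullName
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            $findings.Add("MSI $($msi.Name): signature $($sig.Status), signer '$($sig.SignerCertificate.Subject)'")
        }
    } else {
        $findings.Add('No PowerShell MSI found in the current directory to verify')
    }

    # Service installed, running and set to start with the machine.
    $svc = Get-Service -Name sshd -ErrorAction SilentlyContinue
    if (-not $svc)                          { $findings.Add('sshd service is not installed') }
    elseif ($svc.Status -ne 'Running')      { $findings.Add("sshd service is $($svc.Status)") }
    elseif ($svc.StartType -ne 'Automatic') { $findings.Add("sshd StartType is $($svc.StartType)") }

    # Listening on TCP 22 and allowed in by the firewall rule.
    if (-not (Get-NetTCPConnection -LocalPort 22 -State Listen -ErrorAction SilentlyContinue)) {
        $findings.Add('Nothing is listening on TCP 22')
    }
    $rule = Get-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -ErrorAction SilentlyContinue
    if (-not $rule -or $rule.Enabled -ne 'True') {
        $findings.Add('Inbound firewall rule OpenSSH-Server-In-TCP is missing or disabled')
    }

    # Effective sshd_config: sshd honours the first occurrence of a keyword, so
    # look only at active (uncommented) lines and take the first match.
    $cfgPath = "$env:ProgramData\ssh\sshd_config"
    $active  = Get-Content -Path $cfgPath | Where-Object { $_ -match '^\s*[^#\s]' }
    $want    = [ordered]@{ GSSAPIAuthentication = 'yes'; PasswordAuthentication = 'yes' }
    foreach ($kw in $want.Keys) {
        $line = $active | Where-Object { $_ -match "^\s*$kw\s+\S+" } | Select-Object -First 1
        $val  = if ($line) { ($line.Trim() -split '\s+', 3)[1] } else { '<unset>' }
        if ($val -ne $want[$kw]) { $findings.Add("$kw is '$val', expected '$($want[$kw])'") }
    }
    if (-not ($active | Where-Object { $_ -match '^\s*Subsystem\s+powershell\s+' })) {
        $findings.Add('No "Subsystem powershell" line; Enter-PSSession -HostName will fail')
    }

    # DefaultShell must resolve to a real pwsh.exe; the 8.3 form (progra~1) only
    # works when short names are enabled on the system volume.
    $shell = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\OpenSSH' -ErrorAction SilentlyContinue).DefaultShell
    if (-not $shell) {
        $findings.Add('DefaultShell is not set; SSH logins will get cmd.exe')
    } elseif (-not (Test-Path -LiteralPath $shell)) {
        $findings.Add("DefaultShell '$shell' does not resolve to a file")
    }

    return $findings
}

$result = Test-SshdSetup
if ($result.Count -eq 0) { 'sshd setup looks consistent' } else { $result }
```

Run it from the same elevated prompt and directory as the initialization script; an empty result means every check passed, otherwise each finding names the setting to fix.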

Example SSH client connection

The client has to pass two SSH options to use Kerberos: GSSAPIAuthentication yes, so ssh authenticates with the user's Kerberos ticket instead of a password or key, and GSSAPIDelegateCredentials yes, so the user's Kerberos credentials are forwarded to the server for use on the user's behalf. The -Options parameter of Enter-PSSession (PowerShell 7.1 or later) hands these through to the ssh client. Forwarding credentials is a trust decision; only set GSSAPIDelegateCredentials for servers trusted to hold them.

# Passed through to ssh by -Options; both are needed for a Kerberos (GSSAPI) login
$options = @{
  GSSAPIDelegateCredentials = "yes"   # forward the user's Kerberos credentials to the server
  GSSAPIAuthentication = "yes"        # authenticate with the user's Kerberos ticket
}
Enter-PSSession -HostName <FQDN> -Options $options   # use the server's FQDN so its host SPN is found

Kerberos Double Hop

Enable resource-based constrained delegation (RBCD) so that the first hop's computer account may obtain Kerberos tickets to the second hop on behalf of the signed-in user. The right is granted on the second hop's computer object, not on the first hop.

<Second Hop Server> is a resource you intend to access from within the remote session.

<First Hop Server> is the SSH server, the system the session runs on and which must reach the second hop.

# Requires the ActiveDirectory module (RSAT) and write access to the second hop's computer object
$splat = @{
  Identity = (Get-ADComputer <Second Hop Server>)
  # This replaces the existing list; include any other principals that must keep delegation rights
  PrincipalsAllowedToDelegateToAccount = (Get-ADComputer <First Hop Server>)
}
Set-ADComputer @splat
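
The following is an added example, not part of the original gist, that reads the RBCD entry back from the second hop's computer object and then exercises the second hop from inside an SSH-based session opened with the client options above. The host names SSH01 (first hop, the SSH server) and FILE01 (second hop), the domain example.internal and the share name are placeholders, not values from the gist.

```powershell
# Added example (not from the original gist). SSH01, FILE01, example.internal
# and the share name are placeholder assumptions.
Import-Module ActiveDirectory

$firstHop  = 'SSH01'
$secondHop = 'FILE01'
$domain    = 'example.internal'
$share     = 'Data'          # any share the signed-in user may read on the second hop

# 1. Read back the delegation list on the second hop. The friendly
#    PrincipalsAllowedToDelegateToAccount view is what Set-ADComputer wrote
#    into msDS-AllowedToActOnBehalfOfOtherIdentity; the first hop's DN must be in it.
$target     = Get-ADComputer -Identity $secondHop -Properties PrincipalsAllowedToDelegateToAccount
$allowed    = @($target.PrincipalsAllowedToDelegateToAccount)
$firstHopDn = (Get-ADComputer -Identity $firstHop).DistinguishedName
if ($allowed -notcontains $firstHopDn) {
    throw "$secondHop does not allow $firstHop to delegate; current list: $($allowed -join ', ')"
}
"RBCD ok: $secondHop trusts $($allowed.Count) principal(s), including $firstHop"

# 2. Connect to the first hop the same way the client section does.
$options = @{ GSSAPIAuthentication = 'yes'; GSSAPIDelegateCredentials = 'yes' }
$session = New-PSSession -HostName "$firstHop.$domain" -Options $options

# 3. From inside the first hop, touch the second hop. When delegation does not
#    work the remote side has no credential to present to FILE01 and the access
#    fails with a logon failure rather than a permission error. The first hop
#    can hold a stale negative result in its Kerberos cache from before the
#    RBCD change; "klist purge -li 0x3e7" in an elevated session there clears
#    the machine account's tickets.
Invoke-Command -Session $session -ArgumentList "$secondHop.$domain", $share -ScriptBlock {
    param($target, $share)
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $hop = try {
        $null = Get-ChildItem -LiteralPath "\\$target\$share" -ErrorAction Stop
        'ok'
    } catch {
        $_.Exception.Message
    }
    [pscustomobject]@{
        RunningAs  = $id.Name
        AuthType   = $id.AuthenticationType    # 'Kerberos' confirms the GSSAPI login
        SecondHop  = $hop
        Tickets    = @(klist 2>&1 | Select-String 'Server:' | ForEach-Object { $_.ToString().Trim() })
    }
}
Remove-PSSession $session
```

The Tickets field lists the service tickets cached in the SSH session; after a successful second hop a ticket for cifs/FILE01 (or the service that was accessed) appears alongside the host/SSH01 ticket used to log in.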