Powershell 7 OpenSSH Invoke-command not passing creds

Last Modified: 2020-05-03
Windows 2019 Server Data Center VM VMware 6.7 ESXI 6.7
Ubuntu 18.04 VM VMware 6.7 ESXI 6.7

I have OpenSSH installed on both.
I have PowerShell 7.0 installed on both.

I can SSH from my Ubuntu server to my Windows 2019 Server no problem.

My problem is I cannot Invoke-Command from Ubuntu to the Windows 2019 Server.


PS /home/thomas> invoke-command -hostname serv027-n1..network..com -ScriptBlock {get-service sshd}
thomas@serv027-n1.network..com's password:
OpenError: [serv027-n1.network.com] The SSH client session has ended with error message: The SSH transport process has abruptly terminated causing this remote session to break.


I tried

invoke-command -hostname serv027-n1..network..com -username Thomas -ScriptBlock {get-service sshd}
asked for password
Same openerror as above

tried

 $cred = get-credential Thomas

PS /home/thomas> invoke-command  -hostname SERV027-N1..network..com  -credential $cred  -scriptblock {get-service nscp}

PowerShell credential request
Enter your credentials.
User: thomas
Password for user thomas: ********

Invoke-Command: Parameter set cannot be resolved using the specified named parameters. One or more parameters issued cannot be used together or an insufficient number of parameters were provided.
PS /home/thomas>



I am logged on to Ubuntu as Thomas which is a local account on my ubuntu server  
My Ubuntu server is Domain Joined but I have not been able to sign in to ubuntu yet with my domain account.

On the Windows 2019 server I added domain user Thomas to the local administrator group.

Any ideas?

New to OpenSSH

Thank you

Tom
System Infrastructure Architect
CERTIFIED EXPERT
Commented:

Thomas Grassi, Systems Administrator

Author

Commented:
Louis

I got a lot further along I now can run invoke-command from my Ubuntu to my Windows Server

It was the sshd_config file I needed to update.

Only thing is now it prompts me for the password. Which I enter and then the command works.

To eliminate the password needing to be entered I tried the steps on the other link and I got this.

thomas@serv017:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/thomas/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/thomas/.ssh/id_rsa.
Your public key has been saved in /home/thomas/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:NLVCYlIP3jxeGDZzMwiHjkdqXXJFWGTiTija4UXWP58 thomas@serv017
The key's randomart image is:
+---[RSA 2048]----+
|    ..O+OB@      |
|     *+%*X +     |
|    o*++%.o      |
|   ++++= =o      |
|  ..o.  S  o .   |
|            E    |
|                 |
|                 |
|                 |
+----[SHA256]-----+

thomas@serv017:~$ ssh-copy-id -i ~/.ssh/id_rsa.pub thomas@SERV027-N1
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/thomas/.ssh/id_rsa.pub"
The authenticity of host serv027-n1 (10.12.18.120)' can't be established.
ECDSA key fingerprint is SHA256:GfiCQqWuNk7tPLjXIPTbiW8pKkM9LTNObkwUVO7dDh0.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
thomas@serv027-n1's password:
'exec' is not recognized as an internal or external command,
operable program or batch file.
The system cannot find the path specified.


Any ideas?
Louis LIETAER, System Infrastructure Architect
CERTIFIED EXPERT

Commented:
Thomas Grassi, Systems Administrator

Author

Commented:
Louis,

Yes tricky is the key.

The problem is on the Ubuntu server. The article was great, but it was all Windows based: the client was Windows 10, the server 2019.

My client is Ubuntu 18.04

I created the folder on the Windows 2019 server c:\users\thomas\.ssd

But I still am unable to copy the id_rsa from the ubuntu to my windows server


The question is how to copy the id_rsa from ubuntu to windows?
Louis LIETAER, System Infrastructure Architect
CERTIFIED EXPERT

Commented:
Have you tried the WinSCP method?
Thomas Grassi, Systems Administrator

Author

Commented:
No, I did not; that's a Windows command.

I believe I need to copy from Ubuntu to Windows; something has to be available to do that.
Thomas Grassi, Systems Administrator

Author

Commented:
Louis

I used SCP

 scp ~/.ssh/id_rsa thomas@10.12.58.120:/users/thomas/.ssh

Now on my windows 2019 server

C:\Users\thomas\.ssh>dir
 Volume in drive C has no label.
 Volume Serial Number is 8094-DB89

 Directory of C:\Users\thomas\.ssh

05/02/2020  11:56 AM    <DIR>          .
05/02/2020  11:56 AM    <DIR>          ..
05/02/2020  09:40 AM                 0 authorized_keys
05/02/2020  11:56 AM             1,675 id_rsa
               2 File(s)          1,675 bytes
               2 Dir(s)  65,333,473,280 bytes free


But it still prompts me for password.

There must be more to it than just copying the file.

Thoughts.
Louis LIETAER, System Infrastructure Architect
CERTIFIED EXPERT

Commented:
Hi, sorry to insist, have you strictly followed these steps:

The next thing you should do is add your private key to your Windows security context. You can do this by running the following three commands:
 
Set-Service ssh-agent -StartupType 'Automatic'
Start-service ssh-agent
Ssh-add ~\.ssh\id_rsa
Once you’ve done this, you’ll want to deploy your public key to the Windows Server 2019 server that you want to use SSH key based authentication with. To do this, perform the following steps (where chancellor is the name of the user account you’re configuring SSH key based authentication for):
 
Ssh chancellor@172.16.0.15 mkdir c:\users\chancellor\.ssh\
Scp c:\users\chancellor\.ssh\id_rsa.pub chancellor@172.16.0.15:C:\Users\Administrator\.ssh\authorized_keys
You’ll then need to run the following PowerShell command, located in that OpenSSHUtils PowerShell module I mentioned earlier, to configure some of the permissions for the authorized keys file. You might even want to SSH across to the server using password based authentication to do this:
 
Repair-AuthorizedKeyPermission C:\users\Chancellor\.ssh\authorized_keys
Because the PowerShell cmdlet doesn’t entirely work as it should, you’ll also need to run the following command as “NT SERVICE\sshd” should not have any permissions to the authorized_keys file (if it does, key based authentication doesn’t seem to work)
 
Icacls authorized_keys /remove "NT SERVICE\sshd"
The final step you’ll need to take requires you to edit the c:\ProgramData\ssh\sshd_config file, which you can do using the nano text editor and comment out the following lines (which are at the end of the file):
 
# Match Group administrators                                                   
#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys 
You may need to do this locally on the Windows Server 2019 box. Once this is done, you can restart the sshd service (restart-service sshd) and you will be able to connect from your client using key based authentication.
Thomas Grassi, Systems Administrator

Author

Commented:
Louis,

No problem. I am new to this OpenSSH stuff. It is very frustrating that simple tasks are not so clear and do not work.

Step 1
ssh_agent is running
was able to Ssh-add ~\.ssh\id_rsa

PS C:\Users\thomas\.ssh> ssh-add id_rsa
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.


Step 2

copied the id_rsa.pub file over from ubuntu to my windows server

thomas@serv017:~$ scp ~/.ssh/id_rsa.pub thomas@10.122.8.120:/users/thomas/.ssh/authorized_keys
thomas@10.122.8.120's password:
id_rsa.pub                                    100%  396     0.4KB/s   00:00
thomas@serv017:~$


Step 3

Failed, unable to install that module.

Repair-AuthorizedKeyPermission C:\users\Chancellor\.ssh\authorized_keys
Not sure this is needed, but if so then I have an issue.

PS C:\Windows\System32> Install-Module -Force OpenSSHUtils -Scope AllUsers
Install-Package: C:\program files\powershell\7\Modules\PowerShellGet\PSModule.psm1:9685
Line |
9685 |  … talledPackages = PackageManagement\Install-Package @PSBoundParameters
     |                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | The module 'OpenSSHUtils' cannot be installed or updated because the authenticode signature of the
     | file 'OpenSSHUtils.psd1' is not valid.


Doing this using Powershell 7.0



Step 4

Icacls authorized_keys /remove "NT SERVICE\sshd"

PS C:\Users\thomas\.ssh> Icacls authorized_keys /remove NT SERVICE\sshd
Successfully processed 0 files; Failed processing 0 files

PS C:\Users\thomas\.ssh> restart-service sshd

Worked.


Still getting prompted.
Louis LIETAER, System Infrastructure Architect
CERTIFIED EXPERT

Commented:
Try this on your Windows private key:

icacls .\private.key /inheritance:r
icacls .\private.key /grant:r "%username%":"(R)"
and retry "ssh-add id_rsa" in step 1.
Thomas Grassi, Systems Administrator

Author

Commented:
Louis almost there..

First command

PS C:\Users\thomas\.ssh> icacls .\authorized_keys /inheritance:r
processed file: .\authorized_keys
Successfully processed 1 files; Failed processing 0 files

Second command not so good.

PS C:\Users\thomas\.ssh> icacls .\authorized_keys /grant:r "%thomas%":"(R)"
Invalid parameter "%thomas%"


PS C:\Users\thomas\.ssh> icacls .\authorized_keys /grant:r "%username%":"(R)"
Invalid parameter "%username%"

thoughts?

Tom
Louis LIETAER, System Infrastructure Architect
CERTIFIED EXPERT

Commented:
Replace %username% with $env:USERNAME, or your "user name" without %%.
Thomas Grassi, Systems Administrator

Author

Commented:
PS C:\Users\thomas\.ssh> icacls .\authorized_keys /grant:r thomas:"(R)"
processed file: .\authorized_keys
Successfully processed 1 files; Failed processing 0 files

PS C:\Users\thomas\.ssh> ssh-add id_rsa
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.

PS C:\Users\thomas\.ssh> restart-service sshd
PS C:\Users\thomas\.ssh>

Removed the %"username"% and replaced it with just thomas; that ran OK now, see above.

Still getting prompted for the password on my Ubuntu server.

 PS /home/thomas/.ssh> invoke-command  -hostname SERV027-N1 {get-service ssh-agent}
thomas@serv027-n1's password:

Status   Name               DisplayName                            PSComputerName
------   ----               -----------                            --------------
Running  ssh-agent          OpenSSH Authentication Agent          SERV027-n1
Louis LIETAER, System Infrastructure Architect
CERTIFIED EXPERT

Commented:
"It is required that your private key files are NOT accessible by others."

Can you check which users have permissions to this file, even with the GUI interface? Try to remove all other users or groups.
Thomas Grassi, Systems Administrator

Author

Commented:
Louis

The files authorized_keys and id_rsa are in c:\users\thomas\.ssh

No one has access to that folder.

It has to be something simple; not sure what it can be. Looking at my sshd_config file now.
Thomas Grassi, Systems Administrator

Author

Commented:
My sshd_config


# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey __PROGRAMDATA__/ssh/ssh_host_rsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_dsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_ecdsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile      .ssh/authorized_keys

#AuthorizedPrincipalsFile none

# For this to work you will also need host keys in %programData%/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem      sftp      sftp-server.exe
Subsystem       powershell c:\progra~1\PowerShell\7\pwsh.exe -sshs -NoLogo -NoProfile

# Example of overriding settings on a per-user basis
#Match User anoncvs
#      AllowTcpForwarding no
#      PermitTTY no
#      ForceCommand cvs server

Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
Louis LIETAER, System Infrastructure Architect
CERTIFIED EXPERT

Commented:
Have you performed step 4 again? PS C:\Users\thomas\.ssh> restart-service sshd
Thomas Grassi, Systems Administrator

Author

Commented:
PS C:\Users\thomas\.ssh> restart-service sshd
PS C:\Users\thomas\.ssh> restart-service ssh-agent

Yes I did, and just did them again; no change.
Louis LIETAER, System Infrastructure Architect
CERTIFIED EXPERT

Commented:
This looks strange to me:

Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

Do those 2 lines apply to your account? Can you try commenting them out and restarting ssh?
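
An added example (not from the thread and not OpenSSH project code) for the `Match Group administrators` lines discussed above and the authorized_keys permission steps quoted earlier: it reads sshd_config to report which authorized_keys file sshd is pointed at for an account, then lists ACL entries beyond SYSTEM, Administrators and, for a per-user file, the user. The function name, its parameters and the sample values 'thomas' and 'C:\Users\thomas' are assumptions, and the SID allow-list is a review heuristic rather than the exact check sshd performs.

```powershell
# Added example, not code from the thread. Run elevated on the Windows OpenSSH server.
function Test-AuthorizedKeysSetup {
    param(
        [Parameter(Mandatory)] [string]$UserName,     # e.g. 'thomas' or 'DOMAIN\thomas'
        [Parameter(Mandatory)] [string]$ProfilePath,  # e.g. 'C:\Users\thomas'
        [switch]$IsAdministrator,                     # account is in local Administrators
        [string]$ConfigPath = "$env:ProgramData\ssh\sshd_config"
    )
    # Remember the global AuthorizedKeysFile and the one set inside
    # "Match Group administrators" (assumes that exact Match form).
    $section = 'global'
    $file = @{ global = '.ssh/authorized_keys'; admin = $null }
    foreach ($line in Get-Content -LiteralPath $ConfigPath) {
        $text = $line.Trim()
        if (-not $text -or $text.StartsWith('#')) { continue }
        $keyword, $value = $text -split '\s+', 2
        if ($keyword -ieq 'Match') {
            $section = if ($value -imatch '^Group\s+administrators$') { 'admin' } else { 'other' }
        } elseif ($keyword -ieq 'AuthorizedKeysFile' -and $section -ne 'other') {
            $file[$section] = ($value -split '\s+')[0]   # first listed file only
        }
    }
    $useAdmin = $IsAdministrator -and $file.admin
    $path = if ($useAdmin) { $file.admin } else { $file.global }
    $path = $path.Replace('__PROGRAMDATA__', $env:ProgramData).Replace('/', '\')
    if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $ProfilePath $path }

    # SYSTEM and Administrators may hold access; the user too on a per-user file.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $allowed = @('S-1-5-18', 'S-1-5-32-544')
    if (-not $useAdmin) {
        $allowed += [System.Security.Principal.NTAccount]::new($UserName).Translate($sidType).Value
    }
    $exists = Test-Path -LiteralPath $path
    $extra = @()
    if ($exists) {
        $extra = @((Get-Acl -LiteralPath $path).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Translate($sidType).Value -notin $allowed
        } | ForEach-Object { $_.IdentityReference.Value })
    }
    [pscustomobject]@{ AuthorizedKeysFile = $path; Exists = $exists; UnexpectedAccess = $extra }
}

# Sample call with constructed values; drop -IsAdministrator for a non-admin account.
Test-AuthorizedKeysSetup -UserName 'thomas' -ProfilePath 'C:\Users\thomas' -IsAdministrator
```

An `Exists` value of False, or any name listed under `UnexpectedAccess`, marks the file to look at before re-testing key-based logon.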
Thomas Grassi, Systems Administrator

Author

Commented:
# Match Group administrators
#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

PS C:\> restart-service ssh-agent
PS C:\> restart-service sshd
PS C:\>

No change, still prompts. I even logged off the account on Ubuntu; no change.
Louis LIETAER, System Infrastructure Architect
CERTIFIED EXPERT

Commented:
You managed it? As I am rewarded ;-)