PowerShell Remoting: Remote Connections via SSH.

In classic Windows PowerShell (up to and including version 5.1), only the WinRM protocol (WSMan, port 5985/5986) could be used for remote access via PSRemoting between computers. In the new cross-platform versions of PowerShell Core 7.x and 6.x, you can use SSH as the transport for PowerShell remoting between computers. In this article, we'll look at how to set up PSRemoting over SSH to connect to Windows, Linux, and macOS hosts.

Configuring SSH PowerShell Remoting on Windows.

Let's see how to set up an SSH server on a Windows client so that it accepts PowerShell Remoting connections.

In Windows 10 (starting with version 1809) and Windows Server 2019+, a built-in OpenSSH server is available for installation. It can be installed using the following command (for Windows 10 and 11):

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

Also install the latest version of PowerShell Core on your computer:

iex "& { $(irm https://aka.ms/install-powershell.ps1) } -UseMSI"

Then enable automatic start of the sshd service and start it:

Set-Service -Name sshd -StartupType 'Automatic'
Start-Service sshd

Make sure Windows is now listening on TCP port 22 (SSH):

Get-NetTCPConnection -State Listen | where {$_.localport -eq '22'}

Allow incoming SSH connections in Windows Defender Firewall:

Enable-NetFirewallRule -Name *OpenSSH-Server*

Then open the sshd_config configuration file (located in C:\ProgramData\ssh):

notepad $Env:ProgramData\ssh\sshd_config

Allow password access by uncommenting the line:

PasswordAuthentication yes

You can also allow SSH access by keys:

PubkeyAuthentication yes

Add the following line to the file, which will launch the pwsh interpreter for remote SSH connections:

Subsystem powershell c:/progra~1/powershell/7/pwsh.exe -sshs -NoLogo

Save the sshd_config file and restart the sshd service:

Restart-Service sshd

Configuring SSH Remoting for PowerShell on Linux.

Now let's look at how to set up a Linux host for PowerShell Remoting over SSH.

Install PowerShell Core on your Linux distribution according to the instructions. In my Ubuntu 20.04 example, run the commands:

sudo apt-get update -y
wget -q https://packages.microsoft.com/config/ubuntu/$(lsb_release -rs)/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb
sudo apt-get update
sudo apt-get install powershell -y

Install the OpenSSH server (if not installed):

sudo apt install openssh-server

Add the following lines to the /etc/ssh/sshd_config file:

PasswordAuthentication yes
Subsystem powershell /usr/bin/pwsh -sshs -NoLogo

Restart the ssh service:

sudo systemctl restart sshd.service
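
As an added example (not part of the original article), the following PowerShell function audits sshd_config text for the settings configured in the Windows and Linux sections above: the powershell subsystem line and the two authentication methods. The name Get-SshdRemotingAudit and the sample input are constructed for illustration, and a keyword that is absent is assumed to take the OpenSSH default of yes.

```powershell
# Added example (not the article's code); hypothetical helper, read-only.
function Get-SshdRemotingAudit {
    param([string[]]$ConfigLines)

    $settings = @{}    # keyword -> value (sshd keeps the first value it reads)
    $subsystems = @{}  # subsystem name -> command line
    foreach ($raw in $ConfigLines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }  # blank or commented out
        if ($line -match '^Match\s') { break }                    # Match blocks are out of scope
        $parts = $line -split '\s+', 3
        if ($parts[0] -eq 'Subsystem' -and $parts.Count -eq 3) {
            $subsystems[$parts[1]] = $parts[2]
        } elseif (-not $settings.ContainsKey($parts[0])) {
            $settings[$parts[0]] = ($parts | Select-Object -Skip 1) -join ' '
        }
    }

    # Assumption: a keyword that is absent takes the OpenSSH default, "yes".
    $password = 'yes'; $pubkey = 'yes'
    if ($settings.ContainsKey('PasswordAuthentication')) { $password = $settings['PasswordAuthentication'] }
    if ($settings.ContainsKey('PubkeyAuthentication'))   { $pubkey   = $settings['PubkeyAuthentication'] }

    $findings = [System.Collections.Generic.List[string]]::new()
    $ps = $subsystems['powershell']
    if (-not $ps) {
        $findings.Add("no 'Subsystem powershell' line, so there is no PSRemoting endpoint")
    } elseif ($ps -notmatch '(^|\s)-sshs(\s|$)') {
        $findings.Add('powershell subsystem does not start pwsh with -sshs')
    }
    if ($password -ne 'no') { $findings.Add('password logins are accepted') }
    if ($pubkey -eq 'no')   { $findings.Add('key logins are disabled, -KeyFilePath will not work') }

    [pscustomobject]@{
        PowerShellSubsystem    = $ps
        PasswordAuthentication = $password
        PubkeyAuthentication   = $pubkey
        Findings               = $findings
    }
}

# Constructed sample input built from the lines this article adds on Windows.
$sample = @'
#PubkeyAuthentication yes
PasswordAuthentication yes
Subsystem sftp sftp-server.exe
Subsystem powershell c:/progra~1/powershell/7/pwsh.exe -sshs -NoLogo
'@ -split "`r?`n"
Get-SshdRemotingAudit -ConfigLines $sample | Format-List
```

To audit a real host, pass the output of Get-Content $Env:ProgramData\ssh\sshd_config (Windows) or Get-Content /etc/ssh/sshd_config (Linux) as -ConfigLines.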

PowerShell remoting over SSH examples.

You can now connect to your configured Windows or Linux host using PowerShell over SSH. Remote access over SSH uses the same PowerShell cmdlets as remote access over WinRM:

  • New-PSSession - to create a persistent PowerShell session with a remote host;
  • Enter-PSSession - to start an interactive PowerShell session with a remote host;
  • Invoke-Command - for remotely launching individual PS1 commands or scripts.

By default, all of these cmdlets try to use Windows WinRM to connect to remote computers. To use the SSH transport, you need to specify different connection parameters (they are available only in PowerShell Core, so run the commands from the pwsh.exe console):

The -HostName (instead of -ComputerName) and -UserName (instead of -Credential) parameters allow you to specify the computer name and user for the SSH connection. Using the -KeyFilePath parameter, you can specify RSA keys for SSH authentication (optional). You can also use the -SSHTransport option to explicitly specify the use of the SSH transport for PowerShell traffic.

Let's try to interactively connect to a remote computer from Windows using the built-in ssh client:

Enter-PSSession -HostName 192.168.13.202 -UserName kbuldogov

To connect, it is enough to confirm the SSH fingerprint of the server and enter the password of the user who is allowed to connect remotely.

You can create multiple persistent PowerShell sessions to remote computers and execute commands on them via SSH:

$session1 = New-PSSession -HostName 192.168.13.202 -UserName kbuldogov -SSHTransport
$session2 = New-PSSession -HostName 192.168.14.144 -UserName sysops -SSHTransport

To run a command on multiple computers at once, run:

Invoke-Command -Session $session1, $session2 -ScriptBlock { $PSVersionTable | select OS, PSVersion } | Select-Object PSComputerName, PSVersion, OS


In this example, we ran a PowerShell command on both a Windows and a Linux computer at the same time and printed the results to the console.

In PowerShell Core 7.1 and later, PSRemoting supports a second hop (double hop) to another remote machine from an existing session.

A single variable can hold the definitions of several SSH connections that authenticate using RSA keys:

$sshConnections = @{ HostName="winhost1"; UserName="site\my"; KeyFilePath="c:\users\my\id_rsa" }, @{ HostName="sysops@ubuntu1"; KeyFilePath="c:\UserB\root\id_rsa" }
New-PSSession -SSHConnection $sshConnections

Key limitations of PowerShell Remoting over SSH: 

  • PowerShell profiles are not supported;
  • In remote sessions with Linux hosts, sudo is not supported (a notification appears on startup: sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper);
  • Just Enough Administration (JEA) is not supported.

As you can see, setting up PowerShell Remoting via SSH is much easier than via WinRM HTTPS. You can also use this connection method to connect via PowerShell to computers in a workgroup without adding them to TrustedHosts.

PowerShell Remoting over SSH is a safe and easy replacement for WinRM. PSRemoting over SSH is supported on all platforms (both Windows and Linux), does not require any additional ports to be opened (except for TCP/22 SSH) and is easy to set up.
