Install Powershell 7.0 on Ubuntu 18.04 Invoke-command Access Denied

I use Ubuntu 18.4 for Nagios to monitor my VMs.
I am writing a script to restart HTTP application pools on the VM.
The VM is a Windows 2019 Server in this case; I have others.
So when Nagios checks the application pool and finds it stopped, I have a PowerShell command to restart the app pool.
start-webapppool -name "SecurityTokenServiceApplicationPool"

So I installed PowerShell 7.0 on my Ubuntu VM, and when I run this PowerShell command:

PS /home/thomas> invoke-command -Computername SERV027-N1 -scriptblock {get-service nscp}
Invoke-Command: MI_RESULT_ACCESS_DENIED

The Ubuntu VM is domain joined to my Active Directory, as is SERV027-N1.

WinRM is set up on all my servers on the Windows side.

From my Windows 10 desktop I can run the same command with success.

PS C:\util> invoke-command -ComputerName SERV027-N1 -ScriptBlock {get-service nscp}

Status   Name   DisplayName        PSComputerName
------   ----   -----------        --------------
Running  nscp   NSClient++ (x64)   SERV027-N1

Any ideas?

I am new to PowerShell on Ubuntu.

Thank you

Tom

Can you clarify if the working command on Windows is PS7 or 5.1?

Doug,

All my Windows servers are running 5.1.
I have Windows 2012 R2,
Windows 2016,
Windows 2019.

I was researching this. Do I need OpenSSH on the Windows side?

Thank you
Tom

I would just like you to test PS7 on Windows as well. Maybe the issue is less of an “on Ubuntu” issue and more of a “PS7” one.

You are connecting to a Windows VM and the user accounts on Ubuntu and Windows are not the same. Specify the credentials while connecting via Invoke-Command.

$cred = get-credential mydomain\administrator

PS /home/thomas> $cred

UserName                 Password
--------                 --------
mydomain\administrator   System.Security.SecureString

Using -Hostname
PS /home/thomas> invoke-command -hostname “SERV027-N1” -credential $cred -scriptblock {get-service nscp}
Invoke-Command: Parameter set cannot be resolved using the specified named parameters. One or more parameters issued cannot be used together or an insufficient number of parameters were provided.

Using -Computername

PS /home/thomas> invoke-command -computername “SERV027-N1” -credential $cred -scriptblock {get-service nscp}
Invoke-Command: MI_RESULT_ACCESS_DENIED

cred not working either

Still curious if PS7 on Windows works like 5.1 or not.

Doug

I installed PowerShell 7.0 on my Windows server, but 5.1 is still installed. So how do I know it is connecting via PowerShell 7.0?

Tried with creds using -computername
PS /home/thomas> invoke-command -computername “SERV027-N1” -credential $cred -scriptblock {get-service nscp}
Invoke-Command: MI_RESULT_ACCESS_DENIED

tried with creds using -computername
PS /home/thomas> invoke-command -computername “SERV027-N1” -scriptblock {get-service nscp}
Invoke-Command: MI_RESULT_ACCESS_DENIED

Without creds using -hostname

PS /home/thomas> invoke-command -hostname “SERV027-N1” -scriptblock {get-service nscp}
OpenError: [serv027-n1] The background process reported an error with the following message: The SSH client session has ended with error message: ssh: connect to host serv027-n1 port 22: Connection timed out.

Then I added an inbound port on the Windows firewall for port 22.

PS /home/thomas> invoke-command -hostname “SERV027-N1” -scriptblock {get-service nscp}
OpenError: [srv027-n1] The background process reported an error with the following message: The SSH client session has ended with error message: ssh: connect to host serv027-n1 port 22: Connection timed out.

Using Creds with -hostname
PS /home/thomas> invoke-command -hostname “SERV027-N1” -credential $cred -scriptblock {get-service nscp}
Invoke-Command: Parameter set cannot be resolved using the specified named parameters. One or more parameters issued cannot be used together or an insufficient number of parameters were provided.
PS /home/thomas>

Any ideas?

You run pwsh.exe instead of powershell.exe. If you run $PSVersionTable inside, you will see which version. Once installed, you should also be able to find a shortcut for either version in your Start menu.

Can you give more details about the Ubuntu machine? You said it’s a VM; is it running in Hyper-V, ESXi, VirtualBox?

Have you read these?

https://github.com/PowerShell/Win32-OpenSSH/issues/1095

https://github.com/PowerShell/PowerShell/blob/866b558771a20cca3daa47f300e830b31a24ee95/docs/new-features/remoting-over-ssh/README.md

https://github.com/PowerShell/Win32-OpenSSH/issues/318

 

Doug,

My Ubuntu machine is a VM on a VMware 6.7 ESXi 6.7 host.

My Windows Server is also a VM on a VMware 6.7 ESXi 6.7 host.
From my Windows 2019 server:
PowerShell 7.0.0
Copyright (c) Microsoft Corporation. All rights reserved.

Type ‘help’ to get help.

PS C:\Windows\System32> $PSVersionTable

Name                        Value
----                        -----
PSVersion                   7.0.0
PSEdition                   Core
GitCommitId                 7.0.0
OS                          Microsoft Windows 10.0.17763
Platform                    Win32NT
PSCompatibleVersions        {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion   2.3
SerializationVersion        1.1.0.1
WSManStackVersion           3.0

From my Ubuntu:

~# pwsh
PowerShell 7.0.0
Copyright (c) Microsoft Corporation. All rights reserved.

Type ‘help’ to get help.

PS /root> $PSVersionTable

Name                        Value
----                        -----
PSVersion                   7.0.0
PSEdition                   Core
GitCommitId                 7.0.0
OS                          Linux 4.4.0-177-generic #207-Ubuntu SMP Mon Mar…
Platform                    Unix
PSCompatibleVersions        {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion   2.3
SerializationVersion        1.1.0.1
WSManStackVersion           3.0

I tried Enter-PSSession and I get the same error.

I tried to Enter-PSSession from my Ubuntu to my Ubuntu; that gets a little further.

PS /root> enter-pssession -Hostname TGCS018 -UserName thomas
thomas@serv018’s password:
Enter-PSSession: The background process reported an error with the following message: The SSH client session has ended with error message: subsystem request failed on channel 0.
PS /root>

I wholeheartedly believe the answer to your woes is in one of those links.

Doug

I am now able to SSH from my Ubuntu server to my Windows Server. I had to install OpenSSH on the Windows Server. Port 22 is now listening on the Windows server.

But I still cannot run Invoke-Command with or without creds; they are still failing.

Any ideas? I would rather not need to use creds at all, since this will be a script and will run standalone.

Thanks

Tom

Doug,

Update 2: I am now able to run Invoke-Command from Ubuntu to Windows Server.

It was the sshd_config file on the Windows server that needed updating.

My only problem is it still prompts me for the password.
I am trying to be able to run this without creds.

Any ideas?

When running the cmdlets interactively, you're prompted for a password. You can also use SSH key authentication using a private key file with the KeyFilePath parameter.

And you must enable password or key-based authentication.


Need to figure out what’s wrong with your keys?

https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/ssh-remoting-in-powershell-core?view=powershell-7

Doug,

Yes

My issue is that I am unable to copy my SSH key from Ubuntu to my Windows Server for some reason.

Something on my Ubuntu server; trying to troubleshoot that now.

Very strange. All I find is OpenSSH Windows-to-Windows examples; the Ubuntu-to-Windows examples do not go into detail.

Doug, update:

I used scp to copy the file from Ubuntu to Windows, but it still prompts me.

Still researching this.

The password works consistently otherwise?

Doug

Yes, when I enter the password it presents the results.

PS /home/thomas> invoke-command -hostname SERV027-N1 {get-service ssh-agent}
thomas@serv027-n1’s password:

Status   Name        DisplayName                    PSComputerName
------   ----        -----------                    --------------
Running  ssh-agent   OpenSSH Authentication Agent   serv027-n1

Thanks for responding to my other posting too.

Doug,

Now that I have the OpenSSHUtils module installed, I was able to run this:

PS C:\Users\thomas\.ssh> Repair-AuthorizedKeyPermission authorized_keys
[*] authorized_keys

‘NT AUTHORITY\SYSTEM’ needs FullControl access to ‘authorized_keys’.
Shall I make the above change?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is “Y”): y
‘NT AUTHORITY\SYSTEM’ now has FullControl to ‘authorized_keys’.
Repaired permissions

PS C:\Users\thomas\.ssh> get-acl authorized_keys

Directory: C:\Users\thomas\.ssh

Path              Owner                    Access
----              -----                    ------
authorized_keys   BUILTIN\Administrators   NT AUTHORITY\SYSTEM Allow FullControl…

PS C:\Users\thomas\.ssh> get-acl authorized_keys | fl

Path   : Microsoft.PowerShell.Core\FileSystem::C:\Users\thomas\.ssh\authorized_keys
Owner  : BUILTIN\Administrators
Group  : OUR\Domain Users
Access : NT AUTHORITY\SYSTEM Allow FullControl
         OUR\thomas Allow FullControl
Audit :
Sddl : O:BAG:DUD:PAI(A;;FA;;;SY)(A;;FA;;;S-1-5-21-3054588571-1341459584-784128302-4702)

The Repair-AuthorizedKeyPermission command set the proper permissions.

I then restarted sshd.

And now from my Ubuntu server I can run Invoke-Command without creds.

I am documenting the process so I can work on my other servers.

Thank you for your help

This is resolved.
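
Added example, not part of the thread and not code from the OpenSSHUtils module: a read-only check, run in an elevated session on the Windows target, for the authorized_keys ACL condition that Repair-AuthorizedKeyPermission fixed above, useful when repeating the setup on other servers. The function name Test-AuthorizedKeysAcl is hypothetical, and treating every principal other than SYSTEM, Administrators and the key owner as a review item is an assumption of this example.

```powershell
# Added example (hypothetical helper). Reports on the ACL only; changes nothing.
function Test-AuthorizedKeysAcl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,     # e.g. C:\Users\thomas\.ssh\authorized_keys
        [Parameter(Mandatory)] [string] $Account   # key owner, e.g. OUR\thomas
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $system  = 'S-1-5-18'       # NT AUTHORITY\SYSTEM, the account named in the repair output
    $admins  = 'S-1-5-32-544'   # BUILTIN\Administrators
    $owner   = ([System.Security.Principal.NTAccount]$Account).Translate($sidType).Value
    $expected = @($system, $admins, $owner)   # assumption: anyone else is a review item

    $acl = Get-Acl -LiteralPath $Path
    $systemHasFull = $false
    $findings = [System.Collections.Generic.List[string]]::new()

    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        # Compare by SID so localized or renamed account names do not matter.
        $sid = $rule.IdentityReference.Translate($sidType).Value
        if ($sid -eq $system -and $rule.FileSystemRights.HasFlag($full)) {
            $systemHasFull = $true
        }
        if ($sid -notin $expected) {
            $findings.Add("Review: $($rule.IdentityReference) has $($rule.FileSystemRights)")
        }
    }
    if (-not $systemHasFull) {
        $findings.Add('NT AUTHORITY\SYSTEM lacks FullControl (the condition repaired in the thread)')
    }
    if (-not $acl.AreAccessRulesProtected) {
        # The repaired file's SDDL shows D:PAI, i.e. inheritance blocked.
        $findings.Add('Inheritance is enabled; parent-folder ACEs can flow onto the file')
    }
    [pscustomobject]@{
        Path      = $Path
        Owner     = $acl.Owner
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Path and account as they appear in the thread.
Test-AuthorizedKeysAcl -Path 'C:\Users\thomas\.ssh\authorized_keys' -Account 'OUR\thomas'
```

A non-empty Findings list before key-based Invoke-Command -HostName is attempted points at the same permission problem that kept the password prompt appearing in this thread.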