WinRM PS remoting from Windows to Linux

I was just following an article posted in 4sysops a year and a half ago https://4sysops.com/archives/powershell-remoting-between-windows-and-linux/, and I can see it needs an update. I was able to PSRemote from Linux Centos7 PS Core 6.1 to Windows 10 PS 5.1, however the instructions did not work because HTTP clear text passwords are not allowed anymore. Fortunately, I was able to install a Kerberos client pointing to my Windows DC and changed the -Authentication from BASIC to KERBEROS and made it work.

The problem I now have is the opposite. I need to PS Remote from Windows PS 5.1 to Linux PS Core 6.1. I installed OMI and PSRP as stated in the article, however there is no way to make it work. I read I need to use SSH however that works from PS Core 6.1 only, and I need to use Windows PS 5.1 because of some Modules that use WPF.

Are there any updated instructions on how to connect from Windows to Linux over WinRM? Please advise

PSCore has SSH features, PSv5x does not and there are no plans to ever add it or anything else to PS5x, so, you have to add that SSH module from the PS gallery. Note there are several of theme provided by the PS Package Manager PSGet which is part of PS5x, but has to be installed on PS4x. It is not supported below PS4. Posh-SSH is the most common one used.

 Find-Module -Name '*ssh*'

Version              Name                                Repository           Description                                                                                                           
-------              ----                                ----------           -----------                                                                                                           
2.0.2                Posh-SSH                            PSGallery            Provide SSH and SCP functionality for executing commands against remote hosts.                                        
2.1.3                SSHSessions                         PSGallery            Svendsen Tech's SSH-Sessions module provides SSH session creation, management and interaction from PowerShell. Lets...
0.0.2.0              OpenSSHUtils                        PSGallery            Utilities and functions for configuring OpenSSH on Windows.                                                           
1.0.0                SSH                                 PSGallery            Provides a PowerShell-based SSH client based on SSH.net  http://sshnet.codeplex.com/                                  
1.1.3                PowerSSH                            PSGallery            This module detects the first use of an SSH command, automatically runs the SSH agent, keeps the SSH authentication...
0.9.4                WinSSH                              PSGallery            Install OpenSSH-Win64, optionally install ssh-agent and sshd Services. Also includes functions to help configure ss...
...
0.3.1                posh-sshell                         PSGallery            Provides integration with ssh-agent and pageant from within Powershell                                                
1.1.4                PowerSSH-Legacy                     PSGallery            This module detects the first use of an SSH command, automatically runs the SSH agent, keeps the SSH authentication...



 Find-Package -Name '*ssh*'

Name                           Version          Source           Summary                                                                                                                            
----                           -------          ------           -------                                                                                                                            
Posh-SSH                       2.0.2            PSGallery        Provide SSH and SCP functionality for executing commands against remote hosts.                                                     
SSHSessions                    2.1.3            PSGallery        Svendsen Tech's SSH-Sessions module provides SSH session creation, management and interaction from PowerShell. Lets you execute ...
OpenSSHUtils                   0.0.2.0          PSGallery        Utilities and functions for configuring OpenSSH on Windows.                                                                        
SSH                            1.0.0            PSGallery        Provides a PowerShell-based SSH client based on SSH.net  http://sshnet.codeplex.com/                                               
PowerSSH                       1.1.3            PSGallery        This module detects the first use of an SSH command, automatically runs the SSH agent, keeps the SSH authentication agent runnin...
WinSSH                         0.9.4            PSGallery        Install OpenSSH-Win64, optionally install ssh-agent and sshd Services. Also includes functions to help configure sshd_config, fi...
...
ssh-wrapper                    1.0.1            PSGallery        Exposes ssh from WSL by wrapping: bash -c "ssh $args". Requires Windows Subsystem for Linux on Windows 10.                         
...
posh-sshell                    0.3.1            PSGallery        Provides integration with ssh-agent and pageant from within Powershell                                                             
PowerSSH-Legacy                1.1.4            PSGallery        This module detects the first use of an SSH command, automatically runs the SSH agent, keeps the SSH authentication agent runnin...

See also…

Windows-to-Linux remoting ^

The first thing I wanted to try was an interactive remoting session from Windows Server 2016 to CentOS Linux. Per the docs, this is what I did, and as you can see from the subsequent screenshot, I was successful:

https://4sysops.com/archives/powershell-remoting-between-windows-and-linux

You can get WinRM on Linux via those OSS project.

https://blogs.technet.microsoft.com/heyscriptingguy/2015/10/27/using-winrm-on-linux

Full disclosure: I’ve never had any reason, to try this WinRM use case for Linux.

My original post mentioned that the referenced article https://4sysops.com/archives/powershell-remoting-between-windows-and-linux needs an update because it was tested with PS 6 Alpha and things have now changed.

1. In the Linux to Windows remote session, the command used is

$cred = Get-Credential
Enter-PSSession -ComputerName 'winserver1' -Credential $cred -Authentication Basic

However, when I tried that I got the following error

PS /home/vortiz> enter-pssession -ComputerName w81o2010.bjtest.com -credential (Get-Credential)  -authentication basic

PowerShell credential request
Enter your credentials.
User: bjtest/administrator
Password for user bjtest/administrator: ***********

enter-pssession : Basic authentication is not supported over HTTP on Unix.
At line:1 char:1
+ enter-pssession -ComputerName w81o2010.bjtest.com -credential (Get-Cr ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : InvalidArgument: (w81o2010.bjtest.com:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed

PS /home/vortiz>

That restriction came after this article was written, so there is nothing I can do to make it work that way. I had to implement Kerberos client in Linux, following the instructions found at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/introduction so I ended up joining my Windows Domain, and was able to authenticate using Kerberos and not Basic. Something to notice is that when the KDC is already configured to point to the Domain Controller, the userid passed at the Credentials must have the domain specified in uppercase (i.e. userid@DOMAIN.LOCAL) otherwise it is not going to work. That made the trick and I was able to finally have a remote session from Linux to Windows.

2. For the Windows to Linux remote session, more instructions need also updating.

• Install and configure OMI server

• Install the PSRP Linux support library

It is much easier now to install omi-psrp-server using yum. It will provide WinRM with SSL support

yum install -y omi-psrp-server

However, even after this I couldn't make it work, until I realized the installation instructions did not ask to open port 5986, which is the default for WinRM SSL.

[root@linux7 ~]# netstat -plnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1723/master
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      84149/sshd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      1277/smbd
tcp        0      0 0.0.0.0:5986            0.0.0.0:*               LISTEN      1364/omiengine
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      1277/smbd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      711/rpcbind
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1728/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1209/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1207/cupsd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1723/master
tcp6       0      0 ::1:6010                :::*                    LISTEN      84149/sshd
tcp6       0      0 :::445                  :::*                    LISTEN      1277/smbd
tcp6       0      0 :::139                  :::*                    LISTEN      1277/smbd
tcp6       0      0 :::111                  :::*                    LISTEN      711/rpcbind
tcp6       0      0 :::22                   :::*                    LISTEN      1209/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      1207/cupsd
[root@linux7 ~]#

firewall-cmd --permanent --zone=public --add-port=5986/tcp --permanent

After this, I was able to connect from Windows to Linux using the commands stated in the referenced article. I was also able to change from Basic to Kerberos authentication when connecting to Domain computers, by specifying the domain user as userid@DOMAIN.NAME in the credentials (yes, in uppercase).

Installing, as suggested, one of the many SSH modules is also a possibility I will explore later on.

My original post mentioned that the referenced article https://4sysops.com/archives/powershell-remoting-between-windows-and-linux needs an update because it was tested with PS 6 Alpha and things have now changed.

1. In the Linux to Windows remote session, the command used is

$cred = Get-Credential
Enter-PSSession -ComputerName 'winserver1' -Credential $cred -Authentication Basic

However, when I tried that I got the following error

PS /home/vortiz> enter-pssession -ComputerName w81o2010.bjtest.com -credential (Get-Credential)  -authentication basic

PowerShell credential request
Enter your credentials.
User: bjtest/administrator
Password for user bjtest/administrator: ***********

enter-pssession : Basic authentication is not supported over HTTP on Unix.
At line:1 char:1
+ enter-pssession -ComputerName w81o2010.bjtest.com -credential (Get-Cr ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : InvalidArgument: (w81o2010.bjtest.com:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed

PS /home/vortiz>

That restriction came after this article was written, so there is nothing I can do to make it work that way. I had to implement Kerberos client in Linux, following the instructions found at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/introduction so I ended up joining my Windows Domain, and was able to authenticate using Kerberos and not Basic. Something to notice is that when the KDC is already configured to point to the Domain Controller, the userid passed at the Credentials must have the domain specified in uppercase (i.e. userid@DOMAIN.LOCAL) otherwise it is not going to work. That made the trick and I was able to finally have a remote session from Linux to Windows.

2. For the Windows to Linux remote session, more instructions need also updating.

• Install and configure OMI server

• Install the PSRP Linux support library

It is much easier now to install omi-psrp-server using yum. It will provide WinRM with SSL support

yum install -y omi-psrp-server

However, even after this I couldn't make it work, until I realized the installation instructions did not ask to open port 5986, which is the default for WinRM SSL.

[root@linux7 ~]# netstat -plnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1723/master
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      84149/sshd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      1277/smbd
tcp        0      0 0.0.0.0:5986            0.0.0.0:*               LISTEN      1364/omiengine
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      1277/smbd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      711/rpcbind
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1728/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1209/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1207/cupsd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1723/master
tcp6       0      0 ::1:6010                :::*                    LISTEN      84149/sshd
tcp6       0      0 :::445                  :::*                    LISTEN      1277/smbd
tcp6       0      0 :::139                  :::*                    LISTEN      1277/smbd
tcp6       0      0 :::111                  :::*                    LISTEN      711/rpcbind
tcp6       0      0 :::22                   :::*                    LISTEN      1209/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      1207/cupsd
[root@linux7 ~]#

firewall-cmd --permanent --zone=public --add-port=5986/tcp --permanent

After this, I was able to connect from Windows to Linux using the commands stated in the referenced article. I was also able to change from Basic to Kerberos authentication when connecting to Domain computers, by specifying the domain user as userid@DOMAIN.NAME in the credentials (yes, in uppercase).

Installing, as suggested, one of the many SSH modules is also a possibility I will explore later on.

Understood.

As for this…

Something to notice is that when the KDC is already configured to point to the Domain Controller, the userid passed at the Credentials must have the domain specified in uppercase (i.e. userid@DOMAIN.LOCAL) otherwise it is not going to work.

… this sort of thing has to be done with the way KCD (Kerberos Constrained Delegation) has to be configured to work in Windows proper when setting up the keytab file for KCD comms.