Tuesday, May 28, 2024
No menu items!
HomeCloud ComputingGetting started with OpenSSH on Windows Compute Engine instances

Getting started with OpenSSH on Windows Compute Engine instances

One of the best practices for managing your virtual machines in the cloud is to rely on smart automation for certain tasks. When done this way you can save cloud and IT teams a tremendous amount of time and toil, especially for tasks like VM state validation which we’ll talk about in this blog. Let’s back up a bit first, though. 

In autumn of 2018 Microsoft added OpenSSH support to Windows Server and Windows Desktop Operating Systems. OpenSSH, developed by The OpenBSD Project, provides secure connectivity to another computer using encrypted communication based on the Secure Shell (SSH) protocol. Prior to OpenSSH being supported in Windows, Users and Administrators of those operating systems were required to use Microsoft Remote Desktop Protocol or Powershell Remoting for remote access. 

OpenSSH Server support in Windows Server can be beneficial for Google Cloud customers; in addition to using standard SSH clients to remotely connect and administer a Windows Server, you can now also leverage the Google Cloud SDK via the gcloud command to integrate with the rest of the Google Cloud ecosystem to set up workflows and automation.

For example, let’s assume that you wanted to automate the recycling of an IIS Application Pool if the Web Server CPU usage was greater than 90%. This process can be automated in a variety of ways, one of which could be to create a Pub/Sub topic integrated with a Cloud Function to log in to the Server via SSH and execute the Restart-WebAppPool Powershell command. Alternatively, if there’s a predetermined time that you want to automate the execution of the Restart-WebAppPool command, you can also use Cloud Scheduler to use the SSH functionality in gcloud to log in and execute the Powershell command.

Getting started with OpenSSH Server on Windows Server

Windows Server 2019 and Windows Server 2022 Images on Google Cloud come with the OpenSSH Client installed and enabled by default and the OpenSSH Server disabled.

code_block[StructValue([(u’code’, u’### Sample output – Windows Server 2019 ###rnrnPS C:\> systeminfo /FO csv | ConvertFrom-CSV | Select “OS Name”,”OS Version” | Format-ListrnrnrnOS Name : Microsoft Windows Server 2019 DatacenterrnOS Version : 10.0.17763 N/A Build 17763rnrnPS C:\> Get-WindowsCapability -Online | ? Name -like ‘OpenSSH*’rnName : OpenSSH.Client~~~~ : InstalledrnrnName : OpenSSH.Server~~~~ : NotPresentrnrnrnrn### Sample output – Windows Server 2022 ###rnrnPS C:\> systeminfo /FO csv | ConvertFrom-CSV | Select “OS Name”,”OS Version” | Format-ListrnrnOS Name : Microsoft Windows Server 2022 DatacenterrnOS Version : 10.0.20348 N/A Build 20348rnrnPS C:\> Get-WindowsCapability -Online | ? Name -like ‘OpenSSH*’rnrnName : OpenSSH.Client~~~~ : InstalledrnrnName : OpenSSH.Server~~~~ : NotPresent’), (u’language’, u”)])]

To enable the OpenSSH Server, run the following Powershell command from an elevated prompt:

code_block[StructValue([(u’code’, u’PS C:\> Add-WindowsCapability -Online -Name OpenSSH.Server~~~~′), (u’language’, u”)])]

After the installation is complete, run the following Powershell commands to start the OpenSSH Server service:

code_block[StructValue([(u’code’, u”PS C:\> Start-Service sshdrnPS C:\> Set-Service -Name sshd -StartupType ‘Automatic'”), (u’language’, u”)])]

The next step is getting your SSH keys added so that you can login. If you don’t have an existing Public and Private keypair you can generate one using the ssh-keygen command. 

OpenSSH Server in Windows has two options for adding your Public key:

authorized_keys file located in each Users’ home directory. This option requires the User account to be added to the Server and a $HOME directory created. 

administrators_authorized_keys file located in the C:ProgramDatassh directory. This option provides a shared Administrative login facility but does not require a User profile.

In this example let’s assume that a user called Alice already exists on a Windows Server called win2019-ssh and has a User Profile created. We need to add Alice’s Public key (alice.pub) to Alice’s home directory and to achieve this; you’ll need to be logged on as an Administrator (either locally or remotely) to create the authorized_keys file in the User Profile.

code_block[StructValue([(u’code’, u’#SSH into the Server and run the command to create the .ssh folder in Aliceu2019s home directoryrnPS C:\> ssh administrator@win2019-ssh u2018mkdir C:\Users\Alice\.sshu2019rnrn#While logged in as an Administrator, use Secure Copy Protocol to copy Aliceu2019s Public key into the authorized_keys filernrnrn#Copy from Windows ServerrnPS C:\> scp C:\alice.pub administrator@win2019-ssh:C:\Users\Alice\.ssh\authorized_keysrnrn#Alternatively you can copy the key from Linux Serverrn~$ scp ./alice.pub administrator@win2019-ssh:C:/Users/Alice/.ssh/authorized_keys’), (u’language’, u”)])]

After the authorized_keys file is created under Alice’s .ssh folder, run the following command as Administrator to set the appropriate permissions.

code_block[StructValue([(u’code’, u’PS C:\> ssh administrator@win2019-ssh ‘icacls.exe “C:\Users\Alice\.ssh\authorized_keys” /inheritance:r /grant “Administrators:F” /grant “SYSTEM:F””), (u’language’, u”)])]

Alice can now log in to win2019-ssh using standard SSH or gcloud without having to input a password.

code_block[StructValue([(u’code’, u’#Sample output using standard SSHrnrnalice@cloudshell:~$ ssh alice@win2019-sshrnrnMicrosoft Windows [Version 10.0.17763.2114]rn(c) 2018 Microsoft Corporation. All rights reserved.rnrnrnalice@WIN2019-SSH C:\Users\Alice>rnrnrn#Sample output using gcloud compute sshrn#Aliceu2019s Private Key (id_ecdsa) is being passed as a parameterrnrnalice@cloudshell:~$ gcloud compute ssh alice@win2019-ssh –zone=us-central1-a –ssh-key-file=”~/.ssh/id_ecdsa”rnrnMicrosoft Windows [Version 10.0.17763.2114]rn(c) 2018 Microsoft Corporation. All rights reserved.rnrnalice@WIN2019-SSH C:\Users\Alice>’), (u’language’, u”)])]

An optional but strongly recommended configuration is to disable password authentication for SSH connections to prevent brute force attacks.

code_block[StructValue([(u’code’, u”#Before proceeding ensure that the Administratoru2019s Public Key has been added to the Administrator User Profileu2019s .ssh folderrnrnPS C:\> $sshd_config = ‘C:\ProgramData\ssh\sshd_config’rnPS C:\> (Get-Content $sshd_config) -Replace ‘#PasswordAuthentication yes’, ‘PasswordAuthentication no’ | Set-Content $sshd_configrnPS C:\> Restart-Service sshd”), (u’language’, u”)])]

Fleet-wide deployment

With the ability to manage your Compute Engine Windows instances over SSH with PowerShell, wouldn’t it be great if you could ensure your entire Windows fleet has it enabled? This is where Google Compute Engine VM Manager OS configuration management comes into play.  

We can write a policy for VM Manager to do all the hard work for us. There are two modes for a policy — the first is `Validation`.  This checks to see if the instance is in the desired state —  in our case, do we have the Windows sshd process running? We can do that with this policy fragment:

code_block[StructValue([(u’code’, u”validate:rn interpreter: POWERSHELLrn script: |rn $service = Get-Service -Name ‘sshd’rn if ($service.Status -eq ‘Running’) {exit 100} else {exit 101}”), (u’language’, u”)])]

Here we are telling the OS policy agent to use PowerShell to run a simple script that does the following: if the VM is compliant, i.e., the sshd service is running, we return `100`, otherwise we return `101` to tell VM Manager that the VM is not compliant.

If we want to remediate servers, we can use the `Enforcement` mode; this carries out automation to remediate the policy — in our case, install the Open SSH server, set the service to start up automatically and start the service. We can do that with this policy fragment:

code_block[StructValue([(u’code’, u”enforce:rn interpreter: POWERSHELLrn script: |rn Add-WindowsCapability -Online -Name OpenSSH.Server~~~~ Set-Service -Name sshd -StartupType ‘Automatic’rn Start-Service sshdrn exit 100″), (u’language’, u”)])]

As before, we return `100` to indicate that everything was successful.

These two policy elements combine to form our overall OS policy:

code_block[StructValue([(u’code’, u”osPolicies:rn – id: win-ensure-openssh-policyrn mode: ENFORCEMENTrn resourceGroups:rn – resources:rn id: ensure-sshrn exec:rn validate:rn interpreter: POWERSHELLrn script: |rn $service = Get-Service -Name ‘sshd’rn if ($service.Status -eq ‘Running’) {exit 100} else {exit 101}rn enforce:rn interpreter: POWERSHELLrn script: |rn Add-WindowsCapability -Online -Name OpenSSH.Server~~~~ Set-Service -Name sshd -StartupType ‘Automatic’rn Start-Service sshdrn exit 100rninstanceFilter:rn osShortNames:rn – windowsrn inclusionLabels:rn – labels:rn ssh: installedrnrollout:rn disruptionBudget:rn fixed: 10rn minWaitDuration: 300s”), (u’language’, u”)])]

You can see we are choosing the ‘Enforcement’ mode for the policy, we are filtering Compute Engine instances to be only those with a `windows` OS, via the `osShortNames` parameter, and (optionally) we are only going to apply this policy to instances that have the label `ssh` with the value `installed`; you can also have `exclusionLabels` if you want to do the reverse, or remove the label entries entirely if you want to apply the policy to your Windows systems.

You can then apply this policy to a zone with the following gcloud command:

code_block[StructValue([(u’code’, u’gcloud compute os-config os-policy-assignments create ensure-ssh-policy \rn –location=<compute engine zone name> \rn –file=<policy file.yaml> \rn –async’), (u’language’, u”)])]


Modern infrastructure management is all about automation. With the ability to enable SSH on Windows instances, you can combine automation tooling approaches across both Windows and Linux systems.

Combined with Compute Engine VM Manager OS Policy Management, you can also do it at scale across your entire fleet.

Learn more about VM Manager and check out other OS policy examples.

Cloud BlogRead More



Please enter your comment!
Please enter your name here

Most Popular

Recent Comments