Blog Article Request: Current Project Status and Future Planning

[JasonFossen]

Hello Win32-OpenSSH Team:

Please post a blog article that summarizes the current state of OpenSSH for Windows and PowerShell Core, especially regarding remoting, key-based authentication, key management, sudo, Active Directory integration, major features that will (not) be added soon, depth of planned integration with PSCore, security or crypto library issues, Credential Guard protection of keys/passwords, multi-factor auth support, etc.

Thank You! Jason

[manojampalam]

While we work on getting a blog article out, here's the current status of things. We've gotten most of the feature parity with Unix, with a few exceptions (listed in https://github.com/PowerShell/Win32-OpenSSH/wiki/Project-Scope).

That said, with an intent to not make any changes to original for-Unix code, we have a quite a number of #ifdef'ed Windows based logic in common code (with Unix). This makes the fork some what fragile with each integration from upstream (https://github.com/openssh/openssh-portable) having a merge overhead and a possibility of regressions in Windows. Our focus right now is to work with upstream community and see if these platform differences could be reconciled using platform abstraction.

As for the specific features you asked, here's the status:

• Remoting - PSRP over SSH is supported with Powershell Core (https://docs.microsoft.com/en-us/powershell/scripting/core-powershell/ssh-remoting-in-powershell-core?view=powershell-6). We ensure that this will not be broken
• key-based authentication and key management - works the same way as it does on Unix. AuthorizedKeysCommand is not supported yet, but will be in the next couple of months.
• sudo - This is outside the scope of this project and there is no easy alternative at this point. Recommend asking Powershell experts.
• Active Directory integration - Native support will not happen anytime soon since it involves changes to underlying code that will diverge this fork significantly. That said, with the support of AuthorizedKeysCommand coming soon, it should be easy to write a utility that could do AD key -user mapping out of band.
• Credential Guard protection of keys/passwords - Not sure how passwords are applicable, but for keys, credential guard protection is in radar, we don't have an ETA yet.
• Multi-factor auth support - This is currently supported by mandating both password and key-based auth. There is a provision to overload password auth (ex. to support a OTP login via custom LSA provider).
• depth of planned integration with PSCore - While PSCore is dependent on OpenSSH (for PSRP over SSH), OpenSSH itself is an independent project. As said earlier, we will ensure PSRP over SSH is not broken.
• security or crypto library issues - there are none at this point.

[JasonFossen]

Thank you for this detailed reply, looking forward to the article -- best wishes!

[JustinGrote]

Really looking forward to AuthorizedKeysCommand, with that it'd be trivial to tie it to a powershell script to fetch it from a user AD custom attribute and allow for centralized authorized keys, since Kerberos is currently not supported (though NoMoreFood's implemention I hope makes it into the codebase)

[manojampalam]

For sudo, you could do a nested ssh from within the remote session ssh -t adminuser@localhost