hashicorp / packer

Packer is a tool for creating identical machine images for multiple platforms from a single source configuration.
http://www.packer.io

[question] Packer ssh connection to windows ssh server #9578

Closed lmayorga1980 closed 4 years ago

lmayorga1980 commented 4 years ago

I am trying to connect to a Windows SSH Server using the following snippet from the user_data.ps1.

<powershell>

cmd /c net user myuser somepassword /add /y

cmd /c 'wmic UserAccount where Name="myuser" set PasswordExpires=False'

cmd /c net localgroup administrators myuser /add

write-output "Running User Data Script"
write-host "(host) Running User Data Script"

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

Start-Service sshd
# OPTIONAL but recommended:
Set-Service -Name sshd -StartupType 'Automatic'
# Confirm the Firewall rule is configured. It should be created automatically by setup.
Get-NetFirewallRule -Name *ssh*
# There should be a firewall rule named "OpenSSH-Server-In-TCP", which should be enabled
# If the firewall rule does not exist, create one (New-NetFirewallRule fails if the name already exists)
if (-not (Get-NetFirewallRule -Name sshd -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
}

New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force

@'
ssh-rsa <my-public-key>
'@ > $Env:Programdata/ssh/administrators_authorized_keys

$acl = Get-Acl C:\ProgramData\ssh\administrators_authorized_keys
$acl.SetAccessRuleProtection($true, $false)
$administratorsRule = New-Object system.security.accesscontrol.filesystemaccessrule("Administrators","FullControl","Allow")
$systemRule = New-Object system.security.accesscontrol.filesystemaccessrule("SYSTEM","FullControl","Allow")
$acl.SetAccessRule($administratorsRule)
$acl.SetAccessRule($systemRule)
$acl | Set-Acl

Restart-Service sshd
cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes
</powershell>

Anything else to make it work for WinRM?

SwampDragons commented 4 years ago

I've never gotten around to figuring out how to connect via winrm to any windows AWS instance using a non-Administrator user. Even setting users in the administrators group hasn't seemed to be enough for me -- there's probably some other lever you have to pull to allow remote access for non-administrator users.

You may have better luck reaching out to the mailing list or community forum for help since I'm not a WinRM expert.

SwampDragons commented 4 years ago

Since this is a configuration question and not a bug/feature request, I'm going to close it to keep it off our GitHub bug tracker, but if you figure it out, can you open a Documentation PR?

lmayorga1980 commented 4 years ago

@SwampDragons

This is the final configuration to set up SSH under the userdata.ps1 using Windows SSH. I can send a PR on the docs, but I will need to work out at least a couple of provisioners too.

<powershell>
##User for Kevin

cmd /c net user myuser mypassword /add /y

cmd /c 'wmic UserAccount where Name="myuser" set PasswordExpires=False'

cmd /c net localgroup administrators myuser /add

write-output "Running User Data Script"
write-host "(host) Running User Data Script"

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

Start-Service sshd
# OPTIONAL but recommended:
Set-Service -Name sshd -StartupType 'Automatic'
# Confirm the Firewall rule is configured. It should be created automatically by setup.
Get-NetFirewallRule -Name *ssh*
# There should be a firewall rule named "OpenSSH-Server-In-TCP", which should be enabled
# If the firewall rule does not exist, create one (New-NetFirewallRule fails if the name already exists)
if (-not (Get-NetFirewallRule -Name sshd -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
}

New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force

#REPLACE BY YOUR KEY COMING FROM SOMEWHERE ELSE INSTEAD OF HARDCODING
New-Item -Path $Env:Programdata/ssh -Name "administrators_authorized_keys" -ItemType "file" -Value "ssh-rsa <YOUR-PUBLIC-KEY>"

$acl = Get-Acl C:\ProgramData\ssh\administrators_authorized_keys
$acl.SetAccessRuleProtection($true, $false)
$administratorsRule = New-Object system.security.accesscontrol.filesystemaccessrule("Administrators","FullControl","Allow")
$systemRule = New-Object system.security.accesscontrol.filesystemaccessrule("SYSTEM","FullControl","Allow")
$acl.SetAccessRule($administratorsRule)
$acl.SetAccessRule($systemRule)
$acl | Set-Acl

Restart-Service sshd

cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes

</powershell>
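The following is an added example, not the script posted above and not part of Packer itself: a re-runnable, tightened variant of the same bootstrap. It keeps the thread's approach (local administrator for the build, Win32-OpenSSH, PowerShell as the default shell, administrators_authorized_keys with a restricted ACL) but gives the build user a random, unrecorded password instead of a hardcoded one, creates the firewall rule only when setup did not, writes the key file as ASCII (Windows PowerShell's `>` redirection emits UTF-16, which sshd does not parse), turns password authentication off so the key is the only path in, and checks that sshd is actually listening before the script ends. It assumes Windows Server 2019 or later with the OpenSSH.Server capability available, that it runs as SYSTEM inside the EC2 `<powershell>` user-data wrapper, and that the public key is injected into `$PublicKey` at launch; `$BuildUser`, `$PublicKey` and the key placeholder are this example's own names.

```powershell
# Added example, not the poster's script. Assumes Windows Server 2019+, run as
# SYSTEM from EC2 user data, with the build user's public key supplied at launch.
$ErrorActionPreference = 'Stop'

$BuildUser = 'packer'                                            # hypothetical name
$PublicKey = 'ssh-ed25519 <YOUR-PUBLIC-KEY> packer-build'        # placeholder, inject at launch

# 1. Build user with a random password nobody records; key auth is the only intended path.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$randomPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
if (-not (Get-LocalUser -Name $BuildUser -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $BuildUser -Password $randomPassword -PasswordNeverExpires -AccountNeverExpires | Out-Null
}
if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $BuildUser -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Administrators' -Member $BuildUser
}

# 2. OpenSSH server: install once, make it persistent, start it (first start creates
#    %ProgramData%\ssh and the host keys).
$cap = Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH.Server*'
if ($cap.State -ne 'Installed') { Add-WindowsCapability -Online -Name $cap.Name | Out-Null }
Set-Service -Name sshd -StartupType Automatic
Start-Service sshd

# 3. Inbound rule only if setup did not already create it, so the script can be re-run.
if (-not (Get-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' `
        -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 | Out-Null
}

# 4. PowerShell as the login shell so SSH sessions land in PowerShell, not cmd.
New-ItemProperty -Path 'HKLM:\SOFTWARE\OpenSSH' -Name DefaultShell `
    -Value "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -PropertyType String -Force | Out-Null

# 5. Administrators' authorized keys: ASCII on disk (UTF-16 from '>' is unreadable to
#    sshd) and an ACL limited to Administrators and SYSTEM, which sshd enforces.
$authKeys = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'
Set-Content -Path $authKeys -Value $PublicKey -Encoding ascii -Force
$acl = Get-Acl $authKeys
$acl.SetAccessRuleProtection($true, $false)     # drop inheritance, discard inherited ACEs
foreach ($id in 'Administrators', 'SYSTEM') {
    $acl.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
}
Set-Acl -Path $authKeys -AclObject $acl

# 6. Key-only logins: prepend the directive to the global section of sshd_config.
#    (Appending would place it under the trailing "Match Group administrators" block.)
$sshdConfig = Join-Path $env:ProgramData 'ssh\sshd_config'
$conf = Get-Content $sshdConfig | Where-Object { $_ -notmatch '^\s*#?\s*PasswordAuthentication\b' }
Set-Content -Path $sshdConfig -Value (@('PasswordAuthentication no') + $conf) -Encoding ascii

# 7. Apply and verify before the instance reports ready.
Restart-Service sshd
if (-not (Get-NetTCPConnection -LocalPort 22 -State Listen -ErrorAction SilentlyContinue)) {
    throw 'sshd is not listening on TCP/22'
}
```

Because the build account's password is random and discarded, a leaked AMI or user-data log no longer contains a usable credential, and the `PasswordAuthentication no` line means the public key in administrators_authorized_keys is the only thing that admits a session. The final `throw` makes a broken bootstrap fail loudly in the console log rather than surfacing later as a Packer SSH timeout.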
ghost commented 3 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.