Skip to content

Instantly share code, notes, and snippets.

@giseongeom
Last active February 22, 2023 13:57
Show Gist options
  • Save giseongeom/c5392ebc35e7ebec6371e4b21e4257eb to your computer and use it in GitHub Desktop.
Save giseongeom/c5392ebc35e7ebec6371e4b21e4257eb to your computer and use it in GitHub Desktop.
Enable OpenSSH for Windows (Windows 10/11)
#Requires -version 5
#Requires -RunAsAdministrator
# Enable tls1.2 from default (SSL3, TLS)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Ssl3 -bor [Net.SecurityProtocolType]::Tls -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12
# Enable TLS1.2 permanently
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord -Force
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord -Force
# Install Nuget
Install-PackageProvider -Name NuGet -Force
Set-PSRepository -InstallationPolicy Trusted -Name PSGallery
# Enable OpenSSH for Windows
[bool]$isSSHClientInstalled = Get-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0 | Where-Object { $_.State -eq 'Installed' } | Measure-Object | Select-Object -ExpandProperty Count
[bool]$isSSHServerInstalled = Get-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0 | Where-Object { $_.State -eq 'Installed' } | Measure-Object | Select-Object -ExpandProperty Count
if (-not($isSSHClientInstalled)) {
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
}
if (-not($isSSHServerInstalled)) {
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
if (Get-Service sshd -ErrorAction SilentlyContinue) {
New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force
Set-Service -Name sshd -StartupType 'Automatic'
Start-Service sshd
Set-Service -Name ssh-agent -StartupType 'Automatic'
Start-Service ssh-agent
}
}
# Create SSH publickey lists and adjust file permission(s)
$ssh_admin_authorized_filepath = 'C:\ProgramData\ssh\administrators_authorized_keys'
$ssh_admin_pubkey_list = "
#
# OpenSSH compatible public-key lists
#
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHThWyT9PKizPnNB5wWXumkUkoSiTYk90wCrAI9sG3/I [email protected]
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+c5hyivocsd4F1waBvUTRx2A7prLAeZ6dnHyY32UXq [email protected]
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxVq6IpjC8XaQ+utFbhtwgnp1Ig12RDRII+QjvfWgpkW2rcwe7CHVTCcf9PgZlnmMLVWsv1ha61MUopGN/bhWjcBE2fqhYJ3EU0UkeKRb6mviZYq5r5qnUmcT2KkzmU7xgQQdL4UoId1NB9pN7PEmLtyFuqH3HANGbgHW5l4vi5hx6XsUOBbNXp5/Qd2+FAJlr7RGY2BT5urqF0s94o984R8EM+HhOHb9E3qnf3jkthkTQC73vHS28aiSjKVDJFsTxQywS1mhzXvrQzyM7+B7PyuDJ2vpX4k4k0ubbgXQI6l3pkERREwiTzLg+QX0/CexshDrCba/RJGkLxHwYkra1Q== [email protected]
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA3T3wuhVb+HmZKiu52BpWFShes9okRt3puZRhWkfgFyDoLLFOTB8H+Ng+cbnCl69OzctmpMeafD+3D0QU3rEofM31GMNOfbzupe5aNv56FX4c7lHzROS3O364DCqCShFKvvAPZW0LmrXya4Tn8HQ/oP9b4ukIex0UT4M4XSbBVhLq0dMFwVZb8PpkQpFJudHm9SGAyEP87Cq2IcU0rcoFqCmjBcoV+9tF7rLeS72eddOkn7ZPMixUt8vkMJaAuxnq36v+I4f2In8Fn/ZR7ayrqKvJ5dtOwf4Ut7IynQxekgKqFXOX25NtK6uE3wovpcVwxqNN964anlgQGS7kPWbF8w== [email protected]
#
#
".Split("`r`n") -notmatch '^#.*' | Where-Object { $_.trim() }
$ssh_admin_pubkey_list | Out-File -Encoding ascii -FilePath $ssh_admin_authorized_filepath -Force
if (Test-Path $ssh_admin_authorized_filepath)
{
# Fix owner and permissions
# https://github.com/PowerShell/Win32-OpenSSH/wiki/Security-protection-of-various-files-in-Win32-OpenSSH
Set-Location C:\ProgramData\ssh
takeown /F administrators_authorized_keys /A
icacls administrators_authorized_keys /inheritance:r
icacls administrators_authorized_keys /grant SYSTEM:`(F`)
icacls administrators_authorized_keys /grant BUILTIN\Administrators:`(F`)
}
# Enable PSRemoting over SSH
$sshd_config_filepath = 'C:\ProgramData\ssh\sshd_config'
if ((Test-Path $sshd_config_filepath) -And (Test-Path 'C:\Program Files\PowerShell\7')) {
New-Item -ItemType SymbolicLink -Path C:\pwsh -Target 'C:\Program Files\PowerShell\7'
$sshd_config = Get-Content -Path $sshd_config_filepath
$sshd_config -replace "^Subsystem.*", "Subsystem sftp sftp-server.exe`nSubsystem powershell c:/pwsh/pwsh.exe -sshs -NoLogo" `
| Set-Content -Path $sshd_config_filepath -Force
Restart-Service sshd
}
@giseongeom
Copy link
Author

giseongeom commented Aug 31, 2020

위의 스크립트 실행하면

  • OpenSSH for Windows client, server 활성화
  • C:\ProgramData\ssh\administrators_authorized_keys 파일 생성
  • Administrators 권한으로 접속할 사용자의 SSH public key를 등록
  • PowerShell Remoting over SSH 활성화됨

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment