OpenSSH for Windows: The IT Admin's Key to Remote Management

Captions
This channel is dedicated to IT students, IT professionals and anyone who enjoys learning technical subjects. As soon as we started putting computers on a network, administrators needed the ability to go across the network and administer those remote hosts. All operating systems provided some basic utilities that allowed you to do that. The problem came as the network between these two devices became more and more untrusted: we needed a robust method of authentication and we needed to encrypt the traffic between the admin and the remote host. Well, by 1995 a researcher at Helsinki University of Technology in Finland was a victim of a password sniffing attack and sat down and developed the basics of SSH. SSH is going to provide us robust authentication and encrypt that traffic so we can administer not only hosts but network equipment, routers, firewalls; we can administer it safely.

Now Microsoft was very slow in bringing SSH utilities and functionality into the Windows environment. Every Windows administrator used third-party tools so that they could communicate using SSH into their routers, their switches, their network gear, their non-Windows operating systems; they may be hosting a database or an Apache web server on Linux. IT admins were always using SSH, it just wasn't built into Windows.

Now it's very important we understand what SSH is. Well, number one, it's a cryptographic network protocol that allows developers to write applications on either side of this encrypted tunnel. The most popular is what we call the SSH client and an SSH server, and this allows the administrator to go across and pull the command line operating system function back to his desktop screen so he can administer that host remotely. I also find this an excellent substitute for VPN: I've got a secure tunnel. Now most applications that are developed around SSH are going to be command line. Now here's an example of a graphical application that can be run in Windows and runs across the SSH protocol: it's called WinSCP. It's used by web developers who want to be able to see their desktop file system and their web server file system in this graphical Explorer view.

As of Windows 10 version 1803 and above, including Windows 11, the OpenSSH client software is now installed by default. The OpenSSH server is now a feature on demand; in Server 2019 and 2022 this is the same. Now the OpenSSH client will come across and talk to the host and will open a command prompt console. You can change that to a PowerShell console in the registry; that will be found in the notes. In the video description there's a link to my video notes; I'll have a lot of stuff about SSH in the video notes.

Let's go ahead and launch our Windows 11. We're going to go to the Start icon and we'll go right into Settings. Now you can install software using PowerShell or the command line DISM command, so there's a variety of ways you can install optional or feature-on-demand software; we're just going to go through Settings at this point. Let's go to Apps and we're going to go to Optional Features. I just put "ss" in the search; you can see the OpenSSH client, and I have already installed the OpenSSH server. If you want it and it's not installed, you can simply go to View features / Add an optional feature. Again you can just type "ss" and it pulls up, and here, if it was not installed, then it would be an optional feature; you would check the box and click Install and you go.

Let me show you first how we run the SSH client. We're going to go Start, I'm going to come up to Terminal (you can download Terminal from the Microsoft Store) and run it as an administrator, and it's going to launch right in PowerShell. I just simply type ssh, and that's your client. It's command line driven; it's got lots of features and functionality. Now if I come over here to my Terminal and I launch CMD, I can do the same thing, so my SSH client can run both in the command line and in PowerShell.

Let's go take a look at where the OpenSSH files for the client software are stored on Windows. We're going to go to Explorer, double click on My PC, C drive, come down to Windows, we'll go to System32 and we will look in the directory called OpenSSH, and here are all the files to run your OpenSSH client software. So the OpenSSH client can be run from the PowerShell prompt; you can also run the OpenSSH client from the command line prompt.

Okay, over here on my client I've got my OpenSSH client software installed, and I went over to my remote host and installed the OpenSSH server software. Now before we try to connect there's a few things that I have to do on the server side to make sure it's properly configured, and then we can connect across. Now the first thing that I want to do on this server side, after I've installed the software, is open up my Services control panel app and look for the OpenSSH SSH Server service. I'm going to double click, I'm going to set the startup type to Automatic, and I'm going to go ahead and start the service and let that go. That's very important, because this server needs to be running all the time, and when you reboot it needs to start again; it's a server service.

Next what we want to do is launch a command prompt, and we're going to look at our Windows Defender Firewall to make sure that it's open on TCP port 22, which is what SSH uses, and that our server service is listening on that port. So I'm going to use netstat, and I'm just simply going to go -na and execute that, and then scroll back up under TCP, and there is port 22 right there, and you can see that I have a process that is listening on port 22. So my firewall is open, I've got a service listening on port 22, which obviously is my SSH server; good to go.

Now if that wasn't correct, let's go look at our firewall to check. I'd go to Settings and I would find my Windows Defender Firewall, and I'm going to come down here and go to Advanced, and because I'm on a domain I'm going to come to Inbound Rules and filter by profile. I don't care about the firewall for a private network or a public network; I'm looking at the firewall for a domain, which is what I'm on. Then I'm just going to scroll down here and look for OpenSSH, and there it is right there, my OpenSSH SSH Server firewall setting. I'll go ahead and look at the properties: it is enabled and the port is 22, so we're good to go. If that wasn't there, you could configure that inbound rule.

Now we're continuing our configuration of the OpenSSH server, and we need to finish that by getting into a configuration file in ProgramData, which is normally hidden on your C drive root. You're going to have to go into your folder options and show hidden files, folders and drives; you also need admin rights to get into this folder. Once we're in ProgramData there's a folder called ssh right here, and it will have a number of files in there. We're specifically interested in the configuration file for the OpenSSH server, which is called sshd_config. You can open it up in Notepad, but I encourage you to start getting into some of the more powerful text editors. I use a tool called Notepad++; it's free. Once you start using that text editor (and you're going to be using text editors a lot in IT) you're never going to go back to Notepad.

So I'm going to do this by taking my admin workstation and going across the network to a virtual machine that's on the network, the Win11 ENT VM12. It has the OpenSSH server, and I'm going to go across the network, grab that text file, bring it back to my admin station, edit it in Notepad++, and then we will test our configuration to see if it works. So I'm going to go across the network: I'm going to do backslash backslash, the name of the host, win11, then I'm going to get through the administrative share, which is C$, and then go to ProgramData, and I know that right in that folder is the ssh folder, and we'll go ahead and pull that up. So now I'm pulling up those files on my remote virtual machine, and there's the file that I want to configure; that's going to be my OpenSSH configuration file. If you'll notice, I have Office 365 installed on my workstation and it's looking at these files; notice these key files show as Publisher files, because their extension is .pub, so Publisher is thinking those are files associated with the application. They're not; we're going to get into what those key files are. So I'm going to go ahead and open this in my editor; it's going to have to pull this across the network.

Now once we open up this configuration file for the OpenSSH server, it has a lot of text information in it. The way that they have done this is they've put exactly how they've configured it by default, so everything you see in here is simply comments. Each comment tells you what they've set this server up with by default. For example, here you see #Port 22; that is the default port that the OpenSSH server is going to use. If you wanted to change that, all you have to do is remove the pound symbol, change this to 23, save this text file, restart the OpenSSH server service, and voila, it's not going to look at port 22 anymore; it's now going to be looking at port 23. That's simple. Now it's very important: any change you make in this configuration file, you must restart the server service on that remote host.

To get more information about this configuration file and what all those configurations mean, you can simply go to Google and type in "OpenSSH for Windows GitHub", and notice the GitHub link shows up. Go to the wiki and you will have the manual for this configuration file, and in that manual you can scroll and look at every one of those OpenSSH server configuration options and see all the information you want about how you want to change it and what you can do. It's also in our video notes, in the video description link below. Honestly, when I had to use SSH many, many years ago, I had to beat my head against the wall trying to figure out how to use this complex software communication protocol to connect to a switch or a router or some other network device. Microsoft has removed a lot of the friction and pain, so a new IT student, a new IT employee, can start learning SSH with as little friction as possible. Your pain will come, but at least you can start using it without having hours of frustration in order to connect something to something.

For OpenSSH for Windows, if you've configured your server software, then you can launch your client. In this case, if this is a workgroup host, and if you know a username and password that will work on this workgroup, you can go to your client and say ssh, the username that's appropriate for that host, @, the hostname or IP address, and your SSH client will get you in. Now look below: same thing, except now we're on a domain. I've got two host devices on a domain and I'm going to use SSH, and there are a number of different ways to log on to these domain hosts on the network, so I'm going to use one of those, but you can see you can do it a number of different ways.

All right, so we start with our OpenSSH client on Windows 11 and I'm going to open up my PowerShell console, and there it is; I've opened up my PowerShell console. I'm going to type in ssh, which is going to launch the client software. I'm going to use the logon option of username@domain (and yes, I know my domain name is long) @ either the host name or the IP address. My remote host is 192.168.0.140, so I'm going to use the IP address. So if you notice up here in my PowerShell: ssh homeboss@homelab.techsavvyproductions.com@ and then the IP address, hit Enter, and we're in. Okay, let's look at another method of logging on, again for the domain. I'm going to type in ssh, that launches the SSH client, and I'm going to type in a username, @ and my domain, and then again an @ and this will be the host name or the IP address, and I'm going to go into my virtual machine, hit Enter, and notice I've connected.

Now because I'm connecting to this SSH server for the first time, notice the prompt: my client is warning me, you've never connected to this SSH server before and we need to move a key to your desktop, and that key has been signed with an algorithm of ED25519 (that's an algorithm for encryption). Do you want to move this key to your desktop so it will not prompt you for this SSH host again? So do you really want to connect to it? And we'll say yes. Now it kept failing when I attempted to log on, and it took me a minute to realize that I had typed in the wrong domain name, so let's do it again; this time we'll do it right: ssh, our client, our user and then our host, and then our password, and there, I'm successful. Notice it took time; it didn't happen instantly and there was a little bit of network delay. I'm now at a command prompt; I'm not in PowerShell. I started off in PowerShell, but by the time I connected to the SSH server it brought back a CMD console. Now if I want to have that PowerShell console brought back to my desktop, I can simply launch powershell, and now I'm back to PowerShell.

Now if you remember, when we first connected our client to our SSH server we got the message shown below: the client was warning us that it had never connected to the server, there was some kind of fingerprint that it wasn't aware of, and did we really want to connect to it; and we said, in this case, yes, go ahead and connect. Well, this is a spoofing protection for you as an admin. Let's take a look at it. Now on your client PC, under C:\Users\<your profile name>, is a .ssh folder, and in that folder is a file called known_hosts, and every time I connect to an SSH server a hash value comes over and is put into this file. You can see I connected to 192.168.0.140; it put a series of fingerprint information into this known_hosts file. I also connected to Win11 ENT VM12; it put the fingerprint information into this known_hosts file. This is a spoofing protection for you as an admin. So for example, you connect to a container on a regular basis; you're a developer; you have this fingerprint in your client. Today you connect and all of a sudden you get prompted that you've never connected before, do you want to connect again. You're thinking, wait a minute, I was just on that container two days ago. SSH is saying to you: something is up. Because that information is saved in your known_hosts file, you shouldn't be prompted after the first time, so any time you're prompted, be aware you could be a victim of malicious activity and someone is spoofing a device you're connecting to. You should only see this warning the first time, the initial time you connect.

Now the Windows OpenSSH client and software package primarily support username and password authentication and key-generated authentication, which we're going to get into in just a minute, but you can also enable what's known as Kerberos; in other words, take advantage of your domain. So if you're using OpenSSH strictly as a Windows domain connectivity tool, you can simply go to your SSH configuration file, enable Kerberos authentication, and from now on you can just log on to all your SSH servers with ssh -K and the hostname, and you're in using Kerberos.

So let's step back and ask this question: why Windows OpenSSH? We already have remote PowerShell; we already have WinRS for those command line admins that want to use CMD; we have Remote Desktop if you're a GUI admin. Windows OpenSSH is not a complete client/server software package; there are many things that OpenSSH for Windows simply does not support that many third-party software implementations do support. It doesn't meet Microsoft's JEA security technology, which is called Just Enough Administration. So what's the purpose of another administrative tool that's kind of halfway developed? Why is Windows doing OpenSSH? Well, a lot of Windows admins and developers are working on both Windows Docker containers and Linux Docker containers, and this makes it so much easier for them to connect to and manage. Microsoft's new Terminal, which is the command line interface that I have used in all my demos up to this point, supports multiple profiles, so in one interface you can support the configuration of many SSH servers. It allows admins to stay in PowerShell without launching third-party software to complete their tasks. SSH is the default for Linux and BSD environments, and Microsoft is working on JEA for Windows OpenSSH.

Now another method for authentication with SSH is the use of private and public keys. We're going to put a private key on the SSH client and we're going to put a public key on the SSH server; that key pair is going to give us a very secure authentication method. Now functionally, that private key on the client is in a sense a password. When you use these keys, they grant access and control as to what you can do. These keys have to be managed; they are a credential. Technically these keys are simply a file, and the contents contain cryptographic information. This is the contents of a private key, and you can actually see what is inside that private key. Using this key pair to log on to SSH is very attractive: one, it meets compliance and regulatory requirements for higher levels of security; it's very resistant to brute force attack; when used with a passphrase you actually gain two-factor authentication; a key pair logon can not only authenticate you but restrict what functions you can perform; private keys can be stored in password managers for additional security; and if you compromise your private key, then you only compromise the device you configured it for. For example, you set up a specific key pair for a Docker container; if somehow your private key is compromised, the only device that's compromised is one container. If I compromise my domain username and password, my whole domain is compromised.

Now we're going to learn how to generate these key pairs, and you can use a variety of encryption algorithms to encrypt these key pairs: you can use DSA, RSA, ECDSA, ED25519, which is the strongest algorithm. It depends on what you're dealing with: if you're dealing with an old network switch, you may have to use some of the older encryption algorithms; on the other hand, if you're trying to create a key pair for a brand new version of Ubuntu's Linux server, you can probably use the latest, greatest algorithm. Now PowerShell has a utility that allows you to generate these private and public keys for your SSH. So here's an example in my Windows Terminal where I've gone ahead and generated a key pair, and this is what we would see on the screen. A very safe way of managing your private key is simply to put them into your password manager: LastPass or KeePass or any other password manager. Now when I generate a key pair, you can see from the screen I'm on Terminal; I've gone ahead and generated a key pair. It's going to generate two files: one is a private key and one is a .pub, or public key. It's going to save those two files inside my user's profile .ssh directory.

Now we're going to walk through step by step generating key pairs, and I'm going to begin with using default names, and then we'll generate a series of key pairs for a router and some switches that I want to generate these key pairs for. So I've got a web server that I want to connect to using these key pairs for SSH, and then I've got router01, router02, switch01, switch02. Let's see how this tool generates these key pairs for these SSH connections. Now my utility is ssh-keygen, and I'm using -t, which allows me to specify the encryption algorithm; in this case I'm going to use ed25519. I'm going to hit Enter, and here I'm prompted for my passphrase (remember, this is my two-factor authentication), and then you'll type that in and confirm it. Now here you can see in the location C:\Users\homeboss (which is my user who's logged on), .ssh subfolder, are my two files: the first one is the private file, this one is the public file, and yes, my Microsoft Publisher thinks that's one of its files because it's got .pub.

Now let's go ahead and continue my key pairs for my router01. I looked at my documentation for router01 and it doesn't support the latest, greatest algorithms for SSH, but it does support DSA, so that's what I put in my command line. So I'm going to hit Enter, and notice it wants to give it a specific name, but I want to call it router01. Now watch where it saves the file. Do I want to put a passphrase? Yes I do, and then confirm, and you can see that my private key has been created and my public key has been created; notice the file names, router01 and router01.pub. Let's go see where they're saved. Now notice they were not put in the .ssh folder under my home directory; they were just thrown in my home directory, right in the root. So there they are, router01 and router01.pub, and remember, they're just files; I can put them wherever I want, but right now it just creates them and dumps them right there. Now I can finish with router02, switch01, switch02; you get the idea.

Now step two: we're going to go to our Services, and there is a service called OpenSSH Authentication Agent, and by default it's disabled. We are going to set its start type to Automatic, we're going to fire it up, we're going to start it, and then we're going to check to make sure it's running. This agent is going to allow us to use our private keys more effectively with the SSH client. So let's go ahead and get the service start type set to Automatic; I'm just popping in some PowerShell, and that's done. We'll next go ahead and start the service, and then we'll check the status, and it shows it running, and if I go back to my GUI I can see that it is now running and set to Automatic. So here on this slide you can see we've done all of these things: we went ahead and started the SSH agent, set up the startup type, got the service started, we checked the status. Next we want to register our private key with the ssh-agent. I'm going to execute this command right here, and it will now register that private key with the ssh-agent service. So down below I've added the command to register my private key; hit Enter; it wants my passphrase; now my identity has been added into this service.

Now we need to move and deploy our public key, which is right now sitting as a file on our SSH client; we need to move it to our SSH server. Now all of these steps are important. We're going to move the public key; we're going to rename the public key as we move it to the server, because I want this public key, when I authenticate, to be an administrator on this device; I'm going to put it in a certain location and give that public key a certain text file name; and then I'm going to set NTFS permissions in a special way. If you fail any of those steps, it won't work. So I'm going to take my public key, I'm going to rename it, and I'm going to move it to ProgramData\ssh, and then change that file into a new file name called administrators_authorized_keys; no extension, just that's the file name. And then I'm going to set permissions with SYSTEM with full control and the local Administrators group with full control. Those are very important steps, and this key is now ready to be used.

I'm going to execute a series of PowerShell scripts, and we'll see we're going to be doing each of these steps. The first PowerShell script here, I'm preparing my public key; remember, I'm still on the client. Now my next PowerShell script will actually rename the file, move the file and set the permissions. We'll go ahead and hit Enter. So here's what I've done; these are the scripts; this will all be in the documentation in the video notes that you can download. Here I've executed this PowerShell and then I've executed this; all of this is still on the client. Now we're getting ready to log on to our SSH server for the first time. Now when I log on to my SSH server, I am going to use ssh, my username@domain, @ and then the host, and then I'm going to use $remotePowershell, and that's going to execute all of this prepared script that I've got ready. When I do this, it's going to prompt me for my password; this will be the last time I ever use my password; after that, when I log on from now on, no password is needed. Okay, here I've typed in ssh homeboss@homelab and the remote host, and then I've added the $remotePowershell; hit Enter. It's saying this is the first time you've connected, do you want to add this to your known_hosts file, and I'll say yes, and now it's prompting for my password. So now it's added that fingerprint into my known_hosts file, good, and it's saying okay, but you need to authenticate this user, and so I'm going to have to put in my password for the last time. Now it's going to execute that script: so, successfully processed one file, and hopefully at this point we're logged on; the key pair is established.

Now let's go ahead and clear my screen, and this time I'm going to log back on. In fact, before I do that, I'm just going to check what host I am on. So right now I'm on my client; this is my client. And so I'm going to go back and remote SSH into my SSH server, and notice I'm not going to use that $remotePowershell; I'm just going to use this as my logon. It should not require a password. Boom, I'm in. Let me do a hostname, and now I'm in to my SSH server at a command prompt. Voila.

If you're watching this at this point in the video, you are a hardcore technology person. Ninety percent of the people who are on YouTube who watch a video that I create are gone in three minutes, so the fact that you're watching me right now tells me you're pretty hardcore, and you're the very reason we do all the work, all the video editing, all the preparation; it's because of you. You're the person we're after: you want to learn, you want to understand, and you're willing to watch 25 minutes, 30 minutes of just geek stuff, and we really, really appreciate you. One way that you can help us tremendously is to support us by liking the video and subscribing. It's simple, two clicks, and it doesn't cost you anything, and it really, really helps us. If you can join, that's great; it really does help us. It's two dollars and something a month; that's a cup of coffee a month. We really, really appreciate it, but it's more important if you can like and subscribe; it's the best way of supporting this channel.

As you can see, SSH installing, configuring and setting up the connection is quite complex and can be intimidating. If you need an SSH client that has more feature sets, you can try PuTTY; I've done a video using PuTTY showing you how to connect via serial and then turn around and set up your SSH using the PuTTY utility. OpenSSH for Windows is relatively easy to set up, configure and use, and once you start learning how to do this you will fall in love with this system. IT administrators today are going to interact with a lot of non-Windows environments, whether it's Unix, FreeBSD, Solaris or Linux; you're going to get involved with non-Windows environments, especially in hardware, and SSH is the most popular way of connecting and administering those. Then using key pairs when you set up your SSH gives you all the benefits of high levels of security, and once you have got it set up, the ease of administration is really nice. Thank you.
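The key-based logon procedure the video walks through (generate an ED25519 key pair, enable the OpenSSH Authentication Agent, register the key, install the public key as administrators_authorized_keys with the SYSTEM/Administrators-only ACL, then confirm a password-free logon) collected into one client-side script, with the server-side checks from earlier in the video as comments. This is an added example, not the presenter's video-notes script: the server name and account are placeholders, and the public key is copied with scp plus an icacls call over ssh rather than the presenter's $remotePowershell one-liner.

```powershell
# Added example (not the presenter's script): client-side setup for key-based
# OpenSSH logon to a Windows host, following the steps narrated in the video.
# Assumptions: $RemoteHost and $RemoteUser are placeholders for your own server
# and an account that is a member of Administrators there; the key pair lives in
# the default .ssh folder; scp + icacls replace the $remotePowershell one-liner.
$RemoteHost = 'win11-placeholder'                       # hypothetical SSH server
$RemoteUser = 'homeboss'                                # hypothetical admin account
$KeyPath    = Join-Path $env:USERPROFILE '.ssh\id_ed25519'
$AuthKeys   = 'C:/ProgramData/ssh/administrators_authorized_keys'  # path on the server
$AuthKeysWin = $AuthKeys.Replace('/', '\')              # same path, Windows form for icacls

# 1. Generate an ED25519 key pair. ssh-keygen prompts for a passphrase; set one,
#    so the private key file on its own is not enough to log on.
if (-not (Test-Path $KeyPath)) {
    ssh-keygen -t ed25519 -f $KeyPath -C "$RemoteUser@$env:COMPUTERNAME"
}

# 2. Enable and start the OpenSSH Authentication Agent (disabled by default),
#    then register the private key so the passphrase is typed once per session.
Set-Service -Name ssh-agent -StartupType Automatic
Start-Service -Name ssh-agent
if ((Get-Service -Name ssh-agent).Status -ne 'Running') { throw 'ssh-agent did not start' }
ssh-add $KeyPath

# 3. First contact: the client asks whether to trust the server's host key.
#    Before answering yes, compare the fingerprint it shows with the one the
#    server reports locally:  ssh-keygen -l -f C:\ProgramData\ssh\ssh_host_ed25519_key.pub
#    Copy the public key to the server under the name sshd expects for members of
#    Administrators (this overwrites any existing administrators_authorized_keys).
scp "$KeyPath.pub" "${RemoteUser}@${RemoteHost}:$AuthKeys"

# 4. sshd ignores administrators_authorized_keys unless only SYSTEM and the
#    Administrators group can access it: drop inherited ACEs and grant just those.
ssh "${RemoteUser}@${RemoteHost}" "icacls.exe $AuthKeysWin /inheritance:r /grant Administrators:F /grant SYSTEM:F"

# 5. Verify. BatchMode stops ssh from ever falling back to a password prompt, so a
#    successful hostname round-trip proves the key path itself works.
function Test-KeyLogon {
    $remoteName = ssh -o BatchMode=yes -o PasswordAuthentication=no "${RemoteUser}@${RemoteHost}" hostname
    if ($LASTEXITCODE -ne 0) { throw "key-based logon to $RemoteHost failed" }
    return $remoteName
}
Write-Host "Key-based logon OK, remote host reports: $(Test-KeyLogon)"

# 6. The client's record of trusted servers. A later "host key has changed"
#    warning for one of these entries means the server, or the path to it, is
#    not what it was the first time, which is the spoofing check the video describes.
ssh-keygen -l -f (Join-Path $env:USERPROFILE '.ssh\known_hosts')

# --- Run on the server (once, after installing the OpenSSH Server feature) ---
# Set-Service -Name sshd -StartupType Automatic; Start-Service -Name sshd
# Get-NetTCPConnection -LocalPort 22 -State Listen       # sshd is listening on 22
# Get-NetFirewallRule -Name 'OpenSSH-Server-In-TCP'      # inbound rule present/enabled
# After any edit to C:\ProgramData\ssh\sshd_config:  Restart-Service -Name sshd
```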
Info
Channel: TechsavvyProductions
Views: 15,707
Id: s-ad0xVuKr4
Length: 33min 53sec (2033 seconds)
Published: Wed Dec 07 2022