
Our PeopleSoft system has a couple of maintenance tasks which are kicked off from the database server. I am converting it to use Ansible and a management server, but in the meantime I need this to work.

We had been using Bitvise SSH server on Windows, but experienced problems with it locking up occasionally. Also we needed to create some new Windows VMs and wondered if there was a way to do the work without paying for more licenses. Also as we are upgrading to Windows Server 2016, I am seeing if there is a way to automate this as part of my Ansible build.

The Options

The title is a bit of a spoiler, but the options I considered were:

  • RDP from Linux, e.g. using FreeRDP. This is the remote desktop protocol and may be heavier weight than we need. It also isn’t clear whether it is possible to exit the session after the script completes. Probably only one connection is allowed at a time, which is likely to cause problems later on.
  • WinRM - This is what Ansible uses. PyWinRM is an option but needs to be installed.
  • Install an OpenSSH server. The Microsoft PowerShell team maintain a version which is integrated into the next version of Windows. This is probably the way to go.
  • WinEXE. This has not been maintained for 6 years so is not a good option.

We are using Windows Server 2016. Server 2019 has OpenSSH integrated, so hopefully using it now will ease the transition.

Installing OpenSSH

Ansible uses Chocolatey as a package manager for Windows, which is kind of like the package managers that come with the Linux operating systems. So all I have to do to make sure I have the latest version of OpenSSH is the following in Ansible:

Configuring OpenSSH

Once the above play is run, OpenSSH is installed and running with sensible defaults. The default shell is the command prompt, which is what we wanted, and we can log in using a username and password. This is almost too easy! All I need now is to work out how to configure passwordless logins, using keys.

In Unix all you have to do is create an authorized_keys file in the .ssh directory under the user's home, and make sure the permissions are correct. It looks like this should work in Windows (the home directory is /users/username) but it didn’t seem to work. I think in part it is because I wanted to connect as an administrator. I don’t understand the Microsoft permission model very well; it seems quite complicated.

The OpenSSH configuration options are in C:\ProgramData\ssh. In this folder is a file called sshd_config, which contains the configuration options. At the end of this file is a section which reads:

So I created the file administrators_authorized_keys and added the public key for the server I was connecting from (which was in /home/user/.ssh/id_rsa.pub), and changed the permissions as per the screenshot below. Note in particular the owner hostname\Administrators, and the permissions: SYSTEM and Administrators have full control, but no others. In particular I had to remove the read permission for all users. To do this, I had to disable inheritance.

Automating with Ansible


So, all we have to do is add a line to a file, and then make sure the permissions are correct. How hard can that be?

Note that in the first step, I am using a lookup for the public key I am storing in another role. You will probably want to store that key more sensibly, but it contains the contents of ~/.ssh/id_rsa.pub from the database server user I want to connect from. Also I should probably store the filename in a variable.
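Putting the Chocolatey install from the "Installing OpenSSH" section together with the two steps described here (append the key, then fix the permissions), as an added example that is not the post's own play: the inventory group, the key file path under files/, and the Chocolatey package parameter are assumptions, and the module short names resolve to the chocolatey.chocolatey and ansible.windows collections in current Ansible releases.

```yaml
# Added example (not the post's own code): install the OpenSSH server with
# Chocolatey and provision administrators_authorized_keys with an ACL that
# grants only SYSTEM and Administrators access, as the post describes.
- name: Install and configure OpenSSH server on Windows
  hosts: windows_db_hosts        # assumed inventory group name
  vars:
    admin_keys_file: 'C:\ProgramData\ssh\administrators_authorized_keys'
    # Assumed: the database server user's id_rsa.pub, shipped in files/ and read
    # with a file lookup as in the post (a public key is safe to keep in plain files).
    db_server_pubkey: "{{ lookup('file', 'files/db_server_id_rsa.pub') }}"

  tasks:
    - name: Ensure the latest OpenSSH package is installed with the server feature
      win_chocolatey:
        name: openssh
        state: latest
        # Assumed package parameter from the Chocolatey openssh package; without
        # it only the client binaries are installed.
        package_params: /SSHServerFeature

    - name: Ensure sshd is running and starts at boot
      win_service:
        name: sshd
        state: started
        start_mode: auto

    # The stock Windows sshd_config ends with a "Match Group administrators"
    # block that sets AuthorizedKeysFile to
    # __PROGRAMDATA__/ssh/administrators_authorized_keys, so members of
    # Administrators are checked against this shared file, not their own ~/.ssh.
    - name: Add the database server's public key (idempotent: one line per key)
      win_lineinfile:
        path: "{{ admin_keys_file }}"
        line: "{{ db_server_pubkey | trim }}"
        create: yes

    # Grant the explicit entries first, so the file is never left with no ACEs
    # between removing inheritance and adding the allowed principals.
    - name: Grant SYSTEM and Administrators full control
      win_acl:
        path: "{{ admin_keys_file }}"
        user: "{{ item }}"
        rights: FullControl
        type: allow
        state: present
      loop:
        - SYSTEM
        - Administrators

    # Disabling inheritance without reorganizing drops the inherited read
    # entry for Users, which is the permission the post had to remove.
    - name: Remove inherited permissions (including read for Users)
      win_acl_inheritance:
        path: "{{ admin_keys_file }}"
        state: absent
        reorganize: no

    - name: Make the local Administrators group the owner of the key file
      win_owner:
        path: "{{ admin_keys_file }}"
        user: Administrators
```

Run it with `ansible-playbook -i inventory openssh.yml` against hosts that already have WinRM working, since that is the transport Ansible needs before SSH exists. sshd reads the key file on each authentication, so no service restart is needed after changing it; a `state: restarted` on the sshd service is only required if you also edit sshd_config.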

Debugging

Chocolatey failing

There was a change in the return codes that Chocolatey delivered when no software was installed, which isn’t reflected in the version of Ansible I have. To get round this I needed to revert to the previous behaviour of Chocolatey:

Checking Authorised Key File Permissions

To check the permissions are set up properly, a PowerShell script is delivered. Once I had done the above, it worked fine:


This produces output like the following:


Running OpenSSH in Debug Mode

To test the connection it is possible to stop the SSH service, then run it in debug mode. Bear in mind that you have to connect as the user who is running the sshd.


Test connecting, and if there are problems, hopefully the debug messages will be helpful. When I disconnected, the sshd exited. Then I started the service again:


It is also possible to run the client in verbose mode. Logging is increased for each v added, up to three: