Microsoft To Support SSH In Windows and Contribute To OpenSSH

An anonymous reader writes: Microsoft has announced plans for native support for SSH in Windows. "A popular request the PowerShell team has received is to use Secure Shell protocol and Shell session (aka SSH) to interoperate between Windows and Linux – both Linux connecting to and managing Windows via SSH and, vice versa, Windows connecting to and managing Linux via SSH. Thus, the combination of PowerShell and SSH will deliver a robust and secure solution to automate and to remotely manage Linux and Windows systems." Based on the work from this new direction, they also plan to contribute back to the OpenSSH project as well.

finally

it's only 2015 guys...

Re:finally

Just imagine the time warp when they discover rsync.

Re:finally

[drinkypoo]

New, as in everyone who wants this already has this via cygwin. It even installs as a service. Presumably I should ssh in and use powershell, but I've never tried because if I want to do real computing, I do it on a real OS with a real shell.

Re:finally

[Zontar+The+Mindless]

rsync is proof that God loves us and wants us to be happy.

excellent

now you can use Windows computers the way they were meant to be used, as dummy linux clients

I wonder

[John+Allsup]

Are M$ getting sensible in their old age?

Re:I wonder

[kosmosik]

They have no choice. Well they could just stick with Windows Server and Windows Clients but it actually happens that they are offering Linux as a product/service (in their Cloud). So why not embrace and extend methods to manage Linux via their tools? In my opinion this is good trend.

Re:I wonder

[the_povinator]

The linked-to blog contains an interesting statement which could be interpreted as bashing Ballmer:

Finally, I'd like to share some background on today’s announcement, because this is the 3rd time the PowerShell team has attempted to support SSH. The first attempts were during PowerShell V1 and V2 and were rejected. Given our changes in leadership and culture, we decided to give it another try and this time, because we are able to show the clear and compelling customer value, the company is very supportive.

Re:I wonder

[slaker]

The new Microsoft CEO is much more comfortable with FOSS software. We're also seeing initiatives to support Docker containers on Windows and apt/yum/ports style software repositories and I don't think we'd have gotten any of that if Ballmer were still in charge.

Re:I wonder

[JebusIsLord]

You guys are so jaded, it's insufferable.

Back in the Real World, we use PowerShell to automate all sorts of processes. Particularly provisioning VDI. while lots of non-MS stuff has PowerShell APIs (VMware, Citrix etc.) sometimes you want to execute a remote command on a device that only supports SSH. Like power up a blade PC, or add a static route to a switch. Sounds like they're going to make that possible. Awesome!

Cygwin

[ls671]

You mean I don't need to install Cygwin anymore like I have been doing for the past 15 years to accomplish just that?

Next proposal: implement rsync natively...

Odd thoughts:

[Penguinisto]

* I remember joking about connecting to a 'doze server via SSH in 2005. Usually the response was a disgusted shiver.

* I guess Microsoft finally got sick of seeing PuTTY's hegemony in the terminal/SSH client market, and decided that this, *this* was a market they could finally dominate in this day and age?

* I shudder to think of how bastardized the command options are going to be, given the PowerShell's habit of using stuff like '-omgLookAtThisMassiveOptionNamingConvention', to the point where they have to alias a frickin' option...

Ah well, good on 'em. I'll stick with using Linux and OSX clients, thanks much.

Re:Odd thoughts:

[viperidaenz]

* I shudder to think of how bastardized the command options are going to be, given the PowerShell's habit of using stuff like '-omgLookAtThisMassiveOptionNamingConvention', to the point where they have to alias a frickin' option...

Linux is full of aliased options.
Can you explain the difference between:
cp -r
cp -R
cp --recursive

There are long options too, with no aliases
ls --dereference-command-line-symlink-to-dir

Re:Odd thoughts:

[Penguinisto]

The big difference is that *nix started with short easy-to-type options... PowerShell did it the other way 'round. The difference is stark, truth be told; the former grew from a CLI mindset, whereas the latter is easing (back) into CLI from a GUI mindset.

TBH, I rarely if ever use --option unless I have to, since the original -o is right frickin' there.

Re:Odd thoughts:

[kosmosik]

> I guess Microsoft finally got sick of seeing PuTTY's hegemony in
> the terminal/SSH client market

You guess wrong. There is basically no market for terminal/ssh clients. And if it is it is peanuts. There is HUGE market for centralized management tools like OpenStack, Chief, Puppet, etc. - and that is at what Microsoft is aiming. Basically they need SSH compatibility to manage Linux boxes and they want and they do (Azure) manage Linux boxes.

> I shudder to think of how bastardized the command options are going
> to be, given the PowerShell's habit of using stuff like
> '-omgLookAtThisMassiveOptionNamingConvention', to the point where
> they have to alias a frickin' option...

Oh like in GNU/Linux/BSD utils are just kosher and standardized... please... each tiny utility comes from few other schools of command line switches and are usually different. Threre is no standardisation of switches in commands used on Linux. Usually if you need to do something comples (that you haven't yet memorized) you need to open other terminal window with manual to do it. Of course this is a different *convention* from PowerShell but PS is not that bad - it is just different.

> Ah well, good on 'em. I'll stick with using Linux and OSX clients, thanks much.

Oh OSX clients and bastardized commands. Come on... ;)

And for the record I really like Linux and use it all the time. I also happen to use Windows and OSX as clients and they are also fine. Any effort to bring more interoperability between those systems is welcome in my opinion.

Re:Odd thoughts:

[nmb3000]

Well, when you're typing out Unix commands on an teletype that's 80 characters wide, creating short options first made a lot of sense.

Powershell's approach is more verbose, but it's also a little more readable (same as long options in Linux), especially when you're dealing with things more complicated than "copy a file", such as "create AD forest trust" or "reconfigure Exchange retention policies". That said, I still tend to use short options by default.

One thing nice about Powershell is that you can truncate options as long as they're not abmiguous. So you can make -Recursive be -Rec, or even -R, as long as there's not also a -Recreate or -Recover options. That seems to be a nice middle-ground.

Re:Odd thoughts:

[bondsbw]

PowerShell did it the other way 'round.

Not really. PowerShell had many short commands since 1.0 in addition to the long versions... it's not that PS "started" one way or the other.

the former grew from a CLI mindset, whereas the latter is easing (back) into CLI from a GUI mindset.

Also not true. There's nothing about the long syntax that grew from a GUI mindset. It was created for consistency and ease of learning.

PowerShell primary commands are formatted Verb-Noun. This is awfully convenient, as a PowerShell user can guess hundreds of commands just by learning a few verbs and a few nouns. I just counted, and to understand half of the 300+ built-in commands on my machine requires only learning 7 verbs.

Re:Odd thoughts:

[tlhIngan]

Linux is full of aliased options.
Can you explain the difference between:
cp -r
cp -R
cp --recursive

There are long options too, with no aliases
ls --dereference-command-line-symlink-to-dir

Easy. The difference is you're using GNU.

UNIX traditionally only has short options, which are parsed using getopt(3). GNU adds getopt_long(3) which adds the long options, but I think only to GPL applications because you must link against a GPL library (libiberty?) in order to use them.

Using getopt() to parse your command line is extremely common and makes your utility work just like all the other utilities.

Using getopt_long() only works if you have GNU.

Re:Odd thoughts:

[sexconker]

help copy
    you Linux asspie

As someone who spends a lot of time RTFMing (often on shit I have no intention of ever using), I'll say that MS's documentation shits all over the inconsistent hodge podge you get on the Linux side. Thorough, explicit, detailed.

Re: Odd thoughts:

[Gadget_Guy]

I just tried typing help copy on my computer and it worked, yet I don't have an msdn subscription. That said, help is not installed by default. From the equally free online version of Microsoft's documention:

Windows PowerShell 3.0 does not come with help files. To download and install the help files that Get-Help reads, use the Update-Help cmdlet. You can use the Update-Help cmdlet to download and install help files for the core commands that come with Windows PowerShell and for any modules that you install. You can also use it to update the help files so that the help on your computer is never outdated.

Finally, if you want to write help for your own Powershell code, just type help about_Comment_Based_Help for details on how to do this. No need to buy any licences.

Re:Odd thoughts:

[metamatic]

According to the man page on my Mac:

          The getopt_long() and getopt_long_only() functions first appeared in GNU
          libiberty. The first BSD implementation of getopt_long() appeared in
          NetBSD 1.5, the first BSD implementation of getopt_long_only() in
          OpenBSD 3.3. FreeBSD first included getopt_long() in FreeBSD 5.0,
          getopt_long_only() in FreeBSD 5.2.

Re:Odd thoughts:

[AFCArchvile]

My biggest gripe with some Powershell commands is that their defaults are not as time-tested as the near-equivalent *nix commands. Probably the best example is "get-winevent -log System" showing all of the events in the System log (which on a given system, might be as large as 4 GB in size).

Sure, that's functionally the equivalent of performing "sudo cat /var/log/messages", but of course one could run "sudo less /var/log/messages" and obtain the powerful features of less, such as forward and backward navigation, and not loading the entire file into memory (this is a key weakness of "get-winevent" in general; if its output is piped, it is forced to load everything, therefore forcing the user to use the "-MaxEvents (int64)" switch to limit to the newest X events... and this is also setting aside the fact that Windows sorts by newest events first by default, though this can be changed with the "-Oldest" switch).

The Windows event system in general is strange when looking back at it. You have the post-Vista API (accessible with "get-winevent" or the Event Viewer), and the pre-Vista API (accessible with "get-eventlog"). There are some event sources whose events aren't rendered properly (i.e.: the description of the event will read something like "The description for Event ID X in Source Y could not be found. It contains the following insertion strings: (text)" ( https://support.microsoft.com/... ). Some will render properly only in the post-Vista API, but not the pre-Vista API. Others will render properly only in the pre-Vista API, and not the post-Vista API. To my utter surprise and bafflement, event sources such as "Ntfs" and "mpio" fall into the category of rendering properly in pre-Vista API, but not post-Vista API... in Windows Server 2012. That's right, for some reason, the events of a couple of the most critical event sources could not be fixed.

Powershell is nice as a scripting language, but it's a bear as a command shell. There have been years of complaints of slow loading, especially on systems with high disk I/O activity and/or stalled disks (it doesn't even have to be the system drive; ANY stalled disk on a Windows system may cause Powershell to stall eternally until the system is rebooted; I've seen this for years, in Server 2008 as well as Server 2012). The main reasons why the Command Prompt hasn't been entirely supplanted is because it's lightweight, and has stood the test of time for over 2 decades in NT.

I recently changed careers from a mostly-Windows role to a mostly-Linux role, and it feels great to work with bash, even if I still haven't memorized most of the higher esoteric layers of shell scripting. It feels like the shell was designed for the OS, instead of being duct-taped into a jack-of-all-trades role. The way I log into a RDP-windowed Windows Server 2012 system is visual humor in itself: I right-click the taskbar to click "Task Manager", use it to open "File -> New Task", run "cmd.exe", maybe start Powershell off to the side, and don't EVER click on the Start corner (or button if it's 2012 R2) or the Charms bar. Control panel? Run "control". Computer management? "compmgmt.msc" still works. Search for a file? "dir /b /s" for it, or else creative uses of "find" will work. But don't EVER call up the abomination that is the Start Screen.

Re:Odd thoughts:

[donaldm]

Well, when you're typing out Unix commands on an teletype that's 80 characters wide, creating short options first made a lot of sense.

Graphical interfaces have been around since the 1970's and on workstations or any graphical interface you can display the equivalent of a standard 80x24 tty terminal or any sized terminal (within reason of course) so that was not the reason why creating so called short options made sense. Basically Unix people preferred efficiency in typing over long winded typing. As an example why type "copy" when you can type "cp" or "ls" when you wish to list files and directories. You can even alias commands and their options if you are using them allot so there is even less typing to do.

You should realise that Powershell is basically a copy of the Bourne Shell with allot of Microsoft additions so that they can say this is our unique command line shell.

Re:Odd thoughts:

[drinkypoo]

Bash auto completion?

Yep, every time a Microsoftie thinks that Windows has something new, I lol.

Using source from OpenSSH ...

[Alain+Williams]

In which case they will have to release the code that corresponds to binaries - would be useful for checking that there is not some little tweaks to help the NSA -- but if they have already put those into the system DLLs (eg for encryption) we would not really know. Maybe I am too cynical but I am very suspicious of what they did to skype.

Re:Cygwin

[the_B0fh]

No. Cygwin runs everything under one process. This will run separate processes for each SSH session, with privilege separation. Cygwin also uses its own /etc/passwd. This will use local windows users, and, hopefully, AD users.

And code will be sent upstream.

Much better if this works out.

Re:Nice

[ArmoredDragon]

Maybe. Assuming Microsoft makes a proper SSH client that is as good as PuTTY, instead of software like that piece of shit called HyperTerminal from way back when, which almost always couldn't establish a proper working terminal with anything, had basically no file transfer support (or rather, it had very buggy and limited support,) and required a very annoying (and mostly pointless) setup process each time you wanted to connect to a different host.

Then again, why not just fork and bundle PuTTY? But do something to make the sessions easily exportable (I really hate how PuTTY stores those in the registry by default.)

In fact, it would be awesome if the registry just disappeared entirely. I haven't met anybody who actually likes it, and god knows it's been a dream come true for malware authors who want to hide shit (easy to do since it's so big, maze-like, and unwieldy for anybody to sift through.)

Re:Timeo Danaos et dona ferentes

[MightyMartian]

Too bad opening an SSH into Windows will drop you into the complex abomination that is PowerShell.

Re:Timeo Danaos et dona ferentes

[ls671]

name of the company: SSH Communications Security

since they grabbed a lot from open source in the beginning, I guess they allowed openssh to develop an open source version.

The original SSH version is still proprietary nowadays.

Re:What do they need to contribute back?

[viperidaenz]

What piece of code would the Open SSH project possibly want from any developer?

It's not like it's defect-free software that requires no more development.
https://bugzilla.mindrot.org/s...

Re:What do they need to contribute back?

[GungaDan]

I think it will be the MS cli interface helper, sshclippy. "It looks like you're trying to ssh into a remote server. Wouldn't you like to use RDP instead?"

Re:Timeo Danaos et dona ferentes

[chispito]

complex abomination

That's funny. I find PS slow and lacking basic functionality in a few areas, but "complex" is one of the last criticisms I would make. Compared to DOS or Bash, it's very straightforward and intuitive.

Rule of tumb

[ls671]

ssh and openshh: ssh is proprietary
solaris and opensolaris: solaris is proprietary
apache and no openapache: apache is open source

Come now

[s.petry]

You know it's going to be just yet another way of hacking into a Windows box.

Re:Timeo Danaos et dona ferentes

[JebusIsLord]

As long as by "complex abomination" you mean completely standardarized switch syntax with tab completion and integrated help.

Strange bedfellows.

[nimbius]

Losing nearly a billion dollars over an 8 year period, firing four-thousand permanent staff, and being dead last in search and browser rankings will do strange things to you. Steve Ballmer shoulders some of the blame for the nosedive with his nearly cult-like adherence to the redmond ethos of embrace-extend-extinguish in the face of a brand like linux that just can't be killed with it. But to think after 15 years as other slash dotters have commented that this will make any significant dent in the status quo is self-defeating at best.

SSH gives windows users the ability to do real work, and thats a controversial sentiment but in most large corporations admins that handle LAMP, percona, or hadoop do it from a windows machine by company policy. Microsoft doesn't understand that outside of email and office, the real juggernauts of industry are so far removed from redmonds product line it may as well be a different language entirely. conceding a pittance, this ssh, and promising to commit code to openssh do two things. One, they add continued relevance to windows in an office environment that otherwise is the next prime target to be extinguished as quickly as the home market for windows. Two, they provide code to openssh not because they have any particular valuable insight to add to the project which has handled itself just fine for 15 years, but because they need to ensure their openssh implementation actually works with other well-established and quite serviceable implementations. So don't expect any real innovation.

Re:Timeo Danaos et dona ferentes

[Kryptonut]

Granted, Powershell 1.0 was pretty horrible, I don't get all the Powershell hate. Have you even tried to learn to use recent versions of it?

I absolutely despised it back when I was deploying Exchange 2007 RTM on Windows Server 2003, but that's going back almost a decade.

These days I use Powershell for a ton of stuff. I love the fact that everything is an object. For example, manager asks me for stats from AD, powershell script requesting user objects and filtering the appropriate fields, BAM, create a CSV, pretty it up in Excel and send it off to my manager.

Plus tying into .NET is kick ass too. I've got scripts that update and extract data from MSSQL, amongst other things. Hell, I even played with scripting text to speech alerting just to see if I could, and it was really easy!

Give it another try, it's actually a lot better

And no, before I'm labelled an MS evangelist: I've worked for 2 ISP's in 100% Linux and BSD environments and have thoroughly used at least 7 or 8 different distro's, I run Linux at home for NAS and Asterisk PBX and I own and operate 2 Macs - in addition to my Windows Desktop PC. My current role just happens to be maintaining a 90% Microsoft Environment

Re:What do they need to contribute back?

[silas_moeckel]

Probably the best thing they can do is throw resources at it, hire an existing dev to do it full time sort of thing.

Re:What do they need to contribute back?

[Burdell]

You obviously haven't ported OpenSSH to a different OS before. Even among Unix/POSIX-like OSes, there is significant variance between platforms that something like OpenSSH has to deal with. Go look at the diff between OpenBSD OpenSSH and portable OpenSSH (for all the other supported platforms).

Also, portable OpenSSH uses extended security features that tend to be platform-specific (but useful enough to make it worthwhile to use on each specific system). I expect that there is Windows security functionality that doesn't map onto the current OpenSSH setup (but is worth extending OpenSSH to use).

I really hope that Microsoft makes a native port of portable OpenSSH to Windows. Nothing against the Cygwin folks (the Cygwin OpenSSH is great), but a native port that is more integrated into the "Windows" way of doing things would be good.

Re:Timeo Danaos et dona ferentes

[mi]

What exactly are you scared about?

That, for example, in order to ssh into a remote Windows system you'll have to use Microsoft's ssh-client — because they'll use some funky cipher/digest combination or some other "extension". They did it to Kerberos before...

Or that interactive logins will only work on certain terminal emulators — because nothing else will be able to properly emulate powershell's window — just imagine the termcaps entry...

In the link I gave there is a large list of Microsoft's earlier attempts to kill a standard by first adopting it — read it up...

Re:Timeo Danaos et dona ferentes

[DocHoncho]

PuTTy is already an incompatible mess all of it's own. It even has it's own special format for keys, so we get the joy of running every ssh key generated on a *nix system through puttygen.exe just to spit out some fugly PPK file. Oh, you need me to add your public key to authorized_keys? What's that you say? You used puttygen? Well fuck me, time to look up the command to convert that stupid shit again. Wonderful!

Not to mention the fractured disorganization of the configuration, the crap profile system and all the other reasons why PuTTy is a pain in the ass.

The fact that Microsoft is talking about using OpenSSH means at the very least the key files will be compatible. I have no idea why no one bothered porting OpenSSH to Windows before, but it's about damn time! I'm looking forward to a version of PuTTy (or KiTTy, actually) that uses the native OpenSSH instead of the existing legacy PuTTy implementation of SSH. I'd love to delete all those PPK files and never see another one again as long as I live.

Re:Timeo Danaos et dona ferentes

[chispito]

It's really powerful and a lot better than trying to use sed or perl to parse the output of programs in shell scripts.

Exactly! It's so much better to have to pipe the output to something just to print to the console! Hurrah for objects! /s

You're misinformed. PowerShell defaults to the console.

Re:Timeo Danaos et dona ferentes

[exomondo]

Or they'll expect remote servers to implement whatever changes Microsoft will require for interoperatibility. We've been through this in the 1990-ies, when Microsoft's Internet Explorer was introduced with subtle incompatibilities in HTML-rendering...

And how has that worked out? Back then that affected personal computing - an area which Microsoft had a monopoly - and it still ultimately failed. This is across desktop, server and mobile, this conspiracy theory of yours has no chance at all, in fact you don't even posit what Microsoft would gain out of it.

Well, a successful attempt is still an attempt: Netscape died.

But it failed, you need to learn your history: Netscape lived on thanks to Mozilla and now we have IE dying in favor of open standards, Microsoft themselves are killing IE in favor a browser that does not even support proprietary extensions like ActiveX.

Or not — depending on the nature of incompatibilities and the marketing/advertising...

Incompatibilities would make people less likely to use Microsoft's implementation, not more likely. You don't seem to understand that this isn't the 90s anymore, Microsoft doesn't even come close to dominating computing these days. Breaking their product just locks them out of the market, not everybody else in.

Re:Timeo Danaos et dona ferentes

[Gadget_Guy]

K. Construct a for loop in PS that lists a directory and adds the words "This is cool" to the 13th line of any file of type "text" without downloading a module.

Off the top of my head (and using verbose commands to make it more obvious), I got:

dir | where -Property Extension -match '.te?xt' | foreach {

$i=0;
$s=(Get-Content $_.FullName);
$s | foreach { if ( (($i++) % 13) -eq 0) { $_+" This is cool" } else { $_ } } | Set-Content $_.FullName

}

I haven't thought of a way to do the file type determination (other than by the extension), but that will do just for a post to an AC. It can all be done on a single line; I added the line breaks and indentation so it wasn't a big line of gobbledegook. Now it is several lines of gobbledegook!

The impressive part of the tab completion of Powershell is how context sensitive it is. When I typed the where command, I entered -p<TAB> and it expanded it to -Property (although just -p would work too). But the fun part was that I could then type e<TAB> and then go through the list of property names that are returned from the dir command that begin with the letter e; first Exists, then Extension. So it was aware what was being passed to the where command on the pipeline and returning the correct properties for that object.

So if I typed the following:

get-content "file.txt" | where -Property

...and pressed the tab key, it gives me the property name of Length as it knows that it is returning a string rather than a file. The same where command will work on (and give appropriate tab completion) on a directory listing, file output, database query, or XML tree list.

Probably concerned with authentication

[cbhacking]

Indeed. I expect one of the things they'll be looking at doing is adding support for some of Windows' built-in authentication options. For example, recent versions of RDP use machine certificates, typically with a trust-on-first-use model similar to SSH. It would be nice if SSHing into a Windows box could re-use that machine cert, and SSHing from a Windows box could take advantage of the list of IP+cert pairs that you already trust. This would require some code changes to OpenSSH though, since it is of course currently utterly unaware of Windows' certificate stores.

Also, powershell isn't really used to displaying to anything except Windows consoles. Just for the hell of it, I tried running it in xterm (which, while antique, any *nix program would be OK with) by SSHing into a Windows box. It launched, but trying to run any commands - even exit - appeared to hang (though Ctrl+C worked to exit out of PS entirely). This may not be something that Microsoft needs the help of the OpenSSH devs to fix, but it's something that needs to be fixed, regardless. If people can SSH into Powershell, then Powershell needs to be able to display to whatever console they're SSHing from.

Re:Nice

[acoustix]

Maybe. Assuming Microsoft makes a proper SSH client that is as good as PuTTY, instead of software like that piece of shit called HyperTerminal...

If I remember correctly, Microsoft didn't make HyperTerminal. They either bought it or licensed its use in Windows.