Tag: SSH

PowerShell Unplugged 2022

PowerShell Unplugged 2022 Edition

April Edwards and I had the chance to host the PowerShell Unplugged 2022 Edition and the video is now available on YouTube! In the PowerShell Unplugged 2022 Edition we talked to the PowerShell product group at Microsoft to learn more about PowerShell 7, secret management, PowerShell Crescendo, Remoting, Predictive IntelliSense, VS Code, the roadmap, and the future of PowerShell!

PowerShell Unplugged 2022 Timestamps

The timestamps for the video:

  • 0:00 – Video Intro
  • 03:29 – Secret Management in PowerShell
  • 07:10 – Installing PowerShell 7
  • 09:20 – Installing the SecretManagement Module
  • 31:08 – PowerShell Crescendo
  • 1:03:47 – PowerShell Team Blog
  • 1:08:50 – Remoting with PowerShell
  • 1:36:05 – Shell of an Idea
  • 1:36:12 – Predictive IntelliSense with PowerShell
  • 1:52:05 – Using VSCode with PowerShell
  • 1:57:16 – PowerShell 7 Roadmap

Some useful links:

I hope you liked the PowerShell Unplugged 2022 Edition, let me know what you think!



Azure VM Run Command Run PowerShell Script

How to Run Scripts in your Azure VM using Run Command

You can access your Azure IaaS virtual machine (VM) in multiple ways like SSH or RDP, depending on your operating system and configuration. However, if you have issues with the RDP or SSH network configuration, you need to have a way to troubleshoot your virtual machine (VM). Luckily Azure offers you different management tools to work with Azure VMs for automation or troubleshooting. With the Run Command can run a PowerShell or shell script within an Azure VM remotely by using the VM agent. This scenario is especially useful when you need to troubleshoot operating system network configurations or user access configuration. For example, it can be convenient to reset RDP configurations on Windows Server virtual machines.

You use Run Command for Azure VMs through the Azure portalREST API, Azure CLI, or PowerShell. Here are some examples:

Azure VM Run Command in the Azure Portal

You can run the command directly from the Azure Portal. In the menu of the Azure VM, you can select Run command. Here you can find some predefined scripts to troubleshoot your Azure VM. In the case of a Windows VM, you will find scripts like configuring RDP port or enable PowerShell remoting. But you can also run your custom PowerShell script.

Azure VM Run Command Run PowerShell Script

Azure VM Run Command Run PowerShell Script

For Linux VMs, you will find predefined options to run a Linux shell script or ifconfig to list the network configuration.



How to SSH into an Azure VM from Windows Terminal Menu

How to SSH into an Azure VM from Windows Terminal Menu

A couple of days ago, I released a blog post on how you can add a PowerShell remote session in the Windows Terminal menu. In my example, I created a menu item in Windows Terminal to use PowerShell remoting to connect to an Azure virtual machine (VM). In the meantime, I got a lot of questions on how you can add an SSH connection to an Azure VM in the Windows Terminal. That is why I am going to share here, how you can add an SSH connection to an Azure VM in the Windows Terminal menu.

Scott Hanselman wrote a great blog post on how you can add tabs to open an SSH connection, so I highly recommend that you read his blog for all the details.



PowerShell Remoting over SSH in PowerShell 7

Enable PowerShell SSH Remoting in PowerShell 7

In this blog post, we will have a look at how you can enable and set up PowerShell SSH Remoting or PowerShell Remoting over SSh with PowerShell 7. With PowerShell Core 6, Microsoft introduced PowerShell 7 Remoting over SSH, which allows true multiplatform PowerShell remoting between Linux, macOS, and Windows. PowerShell SSH Remoting creates a PowerShell host process on the target machine as an SSH subsystem. Normally, Windows PowerShell remoting uses WinRM for connection negotiation and data transport. However, WinRM is only available on Windows-based machines.

There are also some downsides to it. SSH-based remoting doesn’t currently support remote endpoint configuration and JEA (Just Enough Administration). It is also important to understand that this is not just another PowerShell SSH client.

Use SSH Transport with PowerShell Remoting

To use PowerShell 7 remoting with SSH on Windows, Linux, and macOS machines, you can use the same cmdlets you are already familiar from Windows PowerShell remoting with WinRM.

  • New-PSSession
  • Enter-PSSession
  • Invoke-Command

There are three new parameters for these cmdlets if you are using PowerShell SSH remoting.

  • -HostName (Instead of -Computername, you define the SSH target)
  • -UserName (Instead of -Credentials you use the -UserName parameter)
  • -KeyFilePath (If you are using SSH key authentication you can use the -KeyFilePath parameter to point to the key file)
New-PSSession -HostName tomsssh.server.com -UserName thomas


Visual Studio Code Azure Virtual Machines Extension

Create and Manage Azure VMs from VS Code

With the new Azure Virtual Machines (VMs) extension for Visual Studio Code (VS Code), you can now create and manage Azure VMs directly from VS Code. This is a great new extension if you are working with VS Code and Microsoft Azure. The extension is currently in preview and lets you view, create, delete, start and stop Azure Virtual machines, as well as adding SSH keys to existing Azure VMs.

Get started

To get started with the Azure Virtual Machine extension in Visual Studio Code, simply follow these steps:

  1. Download and install the Azure Virtual Machines extension for Visual Studio Code
  2. Once complete, you’ll see an Azure icon in the Activity Bar
  3. Sign in to your Azure account by clicking Sign in to Azure. If you don’t have an Azure account yet, you can create a free Azure account here.

Free Azure Account

If you don’t have an Azure account yet, you can sign up today for your free Azure account and receive 12 months of free popular services, $200 free credit, and 25+ always free services.

Create an Azure VM in VS Code

You can now create Azure VMs directly from Visual Studio Code. The wizard will ask you for a VM name, username, Azure region, and passphrase.

VS Code creating Azure Virtual Machines

VS Code creating Azure Virtual Machines

This will create an Azure VM Standard D2s V3 (2 CPU Cores & 8 GB of ram) with the image Ubuntu 18.04-LTS. An SSH key will be created, and your SSH Config file (~/.ssh/config) will be updated so you can immediately connect via SSH ($ ssh vm-name) or using the Remote-SSH extension. You can find more information about how you can connect to Azure VM using Visual Studio Code in my blog post.

Azure VM management in VS Code

Azure VM management in VS Code

Having the possibility to manage Azure VMs and connect with them directly within Visual Studio makes working with these tools and Azure much more convenient.

I hope you can go and try out the Azure VM extension for VS Code. If you have any questions, please feel free to leave a comment.



SSH Remote Edit File with Visual Studio Code

Remote Edit Files on Azure Linux VMs using VS Code

There are a lot of different ways to remote manage your Azure virtual machines using various tools and technics. In this blog post, I am going to show you how you can remotely edit files on Azure Linux virtual machines using Visual Studio Code. Visual Studio Code has a new Remote Development Extention which allows you to open any folder in a container, on a remote computer, or in the Windows Subsystem for Linux (WSL) and take advantage of the VS Code feature set. With the Remote – SSH extensions, you can easily browse and edit files on an Azure VM or any other system where you can connect using SSH.

Installation

As mentioned to edit the files on the Azure Linux virtual machine remotely, we are using the light-weight, cross-platform, opensource editor Visual Studio Code. You can download and install VS Code from the official website.

Visual Studio Code Remote Development Extension

In addition to Visual Studio code, we need to install the Remote – SSH extension, which comes with Remote Development Extension Pack. This also includes remote extensions for containers or the Windows Subsystem for Linux (WSL).

If you are running on a Windows 10 machine, you will also need to install the OpenSSH client on your machine. You can do that going through this blog post, or by running this command.

# Install the OpenSSH Client
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

Azure VM connection using SSH

The Remote – SSH extensions currently only supports connecting to x86_64 Linux-based SSH servers using key-based authentication.

Optional: Create Azure Linux VM with key-based SSH authentication using the Azure CLI

Create Azure Linux VM Azure CLI SSH Keys DNS Name

If you want to try it out, and you haven’t set up a Linux VM SSH and key-based authentication. This Azure CLI command here helps you to create a new Azure virtual machine and sets up ssh keys as well as an optional unique Azure DNS name.

az vm create --resource-group demosshvm --name tomsVM --image UbuntuLTS --admin-username thomas --generate-ssh-keys --public-ip-address-dns-name tomsazurelinuxvm

In this example, you can use the public IP address or the Azure FQDN to connect to the Azure VM. If you have a VPN or Express Route set up, you can also use private IP addresses and DNS names. If you are using public IP addresses in production, make sure you are using a service like Azure Just in Time VM access.

Connect Visual Studio Code to Azure VM using SSH

After you have installed Visual Studio Code, the Remote – SSH extension, the SSH client and have a VM with key-based authentication, you can now easily connect. Open Visual Studio Code, on the bottom left, you see the Remote connection button. If you press it, you will find the remoting options. Select “Remote-SSH: Connect to Host…

Visual Studio Open Remote SSH Connection

This will ask you for the username and IP address or DNS name of the virtual machine. In my case, I am going to use the DNS name.

Visual Studio Code SSH Remoting Connection

 

After pressing enter, this will connect your Visual Studio Code environment to the Azure virtual machine.

Visual Studio Code SSH Connection

 

Remote edit files on Azure Linux VMs using VS Code

You can start opening folders and files on the remote Azure Linux VM and begin browsing the file system. On the bottom left, you see the name or IP address of the machine you are connected with.

SSH Remote File System Visual Studio Code

You can also open files and start remote edit files on your Azure Linux VM. If you save the changes you made to the file, this is directly saved on the remote Azure virtual machine.

SSH Remote Edit File with Visual Studio Code

You get all the advanced VS Code features you know from your local Visual Studio Code like syntax-highlighting and more.

I hope this shows you an easy way to remotely edit files on your Azure Linux virtual machines using Visual Studio Code and SSH. If you have any questions, please let me know in the comments.



Azure Bastion Windows VM

Azure Bastion – Private RDP and SSH access to Azure VMs

Azure Bastion is a new service which enables you to have private and fully managed RDP and SSH access to your Azure virtual machines. If you wanted to access your Azure virtual machines using RDP or SSH today, and you were not using a VPN connection, you had to assign a public IP address to the virtual machine. You were able to secure the connection using Azure Just in Time VM access in Azure Security Center. However, this had still some drawbacks. With Azure Bastion you get a private and fully managed service, which you deploy to your Virtual Network, which then allows you to access your VMs directly from the Azure portal using your browser over SSL.

Azure Bastion Architecture

Source: Microsoft Docs

Azure Bastion brings a couple of advantages

  • Removes requirement for a Remote Desktop (RDP) client on your local machine
  • Removes element for a local SSH client
  • No need for local RDP or SSH ports (handy when your company blocks it)
  • Uses secure SSL/TLS encryption
  • No need to assign public IP addresses to your Azure Virtual Machine
  • Works in basically any modern browser on any device (Windows, macOS, Linux, etc.)
  • Better hardening and more straightforward Network Security Group (NSG) management
  • Can remove the need for a Jumpbox

If you want to know more directly here is the link to the Azure Bastion announcement blog and the Microsoft Docs.

Public Preview

Azure Bastion is currently in public preview. The public preview is limited to the following Azure public regions:

  • West US
  • East US
  • West Europe
  • South Central US
  • Australia East
  • Japan East

To participate in this preview, you need to register. Use these steps to register for the preview:

Register-AzureRmProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network
 
Register-AzureRmResourceProvider -ProviderNamespace Microsoft.Network
 
Get-AzureRmProviderFeature -ProviderNamespace Microsoft.Network

To use the Azure Bastion service, you will also need to use the Azure Portal – Preview.

How to set up an Azure Bastion host for a private RDP and SSH access to Azure VMs

Create Azure Bastion Host

First, you will need to deploy Bastion Host in your virtual network (VNet). The Azure Bastion Host will need at least a /27 subnet.

AzureBastionSubnet

Access Azure virtual machines using Azure Bastion

Azure Bastion integrates natively in the Azure portal. The platform will automatically be detected if Bastion is deployed to the virtual network your virtual machine is in. To connect to a virtual machine, click on the connect button for the virtual machine. Now you can enter your username and password for the virtual machine.

Azure Portal connect to Linux VM SSH

This will now open up a web-based SSL RDP session in the Azure portal to the virtual machine. Again, there is no need to have a public IP address assigned to your virtual machine.

Private access to Azure Linux VM

 

Roadmap – more to come

As Yousef Khalidi (CVP Azure Networking) mentions in his preview announcement blog, the team will add more great capabilities, like Azure Active Directory and MFA support, as well as support for native RDP and SSH clients.

The Azure networking and compute team are doing more great work on creating a great Azure IaaS experience. I hope this gives you an overview of how you can get a private RDP or SSH access to your Azure VM. If you want to know more about the Azure Bastion service, check out the Microsoft Docs for more information. If you have any questions, feel free to leave a comment.



PowerShell SSH Remoting Linux to Windows

Setup PowerShell SSH Remoting in PowerShell 6

With PowerShell version 6, Microsoft introduced PowerShell Remoting over SSH, which allows true multiplatform PowerShell remoting between Linux, macOS and Windows. PowerShell SSH Remoting creates a PowerShell host process on the target machine as an SSH subsystem. Normally, PowerShell remoting uses WinRM for connection negotiation and data transport, however WinRM is only available on Windows based machines.

There are also some downsides to it. SSH-based remoting doesn’t currently support remote endpoint configuration and JEA (Just Enough Administration). It is also important to understand, that this is not just another PowerShell SSH client.

Use SSH Transport with PowerShell Remoting

To use PowerShell remoting with SSH you can use the same cmdlets, you know from PowerShell remoting with WinRM.

  • New-PSSession
  • Enter-PSSession
  • Invoke-Command

There are 3 new parameters for these cmdlets, if you are using PowerShell SSH remoting.

  • -HostName (Instead of -Computername, you define the SSH target)
  • -UserName (Instead of -Credentials you use the -UserName parameter)
  • -KeyFilePath (If you are using SSH key authentication you can use the -KeyFilePath parameter to point to the key file)
 
New-PSSession -HostName tomsssh.server.com -UserName thomas


Mastering Azure with Cloud Shell

Mastering Azure with Cloud Shell

There are multiple ways to interact and manage resources in Microsoft Azure. You can use the Azure Portal or command line tools like the Azure PowerShell module or the Azure CLI, which you can install on your local machine. However, to set up a cloud management workstation for administrators and developers can be quite a lot of work. Especially if you have multiple computers, keeping consistency between these machines can be challenging. Another challenge is keeping the environment secure and all the tools up to date. The Azure Cloud Shell addresses this any many more things.

Cloud Shell is not brand new, Microsoft announced Cloud Shell at Build 2017. This blog post is about how you can master Azure with Cloud Shell and give you an overview of the possibilities of Cloud Shell.

 

What is Cloud Shell

Cloud Shell Azure Portal

Cloud Shell offers a browser-accessible, pre-configured shell experience for managing Azure resources without the overhead of installing, versioning, and maintaining a machine yourself. Azure Cloud Shell is assigned per unique user account and automatically authenticated with each session. This makes it a private and secure environment.

You get a modern web-based command line experience which can be accessed from several endpoints like the Azure Portal, shell.azure.com and the Azure mobile app, Visual Studio Code or directly in the Azure docs.

In the backend, Azure uses containers and automatically attaches an Azure File Share to the container. You can store the data on it, so your data is persistent. This persists your data across different Cloud Shell sessions.

Cloud Shell Bash and PowerShell

You can choose your preferred shell experience. Cloud Shell supports Bash and PowerShell and included your favorite third-party tools and standard tools and languages. If something like a module is missing, you can add it.



Inked Azure Security Center Just in time VM access_LI

Azure – Just in Time VM access

If you run virtual machines with a public IP address connected to the internet, attackers immediately try to run attacks against it. Brute force attacks commonly target management ports, like RDP or SSH, to gain access to a VM. If the attacker is successful, he can take control over the VM and access other resources in the environment. To address that issue it is highly recommended to reduce the ports open, especially for the management ports. However, sometimes you will need to open to ports for some of the virtual machines for management tasks. Microsoft Azure has a simple way to address this issue, called Azure JIT virtual machine (VM) access. Just in time VM access can be used to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.

To find more about Just-in-time virtual machine access in Azure Security, check out the Microsoft Docs.

How does Azure Just in Time VM Access work

In the Azure Security Center, you can enable just in time VM access; this will create a Network Security Rule (NSG) to lock down inbound traffic to the Azure VM. During the initial JIT VM access configuration, you will be configuring the ports specified, which will be managed by Azure Security Center, these ports will be locked down by the Azure Security Center using an NSGs.

Configure Azure JIT VM access

Inked Configure Just in time VM access_LI

Azure JIT VM access is configured in the Azure Security Center. To configure and enable JIT on a virtual machine open up the Azure Security Center and click on Just in time VM access.

Here you will find three states, Configured, Recommended and No recommendation.

  • Configured – VMs that have been set to support just in time VM access. The data presented is for the last week and includes for each VM the number of approved requests, last access date and time, and last user.
  • Recommended – VMs that can support just in time VM access but have not been configured to. We recommend that you enable just in time VM access control for these VMs. See Configuring a just in time access policy.
  • No recommendation – Reasons that can cause a VM not to be recommended are:
    • Missing NSG – The just in time solution requires an NSG to be in place.
    • Classic VM – Security Center just in time VM access currently supports only VMs deployed through Azure Resource Manager. A classic deployment is not supported by the just in time solution.
    • Other – A VM is in this category if the just in time solution is turned off in the security policy of the subscription or the resource group, or that the VM is missing a public IP and doesn’t have an NSG in place.

To configure you click on Recommended and select the Virtual Machine, for which you want to enable JIT.

Click on Enable JIT on VMs and configure the ports which should be managed by Just in time VM Access. Just in time VM access will recommend some default ports like RDP, SSH, and PowerShell Remoting. You can also add other ports to the virtual machine if you want or need to.

Requesting Just in time VM Access for Azure Virtual Machine

Request Just in time VM access

On the Configured section, you can select the VM you want to request access to and click on Request access. You can now choose the ports you want to be open for a specific time and a particular IP address. This will open up the ports, and after 2-3 minutes, you will be able to access the virtual machine.

To send such a request, the user who requests access to the Virtual Machine needs to have write access to the virtual machines in the Azure Role-Based Access Control (RBAC).

Auditing access activity

Of course, all the request get logged and can be reviewed in the Activity Log.

Licensing

Azure just in time VM access is licensed over Azure Security Center and needs the Standard Tier to be enabled for the specific virtual machine.

I hope this gives you an idea of how you can leverage Just in time VM access in Azure for your workloads.