PowerShell Remoting equivalent of SSH scp

Dave Clarke

Feb 17, 2009, 10:29:46 PM
I'm trying to use PowerShell v2 to administer a Windows Server 2008 r2
server (I'm trying to move my web hosting from an OpenBSD/Apache box
to IIS7 on W2K8r2). The journey has been long and arduous. I'm looking
for the equivalent of rsync or scp (secure copy) to deploy files from
my development environment into the new server. The server is Internet-
facing so I want to run the minimum services required and plug up the
firewall to help reduce the attack surface, i.e. no ftp and no file
sharing. I was hoping that PowerShell Remoting or WinRS would be the
answer (or it would be once I managed to get my configuration issues
sorted).

I guess the larger question is, without file sharing (i.e. no UNC
paths), BITS, ftp, how do I deploy files from Vista to a (non-domain)
W2K8r2 server? It seems weird that I can use MMC remotely to modify
the firewall, view the event log, start/stop services, etc but I can't
get a file from a to b. Hopefully I'm just being dense. Please point
me in the right direction.

Thanks
- Dave

DennisD

Feb 18, 2009, 1:46:52 AM
This code might point you in the right direction; it is written in C#
but you might be able to 'port' parts of the code to PowerShell.

http://www.tamirgal.com/home/dev.aspx?Item=sharpSsh

Dave Clarke

Feb 18, 2009, 3:02:00 AM

Thanks Dennis, it's not really what I had in mind but I can see how it
could work. It would require the server to have an SSH Server
installed, something I thought I might be able to avoid by using the
PowerShell Remoting/WinRS environments. It's not really about being
able to connect to a SSH server, I really just want to get files
securely from my development environment into my web server without
having to write custom code and without having to install file
sharing, ftp or BITS. I've seen /n software's NetCmdlets mentioned but
that's a commercial product and that isn't an economic option for me.
Given I already have a secure remote PowerShell connection, I had kind
of assumed (hoped) that there would be a file transfer cmdlet that
allowed some form of secure file copy between the endpoints.

- Dave

Bob Landau

Feb 19, 2009, 12:23:04 PM
Dave,

WinRM from my investigation is strictly to _manage_ a remote machine. You
issue cmdlets/scripts and these are run on the specified machine with the
results being returned to you. You have the option to set the authentication
method used as well as map a different set of commands to each authenticated
user.

What this doesn't do is copy a local file to the remote machine or vice
versa using TCP/HTTP/HTTPS.

BITS does this, which can be set up to be done securely. Again you can
determine the authentication schema. This correctly configured will be as secure
as scp. I don't understand why you'd consider opening up a port for SSH but
not want BITS which uses the standard HTTP/HTTPS. You are exposing _less_ of
a surface area by using BITS.

PowerShell CTP3 does provide a module called FileTransfer which exposes BITS
to a PowerShell user or script. While it's pretty well documented I've not
seen a demo on this. Anyone care to demo this for us? That would be a great
topic given it's not been discussed to the best of my knowledge.

Note while BITS is capable of certificate based client/server
authentication, I don't see that this is available in the above module.

Lastly, Jeffrey Snover has given a couple of demos showing the capabilities of
using IIS/WinRM/PowerShell but these have all been at the end of his talk.
This in my opinion would be a great topic to demo in one of the live meetings
this DL has.

Dave Clarke

Feb 19, 2009, 6:03:21 PM
Thanks Bob - I guess I've just been accustomed to the flexibility of
SSH. Why would I want to open a port for SSH? So that I can secure
that port at the firewall by specifying access to it only from the
local subnet for example. On a web server HTTP/HTTPS ports are a free
for all and are used by BITS/WinRM to make it easy to traverse
firewalls. Plus to me being able to _manage_ a remote machine does
include getting files to and from that machine. I'm not sure if you're
familiar with rsync? It's a great tool for keeping file systems
synchronised in the *nix world and really useful for deploying changes
to websites and it works over ssh. I did have a look at the
FileTransfer module that uses BITS and I may go back and revisit,
unfortunately when I last tried using it I was getting a weird error
and not much useful diagnostics, obviously not helped by being
unfamiliar with BITS. Frankly it all just seems more difficult than it
should be. BITS is a heavy handed approach for a job that should be as
simple as Transfer-File \\hosta\c\xyz.txt \\hostb\d\abc.txt.

Bob Landau

Feb 20, 2009, 11:15:01 AM
Dave, I wish I had more experience with BITS and WinRM; unfortunately I'm
learning this as you are. (This is one reason I suggested that some of the
MVPs here set up a demo for us.)

Learning anything seems daunting at first; however, by separating independent
functionality you gain a lot at the expense of adding a little more in the
learning curve. Frankly the PowerShell group has admitted that the
FileTransfer module may need tweaking; after playing with it for a bit I
suggest you let them know.

At least one thing you gain is the ability to very securely expose only the
required features to users. By separating uploading files from
PowerShell's remote capabilities, we are able to not just add ACLs to
designate who is able to upload a file and execute it but totally eliminate
the capability (the code for uploading simply is not there), which is about
as secure as you can be.


To up/download a file port 80 is the default. You could set up the vdir to
listen on a different port.

Lastly, no, I'm not familiar with rsync or whether there is an equivalent in
the Windows world.

Dave Clarke

Feb 22, 2009, 3:25:03 PM
Thanks Bob - I'm largely in agreement with you and frankly when
presented with greater convenience versus greater security I will tend
to opt for greater security. In this case I'm not convinced the
greater inconvenience of using BITS represents any increase in
security. E.g. I've authenticated myself and I have valid credentials
that represent authority to manage the remote server, why then
shouldn't I also be able to make changes to the parts of the file
system to which I have access (and in fact this is exactly what BITS/
PowerShell remoting provide but in a less friendly way)? With this
facility and changing the WinRM port I can then secure the port at the
firewall as well. I think BITS probably is a useful tool for a
different problem, I just want to deploy files from my development
environment to a secure web server and a remote file copy facility
should exist in WinRM to facilitate this.

Dave Clarke

Feb 26, 2009, 11:22:37 PM
Ok to answer my own question and for anyone else who is interested, it
is possible to transfer files over WinRM. I can't vouch for the
efficacy of my approach but it definitely works using PowerShell
Remoting. The nutshell version, transferring makecert.exe from my
server W2k8r2 to my local machine, is:

PS C:\> $so = New-WSManSessionOption -SkipCACheck
PS C:\> invoke-command -useSSL -SessionOption $so W2k8r2 {get-content -encoding byte -ReadCount 0 "C:/Users/dave/Documents/makecert.exe"} | set-content -encoding byte .\Documents\makecert.exe

The longer version is available here: <http://stillpearling.blogspot.com/2009/02/more-powershell-remoting.html>

- Dave
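
An added example, not part of Dave's post or his blog write-up: the same idea in the deploy direction (local machine to server), streaming the file in chunks over one remoting session and comparing SHA-256 hashes on both ends. It assumes PowerShell 4.0 or later on both machines (for Get-FileHash); the function name Send-FileOverWinRM, the host name and the paths are placeholders, and the session in the usage lines is created without -SkipCACheck so the server certificate is still validated against a trusted CA.

```powershell
# Added example (not from the thread). Assumes PowerShell 4.0+ on both ends.
function Send-FileOverWinRM {
    param(
        [Parameter(Mandatory = $true)] $Session,             # an open PSSession
        [Parameter(Mandatory = $true)] [string] $LocalPath,
        [Parameter(Mandatory = $true)] [string] $RemotePath, # absolute path on the server
        [int] $ChunkBytes = 512KB
    )
    $LocalPath = (Resolve-Path -LiteralPath $LocalPath).ProviderPath

    # Create (or truncate) the destination so that chunks can be appended to it.
    Invoke-Command -Session $Session -ArgumentList $RemotePath -ScriptBlock {
        param($p) [System.IO.File]::WriteAllBytes($p, [byte[]]@())
    }

    $src = [System.IO.File]::OpenRead($LocalPath)
    $buf = New-Object byte[] $ChunkBytes
    try {
        while (($n = $src.Read($buf, 0, $buf.Length)) -gt 0) {
            # Base64 sends each chunk as one string instead of an array of byte objects,
            # and chunking avoids loading the whole file into memory at once.
            $b64 = [System.Convert]::ToBase64String($buf, 0, $n)
            Invoke-Command -Session $Session -ArgumentList $RemotePath, $b64 -ScriptBlock {
                param($p, $data)
                $bytes = [System.Convert]::FromBase64String($data)
                $out = New-Object System.IO.FileStream($p, [System.IO.FileMode]::Append)
                try { $out.Write($bytes, 0, $bytes.Length) } finally { $out.Dispose() }
            }
        }
    } finally { $src.Dispose() }

    # Integrity check: hash the source locally and the copy remotely, then compare.
    $localHash  = (Get-FileHash -Algorithm SHA256 -LiteralPath $LocalPath).Hash
    $remoteHash = Invoke-Command -Session $Session -ArgumentList $RemotePath -ScriptBlock {
        param($p) (Get-FileHash -Algorithm SHA256 -LiteralPath $p).Hash
    }
    if ($localHash -ne $remoteHash) { throw "Hash mismatch for $RemotePath" }
    New-Object psobject -Property @{ RemotePath = $RemotePath; SHA256 = $localHash }
}

# Usage (placeholder host and paths):
# $s = New-PSSession -ComputerName web01.example.test -UseSSL -Credential (Get-Credential)
# Send-FileOverWinRM -Session $s -LocalPath .\site.zip -RemotePath 'C:\deploy\site.zip'
# Remove-PSSession $s
```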
