SSH (Secure Shell) is a staple of the Linux/Unix world: with it you connect to a given server and run a specific command line there. Beyond serving as a secure communications protocol for remote terminals, it also provides secure transport for many other tools (Git, for example).

In this article, SSH refers primarily to the terminal connection built on the SSH secure communication protocol. Connecting to a remote machine with SSH is very simple; the original post shows an example session as a screenshot.

Specify the server address and the connection opens; it really is that simple. From then on, every command you type runs on the target machine. Finished your work and want to disconnect? The usual exit command ends the session, as easily as closing a terminal (again shown as a screenshot in the original).

Since SSH itself lives in a command-line environment, running a task across a number of remote servers is just as easy: a for statement wrapped around ssh does it (the original post shows this loop as a screenshot).

This is why many people find bulk management of Linux servers very easy even without large, feature-rich tools: the experience of managing (using) a single server, plus ssh, is enough to manage a whole cluster. For a server to be managed remotely, openssh-server has to be installed and configured on it, which takes just a few basic Linux commands. Everything is so beautiful!

The Windows Remote Management World

Turning to similar work on Windows, the first remote management method that comes to mind is Remote Desktop Connection, whose connection dialog the original post shows as a screenshot.

Remote Desktop Connection (RDP) is a marvel: as long as you know the network address (or machine name) plus a user name and password, you can connect to any Windows computer. Once the connection is established, working on the remote computer feels almost like operating the local one. In practice we have found RDP performance to be quite good, even when the network is poor. The remote session carries not just the full desktop but also audio, video and the clipboard. In addition, RDP clients are plentiful: they are cross-platform (macOS, Linux, mobile tablets and so on), and many tools can connect to several computers at once. The original post shows a Windows server connected from a Mac as a screenshot.

Compared with SSH, RDP offers a far more powerful graphical connection, and could be more powerful still, but the problem lies in batch operations. When we want to manage a cluster of many servers, Remote Desktop can do nothing for us. When the same operation has to be carried out on multiple servers, RDP offers no way to repeat it automatically. In essence this is not an RDP problem; it is a general problem of graphical interfaces.

PowerShell Remoting, Based on WinRM

Since the graphical interface on Windows cannot provide bulk remote management, what about the command-line interface? Wait a minute, a Windows command-line interface? Does Windows even have one? Many people probably wonder. The answer is self-evident: Windows not only has a built-in command line, it is a very powerful one; most people simply never use it. Early on, Windows had the command prompt (cmd); later the .NET-based PowerShell was added, greatly enhancing its scripting capabilities.

Fortunately, PowerShell, the command line that ships with Windows, provides the ability to connect remotely and to run batch jobs to completion. Like SSH, PowerShell Remoting needs only the server address to connect, and the session is ended with the same exit command (the original post shows this as a screenshot).

In addition, many PowerShell commands are specifically optimized for remote execution, Invoke-Command among them. The following code queries the interface language of two remote computers (the code is cited from the documentation):

Invoke-Command -ComputerName Server01, Server02 -ScriptBlock { Get-UICulture }

The output is:

LCID    Name     DisplayName               PSComputerName
----    ----     -----------               --------------
1033    en-US    English (United States)   server01.corp.fabrikam.com
1033    en-US    English (United States)   server02.corp.fabrikam.com
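As an added example (not from the original post), here is the PowerShell counterpart of the for loop over ssh described earlier: one script block fanned out by Invoke-Command to a cluster, with hosts that cannot be reached collected and reported instead of aborting the run. The server names are constructed placeholders.

```powershell
# Constructed server list (placeholder names, not from the original post).
$servers = 'Server01', 'Server02', 'Server03', 'Server04'

# Work to run on every host. The block is sent once and executed remotely on
# each machine; the objects come back tagged with PSComputerName.
$work = {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        WinRMService = (Get-Service -Name WinRM).Status
        Listeners    = (Get-ChildItem -Path WSMan:\localhost\Listener |
                        ForEach-Object { $_.Keys -join ',' }) -join ' | '
        UptimeHours  = [math]::Round(((Get-Date) - $os.LastBootUpTime).TotalHours, 1)
    }
}

# Fan out in parallel, at most 16 hosts at a time. A host that is offline or
# refuses the connection leaves an error record in $failed rather than
# stopping the whole batch.
$failed  = @()
$results = Invoke-Command -ComputerName $servers -ScriptBlock $work `
    -ThrottleLimit 16 -ErrorAction SilentlyContinue -ErrorVariable failed

$results |
    Select-Object PSComputerName, WinRMService, Listeners, UptimeHours |
    Sort-Object PSComputerName |
    Format-Table -AutoSize

# Report unreachable hosts separately; for a connection failure the error
# record's TargetObject is the computer name that could not be reached.
foreach ($err in $failed) {
    Write-Warning ('{0}: {1}' -f $err.TargetObject, $err.Exception.Message)
}
```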

PowerShell Remoting is built on WinRM, the remote management technology built into Windows. If you want to manage a Windows server remotely, you need to enable WinRM on the server and configure the firewall rule:

Enable-PSRemoting -SkipNetworkProfileCheck -Force
Set-NetFirewallRule -Name "WINRM-HTTP-In-TCP-PUBLIC" -RemoteAddress Any

After completing the above configuration, a client can connect to the server from PowerShell with the Enter-PSSession command.

Configuring PowerShell Remoting Without Passwords

Passwords are a simple and intuitive authentication method, but not a secure enough one. The insecurity shows mainly with the many servers of a cluster: if each is to have a different password, maintaining the password table becomes a burden, but if they all share the same password, a single leak puts the entire cluster at risk. Many people therefore settle for a compromise: the same password for all computers in the cluster, changed centrally on a schedule (every two months, say), striking a balance between convenience and security. Still, whatever the arrangement, passwords are not secure enough. For logging in to a server, SSH supports passwords but also supports public-key authentication. The principle of public-key login is that the administrator generates a key pair, copies the public key to the server, and keeps the private key, protecting its contents. When a connection is needed, client and server carry out a series of authentication steps using the private key and then switch to secure communication. Since disclosing the public key does not endanger the private key, this form of login carries no risk of leakage.

On the server side, WinRM (and with it PowerShell Remoting) supports two password-less methods. One is logging on with a client certificate, whose authentication process is very similar to SSH's; the other is centralized login in an Active Directory environment. To enable WinRM client certificate logon, the main steps are:

1. Enable client certificate login for the WinRM service on the server.
2. Enable HTTPS support for WinRM on the server.
3. Set the firewall rules.
4. Generate a certificate on the client.
5. Import the certificate's public key to the server and map it to the specified user on the server.
6. Import the certificate into the local computer certificate store on the client.
7. Connect to the server from the client.

These steps are not complex, but they are not as simple as configuring an SSH server, so I have written them up as scripts; please go to GitHub to view and download them. An article detailing the steps in order is also available for reference.
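The procedure above, written out as an added example; this is my own illustration of the steps, not the author's GitHub scripts. The management subnet, host name, account name and UPN are constructed values, the server uses a self-signed certificate for a lab (a PKI-issued one in production), and Enable-PSRemoting is assumed to have been run already as in the earlier section.

```powershell
# ---------- On the server (elevated PowerShell) ----------
# 1. Let the WinRM service accept client-certificate authentication.
Set-Item -Path WSMan:\localhost\Service\Auth\Certificate -Value $true

# 2. Add an HTTPS listener. Lab only: self-signed server certificate; in
#    production use one issued by your PKI so clients never skip CA checks.
$serverCert = New-SelfSignedCertificate -DnsName $env:COMPUTERNAME `
    -CertStoreLocation Cert:\LocalMachine\My
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $serverCert.Thumbprint -Force

# 3. Firewall: open 5986 only to the management subnet (constructed value)
#    rather than to Any, as the HTTP rule earlier in the post does.
New-NetFirewallRule -DisplayName 'WinRM HTTPS (management subnet)' `
    -Direction Inbound -Protocol TCP -LocalPort 5986 -Action Allow `
    -RemoteAddress 10.0.100.0/24

# ---------- On the client ----------
# 4. Generate the client certificate: Client Authentication EKU plus a UPN in
#    the Subject Alternative Name, which is the identity WinRM maps to an account.
$clientCert = New-SelfSignedCertificate -Type Custom -Subject 'CN=winrm-admin' `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2',
                     '2.5.29.17={text}upn=winrm-admin@localhost') `
    -KeyUsage DigitalSignature, KeyEncipherment -KeyAlgorithm RSA -KeyLength 2048 `
    -NotAfter (Get-Date).AddYears(1) -CertStoreLocation Cert:\CurrentUser\My
# Export only the public part; the private key never leaves the client.
Export-Certificate -Cert $clientCert -FilePath .\winrm-admin.cer -Type CERT

# ---------- Back on the server, after copying winrm-admin.cer over ----------
# 5. Trust the certificate as issuer and as peer, then map its UPN to a local
#    account; the credential requested here is that account's password.
$pub = Import-Certificate -FilePath .\winrm-admin.cer -CertStoreLocation Cert:\LocalMachine\Root
Import-Certificate -FilePath .\winrm-admin.cer -CertStoreLocation Cert:\LocalMachine\TrustedPeople
New-Item -Path WSMan:\localhost\ClientCertificate -Subject 'winrm-admin@localhost' `
    -URI * -Issuer $pub.Thumbprint -Credential (Get-Credential 'winrm-admin') -Force

# ---------- On the client ----------
# 6. Lab only: import the server's public certificate into the client's
#    Cert:\LocalMachine\Root so the HTTPS listener is trusted without skipping checks.
# 7. Connect with the certificate instead of a password; -UseSSL selects port 5986.
Enter-PSSession -ComputerName server01.example.test -UseSSL `
    -CertificateThumbprint $clientCert.Thumbprint
```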

Besides WinRM client-certificate logon, the new cross-platform PowerShell 6 also supports OpenSSH directly, giving exactly the same experience as on a Linux server. See the official documentation for the specific configuration; for more on PowerShell Remoting you can also refer to this e-book.

Once WinRM is enabled on the server, it supports not only PowerShell Remoting but many other remote management capabilities for Windows servers as well. For example, the well-known configuration automation software Ansible uses the same PowerShell Remoting channel to automate the configuration of Windows servers, and it also has good support for the client-certificate login described above. It turns out that after the simple configuration above, Windows servers too can be managed very easily through batch automation.