Nov 5 / Greg

Connecting To Windows Over OpenSSH Using The Ansible Automation Platform

The tried and true method to connect to a Windows host using Ansible has been WinRM since the inception of Ansible. Now this upstart OpenSSH is here for Windows and folks want to use it for their automation.

I’ve heard that connecting to a Windows host over SSH should be just the same as using WinRM, but in my experience this isn’t the case. Using OpenSSH has caused some odd/unpredictable issues with various modules, rendering some all but unusable. For example, I recently was using the win_hotfix module and it all but refused to work correctly in my testing. Your mileage may vary, I just wanted to give a word of warning in advance.

OpenSSH Configuration

First, the Ansible OpenSSH for Windows documentation is pretty solid.
Using its instructions to turn on and enable OpenSSH worked well:

Get-WindowsCapability -Name OpenSSH.Server* -Online |
    Add-WindowsCapability -Online
Set-Service -Name sshd -StartupType Automatic -Status Running
 
$firewallParams = @{
    Name        = 'sshd-Server-In-TCP'
    DisplayName = 'Inbound rule for OpenSSH Server (sshd) on TCP port 22'
    Action      = 'Allow'
    Direction   = 'Inbound'
    Enabled     = 'True'  # This is not a boolean but an enum
    Profile     = 'Any'
    Protocol    = 'TCP'
    LocalPort   = 22
}
New-NetFirewallRule @firewallParams
 
$shellParams = @{
    Path         = 'HKLM:\SOFTWARE\OpenSSH'
    Name         = 'DefaultShell'
    Value        = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
    PropertyType = 'String'
    Force        = $true
}
New-ItemProperty @shellParams

It’s not enough to just turn on OpenSSH; you also need to change what its default shell is. Here, as in the documentation, I’m setting it to be PowerShell. This way, when Ansible connects and attempts to do work, it will happen via PowerShell rather than cmd.exe:

# Set default to powershell.exe
$shellParams = @{
    Path         = 'HKLM:\SOFTWARE\OpenSSH'
    Name         = 'DefaultShell'
    Value        = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
    PropertyType = 'String'
    Force        = $true
}
New-ItemProperty @shellParams

I had to additionally adjust the firewall beyond what the Ansible documentation showed to allow remote hosts to access OpenSSH:

Set-NetFirewallRule -Name "OpenSSH-Server-In-TCP" -Enabled True -Profile Domain,Private,Public
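
The commands above leave port 22 reachable on the Domain, Private and Public profiles with no limit on the source address, so it is worth auditing the result on the host. The script below is an added example, not from this post or the Ansible documentation; `$ControllerAddress` (a documentation-range placeholder for your AAP execution node) and `$Restrict` are assumptions.

```powershell
# Added example: audit the OpenSSH setup described in this post (run elevated on the Windows host).
$ControllerAddress = @('192.0.2.10')   # placeholder: address of the AAP node allowed to connect
$Restrict          = $false            # set to $true to limit open rules to $ControllerAddress

$findings = @()

# 1. sshd must be running and set to start at boot
$svc = Get-Service -Name sshd -ErrorAction Stop
if ($svc.Status -ne 'Running')      { $findings += "sshd status is $($svc.Status)" }
if ($svc.StartType -ne 'Automatic') { $findings += "sshd start type is $($svc.StartType)" }

# 2. DefaultShell must be set and point at a binary that exists
$shell = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\OpenSSH' -Name DefaultShell -ErrorAction SilentlyContinue).DefaultShell
if (-not $shell) {
    $findings += 'DefaultShell is not set, so sessions fall back to cmd.exe'
} elseif (-not (Test-Path -LiteralPath $shell -PathType Leaf)) {
    $findings += "DefaultShell target is missing: $shell"
}

# 3. Inspect both inbound rules this post touches and report who may reach port 22
$ruleNames = 'sshd-Server-In-TCP', 'OpenSSH-Server-In-TCP'
foreach ($rule in (Get-NetFirewallRule -Name $ruleNames -ErrorAction SilentlyContinue)) {
    if ($rule.Enabled -ne 'True') { continue }
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    '{0}: profile={1} remote={2}' -f $rule.Name, $rule.Profile, ($remote -join ',')
    if ($remote -contains 'Any') {
        $findings += "$($rule.Name) accepts SSH from any source address"
        # Optional fix: only the listed controller address may connect
        if ($Restrict) { $rule | Set-NetFirewallRule -RemoteAddress $ControllerAddress }
    }
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    'OpenSSH setup matches the intended configuration.'
}
```

With `$Restrict` left at `$false` the script only reports; nothing on the host is changed.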

Configure AAP

In AAP I have to tell it which connection method to use to talk to my Windows host. I could assign these options directly on the host, but for this special group of Windows hosts I’ve created an inventory group named “windows-openssh” with the following values:

ansible_remote_tmp: C:\Windows\Temp\ansible
ansible_pipelining: true
ansible_connection: ssh

ansible_remote_tmp: Here you can see I set up a temp directory where files will be temporarily stored on the remote host so Ansible can execute them.
The remaining variables are optional.
ansible_pipelining: Tries to issue multiple commands without having to create multiple connections.
ansible_connection: This defines ssh as the connection type. Since ssh is the default option, this isn’t needed, but because most folks utilize WinRM I spell it out here for documentation.

Privilege Escalation Windows

This isn’t specific to OpenSSH on Windows, but rather something that is a gotcha for folks. If you are doing privilege escalation (“become: true”) on Windows, you will need to instruct Ansible how to do it properly. In your credential, be sure to set the “Privilege Escalation Method” to “runas”. You’ll likely need to set the Escalation Username information too.

Conclusion

Well, it’s not too crazy to get it all set up, but again, your mileage may vary. I wholly expect support to just keep getting better. Well, good luck and happy OpenSSH’n to your Windows hosts 🙂
