Executing PowerShell over SSH (no WinRM, no PowerShell plugin)

If you've been in a similar situation to mine a few times at customers, you may have run into an issue where a policy prevents enabling WinRM or PSRemoting, or where authentication schemes like CredSSP / Kerberos produce more trouble than they're worth.

Why PowerShell from Linux? Well, think Active Directory / DNS management or other Windows-specific systems which have PowerShell-based management tools.

There are use cases where I've used Ansible before in an attempt to execute remote PowerShell, but the multi-hop auth issue (without CredSSP) causes authentication failures.
Picture an enterprise using multiple Domain Controllers or DNS Servers. Now you want to execute a PowerShell module which adds / removes / modifies certain objects. Now imagine you want to use WinRM. Certain companies may not allow WinRM on their Domain Controllers. Also, consider firewall constraints. So, the solution one might think of is to install the RSAT (Remote Server Administration Tools) package on an intermediary server, and then establish a connection to that server using WinRM. This means that the AD / DNS Servers remain untouched, because you can install the tools (and PS modules) on an intermediary server.

Ah, but wait. Now when you run commands, they fail authentication. Why? This is known as the multi-hop issue: the intermediary server is not allowed to pass your credentials on to the next server. Microsoft's recommendation to overcome this is to enable CredSSP on the target. The target here would be the Domain Controllers / DNS Servers. That just feels wrong, right?

In such a situation, you might be delighted to hear that there is a much simpler solution.

The solution involves the use of a third-party Windows SSH server. This Windows SSH server then executes PowerShell whenever a connection comes in. Windows authentication is supported, you can often lock down access in many of the SSH servers available, and some are very configurable.
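
As an added example (not code from the original post or from any SSH server vendor), this is one way to drive that setup from the Linux side in Python: values are quoted as PowerShell literals and the script is sent with -EncodedCommand so it passes through the SSH and shell layers unchanged. It assumes key-based login, an SSH server that hands the command line to a shell with powershell.exe on the PATH, RSAT's DNS module on the intermediary, and hypothetical host, account and zone names.

```python
import base64
import subprocess

# PowerShell treats all of these as single-quote delimiters; double each one.
_PS_QUOTES = "'\u2018\u2019\u201a\u201b"


def ps_quote(value: str) -> str:
    """Return value as a PowerShell single-quoted literal (no expansion)."""
    return "'" + "".join(c * 2 if c in _PS_QUOTES else c for c in value) + "'"


def encode_ps(script: str) -> str:
    """Base64 of the UTF-16LE text, the form -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def build_ssh_argv(host: str, user: str, script: str, key_file: str) -> list[str]:
    """Argument vector for ssh; passed as a list, so no local shell parses it."""
    remote = ("powershell.exe -NoProfile -NonInteractive -EncodedCommand "
              + encode_ps(script))
    return [
        "ssh",
        "-o", "BatchMode=yes",              # fail instead of prompting
        "-o", "StrictHostKeyChecking=yes",  # refuse unknown or changed host keys
        "-i", key_file,
        f"{user}@{host}",
        remote,
    ]


def run_remote_ps(host, user, script, key_file, timeout=60):
    """Run script on the Windows SSH server; return (exit code, stdout, stderr)."""
    proc = subprocess.run(build_ssh_argv(host, user, script, key_file),
                          capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout, proc.stderr


def dns_lookup_script(zone: str, dns_server: str) -> str:
    """Constructed example: read a zone's records through the RSAT DNS module."""
    return ("Get-DnsServerResourceRecord -ZoneName " + ps_quote(zone)
            + " -ComputerName " + ps_quote(dns_server))


if __name__ == "__main__":
    # Hypothetical host, account, zone and key path; replace with your own.
    ps = dns_lookup_script("corp.example", "dns01.corp.example")
    print(build_ssh_argv("jump01.corp.example", "svc_automation", ps,
                         "/etc/automation/id_ed25519"))
```

Calling run_remote_ps() with the same arguments performs the connection; the intermediary's host key has to be in known_hosts beforehand because unknown keys are rejected.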

Now, in the below diagram, the vRO object on the left is interchangeable with any Linux server since we're talking about SSH. This includes awesome tools like Puppet, Ansible etc. So here's how it works:

Now, there is likely a large number of SSH servers available, but the best I've used so far is a paid version called Bitvise SSH Server. It's highly configurable, very cheap and low on resource utilization. I found the free versions clunky, unreliable and erratic.

For reference, I installed and used the Bitvise SSH Server on a Windows Server in production for a customer before and it worked flawlessly.

Some links to SSH servers that will support part or all of the solution above:

Bitvise SSH Server (efficient, low cost, configurable, secure)
freeSSHd and freeFTPd - open source SSH and SFTP ... (free, eats memory, clunky)
MobaSSH (SSH server for Windows)

Hope it helps someone out there.

--Chris