How SSH In Windows Server Completely Changes The Game


Mattias Geniar, June 18, 2015


A few days ago, Microsoft announced their plans to support SSH.

At first, I only skimmed the news articles and misinterpreted the news as PowerShell getting SSH support to act as a client, but it appears this goes much deeper: SSH coming to Windows Server is both client and server support.

“A popular request the PowerShell team has received is to use Secure Shell protocol and Shell session (aka SSH) to interoperate between Windows and Linux – both Linux connecting to and managing Windows via SSH and, vice versa, Windows connecting to and managing Linux via SSH.”

Looking Forward: Microsoft Support for Secure Shell (SSH)

While the announcement in and of itself is worth a read, the comments show a lot of concern about how it will be implemented, with readers hoping for an industry-standard implementation instead of a quirky fork of the protocol.

In the comments, the official PowerShell account also confirms that the SSH implementation will have both client and server support.

“The SSH implementation will support both Client and Server.”

This is super exciting.

SSH Public Key Authentication

SSH is just a protocol. Windows already has several protocols & methods for managing a server (RPC, PowerShell, AD Group Policies, …), so why bring another one?

Supporting the SSH server on Windows can bring the biggest advancement to Windows in a long time: SSH public key authentication.

Historically, managing a Windows server was based on either username/password combinations or NTLM. There are other alternatives, but these two are the most widely used. You either type your username and password, or you belong to an Active Directory domain for easier access.

Managing standalone Windows machines has therefore always been a serious annoyance. It requires keeping a list of username/password combinations.

If SSH support in Windows is done right, it would mean a new authentication method that is perfect for automation tasks.

It inevitably also means that supporting SSH on Windows isn’t trivial: it ties into the user management, authentication & authorization. This would be a major feature to push out.

Config Management For Windows

Configuration Management isn’t new for Windows. In fact, in many regards, automating state and configuration is far more advanced in Windows than it is on Linux.

However, the tools to automate on Windows have mostly been proprietary, complex and very expensive to both purchase and maintain. In the Open Source world there are many alternatives for config management a user could choose from.

For a couple of years now, even the Open Source tools have begun to show rudimentary support for managing Windows Server (see Puppet, Chef, Ansible, …).

Having SSH access to a Windows Server with proper SSH public key support would allow all kinds of SSH-based config management tools to be used for managing a Windows Server, whether it’s in an Active Directory domain or a standalone server.

Even if Ansible didn’t have native Windows support, just having SSH available would be sufficient to use Ansible to completely manage a Windows server.

Imagine the power.

The Proof Of The Eating Is In The Pudding

Hmmm, pudding …

Sorry, I digress.

As Microsoft has correctly admitted, this is the 3rd attempt to integrate SSH into Windows.

“The first attempts were during PowerShell V1 and V2 and were rejected. Given our changes in leadership and culture, we decided to give it another try and this time, because we are able to show the clear and compelling customer value, the company is very supportive.”

A public statement proclaiming support for native SSH is a powerful thing, but it’s by no means a guarantee that it’ll happen. The lack of a clear timeline also shows how early in the process this idea is.

I’m hoping support for SSH server in Windows Server eventually becomes a standard on every server. I’m biased because I come from a Linux background, but having an SSH server with public key authentication would greatly simplify my life of automating Windows environments.

There are alternatives for doing that. There have always been alternatives. I just don’t like them. I like having SSH access to manage a server and I’m rooting for Microsoft to pull this off as well.
