PowerShell Server: Security Questions and Answers
Introduction
PowerShell Server provides a secure mechanism to connect to remote machines and execute PowerShell scripts. This document will cover some of the common questions specific to the security options used by PowerShell Server.
What SSH protocol does PowerShell SSH use?
PowerShell Server operates of the SSH2 protocol. As such your SSH client will need to support SSH2. Most SSH clients support SSH2 so this should typically not be a concern.
What encryption algorithms are supported by PowerShell Server?
By default PowerShell Server is configured to support all available SSH Encryption Algorithms
However, PowerShell Server can be configured to support only specific SSH Encryption Algorithms by setting the SSHEncryptionAlgorithms registry key in the registry path HKEY_LOCAL_MACHINE\SOFTWARE\nsoftware\PowerShell\Server\16. This key should be set to a comma-delimited list of supported SSH Encryption Algorithms, such as: “aes256-ctr,aes256-cbc,3des-cbc”.
The supported SSH Encryption Algorithms are as follows:
aes256-ctr | 256-bit AES encryption in CTR mode. |
aes256-cbc | 256-bit AES Encryption in CBC mode. |
aes192-ctr | 192-bit AES Encryption in CTR mode. |
aes192-cbc | 192-bit AES Encryption in CBC mode. |
aes128-ctr | 128-bit AES Encryption in CTR mode. |
aes128-cbc | 128-bit AES Encryption in CBC mode. |
3des-cbc | 192-bit (3-key) triple DES Encryption in CTR mode. |
3des-cbc | 192-bit (3-key) triple DES Encryption in CBC mode. |
cast128-cbc | CAST-128 Encryption. |
blowfish-cbc | Blowfish Encryption. |
arcfour | ARC4 Encryption |
arcfour128 | 128-bit ARC4 Encryption |
arcfour256 | 256-bit ARC4 Encryption |
aes256-gcm@openssh.com | 256-bit AES encryption in GCM mode. |
aes128-gcm@openssh.com | 128-bit AES encryption in GCM mode. |
By default, PowerShell Server is configured to allow all available algorithms.
Similar to the SSH Encryption Algorithms above, PowerShell Server's supported MAC algorithms can be configured by setting the SSHMacAlgorithms registry key in the registry path HKEY_LOCAL_MACHINE\SOFTWARE\nsoftware\PowerShell\Server\16. This key should be set to a comma-delimited list of supported SSH MAC Algorithms, such as: “hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96″
The supported SSH MAC Algorithms are as follows:
- hmac-sha1
- hmac-md5
- hmac-sha1-96
- hmac-md5-96
- hmac-sha2-256
- hmac-sha2-256-96
- hmac-sha2-512
- hmac-sha2-512-96
- hmac-ripemd160
- hmac-ripemd160-96
How does the key exchange process happen between the SSH client and PowerShell Server?
PowerShell Server conforms with the SSH2 protocol and utilizes the standard Diffie-Hellman methods for Key Exchange. In general this means that the client and server compare their lists of supported Encryption and MAC Algorithms to find a mutually supported algorithm, then agree to utilize these algorithms for the connection.
What authentication methods are supported by PowerShell Server?
PowerShell Server supports Password, GSSAPI, and Public Key authentication. When Password or GSSAPI authentication are used PowerShell Server will query the user for their username and password at login (after the SSH connection is secured, but before the user is allowed access to the prompt). When the Username and Password are supplied, PowerShell Server will use the Windows Login APIs to log the user in and authenticate them.
Public Key Authentication does not make use of the user’s username and password but instead logs the user in based on whether the SSH Public Key data supplied is found in the allowed keys specified for PowerShell Server. Note: Since Public Key Authentication does not make use of username or password, the logged in users will run with the security privileges of the account under which PowerShell Server is running (e.g., the local SYSTEM account if PowerShell Server is running as a service).
What is the encryption process between client and host?
In general, when connecting to an SSH server, the client and server both notify each other of all of the encryption algorithms they support. The SSH negotiation then chooses the strongest mutually compatible encryption algorithm and the SSH connection proceeds using this algorithm. Since, by default, PowerShell Server supports aes256-ctr, aes256-cbc, and 3des-cbc this means that you can connect with a client that supports any or all of the listed encryption algorithms. As long as there is at least one mutual encryption algorithm, PowerShell Server will be able to negotiate a secure SSH connection.
How do the MAC algorithms differ?
The MAC Algorithm is used to ensure message integrity is maintained but does not directly encrypt the data. Essentially, the Encryption Algorithms (above) encrypt the data and the MAC Algorithm allows the data to be verified (e.g., that it was not altered or corrupted during transmission). Like the Encryption Algorithms, the MAC Algorithm used in an SSH connection is negotiated between the client and server based on the supported algorithms of both sides. A mutual MAC algorithm is agreed upon so that data integrity can be guaranteed once data transmission begins. As long as the client supports at least one of the supported Encryption Algorithms and at least one of the supported MAC Algorithms then the client will be able to successfully connect to PowerShell Server.
What happens when PowerShell Server encounters a timeout when attempting to send data to the client?
In the event that there is packet loss or other issues with the connection between PowerShell Server and the client, the socket will attempt to retry the sending of the data packets until a Timeout is determined. If a Timeout is detected then PowerShell Server will report that the connection has timed out and close the timed out connection. Note: PowerShell Server utilizes the Windows Socket APIs which control the behavior of the retransmission of any dropped packets.
We appreciate your feedback. If you have any questions, comments, or suggestions about this article please contact our support team at kb@nsoftware.com.