PowerShell Server 2016

Security

The Security tab controls authentication options.

Below are the available options for this tab:

  • Security Group: This is the name of a Windows group used for authorizing access to the server. Only users who are members of this group will be allowed access. This can be a group in the local machine or a group on the domain.
  • Enable Password Authentication: This specifies whether or not Password authentication is allowed. This is enabled by default.
    Note that when using Password Authentication, the recommended format for user authentication is "DOMAIN\Username".
  • Enable GSSAPI Authentication: This allows GSSAPI authentication for connecting clients. This is enabled by default in licensed versions.
    • Supported Mechanisms: Specifies the authentication mechanism used. Possible values are All, Kerberos, NTLM. The default value is NTLM.
    Note that when using Kerberos as an authentication mechanism, it is recommended that PowerShell Server be run as a service. When it is not running as a service and is instead running under a user account, the default SPN (Service Principal Name) format of host/machine@domain may result in errors. In that case, a new SPN should be registered (for instance ssh/machine) with the domain controller, and the KerberosSPN registry setting for PowerShell Server must be set. Additionally, any connecting SSH client will need to be configured to use the newly defined SPN.
  • Logon Type: Controls the type of logon performed by the application when attempting to authenticate users. Possible values are:
    • Network Logon: Regular network logon is performed. This is more secure, but access to remote network resources is prohibited.
    • Interactive Logon: Interactive logon is performed. This is less secure, but allows access to remote network resources.
    The default value is Network Logon.

Public Key Authentication

  • Enable Public Key authentication: If checked, clients will be able to authenticate using a public key instead of a username/password. When using Public Key Authentication, no impersonation of the logged on user will be done by the server, so all commands will run in the context of the user the server process is running under. Clients connecting to the server using any certificate found in the selected store will be granted access. Public Key Authentication can be configured to use either the Windows certificate store or a keys file on disk.
  • Windows Store Based Public Key Authentication: When selected, the client's public key is validated against the certificates in the Windows certificate store specified by the following options:
    • Store Type: Tells the server to look for client certificates in the Machine or User stores.
    • Store Name: Tells the server to look for client certificates under the selected store.
  • File Based Public Key Authentication: If selected, the client's public key is validated against a list of SSH public keys in the specified file. The file path indicated may contain the %USERNAME% macro, which will resolve to the name of the user being authenticated. The file must contain one key per line. The keys must be in the following format:
    ssh-rsa AAAAB3NzaC1yc2EA...rPFBe7Pnc= rsa-key-20110822

    When File Based Public Key Authentication is used, you can also control the IP addresses from which the key may be used by using the "from" keyword in the SSH public keys file. Please see the following examples:

    • Only accept connections using the specified public key from 192.168.1.12:
      from="192.168.1.12" ssh-rsa AAAAB3NzaC1yc2EA...rPFBe7Pnc= rsa-key-20110822
    • Only accept connections using the specified public key for the IP Address range 192.168.1.30 - 192.168.1.39:
      from="192.168.1.3?" ssh-rsa AAAAB3NzaC1yc2EA...rPFBe7Pnc= rsa-key-20110822
    • Only accept connections using the specified public key for the IP Address range 192.168.1.100 - 192.168.1.199:
      from="192.168.1.1??" ssh-rsa AAAAB3NzaC1yc2EA...rPFBe7Pnc= rsa-key-20110822
    • Only accept connections using the specified public key for the IP Address range 192.168.0.12 - 192.168.255.12 (must end in .12):
      from="192.168.*.12" ssh-rsa AAAAB3NzaC1yc2EA...rPFBe7Pnc= rsa-key-20110822
    • Only accept connections using the specified public key for the IP Address range 192.168.1.0 - 192.168.1.255 EXCEPT 192.168.1.12:
      from="192.168.1.*,!192.168.1.12" ssh-rsa AAAAB3NzaC1yc2EA...rPFBe7Pnc= rsa-key-20110822

    As demonstrated above, the special characters "?", "!", and "*" may be used to specify an IP address pattern that is to be matched.

    Note that when File Based Public Key Authentication is enabled, similar settings to define the allowed public keys are available in the registry, as documented on the Authorized Keys page.

    Note: Only IPv4 addresses are currently supported. Hostname matching and IPv6 address matching are currently not supported.
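
The following audit script is an added example, not /n software code. It parses a keys file in the format shown above and reports which probe addresses each key would be accepted from, so missing or overly broad "from" restrictions stand out. It assumes "?" matches exactly one character, "*" matches any run of characters (dots included), and a matching "!" entry always denies, as the examples above suggest; the server's own matcher may differ. The key blobs, comments and probe addresses are constructed.

```python
import re

# Constructed sample keys file; key blobs are shortened placeholders, not real keys.
SAMPLE_KEYS_FILE = '''\
from="192.168.1.12" ssh-rsa AAAAB3...placeholder1= admin-laptop
from="192.168.1.*,!192.168.1.12" ssh-rsa AAAAB3...placeholder2= ops-subnet
from="192.168.1*" ssh-rsa AAAAB3...placeholder3= too-broad
ssh-rsa AAAAB3...placeholder4= unrestricted
'''

# Optional from="..." option, key type (only ssh-* types are recognised), blob, comment.
LINE_RE = re.compile(
    r'^(?:from="(?P<from>[^"]*)"\s+)?ssh-\S+\s+\S+(?:\s+(?P<comment>.*))?$')

def parse_line(line):
    """Return (patterns or None, comment) for one keys-file line."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised key line: {line!r}")
    source = m.group("from")
    patterns = [p.strip() for p in source.split(",")] if source is not None else None
    return patterns, m.group("comment") or ""

def glob_match(pattern, ip):
    """'?' matches exactly one character, '*' any run of characters (assumed)."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, ip) is not None

def ip_allowed(patterns, ip):
    """No from= option means no source restriction; a matching '!' entry denies."""
    if patterns is None:
        return True
    if any(p.startswith("!") and glob_match(p[1:], ip) for p in patterns):
        return False
    return any(not p.startswith("!") and glob_match(p, ip) for p in patterns)

def audit(text, probe_ips):
    """Return {key comment: [probe IPs the key would be accepted from]}."""
    report = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        patterns, comment = parse_line(line)
        report[comment] = [ip for ip in probe_ips if ip_allowed(patterns, ip)]
    return report

PROBES = ["192.168.1.12", "192.168.1.40", "192.168.10.5", "10.0.0.7"]

if __name__ == "__main__":
    for comment, ips in audit(SAMPLE_KEYS_FILE, PROBES).items():
        print(f"{comment:14} accepted from: {ips}")
```

In the sample, the pattern "192.168.1*" lacks the dot before the wildcard, so under these assumptions it also admits 192.168.10.5, and the last line carries no "from" option at all.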

 
 
Copyright (c) 2017 /n software inc. - All rights reserved.
PowerShell Server 2016 - Version 16.0 [Build 6240]