Invoke-Command with Kerberos authentication

[pavel-calin]

Hello,

We configured our machines (Client: Windows and Server: Linux) in order to allow client to connect to server with ssh -K . In this case Kerberos authentication is used and everything is fine.

But we want to execute Powershell Invoke-Command on client machine which runs a script on remote Linux. This works if you provide a -Hostname as parameter and an username or private/public key file.
a) Is there any possibility to execute Invoke-Command over ssh and enforce it to use Kerberos authentication (like it is ssh -K ...)?
b) Is there a way to configure what parameters are used for SSH connection (like a ssh_config file) where we could enforce Kerberos / GSSAPIAuthentication

[jborean93]

It's certainly possible but just not simple. There are two ways you can do this:

• Configure ssh/config

Add the following to your ~/.ssh/config file

Host hostpattern
    GSSAPIAuthentication yes

Where hostpattern is a pattern for the hostname(s) you wish to use GSSAPI/Kerberos auth with. For example I have Host *.domain.test to enable GSSAPI for any host in the .domain.test domain.

• Override ssh binary used to include the -K argument

# Use .bat file for Windows here
$script = Set-Content ./my_ssh -Value @'
#!/usr/bin/env bash

ssh -K "$@"
'@
chmod +x ./my_ssh

$ExecutionContext.InvokeCommand.PostCommandLookupAction = {
    param ($Command, $EA)

    if ($Command -eq 'ssh') {
        $EA.Command = Get-Command (Join-Path $PSScriptRoot 'my_ssh')
    }
}
try {
    Invoke-Command -HostName hostname -ScriptBlock { $env:USERPROFILE }
}
finally {
    $ExecutionContext.InvokeCommand.PostCommandLookupAction = $null
}

This will change the binary that PSRemoting is called from ssh to your custom script. This custom script will then just call ssh with the added -K argument plus the arguments pwsh was calling it with.

[pavel-calin]

Thank you for your answer. First solution worked for us.