
Cannot get host key when Windows is in FIPS mode

Open wilddev65 opened this issue 2 years ago • 8 comments

POSH-SSH 3.1.1

Windows set to FIPS mode via Local Security Policy:

Security Settings > Local Policies > Security Options

System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithm: Enabled

Reboot to enable

Test:

```
"host.domain.com" | Get-SSHHostKey | ConvertTo-Json
Get-SSHHostKey : Exception has been thrown by the target of an invocation.
At line:1 char:22
+ "host.domain.com" | Get-SSHHostKey | ConvertTo-Json
+                     ~~~~~~~~~~~~~~
    + CategoryInfo : ConnectionError: (host.domain.com:String) [Get-SSHHostKey], TargetInvocationException
    + FullyQualifiedErrorId : SSH.GetSSHHostKey
```

Test using Renci.SshNet.dll directly:

```powershell
$hostname = 'host.domain.com'
$port = 22
$username = 'user'
$password = 'password'
# path to posh-ssh/Assembly/Renci
Add-Type -Path 'C:\Program Files\WindowsPowerShell\Modules\Posh-SSH\3.1.1\Assembly\Renci.SshNet.dll'
$ssh = [Renci.SshNet.SshClient]::new($hostname, $port, $username, $password)
$ssh.Connect()
```

```
ForwardedPorts ConnectionInfo                      IsConnected KeepAliveInterval
{}             Renci.SshNet.PasswordConnectionInfo True        -00:00:00.0010000
```

It would seem that due to Windows in FIPS mode preventing you even trying to make the connection when using non-FIPS algorithms, the Get-SSHHostKey command fails.

wilddev65 avatar Jan 25 '24 22:01 wilddev65

Sadly it is a known issue with the library of SSH.Net

darkoperator avatar Jan 25 '24 22:01 darkoperator

How is it a known issue when the sshnet.dll connects successfully? To me that points to the Get-SSHHostKey as having an issue as the underlying library works. Is this the issue you are referring to? https://github.com/sshnet/SSH.NET/issues/276#issuecomment-322877786

wilddev65 avatar Jan 26 '24 15:01 wilddev65

Will take a look. We had so many people enable FIPS in the past and it not even loading, so I thought it was the same issue.

darkoperator avatar Jan 26 '24 18:01 darkoperator

Seems that Windows PowerShell 5.1 is the issue. I would recommend for now to use PowerShell 7.x.

darkoperator avatar Jan 26 '24 21:01 darkoperator

Oh, how interesting! It works in PS7.4.1 just fine. This gives me a work around that I can use. Thanks for this!

wilddev65 avatar Jan 29 '24 19:01 wilddev65

Based on the error I believe it is because PS 5.1 is based on CLR 4.0, so an old version of .NET, and since MS will not be updating Windows PowerShell I think in this case it is better to stick with PS Core.

darkoperator avatar Jan 29 '24 21:01 darkoperator

Makes sense. I think that is the best way forward as well. Just to note here (if anyone is wanting to do this), due to the way my application runs, it uses .NET4.8 on the platform to run PS scripts. It's not possible to have it use PS7.x directly, only to run PS 5.1. My plan is to create a PSSession to localhost from the 5.1 using a PS7 config & scriptblock:

```powershell
$session = New-PSSession -ComputerName localhost -ConfigurationName PowerShell.7 -Credential $credObject
Invoke-Command -Session $session -ScriptBlock $myScriptBlock
```

This should enable the work around and still use PS7 when needed to run POSH-SSH commands.

wilddev65 avatar Jan 29 '24 23:01 wilddev65
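The workaround planned in the comment above, written out as an added example that is not part of the original thread or of Posh-SSH: a wrapper that only detours through the local `PowerShell.7` endpoint when FIPS mode and Windows PowerShell 5.1 are both in effect. The function name `Get-SshHostKeyFipsSafe` is hypothetical, and it assumes the `PowerShell.7` session configuration is registered (it is created by running `Enable-PSRemoting` from pwsh) and that Posh-SSH is importable from PowerShell 7.

```powershell
# Added example, not code from the thread. Get-SshHostKeyFipsSafe is a hypothetical name.
function Get-SshHostKeyFipsSafe {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName,

        # Account allowed to open the local PowerShell.7 endpoint (optional).
        [pscredential]$Credential
    )

    # FIPS policy as .NET sees it; reflects the Local Security Policy setting after reboot.
    $fipsEnabled = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    # Windows PowerShell 5.1 reports 'Desktop'; PowerShell 7.x reports 'Core'.
    $isDesktop = $PSVersionTable.PSEdition -eq 'Desktop'

    if (-not ($fipsEnabled -and $isDesktop)) {
        # Not the failing combination reported in the thread: call the cmdlet directly.
        Import-Module Posh-SSH -ErrorAction Stop
        return ($ComputerName | Get-SSHHostKey)
    }

    # FIPS + 5.1: run the cmdlet inside a PowerShell 7 session on this machine.
    $sessionArgs = @{
        ComputerName      = 'localhost'
        ConfigurationName = 'PowerShell.7'   # assumption: endpoint is registered
        ErrorAction       = 'Stop'
    }
    if ($Credential) { $sessionArgs.Credential = $Credential }

    $session = New-PSSession @sessionArgs
    try {
        # The leading comma passes the whole array as one argument.
        Invoke-Command -Session $session -ErrorAction Stop -ArgumentList (,$ComputerName) -ScriptBlock {
            param($Names)
            Import-Module Posh-SSH -ErrorAction Stop
            $Names | Get-SSHHostKey
        }
    }
    finally {
        # Always tear the local session down, even if the host key lookup fails.
        Remove-PSSession -Session $session
    }
}
```

Objects returned from the remote branch are deserialized copies, so compare their properties (for example after `ConvertTo-Json`) and do not rely on methods of the original type.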

Carlos, you can close this one. It's working with PS 7.x

wilddev65 avatar Feb 06 '24 22:02 wilddev65