Make Powershell default ssh shell in Windows #90

Closed
manojampalam opened this issue Feb 1, 2016 · 17 comments

Comments

@manojampalam
Contributor

No description provided.

@benkevan

benkevan commented Feb 8, 2016

Rather this should be configurable and not statically set. I'd prefer it to be opened in cmd as my profile.ps1 is pretty heavy.

@aduzsardi

This can be solved by adding ForceCommand powershell.exe in your sshd_config. You can also do

Match User user1 user2 ...
    ForceCommand powershell.exe

or Match Group for groups

@taynes13

@aduzsardi using ForceCommand powershell.exe will help only with interactive sessions, but it breaks things like SFTP. Try an SFTP connection to a server which has ForceCommand enabled; SFTP won't be happy with the PowerShell logo message :-)

@nkrepo

nkrepo commented Jul 21, 2017

Is there a workaround for getting sftp to work when powershell is the default ssh shell?

@bagajjal
Collaborator

bagajjal commented Aug 10, 2017

We couldn't find a perfect solution.

Here is our current proposal:

  1. Read the default SSH shell from a user environment variable that has the full path (ex - C:\Windows\System32\cmd.exe)

  2. Check if the default SSH shell is trusted:
    a) If the executable is from the system32 path (ex - C:\Windows\System32)
    (or)
    b) If the executable is published from a trusted source (ex - Microsoft).

  3. If step 2 succeeds, then launch the default SSH shell.
    If step 2 fails, then launch cmd.exe.

Issue with this proposal:
If a user has an unpublished powershell.exe, step 2 will fail and we end up launching cmd.exe.

We would like to hear from the community any alternative proposals or suggestions.
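
Steps 1, 2a and 3 of the proposal above, as an added sketch in C (not code from the project or from the commenter). The function names, the SSH_DEFAULT_SHELL variable name and the hard-coded C:\Windows\System32 location are assumptions; the publisher check in step 2b is not covered.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed values for this sketch; real code would ask the OS for the system directory. */
#define TRUSTED_DIR    "c:\\windows\\system32\\"  /* trailing '\' blocks "system32evil\" */
#define FALLBACK_SHELL "C:\\Windows\\System32\\cmd.exe"

/* Lower-case the path and turn '/' into '\' so spelling variants compare equal. */
static void normalize(const char *in, char *out, size_t n) {
    size_t i = 0;
    for (; in[i] != '\0' && i + 1 < n; i++)
        out[i] = (in[i] == '/') ? '\\' : (char)tolower((unsigned char)in[i]);
    out[i] = '\0';
}

/* Step 2a: return 1 only for an absolute .exe path lexically under TRUSTED_DIR.
 * String checks do not resolve junctions or symlinks; that needs OS support. */
int shell_is_trusted(const char *path) {
    char p[260];
    size_t dlen = strlen(TRUSTED_DIR), plen;
    if (path == NULL || strlen(path) >= sizeof p) return 0;
    normalize(path, p, sizeof p);
    plen = strlen(p);
    if (strncmp(p, TRUSTED_DIR, dlen) != 0) return 0;   /* relative or other dir */
    if (strstr(p + dlen, "..") != NULL) return 0;        /* ".." escapes the dir */
    if (strchr(p + dlen, ':') != NULL) return 0;         /* no stream/drive tricks */
    return plen > dlen + 4 && strcmp(p + plen - 4, ".exe") == 0;
}

/* Steps 1 and 3: use the configured shell if trusted, otherwise cmd.exe. */
const char *select_shell(const char *configured) {
    return shell_is_trusted(configured) ? configured : FALLBACK_SHELL;
}

int main(void) {
    /* SSH_DEFAULT_SHELL is a hypothetical variable name, not one the project defines. */
    const char *configured = getenv("SSH_DEFAULT_SHELL");
    printf("launching: %s\n", select_shell(configured));
    return 0;
}
```
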

@lucastheisen

Anything that can be done to make powershell the default will be good for me, but I wonder how the SSH shell from a user environment variable will get set... I usually set environment variables in my user profile, but they won't get executed until powershell starts...

@DarwinJS

Looks like powershell.exe from powershell core is not signed by Microsoft (at least beta 4), so does that mean it would have to be installed under system32 to work with OpenSSH?

What does "trusted" mean in this context?

In the past Microsoft has considered "Program Files" locations more trustworthy than user writable locations because it takes admin permissions to place something there.

@manojampalam
Contributor Author

The intention here is to address the security concern around "sshd launching malware injected arbitrary session process". Sticking with cmd.exe keeps it plain simple.

Otherwise we are trying to understand if there are any specific requirements mandating Powershell by default (apart from the convenience aspect). I see a drawback - it's difficult to adjust the Powershell session prompt (PS:>) to make it identify a remote session (like we do for cmd.exe).

BTW, Powershell could be launched straight away as follows
ssh.exe -t user@target powershell

@Scrxtchy

Scrxtchy commented Sep 3, 2017

@manojampalam was there an update to support this?
Using this command puts the local terminal in a forever waiting state.
The server then climbs CPU usage

@diogocp

diogocp commented Sep 5, 2017

@manojampalam

> Otherwise we are trying to understand if there are any specific requirements mandating Powershell by default

Git server does not work properly if cmd is the default (#752).

@manojampalam
Contributor Author

@Scrxtchy please open a new issue for what you are seeing. That's not expected (I don't see it on my end). Fill in the template and we'll take it forward.

@Rondom

Rondom commented Sep 5, 2017

Can't you set the COMSPEC variable to powershell.exe and use that? (I admit that I left Windows behind before the switch to NT/XP, so this may be outdated knowledge)

@bagajjal
Collaborator

bagajjal commented Sep 5, 2017

@Rondom - Using the COMSPEC variable is not an ideal solution.

There can be a situation where the default shell has to be PowerShell for ssh sessions but other applications still need the default shell as cmd.exe.

As mentioned earlier, one of our proposals is to use a new environment variable instead of COMSPEC.

Also, we need to add a few security checks when we start using environment variables, as any malware can modify the environment variable, thus causing a security threat.

@Rondom

Rondom commented Sep 16, 2017

> There can be a situation where the default shell has to be PowerShell for ssh sessions but other applications still needs the default shell as cmd.exe..

If there is such a use case (which one?), wouldn't it be enough to instruct those users to write their own wrapper that checks whether it is run in an SSH-session and put it into their profile?

@hsson

hsson commented Sep 18, 2017

Is there any workaround to get Powershell as default shell without breaking things like SFTP? All I can see as a solution for now is to prepend every command in our automation scripts at work with powershell.exe. This is not very ideal though. We typically execute single commands in an automated fashion with ssh Administrator@<ip> <command>

@manojampalam
Contributor Author

manojampalam commented Sep 19, 2017

Here's one proposal if it's OK to change the default shell for all users.
Support a registry entry like this:
[image]

@erichiller

What about a flag to indicate whether or not it is an interactive session? For example, in linux, I can place a stanza at the top of my .bashrc to drop non-interactive sessions out from the remainder of the config

# If not running interactively, don't do anything
# this keeps SCP (file transfer) from throwing errors -- stops here
case $- in
    *i*) ;;
      *) return;;
esac
