ssh session not working in powershell script executed from IISRSS

4 replies

Last post Mar 26, 2020 10:21 AM by lukaszK

‹ Previous Thread|Next Thread ›
  • ssh session not working in powershell script executed from IIS

    Mar 12, 2020 12:43 PM|lukaszK|LINK

    Hi,

    I encountered problem with plink or posh-ssh when used from IIS-hosted webpage.

    my environment: WindowsServer 2016 + IIS 10 + PHP v7.4.3 + Powershell 5

    I need that end-user working on his client machine accessing web page hosted on IIS server (IIS used because AD authentication is involved) and is able to see some details collected on-demand from another linux machine, by clicking particular button on web page.

    My web page launches powershell script using PHP :

    $psScriptPath = "C:\\inetpub\\wwwroot\\test\\testscript.ps1";

    $query = Shell_Exec("powershell.exe -ExecutionPolicy Bypass -NoProfile -InputFormat none -Command $psScriptPath < NUL");

    echo "returned by powershell script: <br /> $query";

    and powershell in turn opens ssh connection to given linux host and executes some commands there.

    I tried both 'plink' and Posh-SSH (New-SSHSession).

    here are my testing examples just to collect hostname of remote linux system:

    plink -ssh -batch -i "C:\Temp\mypriv.ppk" -l root $linuxhostname "hostname"

    $mycreds = New-Object System.Management.Automation.PSCredential ("root", (new-object System.Security.SecureString))

    New-SSHSession -Computer $linuxhostname -KeyFile 'C:\Temp\myprivkey2' -Credential $mycreds -AcceptKey

    Invoke-SSHCommand -SessionID 0 -Command "hostname"

    Get-SSHSession | Remove-SSHSession

    The script is working fine with both ssh options only when launched manually from powershell window directly - no matter of administrator or regular user.

    Unfortunately does not work when launched from webpage - on tcpdump it looks ssh session does not get established or even attempted (Posh-SSH). Other actions not requiring SSH session are fine also when triggered from webpage and outputs are displayed correctly on the page, only places supposed to provide SSH-based data are empty.

    please kindly advice hot to proceed with troubleshooting, since I am not too much experienced with IIS and powershell.

    BR, Lukasz

  • Re: ssh session not working in powershell script executed from IIS

    Mar 13, 2020 05:19 AM|Jalpa Panchal|LINK

    Hi,

    Does your PowerShell script generate any pop-up window that needs user interaction?

    Try to assign the iis user permission to the C:\Temp\mypriv.ppk and C:\\inetpub\\wwwroot\\test\\testscript.ps1.

    Set the application pool identity to the admin user or network service/local system.

    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue.
    If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
  • Re: ssh session not working in powershell script executed from IIS

    Mar 13, 2020 11:08 AM|lukaszK|LINK

    Hi,

    thanks for hints,

    My script is just for testing at this stage, not much actions inside, no prompts.

    right now except checking hostname from remote linux only webserver-local actions Get-ADUser and Get-Process are used just to confirm it works with anything other than ssh.

    also to avoid using key files I already tested plink in format below, but no change.

    plink -ssh -batch -pw "password" -l root 10.88.4.22 "hostname"

    my webpage is located under C:\inetpub\wwwroot\test with files access rights like follows.

    Is this correct approach for IIS environment ?

    PS C:\inetpub\wwwroot\test> dir .. | Get-acl


    Directory: C:\inetpub\wwwroot


    Path Owner Access
    ---- ----- ------
    test BUILTIN\Administrators BUILTIN\IIS_IUSRS Allow ReadAndExecute, Synchronize...
    iisstart.htm NT AUTHORITY\SYSTEM NT AUTHORITY\SYSTEM Allow FullControl...
    iisstart.png NT AUTHORITY\SYSTEM NT AUTHORITY\SYSTEM Allow FullControl...


    PS C:\inetpub\wwwroot\test> dir | Get-Acl


    Directory: C:\inetpub\wwwroot\test


    Path Owner Access
    ---- ----- ------
    index.html USERMGMT\admin BUILTIN\IIS_IUSRS Allow ReadAndExecute, Synchronize...
    index.php USERMGMT\admin BUILTIN\IIS_IUSRS Allow ReadAndExecute, Synchronize...
    index2.html BUILTIN\Administrators BUILTIN\IIS_IUSRS Allow ReadAndExecute, Synchronize...
    test.php USERMGMT\admin BUILTIN\IIS_IUSRS Allow ReadAndExecute, Synchronize...
    test2.php USERMGMT\admin BUILTIN\IIS_IUSRS Allow ReadAndExecute, Synchronize...
    test3.php USERMGMT\admin BUILTIN\IIS_IUSRS Allow ReadAndExecute, Synchronize...
    testscript.ps1 USERMGMT\admin BUILTIN\IIS_IUSRS Allow ReadAndExecute, Synchronize...
    testscript1.ps1 BUILTIN\Administrators BUILTIN\IIS_IUSRS Allow ReadAndExecute, Synchronize...
    web.config BUILTIN\Administrators BUILTIN\IIS_IUSRS Allow ReadAndExecute, Synchronize...

    I tried with changing the Application pool Identitity of my IIS site  to NetworkService and to local admin user. but no change. Any restart/reload is needed to apply changes, btw ? i tried 'recycle'

    having in mind long chain of tools involved in my solution IIS->PHP->powershell->SSH-to-linux, to narrow the investigation

    i prepared test3.php script listed below to trigger the powershell, just like webpage is doing. launching the script manually from cmd or powershell window (both as regular or admin user) returns good output with data sucessfully fetched via ssh from remote linux host.

    To my uderstanding the issue is located somewhere in how or with what rights the IIS is executing the script.

    <?php

    $psScriptPath = "C:\\inetpub\\wwwroot\\test\\testscript.ps1";$query = Shell_Exec("powershell.exe -ExecutionPolicy Bypass -NoProfile -InputFormat none -Command $psScriptPath < NUL");
    echo "returned by powershell script: <br /> $query";

    ?>

  • Re: ssh session not working in powershell script executed from IIS

    Mar 20, 2020 08:46 AM|Jalpa Panchal|LINK

    Hi,

    You could try to host PHP on Apache to see if the same issue happens on the apache server or not.

    if it works to try to create a simple hello world PowerShell script and try to run.

    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue.
    If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
  • Re: ssh session not working in powershell script executed from IIS

    Mar 26, 2020 10:21 AM|lukaszK|LINK

    Hi,

    actually i took the ssh-related actions out of powershell script and inserted them directly into php using ssh2_exec functions.

    I am not happy to have some actions inside script and other actions directly in php code on web page but works at least as workaround.

‹ Previous Thread|Next Thread ›