How to Prevent Access to Unrestricted Shell in a JEA Configuration on Windows Server?

Asked By CuriousCoder92 On

I'm having some trouble with my Windows Server 2022 setup. I'm trying to configure a Just Enough Administration (JEA) PSSessionConfiguration under an SSH server, but I'm running into an issue where connected users can drop out into an unrestricted PowerShell shell whenever they type `exit`. I'm using a non-admin user, `vmcontrol`, and the JEA session is restricted to a few specific functions: `Get-VM`, `Start-VM`, `Stop-VM`, and `Restart-VM`. I want to ensure that when users exit the JEA session, the entire SSH session closes instead of allowing them to access normal PowerShell commands. I've fiddled with the SSH configuration and even looked into overriding `Exit-PSSession` with a StartupScript to terminate the SSH session cleanly, but I'm wondering if there's a better approach or if I should stick with that idea. Any thoughts?

3 Answers

Answered By PowerShellPro34 On

I’m curious why you chose SSH over WinRM in the first place? WinRM is typically easier to manage for this kind of setup because it’s built into Windows. Just wondering what your use case is!

CuriousCoder92 -

I initially thought SSH would make for a simpler solution since I’ve been using it on Debian for a while. I needed a way to control the VM through a web interface, and thought SSH would fit best. After looking deeper, I think WinRM might be the better route, though!

Answered By ScriptingNinja79 On

Have you thought about creating a mock function for the user that invokes a command using the same JEA session? While it’s not a perfect fix, it might help with keeping users from accidentally launching into an unrestricted environment. Also, SSH can be tricky with how it ends remote sessions, but you could set it up to close automatically when the child process finishes.

Answered By TechWhiz55 On

It’s important to note that JEA isn’t officially supported over SSH. You might want to consider switching to WinRM for your session configurations. It seems like using WinRM aligns more naturally with how `Enter-PSSession` is supposed to work anyway. Check out Microsoft's documentation for alternatives—might save you some headaches!

CuriousCoder92 -

Thanks for the heads-up! I missed that detail in the documentation. I'm going to explore WinRM since I really don't want to keep hitting this wall with SSH.
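
An added example, not part of the original thread or of Microsoft's documentation: one way to publish the four Hyper-V cmdlets from the question as a JEA endpoint over WinRM, as the answer above suggests. The module name `VMControlJEA`, role name `VMOperator`, endpoint name `VMControl` and the file paths are assumptions.

```powershell
# Added example. Module, role and endpoint names and all paths are assumptions.
#Requires -RunAsAdministrator
$module   = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\VMControlJEA'
$roleDir  = Join-Path $module 'RoleCapabilities'
$confDir  = Join-Path $env:ProgramData 'JEAConfiguration'
$pssc     = Join-Path $confDir 'VMControl.pssc'
$operator = "$env:COMPUTERNAME\vmcontrol"   # the local non-admin account from the question

# JEA looks up role capability files in a "RoleCapabilities" folder inside a module.
New-Item -ItemType Directory -Path $roleDir, $confDir, "$confDir\Transcripts" -Force | Out-Null
New-Item -ItemType File -Path "$module\VMControlJEA.psm1" -Force | Out-Null
New-ModuleManifest -Path "$module\VMControlJEA.psd1" -RootModule 'VMControlJEA.psm1'

# Role: only the four Hyper-V cmdlets are visible, module-qualified so a
# same-named command from another module cannot be picked up instead.
New-PSRoleCapabilityFile -Path "$roleDir\VMOperator.psrc" -VisibleCmdlets @(
    'Hyper-V\Get-VM', 'Hyper-V\Start-VM', 'Hyper-V\Stop-VM', 'Hyper-V\Restart-VM')

# Endpoint: RestrictedRemoteServer gives NoLanguage mode plus a small default
# command set (Exit-PSSession, Get-Command, Get-Help, ...). Commands run as a
# temporary virtual account, which is a local administrator by default, so the
# visible cmdlet list is the real privilege boundary. Every session is transcribed.
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory "$confDir\Transcripts" `
    -RoleDefinitions @{ $operator = @{ RoleCapabilities = 'VMOperator' } }

# Validate before registering; registering restarts the WinRM service.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Session configuration file failed validation: $pssc"
}
Register-PSSessionConfiguration -Name 'VMControl' -Path $pssc -Force | Out-Null

# Check: list exactly what the operator account can run through this endpoint.
Get-PSSessionCapability -ConfigurationName 'VMControl' -Username $operator |
    Sort-Object Name | Format-Table Name, CommandType

# Client side (server name is a placeholder):
#   Enter-PSSession -ComputerName <server> -ConfigurationName VMControl -Credential vmcontrol
```

With this setup the restricted endpoint is the whole remote session, so `Exit-PSSession` ends the connection and returns the caller to the prompt on their own machine. Keep `vmcontrol` out of the local Administrators and Remote Management Users groups so the default `Microsoft.PowerShell` endpoint stays closed to it.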
