Overview
This article is an overview of using a bastion host (proxy server) to execute PowerShell scripts via the OneFuse Scripting module. The goal is to provide a sample framework that can be modified based on environmental requirements.
Considerations
This method allows for connection over PowerShell/WinRM to a target server. This supports execution of scripts on provisioned nodes that do not have SSH running. Currently the Scripting module only supports OpenSSH connection types on Windows servers. The OneFuse appliance therefore needs WinSSH access to the bastion host (TCP 22) to copy and execute the desired PowerShell script, and the bastion host then uses WinRM (TCP 5985, 5986) to reach the provisioned node. See Additional Information below for a link to the Microsoft documentation on running Enable-PSRemoting on the Windows guest.
Disclaimer: the code provided in the walk-through is a sample only. It should be thoroughly reviewed and tested by those referencing it.
Procedure
Option 1: Basic PowerShell Remoting to Target server (assumes passthrough authorization)
In the OneFuse Scripting Policy, copy and paste the following script into the “Launch Command” field:
powershell -ExecutionPolicy Bypass -File {{ scriptName }}
In the OneFuse Scripting Policy, copy and paste the following script into the “Script Template” field:
    Invoke-Command -ComputerName {{hostname}} -ScriptBlock {
        $path = "C:\Test_Script_Folder"
        New-Item -Path $path -ItemType "directory" -Force
        New-Item -Path $path -Name OneFuseExecution.txt -ItemType "file" -Value "This is an example script policy to execute on {{hostname}}."
    }
Modify the code within the “ScriptBlock {}” with functional PowerShell code.
Note: PowerShell code should be tested locally on the bastion server to ensure functionality.
Option 2: PS Remoting to allow different User Authorization and/or Authentication method
In the OneFuse Scripting Policy, copy and paste the following script into the “Launch Command” field:
powershell -ExecutionPolicy Bypass -File {{ scriptName }}
In the OneFuse Scripting Policy, copy and paste the following script into the “Script Template” field:
    param (
        $ComputerName,
        $Username,
        $Password
    )

    # Authentication can be changed to CredSSP (needs to be configured). Kerberos is the easier option
    $Authentication = "Kerberos"

    # Determining which credentials to use based on what was passed in as a parameter
    if ($Username -and $Password) {
        # The password arrives as plain text here and is converted to a SecureString
        $SecurePassword = ConvertTo-SecureString $Password -AsPlainText -Force
        $Credential = New-Object System.Management.Automation.PSCredential ($Username, $SecurePassword)
        Write-Host "Creating Credential Object"
    }
    else {
        # Fall back to a stored account. The file holds ConvertFrom-SecureString output,
        # which is an encrypted string (not a hash) despite the wording of the message below.
        $Username = "[username@domain]"
        $File = "C:\SovLabs\Password.txt"
        $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $Username, (Get-Content $File | ConvertTo-SecureString)
        Write-Host "Generating Credential Object using hashed password from $File"
    }

    # Running commands on the target computer
    Invoke-Command -ComputerName $ComputerName -Authentication $Authentication -Credential $Credential -ScriptBlock {
        $path = "C:\Test_Script_Folder"
        New-Item -Path $path -ItemType "directory" -Force
        New-Item -Path $path -Name target_build_info2.txt -ItemType "file" -Value "This is a text string."
    }
If desired, change the authentication method or create the password file referenced in the code above. Modify the code within the “ScriptBlock {}” with functional PowerShell code.
Note: PowerShell code should be tested locally on the bastion server to ensure functionality.
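One way to create the password file that the Option 2 script reads, shown as an added example that is not part of the original article or OneFuse's own code. It assumes the file is created on the bastion host by the same Windows account that later runs the script; the path and the username placeholder are taken from the Option 2 script.

```powershell
# Added example: create the password file that Option 2 reads.
# ConvertFrom-SecureString without -Key protects the value with Windows DPAPI,
# so only the same user on the same machine can decrypt it later.
# Assumption: this runs on the bastion host as the account OneFuse logs in with.

$File     = "C:\SovLabs\Password.txt"   # path used by the Option 2 script
$Username = "[username@domain]"         # placeholder, same as in Option 2

# Create the folder if it does not exist yet
$Folder = Split-Path -Path $File -Parent
if (-not (Test-Path -Path $Folder)) {
    New-Item -Path $Folder -ItemType Directory | Out-Null
}

# Prompt for the password so it never appears in command history or arguments
$Secure = Read-Host -Prompt "Password for $Username" -AsSecureString

# Write the encrypted (not hashed) representation to the file
$Secure | ConvertFrom-SecureString | Set-Content -Path $File -Encoding ASCII

# Drop inherited permissions and grant read access to the current user only
$Me = "$($env:USERDOMAIN)\$($env:USERNAME)"
icacls $File /inheritance:r /grant:r "${Me}:(R)" | Out-Null

# Round-trip check: read the file back the same way Option 2 does
try {
    $Readback   = Get-Content -Path $File | ConvertTo-SecureString -ErrorAction Stop
    $Credential = New-Object System.Management.Automation.PSCredential ($Username, $Readback)
    Write-Host "Password file OK for $($Credential.UserName)"
}
catch {
    # Typical cause: the file was created by a different user or on another host
    Write-Error "Cannot decrypt $File as $Me on $env:COMPUTERNAME : $_"
}
```

Repeat the round-trip check from an SSH session to the bastion host under that account, since that is how the OneFuse appliance will run the script.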
Additional information
See Microsoft Enable-PSRemoting https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.1
See OneFuse Scripting for vRA7: https://docs.cloudbolt.io/articles/#!onefuse-upstream-platforms-latest/vmware-vrealize-automation-7-and-scripting
See OneFuse Scripting for vRA8: https://docs.cloudbolt.io/articles/#!onefuse-upstream-platforms-latest/vmware-vrealize-automation-8
See OneFuse Scripting for Terraform: https://docs.cloudbolt.io/articles/#!onefuse-upstream-platforms-latest/scripting