Welcome to the Chocolatey Community Package Repository! The packages found in this section of the site are provided, maintained, and moderated by the community.
Moderation
Every version of each package undergoes a rigorous moderation process before it goes live that typically includes:
- Security, consistency, and quality checking
- Installation testing
- Virus checking through VirusTotal
- Human moderators who give final review and sign off
More detail at Security and Moderation.
Organizational Use
If you are an organization using Chocolatey, we want your experience to be fully reliable. Due to the nature of this publicly offered repository, reliability cannot be guaranteed. Packages offered here are subject to distribution rights, which means they may need to reach out further to the internet to the official locations to download files at runtime.
Fortunately, distribution rights do not apply for internal use. With any edition of Chocolatey (including the free open source edition), you can host your own packages and cache or internalize existing community packages.
Disclaimer
Your use of the packages on this site means you understand they are not supported or guaranteed in any way.
Step 1: Review Your Packages
Step 2: Choose Your Integration Method
Step 3: Enter Your Internal Repository Url
(this should look similar to https://community.chocolatey.org/api/v2/)
Step 3 (alternative, when the chosen integration method offers a config download): Copy Your Script or Download Config
Option 1: Copy Script
Option 2: Download Config
Step 4: Setup Your Environment
1. Ensure you are set for organizational deployment
Please see the organizational deployment guide
2. Get the package into your environment
Option 1: Cached Package (Unreliable, Requires Internet - Same As Community)
Open Source or Commercial:
- Proxy Repository - Create a proxy nuget repository on Nexus, Artifactory Pro, or a proxy Chocolatey repository on ProGet. Point your upstream to https://community.chocolatey.org/api/v2/. Packages cache on first access automatically. Make sure your choco clients are using your proxy repository as a source and NOT the default community repository. See source command for more information.
- You can also just download the packages and push them to a repository (Download Packages).
Option 2: Internalized Package
Open Source:
- Download the packages: Download Packages - Follow manual internalization instructions
Package Internalizer (C4B):
- Run: (additional options)
- For package and dependencies run: (additional options)
- Automate package internalization
Step 5: Copy Your Script
See options you can pass to upgrade.
See best practices for scripting.
Add this to a PowerShell script, or use a Batch script with tools and in places where you are calling Chocolatey directly. If you are integrating with another tool, keep in mind Chocolatey's enhanced exit codes: some non-zero codes mean "succeeded, but a reboot is needed" rather than failure.
If you do use a PowerShell script, check $LASTEXITCODE after every choco call so that bad exit codes are surfaced as failures instead of being silently ignored.
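As an added example (not the page's own snippet, which is not reproduced here), the following PowerShell wrapper shows one way to treat Chocolatey exit codes correctly: it captures $LASTEXITCODE after each upgrade, distinguishes the documented "success but reboot" codes 1641 and 3010 from real failures, and makes the calling script fail loudly instead of returning success. The source name ChocolateyInternal matches the internal-repository setup used throughout this page; the package names in the usage call are placeholders.

```powershell
# Added example: run `choco upgrade` from a deployment script without losing
# failures. Assumes choco.exe is on PATH and an internal source named
# 'ChocolateyInternal' is configured (as in the setup script on this page).

# Chocolatey reports these non-zero codes for runs that succeeded but left a
# reboot pending: 1641 = success, reboot initiated; 3010 = success, reboot required.
# Any other non-zero code is treated as a failure here.
$ChocoRebootExitCodes = @(1641, 3010)

function Invoke-ChocoUpgrade {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $PackageName,
        [string] $Source = 'ChocolateyInternal'
    )
    foreach ($pkg in $PackageName) {
        & choco upgrade $pkg --source $Source --yes --no-progress --limit-output
        # Read the exit code immediately; any later native command overwrites it.
        $code = $LASTEXITCODE
        [pscustomobject]@{
            Package     = $pkg
            ExitCode    = $code
            Succeeded   = ($code -eq 0 -or $code -in $ChocoRebootExitCodes)
            NeedsReboot = ($code -in $ChocoRebootExitCodes)
        }
    }
}

# Usage: upgrade the packages, fail the script on the first real failure, and
# pass the reboot requirement up to the caller rather than hiding it.
$outcome = Invoke-ChocoUpgrade -PackageName 'git', '7zip'   # placeholder package names
$failed  = @($outcome | Where-Object { -not $_.Succeeded })
if ($failed.Count -gt 0) {
    foreach ($f in $failed) { Write-Error "choco upgrade $($f.Package) failed with exit code $($f.ExitCode)" }
    exit $failed[0].ExitCode
}
if (@($outcome | Where-Object { $_.NeedsReboot }).Count -gt 0) {
    Write-Warning 'One or more packages require a reboot to finish installing.'
    exit 3010
}
exit 0
```

If you enable the useEnhancedExitCodes feature, Chocolatey emits further informational non-zero codes; add each one you want to tolerate to the lookup explicitly rather than widening the success check to "anything non-fatal".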
## 1. REQUIREMENTS ##
### Here are the requirements necessary to ensure this is successful.
### a. Internal/Private Cloud Repository Set Up ###
#### You'll need an internal/private cloud repository you can use. These are
#### generally really quick to set up and there are quite a few options.
#### Chocolatey Software recommends Nexus, Artifactory Pro, or ProGet as they
#### are repository servers and will give you the ability to manage multiple
#### repositories and types from one server installation.
### b. Download Chocolatey Package and Put on Internal Repository ###
#### You need to have downloaded the Chocolatey package as well.
#### Please see https://chocolatey.org/install#organization
### c. Other Requirements ###
#### We initialize a few things that are needed by this script - there are no other requirements.
$ErrorActionPreference = "Stop"
#### Set TLS 1.2 (3072) as that is the minimum required by various up-to-date repositories.
#### Use integers because the enumeration value for TLS 1.2 won't exist
#### in .NET 4.0, even though they are addressable if .NET 4.5+ is
#### installed (.NET 4.5 is an in-place upgrade).
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072
#### We use this variable for future REST calls.
$RequestArguments = @{
UseBasicParsing = $true
}
## 2. TOP LEVEL VARIABLES ##
### a. Your internal repository url (the main one). ###
#### Should be similar to what you see when you browse
#### to https://community.chocolatey.org/api/v2/
$NugetRepositoryUrl = "INTERNAL REPO URL"
### b. Internal Repository Credential ###
#### If required, add the repository access credential here.
#### Do not leave a real password in this script: inject it at deploy time
#### (for example from your orchestrator's secret store) so it is never
#### stored in the script on disk or in source control.
# $NugetRepositoryCredential = [PSCredential]::new(
#     "username",
#     ("password" | ConvertTo-SecureString -AsPlainText -Force)
# )
# $RequestArguments.Credential = $NugetRepositoryCredential
### c. Chocolatey nupkg download url ###
#### This url should result in an immediate download when you navigate to it
$ChocolateyDownloadUrl = "$($NugetRepositoryUrl.TrimEnd('/'))/package/chocolatey.1.1.0.nupkg"
### d. Chocolatey Central Management (CCM) ###
#### If using CCM to manage Chocolatey, add the following:
#### i. Endpoint URL for CCM
# $ChocolateyCentralManagementUrl = "https://chocolatey-central-management:24020/ChocolateyManagementService"
#### ii. If using a Client Salt, add it here
# $ChocolateyCentralManagementClientSalt = "clientsalt"
#### iii. If using a Service Salt, add it here
# $ChocolateyCentralManagementServiceSalt = "servicesalt"
## 3. ENSURE CHOCOLATEY IS INSTALLED ##
### Ensure Chocolatey is installed from your internal repository
#### Download the Nupkg, appending .zip to the filename to handle archive cmdlet limitations
if (-not (Get-Command choco.exe -ErrorAction SilentlyContinue)) {
    $TempDirectory = Join-Path $env:Temp "chocolateyInstall"
    if (-not (Test-Path $TempDirectory -PathType Container)) {
        $null = New-Item -Path $TempDirectory -ItemType Directory
    }
    $DownloadedNupkg = Join-Path $TempDirectory "$(Split-Path $ChocolateyDownloadUrl -Leaf).zip"
    Invoke-WebRequest -Uri $ChocolateyDownloadUrl -OutFile $DownloadedNupkg @RequestArguments
    #### Extract the Nupkg, and run the chocolateyInstall script
    if (Get-Command Microsoft.PowerShell.Archive\Expand-Archive -ErrorAction SilentlyContinue) {
        Microsoft.PowerShell.Archive\Expand-Archive -Path $DownloadedNupkg -DestinationPath $TempDirectory -Force
    } else {
        # PowerShell versions <4.0 do not have this function available
        try {
            $shellApplication = New-Object -ComObject Shell.Application
            $zipPackage = $shellApplication.NameSpace($DownloadedNupkg)
            $destinationFolder = $shellApplication.NameSpace($TempDirectory)
            $destinationFolder.CopyHere($zipPackage.Items(), 0x10)
        } catch {
            Write-Warning "Unable to unzip package using built-in compression."
            throw $_
        }
    }
    & $(Join-Path $TempDirectory "tools\chocolateyInstall.ps1")
}
if (-not (Get-Command choco.exe -ErrorAction SilentlyContinue)) {
    #### choco.exe is installed but not yet on this session's PATH. refreshenv is
    #### provided by the Chocolatey profile module, which may not be loaded yet.
    if (-not (Get-Command refreshenv -ErrorAction SilentlyContinue)) {
        $ChocolateyInstall = if ($env:ChocolateyInstall) { $env:ChocolateyInstall } else { Join-Path $env:ProgramData "chocolatey" }
        Import-Module (Join-Path $ChocolateyInstall "helpers\chocolateyProfile.psm1")
    }
    refreshenv
}
## 4. CONFIGURE CHOCOLATEY BASELINE ##
### a. FIPS Feature ###
#### If you need FIPS compliance - make this the first thing you configure
#### before you do any additional configuration or package installations
# choco feature enable -n useFipsCompliantChecksums
### b. Apply Recommended Configuration ###
#### Move cache location so Chocolatey is very deterministic about
#### cleaning up temporary data and the location is secured to admins
choco config set --name cacheLocation --value C:\ProgramData\chocolatey\cache
#### Increase timeout to at least 4 hours
choco config set --name commandExecutionTimeoutSeconds --value 14400
#### Turn off download progress when running choco through integrations
choco feature disable --name showDownloadProgress
### c. Sources ###
#### Remove the default community package repository source
choco source list --limitoutput | ConvertFrom-Csv -Header 'Name', 'Location' -Delimiter '|' | ForEach-Object {
    if ($_.Location -eq 'https://community.chocolatey.org/api/v2/') {
        choco source remove -n $_.Name
    }
}
#### Add internal default sources
#### You could have multiple sources here, so we will provide an example
#### of one using the remote repo variable here
#### NOTE: This EXAMPLE may require changes
#### Chocolatey encrypts the password it stores in chocolatey.config, but the
#### plaintext still passes through the choco.exe command line below. Run this
#### where command lines are not logged or visible to other users.
if ($NugetRepositoryCredential) {
    choco source add --name ChocolateyInternal --source $NugetRepositoryUrl --user $NugetRepositoryCredential.UserName --password $NugetRepositoryCredential.GetNetworkCredential().Password --priority 1
} else {
    choco source add --name ChocolateyInternal --source $NugetRepositoryUrl --priority 1
}
### d. Keep Chocolatey Up To Date ###
#### Keep chocolatey up to date based on your internal source
#### You control the upgrades based on when you push an updated version
#### to your internal repository.
#### Note the source here is to the OData feed, similar to what you see
#### when you browse to https://community.chocolatey.org/api/v2/
choco upgrade chocolatey --confirm
## 5. ENSURE CHOCOLATEY FOR BUSINESS ##
### If you don't have Chocolatey for Business (C4B), you'll want to remove from here down.
### a. Ensure The License File Is Installed ###
#### Create a license package using script from https://docs.chocolatey.org/en-us/how-tos/setup-offline-installation#exercise-4-create-a-package-for-the-license
choco install chocolatey-license --source $NugetRepositoryUrl --confirm
### b. Disable The Licensed Source ###
#### The licensed source cannot be removed, so it must be disabled.
#### This must occur after the license has been set by the license package.
if ("chocolatey-license" -in (choco list --localonly --limitoutput | ConvertFrom-Csv -Header "Name" -Delimiter "|").Name) {
    choco source disable --name chocolatey.licensed
} else {
    Write-Warning "Not disabling 'chocolatey.licensed' feed, as Chocolatey-License has not been installed."
}
### c. Ensure Chocolatey Licensed Extension ###
#### You will have downloaded the licensed extension to your internal repository
#### as you have disabled the licensed repository in step 5b.
#### Ensure the chocolatey.extension package (aka Chocolatey Licensed Extension)
if ("chocolatey-license" -in (choco list --localonly --limitoutput | ConvertFrom-Csv -Header "Name" -Delimiter "|").Name) {
    choco install chocolatey.extension --source $NugetRepositoryUrl --confirm
} else {
    Write-Warning "Not installing 'chocolatey.extension', as Chocolatey-License has not been installed."
}
#### The Chocolatey Licensed Extension unlocks all of the following, which also have configuration/feature items available with them. You may want to visit the feature pages to see what you might want to also enable:
#### - Package Builder - https://docs.chocolatey.org/en-us/features/paid/package-builder
#### - Package Internalizer - https://docs.chocolatey.org/en-us/features/paid/package-internalizer
#### - Package Synchronization (3 components) - https://docs.chocolatey.org/en-us/features/paid/package-synchronization
#### - Package Reducer - https://docs.chocolatey.org/en-us/features/paid/package-reducer
#### - Package Audit - https://docs.chocolatey.org/en-us/features/paid/package-audit
#### - Package Throttle - https://docs.chocolatey.org/en-us/features/paid/package-throttle
#### - CDN Cache Access - https://docs.chocolatey.org/en-us/features/paid/private-cdn
#### - Branding - https://docs.chocolatey.org/en-us/features/paid/branding
#### - Self-Service Anywhere (more components will need to be installed and additional configuration will need to be set) - https://docs.chocolatey.org/en-us/features/paid/self-service-anywhere
#### - Chocolatey Central Management (more components will need to be installed and additional configuration will need to be set) - https://docs.chocolatey.org/en-us/features/paid/chocolatey-central-management
#### - Other - https://docs.chocolatey.org/en-us/features/paid/
### d. Ensure Self-Service Anywhere ###
#### If you have desktop clients where users are not administrators, you may
#### want to take advantage of deploying and configuring Self-Service Anywhere
choco feature disable --name showNonElevatedWarnings
choco feature enable --name useBackgroundService
choco feature enable --name useBackgroundServiceWithNonAdministratorsOnly
choco feature enable --name allowBackgroundServiceUninstallsFromUserInstallsOnly
#### Restrict which commands non-administrators may run through the background
#### service (the config key is backgroundServiceAllowedCommands, as in the
#### Ansible and Chef variants below)
choco config set --name backgroundServiceAllowedCommands --value "install,upgrade,uninstall"
### e. Ensure Chocolatey Central Management ###
#### If you want to manage and report on endpoints, you can set up and configure
#### Central Management. There are multiple portions to manage, so you'll see
#### a section on agents here along with notes on how to configure the server
#### side components.
if ($ChocolateyCentralManagementUrl) {
    choco install chocolatey-agent --source $NugetRepositoryUrl --confirm
    choco config set --name CentralManagementServiceUrl --value $ChocolateyCentralManagementUrl
    if ($ChocolateyCentralManagementClientSalt) {
        choco config set --name centralManagementClientCommunicationSaltAdditivePassword --value $ChocolateyCentralManagementClientSalt
    }
    if ($ChocolateyCentralManagementServiceSalt) {
        choco config set --name centralManagementServiceCommunicationSaltAdditivePassword --value $ChocolateyCentralManagementServiceSalt
    }
    choco feature enable --name useChocolateyCentralManagement
    choco feature enable --name useChocolateyCentralManagementDeployments
}
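The script above configures sources and features but never verifies that the result is what you intended (community feed gone, internal repository first and over HTTPS, progress output off). The following is an added example, not part of the page's script, of a post-deployment check that parses the pipe-delimited limit-output of `choco source list -r` and `choco feature list -r` with the same ConvertFrom-Csv approach the script uses in its Sources section. The column layouts are an assumption about Chocolatey 1.x output and should be confirmed against one real host before relying on them; the internal repository URL and service-account name in the sample rows are placeholders.

```powershell
# Added example: verify the source/feature baseline set by the script above.
$CommunityFeed = 'https://community.chocolatey.org/api/v2/'

# Assumed column layouts for `choco source list -r` and `choco feature list -r`
# (Chocolatey 1.x limit-output mode). Verify once against a real machine.
$SourceColumns  = 'Name', 'Location', 'Disabled', 'UserName', 'Certificate',
                  'Priority', 'BypassProxy', 'AllowSelfService', 'AdminOnly'
$FeatureColumns = 'Name', 'State', 'Description'

function ConvertFrom-ChocoTable {
    param([string[]] $Lines, [string[]] $Columns)
    # Keep only pipe-delimited rows; choco may print warnings on other lines.
    @($Lines | Where-Object { $_ -match '\|' } | ConvertFrom-Csv -Header $Columns -Delimiter '|')
}

function Get-SourcePriority([string] $Text) {
    # Priority 0 means "no priority" and is consulted after every positive priority.
    $p = 0; [void][int]::TryParse($Text, [ref]$p); $p
}

function Test-ChocolateyBaseline {
    param(
        [Parameter(Mandatory)] [string] $InternalRepositoryUrl,
        # Defaults read the live CLI; pass captured lines to check offline.
        [string[]] $SourceLines  = (& choco source list -r),
        [string[]] $FeatureLines = (& choco feature list -r)
    )
    $sources  = ConvertFrom-ChocoTable -Lines $SourceLines  -Columns $SourceColumns
    $features = ConvertFrom-ChocoTable -Lines $FeatureLines -Columns $FeatureColumns
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. No enabled source may still point at the public community feed.
    foreach ($s in $sources) {
        if ($s.Location.TrimEnd('/') -eq $CommunityFeed.TrimEnd('/') -and $s.Disabled -ne 'True') {
            $findings.Add("source '$($s.Name)' still points at the community feed")
        }
    }

    # 2. The internal repository must exist, be enabled, use HTTPS, and be consulted first.
    $internal = $sources | Where-Object { $_.Location.TrimEnd('/') -eq $InternalRepositoryUrl.TrimEnd('/') } | Select-Object -First 1
    if (-not $internal) {
        $findings.Add("internal repository $InternalRepositoryUrl is not configured as a source")
    } else {
        if ($internal.Disabled -eq 'True')           { $findings.Add("internal source '$($internal.Name)' is disabled") }
        if ($internal.Location -notmatch '^https://') { $findings.Add("internal source '$($internal.Name)' is not served over HTTPS") }
        $priority = Get-SourcePriority $internal.Priority
        if ($priority -lt 1) { $findings.Add("internal source '$($internal.Name)' has no priority set") }
        # Lower positive priority wins, so any enabled source with 1 <= priority < ours is tried first.
        $sources | Where-Object { $_.Name -ne $internal.Name -and $_.Disabled -ne 'True' } |
            Where-Object { $p = Get-SourcePriority $_.Priority; $p -ge 1 -and $p -lt $priority } |
            ForEach-Object { $findings.Add("source '$($_.Name)' (priority $($_.Priority)) is consulted before the internal repository") }
    }

    # 3. Feature states that the baseline above sets.
    $expected = @{ showDownloadProgress = 'Disabled' }
    foreach ($name in $expected.Keys) {
        $f = $features | Where-Object { $_.Name -eq $name } | Select-Object -First 1
        if (-not $f)                           { $findings.Add("feature '$name' was not reported") }
        elseif ($f.State -ne $expected[$name]) { $findings.Add("feature '$name' is $($f.State), expected $($expected[$name])") }
    }

    [pscustomobject]@{ Passed = ($findings.Count -eq 0); Findings = $findings.ToArray() }
}

# Constructed sample output (not captured from a real host) so the checks run offline.
$sampleSources = @(
    'chocolatey|https://community.chocolatey.org/api/v2/|False|||0|False|False|False',
    'ChocolateyInternal|https://nexus.corp.example/repository/choco-internal/|False|svc-choco||1|False|False|False'
)
$sampleFeatures = @(
    'showDownloadProgress|Enabled|Show download progress when downloading.',
    'useFipsCompliantChecksums|Disabled|Use FIPS compliant checksums.'
)
$result = Test-ChocolateyBaseline -InternalRepositoryUrl 'https://nexus.corp.example/repository/choco-internal/' `
                                  -SourceLines $sampleSources -FeatureLines $sampleFeatures
# With this sample there are two findings: the community source was never removed
# and showDownloadProgress is still enabled.
$result.Findings | ForEach-Object { Write-Warning $_ }
if (-not $result.Passed) { exit 1 }
```

Against a live machine, omit -SourceLines and -FeatureLines so the function reads the real CLI output; run it at the end of the deployment script, or as a scheduled compliance check, so a machine that quietly re-acquired the community source is flagged rather than left pulling packages from the internet.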
Ansible: See docs at https://docs.ansible.com/ansible/latest/modules/win_chocolatey_module.html.
If Applicable - Chocolatey Configuration/Installation
## 1. REQUIREMENTS ##
### Here are the requirements necessary to ensure this is successful.
### a. Internal/Private Cloud Repository Set Up ###
#### You'll need an internal/private cloud repository you can use. These are
#### generally really quick to set up and there are quite a few options.
#### Chocolatey Software recommends Nexus, Artifactory Pro, or ProGet as they
#### are repository servers and will give you the ability to manage multiple
#### repositories and types from one server installation.
### b. Download Chocolatey Package and Put on Internal Repository ###
#### You need to have downloaded the Chocolatey package as well.
#### Please see https://chocolatey.org/install#organization
### c. Other Requirements ###
#### i. chocolatey.chocolatey
##### You will require the chocolatey.chocolatey collection to be installed
##### on all machines using this playbook.
##### Please see https://github.com/chocolatey/chocolatey-ansible/#installing-the-collection-from-ansible-galaxy
- name: Install and Configure Chocolatey
  hosts: all
  ## 2. TOP LEVEL VARIABLES ##
  vars:
    ### a. Your internal repository url (the main one). ###
    #### Should be similar to what you see when you browse
    #### to https://community.chocolatey.org/api/v2/
    nuget_repository_url: INTERNAL REPO URL
    ### b. Internal Repository Credential ###
    #### If required, add the repository access credential here and
    #### uncomment lines with source_username and source_password below.
    #### Keep the real values in Ansible Vault rather than in this file.
    # nuget_repository_username: username
    # nuget_repository_password: password
    ### c. Chocolatey Central Management (CCM) ###
    #### If using CCM to manage Chocolatey, add the following:
    #### i. Endpoint URL for CCM
    # chocolatey_central_management_url: https://chocolatey-central-management:24020/ChocolateyManagementService
    #### ii. If using a Client Salt, add it here
    # chocolatey_central_management_client_salt: clientsalt
    #### iii. If using a Service Salt, add it here
    # chocolatey_central_management_service_salt: servicesalt
  ## 3. ENSURE CHOCOLATEY IS INSTALLED ##
  ### Ensure Chocolatey is installed from your internal repository
  tasks:
    - name: Install chocolatey
      win_chocolatey:
        name: chocolatey
        source: "{{ nuget_repository_url }}"
        # source_username: "{{ nuget_repository_username }}"
        # source_password: "{{ nuget_repository_password }}"
    ## 4. CONFIGURE CHOCOLATEY BASELINE ##
    ### a. FIPS Feature ###
    #### If you need FIPS compliance - make this the first thing you configure
    #### before you do any additional configuration or package installations
    # - name: Enable FIPS compliance
    #   win_chocolatey_feature:
    #     name: useFipsCompliantChecksums
    #     state: enabled
    ### b. Apply Recommended Configuration ###
    #### Move cache location so Chocolatey is very deterministic about
    #### cleaning up temporary data and the location is secured to admins
    - name: Set the cache location
      win_chocolatey_config:
        name: cacheLocation
        state: present
        value: C:\ProgramData\chocolatey\cache
    #### Increase timeout to at least 4 hours
    - name: Set the command execution timeout
      win_chocolatey_config:
        name: commandExecutionTimeoutSeconds
        state: present
        value: 14400
    #### Turn off download progress when running choco through integrations
    - name: Disable showing download progress
      win_chocolatey_feature:
        name: showDownloadProgress
        state: disabled
    ### c. Sources ###
    #### Remove the default community package repository source
    - name: Remove Chocolatey Community Repository
      win_chocolatey_source:
        name: chocolatey
        state: absent
    #### Add internal default sources
    #### You could have multiple sources here, so we will provide an example
    #### of one using the remote repo variable here
    #### NOTE: This EXAMPLE may require changes
    - name: Add Internal Repository
      win_chocolatey_source:
        name: ChocolateyInternal
        state: present
        source: "{{ nuget_repository_url }}"
        # source_username: "{{ nuget_repository_username }}"
        # source_password: "{{ nuget_repository_password }}"
        priority: 1
    ### d. Keep Chocolatey Up To Date ###
    #### Keep chocolatey up to date based on your internal source
    #### You control the upgrades based on when you push an updated version
    #### to your internal repository.
    #### Note the source here is to the OData feed, similar to what you see
    #### when you browse to https://community.chocolatey.org/api/v2/
    - name: Upgrade Chocolatey
      win_chocolatey:
        name: chocolatey
        state: latest
    ## 5. ENSURE CHOCOLATEY FOR BUSINESS ##
    ### If you don't have Chocolatey for Business (C4B), you'll want to remove from here down.
    ### a. Ensure The License File Is Installed ###
    #### Create a license package using script from https://docs.chocolatey.org/en-us/how-tos/setup-offline-installation#exercise-4-create-a-package-for-the-license
    - name: Install Chocolatey License
      win_chocolatey:
        name: chocolatey-license
        source: ChocolateyInternal
        state: latest
    ### b. Disable The Licensed Source ###
    #### The licensed source cannot be removed, so it must be disabled.
    #### This must occur after the license has been set by the license package.
    - name: Disable Chocolatey Licensed Repository
      win_chocolatey_source:
        name: chocolatey.licensed
        state: disabled
    ### c. Ensure Chocolatey Licensed Extension ###
    #### You will have downloaded the licensed extension to your internal repository
    #### as you have disabled the licensed repository in step 5b.
    #### Ensure the chocolatey.extension package (aka Chocolatey Licensed Extension)
    - name: Install Chocolatey Extension
      win_chocolatey:
        name: chocolatey.extension
        source: ChocolateyInternal
        state: latest
    #### The Chocolatey Licensed Extension unlocks all of the following, which also have configuration/feature items available with them. You may want to visit the feature pages to see what you might want to also enable:
    #### - Package Builder - https://docs.chocolatey.org/en-us/features/paid/package-builder
    #### - Package Internalizer - https://docs.chocolatey.org/en-us/features/paid/package-internalizer
    #### - Package Synchronization (3 components) - https://docs.chocolatey.org/en-us/features/paid/package-synchronization
    #### - Package Reducer - https://docs.chocolatey.org/en-us/features/paid/package-reducer
    #### - Package Audit - https://docs.chocolatey.org/en-us/features/paid/package-audit
    #### - Package Throttle - https://docs.chocolatey.org/en-us/features/paid/package-throttle
    #### - CDN Cache Access - https://docs.chocolatey.org/en-us/features/paid/private-cdn
    #### - Branding - https://docs.chocolatey.org/en-us/features/paid/branding
    #### - Self-Service Anywhere (more components will need to be installed and additional configuration will need to be set) - https://docs.chocolatey.org/en-us/features/paid/self-service-anywhere
    #### - Chocolatey Central Management (more components will need to be installed and additional configuration will need to be set) - https://docs.chocolatey.org/en-us/features/paid/chocolatey-central-management
    #### - Other - https://docs.chocolatey.org/en-us/features/paid/
    ### d. Ensure Self-Service Anywhere ###
    #### If you have desktop clients where users are not administrators, you may
    #### want to take advantage of deploying and configuring Self-Service Anywhere
    - name: Hide not-elevated warnings
      win_chocolatey_feature:
        name: showNonElevatedWarnings
        state: disabled
    - name: Use background mode for self-service
      win_chocolatey_feature:
        name: useBackgroundService
        state: enabled
    - name: Use background service for non-admins
      win_chocolatey_feature:
        name: useBackgroundServiceWithNonAdministratorsOnly
        state: enabled
    - name: Allow background uninstallation for user installs
      win_chocolatey_feature:
        name: allowBackgroundServiceUninstallsFromUserInstallsOnly
        state: enabled
    - name: Set allowed background service commands
      win_chocolatey_config:
        name: backgroundServiceAllowedCommands
        state: present
        value: install,upgrade,uninstall
    ### e. Ensure Chocolatey Central Management ###
    #### If you want to manage and report on endpoints, you can set up and configure
    #### Central Management. There are multiple portions to manage, so you'll see
    #### a section on agents here along with notes on how to configure the server
    #### side components.
    - name: Install Chocolatey Agent
      when: chocolatey_central_management_url is defined
      win_chocolatey:
        name: chocolatey-agent
        source: ChocolateyInternal
        state: latest
    - name: Set the Central Management Service URL
      when: chocolatey_central_management_url is defined
      win_chocolatey_config:
        name: CentralManagementServiceUrl
        state: present
        value: "{{ chocolatey_central_management_url }}"
    #### The salts are shared secrets; no_log keeps them out of the play output
    - name: Set the Central Management Client Salt
      when: chocolatey_central_management_client_salt is defined
      no_log: true
      win_chocolatey_config:
        name: centralManagementClientCommunicationSaltAdditivePassword
        state: present
        value: "{{ chocolatey_central_management_client_salt }}"
    - name: Set the Central Management Service Salt
      when: chocolatey_central_management_service_salt is defined
      no_log: true
      win_chocolatey_config:
        name: centralManagementServiceCommunicationSaltAdditivePassword
        state: present
        value: "{{ chocolatey_central_management_service_salt }}"
    - name: Use Central Management
      when: chocolatey_central_management_url is defined
      win_chocolatey_feature:
        name: useChocolateyCentralManagement
        state: enabled
    - name: Use Central Management Deployments
      when: chocolatey_central_management_url is defined
      win_chocolatey_feature:
        name: useChocolateyCentralManagementDeployments
        state: enabled
Chef: See docs at https://docs.chef.io/resource_chocolatey_package.html.
If Applicable - Chocolatey Configuration/Installation
## 1. REQUIREMENTS ##
### Here are the requirements necessary to ensure this is successful.
### a. Internal/Private Cloud Repository Set Up ###
#### You'll need an internal/private cloud repository you can use. These are
#### generally really quick to set up and there are quite a few options.
#### Chocolatey Software recommends Nexus, Artifactory Pro, or ProGet as they
#### are repository servers and will give you the ability to manage multiple
#### repositories and types from one server installation.
### b. Download Chocolatey Package and Put on Internal Repository ###
#### You need to have downloaded the Chocolatey package as well.
#### Please see https://chocolatey.org/install#organization
### c. Other Requirements ###
#### The Chocolatey resources are available with any recent version of Chef.
#### We utilise the Chocolatey cookbook's default recipe to install the
#### Chocolatey binaries. It is included at the end of section 3, after the
#### install attributes it reads have been set, because the recipe evaluates
#### them when it is compiled.
## 2. TOP LEVEL VARIABLES ##
### a. Your internal repository url (the main one). ###
#### Should be similar to what you see when you browse
#### to https://community.chocolatey.org/api/v2/
NugetRepositoryUrl = "INTERNAL REPO URL"
### b. Internal Repository Credential ###
#### If required, add the repository access credential here. Prefer loading
#### it from an encrypted data bag or Chef Vault over committing it to the cookbook.
# NugetRepositoryUsername = "username"
# NugetRepositoryPassword = "password"
### c. Chocolatey nupkg download url ###
#### This url should result in an immediate download when you navigate to it in
#### a web browser
ChocolateyNupkgUrl = "INTERNAL REPO URL/package/chocolatey.1.1.0.nupkg"
### d. Chocolatey Central Management (CCM) ###
#### If using CCM to manage Chocolatey, add the following:
#### i. Endpoint URL for CCM
# ChocolateyCentralManagementUrl = "https://chocolatey-central-management:24020/ChocolateyManagementService"
#### ii. If using a Client Salt, add it here
# ChocolateyCentralManagementClientSalt = "clientsalt"
#### iii. If using a Service Salt, add it here
# ChocolateyCentralManagementServiceSalt = "servicesalt"
## 3. ENSURE CHOCOLATEY IS INSTALLED ##
### Ensure Chocolatey is installed from your internal repository
#### node[...] is read-only inside a recipe, so set the attribute at override
#### precedence, and do so before the chocolatey recipe is compiled.
node.override['chocolatey']['install vars'] = {
  'chocolateyDownloadUrl' => ChocolateyNupkgUrl,
}
include_recipe "chocolatey"
## 4. CONFIGURE CHOCOLATEY BASELINE ##
### a. FIPS Feature ###
#### If you need FIPS compliance - make this the first thing you configure
#### before you do any additional configuration or package installations
# chocolatey_feature 'useFipsCompliantChecksums' do
#   action :enable
# end
### b. Apply Recommended Configuration ###
#### Move cache location so Chocolatey is very deterministic about
#### cleaning up temporary data and the location is secured to admins
chocolatey_config 'cacheLocation' do
  value 'C:\ProgramData\chocolatey\cache'
end
#### Increase timeout to at least 4 hours
chocolatey_config 'commandExecutionTimeoutSeconds' do
  value '14400'
end
#### Turn off download progress when running choco through integrations
chocolatey_feature 'showDownloadProgress' do
  action :disable
end
### c. Sources ###
#### Remove the default community package repository source
chocolatey_source 'chocolatey' do
  action :remove
end
#### Add internal default sources
#### You could have multiple sources here, so we will provide an example
#### of one using the remote repo variable here
#### NOTE: This EXAMPLE may require changes
chocolatey_source 'ChocolateyInternal' do
  source NugetRepositoryUrl
  priority 1
  action :add
end
#### If a credential was set above, re-add the source with it. The guard is a
#### compile-time check so the recipe still compiles when the credential
#### constants are left commented out.
if defined?(NugetRepositoryUsername) && defined?(NugetRepositoryPassword)
  execute 'ChocolateyInternal' do
    command "choco source add --name ChocolateyInternal -s #{NugetRepositoryUrl} -u=#{NugetRepositoryUsername} -p=#{NugetRepositoryPassword} --priority=1"
    #### Keep the password out of Chef's logs and reports
    sensitive true
  end
end
### d. Keep Chocolatey Up To Date ###
#### Keep chocolatey up to date based on your internal source
#### You control the upgrades based on when you push an updated version
#### to your internal repository.
#### Note the source here is to the OData feed, similar to what you see
#### when you browse to https://community.chocolatey.org/api/v2/
chocolatey_package 'chocolatey' do
  action :upgrade
  source NugetRepositoryUrl
end
## 5. ENSURE CHOCOLATEY FOR BUSINESS ##
### If you don't have Chocolatey for Business (C4B), you'll want to remove from here down.
### a. Ensure The License File Is Installed ###
#### Create a license package using script from https://docs.chocolatey.org/en-us/how-tos/setup-offline-installation#exercise-4-create-a-package-for-the-license
chocolatey_package 'chocolatey-license' do
  action :install
  source NugetRepositoryUrl
end
### b. Disable The Licensed Source ###
#### The licensed source cannot be removed, so it must be disabled.
#### This must occur after the license has been set by the license package.
chocolatey_source 'chocolatey.licensed' do
  action :disable
end
### c. Ensure Chocolatey Licensed Extension ###
#### You will have downloaded the licensed extension to your internal repository
#### as you have disabled the licensed repository in step 5b.
#### Ensure the chocolatey.extension package (aka Chocolatey Licensed Extension)
chocolatey_package 'chocolatey.extension' do
  action :install
  source NugetRepositoryUrl
end
#### The Chocolatey Licensed Extension unlocks all of the following, which also have configuration/feature items available with them. You may want to visit the feature pages to see what you might want to also enable:
#### - Package Builder - https://docs.chocolatey.org/en-us/features/paid/package-builder
#### - Package Internalizer - https://docs.chocolatey.org/en-us/features/paid/package-internalizer
#### - Package Synchronization (3 components) - https://docs.chocolatey.org/en-us/features/paid/package-synchronization
#### - Package Reducer - https://docs.chocolatey.org/en-us/features/paid/package-reducer
#### - Package Audit - https://docs.chocolatey.org/en-us/features/paid/package-audit
#### - Package Throttle - https://docs.chocolatey.org/en-us/features/paid/package-throttle
#### - CDN Cache Access - https://docs.chocolatey.org/en-us/features/paid/private-cdn
#### - Branding - https://docs.chocolatey.org/en-us/features/paid/branding
#### - Self-Service Anywhere (more components will need to be installed and additional configuration will need to be set) - https://docs.chocolatey.org/en-us/features/paid/self-service-anywhere
#### - Chocolatey Central Management (more components will need to be installed and additional configuration will need to be set) - https://docs.chocolatey.org/en-us/features/paid/chocolatey-central-management
#### - Other - https://docs.chocolatey.org/en-us/features/paid/
### d. Ensure Self-Service Anywhere ###
#### If you have desktop clients where users are not administrators, you may
#### want to take advantage of deploying and configuring Self-Service Anywhere
chocolatey_feature 'showNonElevatedWarnings' do
  action :disable
end
chocolatey_feature 'useBackgroundService' do
  action :enable
end
chocolatey_feature 'useBackgroundServiceWithNonAdministratorsOnly' do
  action :enable
end
chocolatey_feature 'allowBackgroundServiceUninstallsFromUserInstallsOnly' do
  action :enable
end
#### Restrict which commands non-administrators may run through the background service
chocolatey_config 'backgroundServiceAllowedCommands' do
  value 'install,upgrade,uninstall'
end
### e. Ensure Chocolatey Central Management ###
#### If you want to manage and report on endpoints, you can set up and configure
#### Central Management. There are multiple portions to manage, so you'll see
#### a section on agents here along with notes on how to configure the server
#### side components.
#### The guards below are compile-time checks so the recipe still compiles
#### when the CCM constants in section 2 are left commented out.
if defined?(ChocolateyCentralManagementUrl)
  chocolatey_package 'chocolatey-agent' do
    action :install
    source NugetRepositoryUrl
    # user NugetRepositoryUsername
    # password NugetRepositoryPassword
  end
  chocolatey_config 'CentralManagementServiceUrl' do
    value ChocolateyCentralManagementUrl
  end
end
if defined?(ChocolateyCentralManagementClientSalt)
  chocolatey_config 'centralManagementClientCommunicationSaltAdditivePassword' do
    value ChocolateyCentralManagementClientSalt
    #### The salt is a shared secret; keep it out of Chef's logs and reports
    sensitive true
  end
end
if defined?(ChocolateyCentralManagementServiceSalt)
  chocolatey_config 'centralManagementServiceCommunicationSaltAdditivePassword' do
    value ChocolateyCentralManagementServiceSalt
    sensitive true
  end
end
if defined?(ChocolateyCentralManagementUrl)
  chocolatey_feature 'useChocolateyCentralManagement' do
    action :enable
  end
  chocolatey_feature 'useChocolateyCentralManagementDeployments' do
    action :enable
  end
end
PowerShell DSC: Requires cChoco DSC Resource. See docs at https://github.com/chocolatey/cChoco.
If Applicable - Chocolatey Configuration/Installation
#requires -Modules cChoco
## 1. REQUIREMENTS ##
### Here are the requirements necessary to ensure this is successful.
### a. Internal/Private Cloud Repository Set Up ###
#### You'll need an internal/private cloud repository you can use. These are
#### generally really quick to set up and there are quite a few options.
#### Chocolatey Software recommends Nexus, Artifactory Pro, or ProGet as they
#### are repository servers and will give you the ability to manage multiple
#### repositories and types from one server installation.
### b. Download Chocolatey Package and Put on Internal Repository ###
#### You need to have downloaded the Chocolatey package as well.
#### Please see https://chocolatey.org/install#organization
### c. Other Requirements ###
#### i. Requires chocolatey\cChoco DSC module to be installed on the machine compiling the DSC manifest
#### NOTE: This will need to be installed before running the DSC portion of this script
if (-not (Get-Module cChoco -ListAvailable)) {
$null = Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
if (($PSGallery = Get-PSRepository -Name PSGallery).InstallationPolicy -ne "Trusted") {
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
}
Install-Module -Name cChoco
if ($PSGallery.InstallationPolicy -ne "Trusted") {
Set-PSRepository -Name PSGallery -InstallationPolicy $PSGallery.InstallationPolicy
}
}
#### ii. Requires a hosted copy of the install.ps1 script
##### This should be available to download without authentication.
##### The original script can be found here: https://community.chocolatey.org/install.ps1
Configuration ChocolateyConfig {
## 2. TOP LEVEL VARIABLES ##
param(
### a. Your internal repository url (the main one). ###
#### Should be similar to what you see when you browse
#### to https://community.chocolatey.org/api/v2/
$NugetRepositoryUrl = "INTERNAL REPO URL",
### b. Chocolatey nupkg download url ###
#### This url should result in an immediate download when you navigate to it in
#### a web browser
$ChocolateyNupkgUrl = "INTERNAL REPO URL/package/chocolatey.1.1.0.nupkg",
### c. Internal Repository Credential ###
#### If required, add the repository access credential here
# $NugetRepositoryCredential = [PSCredential]::new(
# "username",
# ("password" | ConvertTo-SecureString -AsPlainText -Force)
# ),
### d. Install.ps1 URL
#### The path to the hosted install script:
$ChocolateyInstallPs1Url = "https://community.chocolatey.org/install.ps1"
### e. Chocolatey Central Management (CCM) ###
#### If using CCM to manage Chocolatey, add the following:
#### i. Endpoint URL for CCM
# $ChocolateyCentralManagementUrl = "https://chocolatey-central-management:24020/ChocolateyManagementService",
#### ii. If using a Client Salt, add it here
# $ChocolateyCentralManagementClientSalt = "clientsalt",
#### iii. If using a Service Salt, add it here
# $ChocolateyCentralManagementServiceSalt = "servicesalt"
)
Import-DscResource -ModuleName PSDesiredStateConfiguration
Import-DscResource -ModuleName cChoco
Node 'localhost' {
## 3. ENSURE CHOCOLATEY IS INSTALLED ##
### Ensure Chocolatey is installed from your internal repository
Environment chocoDownloadUrl {
Name = "chocolateyDownloadUrl"
Value = $ChocolateyNupkgUrl
}
cChocoInstaller installChocolatey {
DependsOn = "[Environment]chocoDownloadUrl"
InstallDir = Join-Path $env:ProgramData "chocolatey"
ChocoInstallScriptUrl = $ChocolateyInstallPs1Url
}
## 4. CONFIGURE CHOCOLATEY BASELINE ##
### a. FIPS Feature ###
#### If you need FIPS compliance - make this the first thing you configure
#### before you do any additional configuration or package installations
# cChocoFeature featureFipsCompliance {
# FeatureName = "useFipsCompliantChecksums"
# }
### b. Apply Recommended Configuration ###
#### Move cache location so Chocolatey is very deterministic about
#### cleaning up temporary data and the location is secured to admins
cChocoConfig cacheLocation {
DependsOn = "[cChocoInstaller]installChocolatey"
ConfigName = "cacheLocation"
Value = "C:\ProgramData\chocolatey\cache"
}
#### Increase timeout to at least 4 hours
cChocoConfig commandExecutionTimeoutSeconds {
DependsOn = "[cChocoInstaller]installChocolatey"
ConfigName = "commandExecutionTimeoutSeconds"
Value = 14400
}
#### Turn off download progress when running choco through integrations
cChocoFeature showDownloadProgress {
DependsOn = "[cChocoInstaller]installChocolatey"
FeatureName = "showDownloadProgress"
Ensure = "Absent"
}
### c. Sources ###
#### Remove the default community package repository source
cChocoSource removeCommunityRepository {
DependsOn = "[cChocoInstaller]installChocolatey"
Name = "chocolatey"
Ensure = "Absent"
}
#### Add internal default sources
#### You could have multiple sources here, so we will provide an example
#### of one using the remote repo variable here.
#### NOTE: This EXAMPLE may require changes
cChocoSource addInternalSource {
DependsOn = "[cChocoInstaller]installChocolatey"
Name = "ChocolateyInternal"
Source = $NugetRepositoryUrl
Credentials = $NugetRepositoryCredential
Priority = 1
}
### d. Keep Chocolatey Up To Date ###
#### Keep chocolatey up to date based on your internal source
#### You control the upgrades based on when you push an updated version
#### to your internal repository.
#### Note the source here is to the OData feed, similar to what you see
#### when you browse to https://community.chocolatey.org/api/v2/
cChocoPackageInstaller updateChocolatey {
DependsOn = "[cChocoSource]addInternalSource", "[cChocoSource]removeCommunityRepository"
Name = "chocolatey"
AutoUpgrade = $true
}
## 5. ENSURE CHOCOLATEY FOR BUSINESS ##
### If you don't have Chocolatey for Business (C4B), you'll want to remove from here down.
### a. Ensure The License File Is Installed ###
#### Create a license package using script from https://docs.chocolatey.org/en-us/how-tos/setup-offline-installation#exercise-4-create-a-package-for-the-license
cChocoPackageInstaller chocolateyLicense {
DependsOn = "[cChocoPackageInstaller]updateChocolatey"
Name = "chocolatey-license"
}
### b. Disable The Licensed Source ###
#### The licensed source cannot be removed, so it must be disabled.
#### This must occur after the license has been set by the license package.
Script disableLicensedSource {
DependsOn = "[cChocoPackageInstaller]chocolateyLicense"
GetScript = {
$Source = choco source list --limitoutput | `
ConvertFrom-Csv -Delimiter '|' -Header Name, Source, Disabled | `
Where-Object Name -eq "chocolatey.licensed"
return @{
Result = if ($Source) {
[bool]::Parse($Source.Disabled)
} else {
Write-Warning "Source 'chocolatey.licensed' was not present."
$true # Source does not need disabling
}
}
}
SetScript = {
$null = choco source disable --name "chocolatey.licensed"
}
TestScript = {
$State = [ScriptBlock]::Create($GetScript).Invoke()
return $State.Result
}
}
### c. Ensure Chocolatey Licensed Extension ###
#### You will have downloaded the licensed extension to your internal repository
#### as you have disabled the licensed repository in step 5b.
#### Ensure the chocolatey.extension package (aka Chocolatey Licensed Extension)
cChocoPackageInstaller chocolateyLicensedExtension {
DependsOn = "[Script]disableLicensedSource"
Name = "chocolatey.extension"
}
#### The Chocolatey Licensed Extension unlocks all of the following, which also have configuration/feature items available with them. You may want to visit the feature pages to see what you might want to also enable:
#### - Package Builder - https://docs.chocolatey.org/en-us/features/paid/package-builder
#### - Package Internalizer - https://docs.chocolatey.org/en-us/features/paid/package-internalizer
#### - Package Synchronization (3 components) - https://docs.chocolatey.org/en-us/features/paid/package-synchronization
#### - Package Reducer - https://docs.chocolatey.org/en-us/features/paid/package-reducer
#### - Package Audit - https://docs.chocolatey.org/en-us/features/paid/package-audit
#### - Package Throttle - https://docs.chocolatey.org/en-us/features/paid/package-throttle
#### - CDN Cache Access - https://docs.chocolatey.org/en-us/features/paid/private-cdn
#### - Branding - https://docs.chocolatey.org/en-us/features/paid/branding
#### - Self-Service Anywhere (more components will need to be installed and additional configuration will need to be set) - https://docs.chocolatey.org/en-us/features/paid/self-service-anywhere
#### - Chocolatey Central Management (more components will need to be installed and additional configuration will need to be set) - https://docs.chocolatey.org/en-us/features/paid/chocolatey-central-management
#### - Other - https://docs.chocolatey.org/en-us/features/paid/
### d. Ensure Self-Service Anywhere ###
#### If you have desktop clients where users are not administrators, you may
#### want to take advantage of deploying and configuring Self-Service Anywhere
cChocoFeature hideElevatedWarnings {
DependsOn = "[cChocoPackageInstaller]chocolateyLicensedExtension"
FeatureName = "showNonElevatedWarnings"
Ensure = "Absent"
}
cChocoFeature useBackgroundService {
DependsOn = "[cChocoPackageInstaller]chocolateyLicensedExtension"
FeatureName = "useBackgroundService"
Ensure = "Present"
}
cChocoFeature useBackgroundServiceWithNonAdmins {
DependsOn = "[cChocoPackageInstaller]chocolateyLicensedExtension"
FeatureName = "useBackgroundServiceWithNonAdministratorsOnly"
Ensure = "Present"
}
cChocoFeature useBackgroundServiceUninstallsForUserInstalls {
DependsOn = "[cChocoPackageInstaller]chocolateyLicensedExtension"
FeatureName = "allowBackgroundServiceUninstallsFromUserInstallsOnly"
Ensure = "Present"
}
cChocoConfig allowedBackgroundServiceCommands {
DependsOn = "[cChocoFeature]useBackgroundService"
ConfigName = "backgroundServiceAllowedCommands"
Value = "install,upgrade,uninstall"
}
### e. Ensure Chocolatey Central Management ###
#### If you want to manage and report on endpoints, you can set up and configure
#### Central Management. There are multiple portions to manage, so you'll see
#### a section on agents here along with notes on how to configure the server
#### side components.
if ($ChocolateyCentralManagementUrl) {
cChocoPackageInstaller chocolateyAgent {
DependsOn = "[cChocoPackageInstaller]chocolateyLicensedExtension"
Name = "chocolatey-agent"
}
cChocoConfig centralManagementServiceUrl {
DependsOn = "[cChocoPackageInstaller]chocolateyAgent"
ConfigName = "CentralManagementServiceUrl"
Value = $ChocolateyCentralManagementUrl
}
if ($ChocolateyCentralManagementClientSalt) {
cChocoConfig centralManagementClientSalt {
DependsOn = "[cChocoPackageInstaller]chocolateyAgent"
ConfigName = "centralManagementClientCommunicationSaltAdditivePassword"
Value = $ChocolateyCentralManagementClientSalt
}
}
if ($ChocolateyCentralManagementServiceSalt) {
cChocoConfig centralManagementServiceSalt {
DependsOn = "[cChocoPackageInstaller]chocolateyAgent"
ConfigName = "centralManagementServiceCommunicationSaltAdditivePassword"
Value = $ChocolateyCentralManagementServiceSalt
}
}
cChocoFeature useCentralManagement {
DependsOn = "[cChocoPackageInstaller]chocolateyAgent"
FeatureName = "useChocolateyCentralManagement"
Ensure = "Present"
}
cChocoFeature useCentralManagementDeployments {
DependsOn = "[cChocoPackageInstaller]chocolateyAgent"
FeatureName = "useChocolateyCentralManagementDeployments"
Ensure = "Present"
}
}
}
}
# If working this into an existing configuration with a good method for
$ConfigData = @{
AllNodes = @(
@{
NodeName = "localhost"
PSDscAllowPlainTextPassword = $true
}
)
}
try {
Push-Location $env:Temp
$Config = ChocolateyConfig -ConfigurationData $ConfigData
Start-DscConfiguration -Path $Config.PSParentPath -Wait -Verbose -Force
} finally {
Pop-Location
}
Requires Puppet Chocolatey Provider module. See docs at https://forge.puppet.com/puppetlabs/chocolatey.
If Applicable - Chocolatey Configuration/Installation
## 1. REQUIREMENTS ##
### Here are the requirements necessary to ensure this is successful.
### a. Internal/Private Cloud Repository Set Up ###
#### You'll need an internal/private cloud repository you can use. These are
#### generally really quick to set up and there are quite a few options.
#### Chocolatey Software recommends Nexus, Artifactory Pro, or ProGet as they
#### are repository servers and will give you the ability to manage multiple
#### repositories and types from one server installation.
### b. Download Chocolatey Package and Put on Internal Repository ###
#### You need to have downloaded the Chocolatey package as well.
#### Please see https://chocolatey.org/install#organization
### c. Other Requirements ###
#### i. Requires puppetlabs/chocolatey module
#### See https://forge.puppet.com/puppetlabs/chocolatey
## 2. TOP LEVEL VARIABLES ##
### a. Your internal repository url (the main one). ###
#### Should be similar to what you see when you browse
#### to https://community.chocolatey.org/api/v2/
$_repository_url = 'INTERNAL REPO URL'
### b. Chocolatey nupkg download url ###
#### This url should result in an immediate download when you navigate to it in
#### a web browser
$_choco_download_url = 'INTERNAL REPO URL/package/chocolatey.1.1.0.nupkg'
### c. Chocolatey Central Management (CCM) ###
#### If using CCM to manage Chocolatey, add the following:
#### i. Endpoint URL for CCM
# $_chocolatey_central_management_url = 'https://chocolatey-central-management:24020/ChocolateyManagementService'
#### ii. If using a Client Salt, add it here
# $_chocolatey_central_management_client_salt = "clientsalt"
#### iii. If using a Service Salt, add it here
# $_chocolatey_central_management_service_salt = 'servicesalt'
## 3. ENSURE CHOCOLATEY IS INSTALLED ##
### Ensure Chocolatey is installed from your internal repository
### Note: chocolatey_download_url is completely different from normal
### source locations. It points directly at the bare download url for the
### chocolatey.nupkg, similar to what you see when you browse to
### https://community.chocolatey.org/api/v2/package/chocolatey
class {'chocolatey':
chocolatey_download_url => $_choco_download_url,
use_7zip => false,
}
## 4. CONFIGURE CHOCOLATEY BASELINE ##
### a. FIPS Feature ###
#### If you need FIPS compliance - make this the first thing you configure
#### before you do any additional configuration or package installations
#chocolateyfeature {'useFipsCompliantChecksums':
# ensure => enabled,
#}
### b. Apply Recommended Configuration ###
#### Move cache location so Chocolatey is very deterministic about
#### cleaning up temporary data and the location is secured to admins
chocolateyconfig {'cacheLocation':
value => 'C:\ProgramData\chocolatey\cache',
}
#### Increase timeout to at least 4 hours
chocolateyconfig {'commandExecutionTimeoutSeconds':
value => '14400',
}
#### Turn off download progress when running choco through integrations
chocolateyfeature {'showDownloadProgress':
ensure => disabled,
}
### c. Sources ###
#### Remove the default community package repository source
chocolateysource {'chocolatey':
ensure => absent,
location => 'https://community.chocolatey.org/api/v2/',
}
#### Add internal default sources
#### You could have multiple sources here, so we will provide an example
#### of one using the remote repo variable here
#### NOTE: This EXAMPLE requires changes
chocolateysource {'internal_chocolatey':
ensure => present,
location => $_repository_url,
priority => 1,
username => 'optional',
password => 'optional,not ensured',
bypass_proxy => true,
admin_only => false,
allow_self_service => false,
}
### d. Keep Chocolatey Up To Date ###
#### Keep chocolatey up to date based on your internal source
#### You control the upgrades based on when you push an updated version
#### to your internal repository.
#### Note the source here is to the OData feed, similar to what you see
#### when you browse to https://community.chocolatey.org/api/v2/
package {'chocolatey':
ensure => latest,
provider => chocolatey,
source => $_repository_url,
}
## 5. ENSURE CHOCOLATEY FOR BUSINESS ##
### If you don't have Chocolatey for Business (C4B), you'll want to remove from here down.
### a. Ensure The License File Is Installed ###
#### Create a license package using script from https://docs.chocolatey.org/en-us/guides/organizations/organizational-deployment-guide#exercise-4-create-a-package-for-the-license
# TODO: Add resource for installing/ensuring the chocolatey-license package
package {'chocolatey-license':
ensure => latest,
provider => chocolatey,
source => $_repository_url,
}
### b. Disable The Licensed Source ###
#### The licensed source cannot be removed, so it must be disabled.
#### This must occur after the license has been set by the license package.
## Disabled sources still need all other attributes until
## https://tickets.puppetlabs.com/browse/MODULES-4449 is resolved.
## Password is necessary with user, but not ensurable, so it should not
## matter what it is set to here. If you ever do get into trouble here,
## the password is your license GUID.
chocolateysource {'chocolatey.licensed':
ensure => disabled,
priority => '10',
user => 'customer',
password => '1234',
require => Package['chocolatey-license'],
}
### c. Ensure Chocolatey Licensed Extension ###
#### You will have downloaded the licensed extension to your internal repository
#### as you have disabled the licensed repository in step 5b.
#### Ensure the chocolatey.extension package (aka Chocolatey Licensed Extension)
package {'chocolatey.extension':
ensure => latest,
provider => chocolatey,
source => $_repository_url,
require => Package['chocolatey-license'],
}
#### The Chocolatey Licensed Extension unlocks all of the following, which also have configuration/feature items available with them. You may want to visit the feature pages to see what you might want to also enable:
#### - Package Builder - https://docs.chocolatey.org/en-us/features/paid/package-builder
#### - Package Internalizer - https://docs.chocolatey.org/en-us/features/paid/package-internalizer
#### - Package Synchronization (3 components) - https://docs.chocolatey.org/en-us/features/paid/package-synchronization
#### - Package Reducer - https://docs.chocolatey.org/en-us/features/paid/package-reducer
#### - Package Audit - https://docs.chocolatey.org/en-us/features/paid/package-audit
#### - Package Throttle - https://docs.chocolatey.org/en-us/features/paid/package-throttle
#### - CDN Cache Access - https://docs.chocolatey.org/en-us/features/paid/private-cdn
#### - Branding - https://docs.chocolatey.org/en-us/features/paid/branding
#### - Self-Service Anywhere (more components will need to be installed and additional configuration will need to be set) - https://docs.chocolatey.org/en-us/features/paid/self-service-anywhere
#### - Chocolatey Central Management (more components will need to be installed and additional configuration will need to be set) - https://docs.chocolatey.org/en-us/features/paid/chocolatey-central-management
#### - Other - https://docs.chocolatey.org/en-us/features/paid/
### d. Ensure Self-Service Anywhere ###
#### If you have desktop clients where users are not administrators, you may
#### want to take advantage of deploying and configuring Self-Service Anywhere
chocolateyfeature {'showNonElevatedWarnings':
ensure => disabled,
}
chocolateyfeature {'useBackgroundService':
ensure => enabled,
}
chocolateyfeature {'useBackgroundServiceWithNonAdministratorsOnly':
ensure => enabled,
}
chocolateyfeature {'allowBackgroundServiceUninstallsFromUserInstallsOnly':
ensure => enabled,
}
chocolateyconfig {'backgroundServiceAllowedCommands':
value => 'install,upgrade,uninstall',
}
### e. Ensure Chocolatey Central Management ###
#### If you want to manage and report on endpoints, you can set up and configure
#### Central Management. There are multiple portions to manage, so you'll see
#### a section on agents here along with notes on how to configure the server
#### side components.
if $_chocolatey_central_management_url {
package {'chocolatey-agent':
ensure => latest,
provider => chocolatey,
source => $_repository_url,
require => Package['chocolatey-license'],
}
chocolateyconfig {'CentralManagementServiceUrl':
value => $_chocolatey_central_management_url,
}
if $_chocolatey_central_management_client_salt {
chocolateyconfig {'centralManagementClientCommunicationSaltAdditivePassword':
value => $_chocolatey_central_management_client_salt,
}
}
if $_chocolatey_central_management_service_salt {
chocolateyconfig {'centralManagementServiceCommunicationSaltAdditivePassword':
value => $_chocolatey_central_management_service_salt,
}
}
chocolateyfeature {'useChocolateyCentralManagement':
ensure => enabled,
require => Package['chocolatey-agent'],
}
chocolateyfeature {'useChocolateyCentralManagementDeployments':
ensure => enabled,
require => Package['chocolatey-agent'],
}
}
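A check that the sources and features a client actually reports match the baseline the DSC and Puppet templates above configure (sections 4b, 4c, 5b and 5d), as an added example that is not part of the Chocolatey templates. It assumes the column order of `choco source list --limitoutput` and `choco feature list --limitoutput` given in the comments (verify against your choco version), and the sample output lines are constructed.

```powershell
# Added example, not part of the Chocolatey templates: audit what a client reports
# against the baseline the DSC and Puppet templates configure.
# ASSUMPTIONS: `choco source list --limitoutput` prints one pipe-delimited line per
# source in the column order of $sourceHeader below, and
# `choco feature list --limitoutput` prints Name|State|Description with State
# being 'Enabled' or 'Disabled'. Check these against your choco version first.
function Test-ChocoBaseline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $SourceLines,     # lines from `choco source list -r`
        [Parameter(Mandatory)] [string[]] $FeatureLines,    # lines from `choco feature list -r`
        [string] $InternalSourceName = 'ChocolateyInternal' # name used by the DSC template (4c)
    )

    $sourceHeader = 'Name','Source','Disabled','UserName','Certificate','Priority','BypassProxy','AllowSelfService','VisibleToAdminsOnly'
    $sources  = $SourceLines  | Where-Object { $_ -match '\|' } | ConvertFrom-Csv -Delimiter '|' -Header $sourceHeader
    $features = $FeatureLines | Where-Object { $_ -match '\|' } | ConvertFrom-Csv -Delimiter '|' -Header Name, State, Description

    $findings = New-Object 'System.Collections.Generic.List[string]'

    # 4c: no enabled source may point at the public community feed.
    $community = $sources | Where-Object { $_.Disabled -eq 'False' -and $_.Source -like 'https://community.chocolatey.org/*' }
    foreach ($s in $community) {
        $findings.Add("source '$($s.Name)' is enabled and points at the community feed")
    }

    # 4c: the internal source must exist, be enabled and win with priority 1.
    $internal = $sources | Where-Object Name -eq $InternalSourceName
    if (-not $internal) {
        $findings.Add("internal source '$InternalSourceName' is missing")
    } elseif ($internal.Disabled -ne 'False') {
        $findings.Add("internal source '$InternalSourceName' is disabled")
    } elseif ([int]$internal.Priority -ne 1) {
        $findings.Add("internal source '$InternalSourceName' has priority $($internal.Priority), expected 1")
    }

    # 5b: the licensed feed cannot be removed, so it must be disabled.
    $licensed = $sources | Where-Object Name -eq 'chocolatey.licensed'
    if ($licensed -and $licensed.Disabled -ne 'True') {
        $findings.Add("source 'chocolatey.licensed' is still enabled")
    }

    # 4b / 5d: feature states the templates set. The last three only matter
    # with Self-Service Anywhere; keeping them explicit makes drift visible.
    $expected = @{
        showDownloadProgress                                 = 'Disabled'
        useBackgroundService                                 = 'Enabled'
        useBackgroundServiceWithNonAdministratorsOnly        = 'Enabled'
        allowBackgroundServiceUninstallsFromUserInstallsOnly = 'Enabled'
    }
    foreach ($name in $expected.Keys) {
        $f = $features | Where-Object Name -eq $name
        if (-not $f) { $findings.Add("feature '$name' was not reported"); continue }
        if ($f.State -ne $expected[$name]) {
            $findings.Add("feature '$name' is $($f.State), expected $($expected[$name])")
        }
    }

    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings.ToArray() }
}

# Constructed sample output (not captured from a real machine): a client where the
# community source was never removed, the licensed feed is still enabled and one
# Self-Service feature drifted. On a real client replace these with:
#   $sampleSources  = choco source list --limitoutput
#   $sampleFeatures = choco feature list --limitoutput
$sampleSources = @(
    'chocolatey|https://community.chocolatey.org/api/v2/|False||||0|False|False|False'
    'ChocolateyInternal|https://nexus.example.invalid/repository/choco/|False|svc-choco||1|True|False|False'
    'chocolatey.licensed|https://licensed.example.invalid/api/v2/|False|customer||10|False|False|False'
)
$sampleFeatures = @(
    'showDownloadProgress|Disabled|Show download progress'
    'useBackgroundService|Enabled|Use background service'
    'useBackgroundServiceWithNonAdministratorsOnly|Enabled|Background service for non-admins only'
    'allowBackgroundServiceUninstallsFromUserInstallsOnly|Disabled|Allow uninstall of user installs'
)

$result = Test-ChocoBaseline -SourceLines $sampleSources -FeatureLines $sampleFeatures
foreach ($finding in $result.Findings) { Write-Output "FAIL: $finding" }
if ($result.Compliant) { Write-Output 'Chocolatey client matches the baseline' }
```

With the constructed input the function reports three findings (community source enabled, licensed source enabled, the uninstall feature disabled) and Compliant is $false.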
Downloads: 5,789,725
Downloads of v 8.6.0-beta1: 44,517
Last Update: 29 May 2021
Package Maintainer(s):
Software Author(s): Microsoft
Tags: openssh admin
Win32 OpenSSH (Universal Installer)
This is a prerelease version of Win32 OpenSSH (Universal Installer).
8.6.0-beta1 | Updated: 29 May 2021
All Checks are Passing
3 Passing Tests
Deployment Method: Individual Install, Upgrade, & Uninstall
To install Win32 OpenSSH (Universal Installer), run the following command from the command line or from PowerShell:
To upgrade Win32 OpenSSH (Universal Installer), run the following command from the command line or from PowerShell:
To uninstall Win32 OpenSSH (Universal Installer), run the following command from the command line or from PowerShell:
Deployment Method:
📝 NOTE: This applies to both open source and commercial editions of Chocolatey.
- You can also just download the package and push it to a repository.
Open Source:
- Download the package and follow the manual internalization instructions.
Package Internalizer (C4B):
- Run (additional options): choco download openssh --internalize --pre --source=https://community.chocolatey.org/api/v2/
- For package and dependencies run: choco push --source="'INTERNAL REPO URL'"
- Automate package internalization
- Run: (additional options)
3. Copy Your Script
choco upgrade openssh -y --source="'INTERNAL REPO URL'" --prerelease [other options]
See options you can pass to upgrade.
See best practices for scripting.
Add this to a PowerShell script or use a Batch script with tools and in places where you are calling directly to Chocolatey. If you are integrating, keep in mind enhanced exit codes.
If you do use a PowerShell script, use the following to ensure bad exit codes are shown as failures:
choco upgrade openssh -y --source="'INTERNAL REPO URL'" --prerelease
$exitCode = $LASTEXITCODE
Write-Verbose "Exit code was $exitCode"
$validExitCodes = @(0, 1605, 1614, 1641, 3010)
if ($validExitCodes -contains $exitCode) {
Exit 0
}
Exit $exitCode
- name: Install openssh
  win_chocolatey:
    name: openssh
    version: '8.6.0-beta1'
    source: INTERNAL REPO URL
    state: present
    allow_prerelease: yes
See docs at https://docs.ansible.com/ansible/latest/modules/win_chocolatey_module.html.
chocolatey_package 'openssh' do
action :install
source 'INTERNAL REPO URL'
version '8.6.0-beta1'
options '--prerelease'
end
See docs at https://docs.chef.io/resource_chocolatey_package.html.
cChocoPackageInstaller openssh
{
Name = "openssh"
Version = "8.6.0-beta1"
Source = "INTERNAL REPO URL"
chocoParams = "--prerelease"
}
Requires cChoco DSC Resource. See docs at https://github.com/chocolatey/cChoco.
package { 'openssh':
ensure => '8.6.0-beta1',
install_options => ['--prerelease'],
provider => 'chocolatey',
source => 'INTERNAL REPO URL',
}
Requires Puppet Chocolatey Provider module. See docs at https://forge.puppet.com/puppetlabs/chocolatey.
4. If applicable - Chocolatey configuration/installation
See infrastructure management matrix for Chocolatey configuration elements and examples.
This package was approved as a trusted package on 29 May 2021.
The primary Microsoft distribution mechanism for OpenSSH is through Windows.
This package is no longer tested with all the original scenarios it was created for when it was the primary mechanism and it will not be fixed for edge cases like Nano or old versions of Windows.
<#
.SYNOPSIS
Enables installing SSH even when your system does not have WOW64 or Chocolatey.
.DESCRIPTION
This script enables installing SSH even when your system does NOT have:
[1] Chocolatey installed
[2] WOW64 installed
[3] .NET Core (Nano)
The use cases are Server Nano and Server Core without WOW64 installed.
To use barebonesinstaller.ps1, expand the .nupkg that this file is contained in
and then place the \tools folder on the target system.
To push tools folder to Nano use 'Copy-Item -tosession $sessionvariable tools c:\tools -recurse'
.PARAMETER SSHServerFeature
Include SSH Server Feature.
.PARAMETER SSHServerPort
The port that SSHD Server should listen on.
.PARAMETER DeleteConfigAndServerKeys
Delete server private keys and configuration upon uninstall.
.PARAMETER Uninstall
Uninstall (default is to install)
.PARAMETER DisableKeyPermissionsReset
By default the install runs a custom utility script called "Reset-SSHKeyPermissions.ps1". This switch disables that functionality.
.EXAMPLE
.\barebonesinstaller.ps1 -SSHServerFeature
.EXAMPLE
.\barebonesinstaller.ps1 -SSHServerFeature -Uninstall
#>
Param (
[switch]$SSHServerFeature,
[switch]$SSHAgentFeature,
[string]$SSHServerPort='22',
[switch]$DeleteConfigAndServerKeys,
[switch]$Uninstall,
[switch]$OverWriteSSHDConf,
[string]$SSHLogLevel,
[switch]$ReleaseSSHLSAForUpgrade,
[string]$TERM,
[string]$PathSpecsToProbeForShellEXEString,
[string]$SSHDefaultShellCommandOption,
[switch]$AllowInsecureShellEXE,
[switch]$AlsoLogToFile
)
Write-Output "Configuring on Port $SSHServerPort"
cd "$(Split-Path -parent $MyInvocation.MyCommand.Definition)"
If (!$Uninstall)
{
. ".\chocolateyinstall.ps1"
}
Else
{
. ".\chocolateyuninstall.ps1"
}
<#
ATTENTION: This code is used extensively to run under PowerShell 2.0 to update
images from RTM / SP1 source for Windows 7 and Server 2008 R2. It is also
used under Powershell Core to add OpenSSH to Nano. Test all enhancements and
fixes under these two specialty cases (speciality for Chocolatey packagers who are
likely up to the latest version on everything PowerShell).
#>
$ErrorActionPreference = 'Stop'; # stop on all errors
$ProductName = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name 'ProductName').ProductName
$EditionId = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name 'EditionID').EditionId
#This has to work for Win7 (no get-ciminstance) and Nano (no get-wmiobject) - each of which specially construct win32_operatingsystem.version to handle before and after Windows 10 version numbers (which are in different registry keys)
If ($psversiontable.psversion.major -lt 3)
{
$OSVersionString = (Get-WMIObject Win32_OperatingSystem).version
}
Else
{
$OSVersionString = (Get-CIMInstance Win32_OperatingSystem).version
}
Write-Output "Running on: $ProductName, ($EditionId)"
Write-Output "Windows Version: $OSVersionString"
$RunningOnNano = $False
If ($EditionId -ilike '*Nano*')
{$RunningOnNano = $True}
If (Test-Path variable:shimgen)
{$RunningUnderChocolatey = $True}
Else
{ Write-Output "Running Without Chocolatey"}
$toolsDir = "$(Split-Path -parent $MyInvocation.MyCommand.Definition)"
$OSBits = ([System.IntPtr]::Size * 8) #Get-ProcessorBits
#On 64-bit, always favor 64-bit Program Files no matter what our execution is now (works back past XP / Server 2003)
If ($env:ProgramFiles.contains('x86'))
{
$PF = $env:ProgramFiles.replace(' (x86)','')
}
Else
{
$PF = $env:ProgramFiles
}
If (Test-Path "$env:windir\sysnative")
{ #We are running in a 32-bit process under 64-bit Windows
$sys32dir = "$env:windir\sysnative"
}
Else
{ #We are on a 32-bit OS, or 64-bit proc on 64-bit OS
$sys32dir = "$env:windir\system32"
}
$filename = "$toolsdir\OpenSSH-Win$($OSBits).zip"
#$TargetFolder = "$PF\OpenSSH"
#$TargetFolderOld = "$PF\OpenSSH-Win$($OSBits)"
$TargetFolder = "$PF\OpenSSH-Win$($OSBits)"
$ExtractFolder = "$env:temp\OpenSSHTemp"
$sshdpath = Join-Path $TargetFolder "sshd.exe"
$sshagentpath = Join-Path $TargetFolder "ssh-agent.exe"
$sshdatadir = Join-Path $env:ProgramData "\ssh"
$logsdir = Join-Path $SSHDataDir "logs"
$packageArgs = @{
packageName = 'openssh'
unziplocation = "$ExtractFolder"
fileType = 'EXE_MSI_OR_MSU' #only one of these: exe, msi, msu
checksum = '6C30A8BDF8CD6838AE05DE3CCD251399E6EA69E0'
checksumType = 'SHA1'
checksum64 = 'D3EA57408C0D3CF83167DF39639FED5397358B79'
checksumType64= 'SHA1'
}
If ($RunningUnderChocolatey)
{
# Default the values before reading params
$SSHServerFeature = $false
$KeyBasedAuthenticationFeature = $false
$SSHServerPort = '22'
$arguments = @{};
$packageParameters = $env:chocolateyPackageParameters
}
$OpeningMessage = @"
************************************************************************************
************************************************************************************
This package is a Universal Installer and can ALSO install Win32-OpenSSH on
Nano, Server Core, Docker Containers and more WITHOUT using Chocolatey.
See the following for more details:
https://github.com/DarwinJS/ChocoPackages/blob/master/openssh/readme.md
************************************************************************************
************************************************************************************
"@
Write-Output $OpeningMessage
function Get-PackageParametersCustom {
[CmdletBinding()]
param(
[string] $Parameters = $Env:ChocolateyPackageParameters,
# Allows splatting with arguments that do not apply and future expansion. Do not use directly.
[parameter(ValueFromRemainingArguments = $true)]
[Object[]] $IgnoredArguments
)
$res = @{}
$re = "\/([a-zA-Z0-9]+)(:[`"'].+?[`"']|[^ ]+)?"
$results = $Parameters | Select-String $re -AllMatches | select -Expand Matches
foreach ($m in $results) {
if (!$m) { continue } # must because of posh 2.0 bug: https://github.com/chocolatey/chocolatey-coreteampackages/issues/465
$a = $m.Value -split ':'
$opt = $a[0].Substring(1); $val = $a[1..100] -join ':'
if ($val -match '^(".+")|(''.+'')$') {$val = $val -replace '^.|.$'}
$res[ $opt ] = if ($val) { $val } else { $true }
}
$res
}
# Now parse the packageParameters using good old regular expression
if ($packageparameters) {
$pp = Get-PackageParametersCustom
if ($pp.SSHAgentFeature) {
Write-Host "/SSHAgentFeature was used, including SSH Agent Service."
$SSHAgentFeature = $true
}
if ($pp.SSHServerFeature) {
Write-Host "/SSHServerFeature was used, including SSH Server Feature."
$SSHServerFeature = $true
}
if ($pp.OverWriteSSHDConf) {
Write-Host "/OverWriteSSHDConf was used, will overwrite any existing sshd_conf with one from install media."
$OverWriteSSHDConf = $true
}
if ($pp.SSHServerPort) {
$SSHServerPort = $pp.Get_Item("SSHServerPort")
Write-Host "/SSHServerPort was used, attempting to use SSHD listening port $SSHServerPort."
If (!$SSHServerFeature)
{
Write-Host "You forgot to specify /SSHServerFeature with /SSHServerPort, autofixing for you, enabling /SSHServerFeature"
$SSHServerFeature = $true
}
}
if ($pp.SSHLogLevel) {
$ValidLogSettings = @('QUIET', 'FATAL', 'ERROR', 'INFO', 'VERBOSE', 'DEBUG', 'DEBUG1', 'DEBUG2','DEBUG3')
$SSHLogLevel = $pp.Get_Item("SSHLogLevel").toupper()
If ($ValidLogSettings -inotcontains $SSHLogLevel)
{Throw "$SSHLogLevel is not one of the valid values: $(($ValidLogSettings -join ' ') | out-string)"}
Write-Host "/SSHLogLevel was used, setting LogLevel in sshd_conf to $SSHLogLevel"
}
Else
{
$SSHLogLevel = $null
}
if ($pp.AlsoLogToFile) {
$AlsoLogToFile = $True
Write-Host '/AlsoLogToFile was used, setting AlsoLogToFile to $True'
}
if ($pp.TERM) {
$TERM = $pp.Get_Item("TERM")
Write-Host "/TERM was used, setting system TERM environment variable to $TERM"
$TERMSwitchUsed = $True
}
if ($pp.KeyBasedAuthenticationFeature) {
Write-Host "Including Key based authentication."
$KeyBasedAuthenticationFeature = $true
If (!$SSHServerFeature)
{
Write-Warning "KeyBasedAuthenticationFeature was specified, but is only valid when SSHServerFeature is specified, ignoring..."
}
}
if ($pp.PathSpecsToProbeForShellEXEString) {
$PathSpecsToProbeForShellEXEString = $pp.Get_Item("PathSpecsToProbeForShellEXEString")
Write-Host "PathSpecsToProbeForShellEXEString was used, probing for suitable shell using search specs: $PathSpecsToProbeForShellEXEString"
}
if ($pp.AllowInsecureShellEXE) {
$AllowInsecureShellEXE = $True
}
if ($pp.SSHDefaultShellCommandOption) {
$SSHDefaultShellCommandOption = $pp.Get_Item("SSHDefaultShellCommandOption")
}
} else {
Write-Debug "No Package Parameters Passed in";
}
Function CheckServicePath ($ServiceEXE,$FolderToCheck)
{
if ($RunningOnNano) {
#The NANO TP5 Compatible Way:
Return ([bool](@(wmic service | ?{$_ -ilike "*$ServiceEXE*"}) -ilike "*$FolderToCheck*"))
}
Else
{
#The modern way:
Return ([bool]((Get-WmiObject win32_service | ?{$_.PathName -ilike "*$ServiceEXE*"} | select -expand PathName) -ilike "*$FolderToCheck*"))
}
}
#Extract Files Early
If ($RunningUnderChocolatey)
{
If (Test-Path $ExtractFolder)
{
Remove-Item $ExtractFolder -Recurse -Force
}
Get-ChocolateyUnzip "$filename" $ExtractFolder
}
Else
{
If (Test-Path "$toolsdir\7z.exe")
{
#covers nano
cd $toolsdir
start-process .\7z.exe -argumentlist "x `"$filename`" -o`"$ExtractFolder`" -aoa" -nonewwindow -wait
}
Else
{
Throw "You need a copy of 7z.exe next to this script for this operating system. You can get a copy at 7-zip.org"
}
}
If ($SSHServerFeature -OR $SSHAgentFeature)
{
. "$toolsdir\SetSpecialPrivileges.ps1"
}
If ($SSHServerFeature)
{ #Check if anything is already listening on port $SSHServerPort, which is not a previous version of this software.
$AtLeastOneSSHDPortListenerIsNotUs = $False
Write-Output "Probing for possible conflicts with SSHD server to be configured on port $SSHServerPort ..."
. "$toolsdir\Get-NetStat.ps1"
$procslisteningonRequestedSSHDPort = @(Get-Netstat -GetProcessDetails -FilterOnPort $SSHServerPort)
If ((checkservicepath 'svchost.exe -k SshBrokerGroup' 'Part of Microsoft SSH Server for Windows') -AND (checkservicepath 'svchost.exe -k SshProxyGroup' 'Part of Microsoft SSH Server for Windows'))
{
Write-Warning " > Detected that Developer Mode SSH is present (Probably due to enabling Windows 10 Developer Mode)"
$DeveloperModeSSHIsPresent = $True
}
If ($procslisteningonRequestedSSHDPort.count -ge 1)
{
ForEach ($proconRequestedSSHDPort in $procslisteningonRequestedSSHDPort)
{
Write-output " > Checking $($proconRequestedSSHDPort.Localaddressprocesspath) against path $TargetFolder"
If ("$($proconRequestedSSHDPort.Localaddressprocesspath)" -ilike "*$TargetFolder*")
{
Write-Output " > Found a previous version of Win32-OpenSSH installed by this package on Port $SSHServerPort."
}
Else
{
$AtLeastOneSSHDPortListenerIsNotUs = $True
Write-Warning " > Found something listening on Port $SSHServerPort that was not installed by this package."
Write-Warning " $($proconRequestedSSHDPort.LocalAddressProcessPath) is listening on Port $SSHServerPort"
$ProcessOccupyingPort = "$($proconRequestedSSHDPort.LocalAddressProcessPath)"
}
}
}
If ($AtLeastOneSSHDPortListenerIsNotUs)
{
$errorMessagePort = @"
"$ProcessOccupyingPort" is listening on port $SSHServerPort and you have not specified a different listening port (list above) using the /SSHServerPort parameter.
Please either deconfigure or deinstall whatever is running on Port $SSHServerPort and try again OR specify a different port for this SSHD Server using the /SSHServerPort package parameter.
If you see the message 'Detected that Developer Mode SSH is present' above, you may be able to simply disable the services 'SSHBroker' and 'SSHProxy'
"@
Throw $errorMessagePort
}
}
$SSHServiceInstanceExistsAndIsOurs = CheckServicePath 'sshd.exe' "$TargetFolder"
$SSHAGENTServiceInstanceExistsAndIsOurs = CheckServicePath 'ssh-agent.exe' "$TargetFolder"
If ($SSHServerFeature -AND (!$SSHServiceInstanceExistsAndIsOurs) -AND ([bool](Get-Service sshd -ErrorAction SilentlyContinue)))
{
$ExistingSSHDInstancePath = get-itemproperty hklm:\system\currentcontrolset\services\* | where {($_.ImagePath -ilike '*sshd.exe*')} | Select -expand ImagePath
Throw "You have requested that the SSHD service be installed, but this system appears to have an instance of an SSHD service configured for another folder ($ExistingSSHDInstancePath). You can remove the package switch /SSHServerFeature to install just the client tools, or you will need to remove that instance of SSHD to use the one that comes with this package."
}
If ((!$SSHServerFeature) -AND $SSHServiceInstanceExistsAndIsOurs)
{
Throw "There is a configured instance of the SSHD service, please specify the /SSHServerFeature to confirm it is OK to shutdown and upgrade the SSHD service at this time."
}
If ([bool](get-process ssh -erroraction silentlycontinue | where {$_.Path -ilike "*$TargetFolder*"}))
{
Throw "It appears you have instances of ssh.exe (client) running from the folder this package installs to, please terminate them and try again."
}
If ((Test-Path $TargetFolder) -AND (@(dir "$TargetFolder\*.exe").count -gt 0))
{
Write-Output "`r`nCURRENT VERSIONS OF SSH EXES:"
Write-Output "$(dir "$TargetFolder\*.exe"| select -expand fullname | get-command | select -expand fileversioninfo | ft filename, fileversion -auto | out-string)"
}
If ($SSHServiceInstanceExistsAndIsOurs -AND ([bool](Get-Service SSHD -ErrorAction SilentlyContinue | where {$_.Status -ieq 'Running'})))
{
#Shutdown and unregister service for upgrade
stop-service sshd -Force
Start-Sleep -seconds 3
If (([bool](Get-Service SSHD | where {$_.Status -ieq 'Running'})))
{
Throw "Could not stop the SSHD service, please stop manually and retry this package."
}
}
If ($SSHServiceInstanceExistsAndIsOurs)
{
Write-output "Stopping SSHD Service for upgrade..."
Stop-Service sshd
sc.exe delete sshd | out-null
}
If ($SSHAGENTServiceInstanceExistsAndIsOurs)
{
Stop-Service SSH-Agent -Force
Start-Sleep -seconds 3
If (([bool](Get-Service ssh-agent | where {$_.Status -ieq 'Running'})))
{
Throw "Could not stop the ssh-agent service, please stop manually and retry this package."
}
sc.exe delete ssh-agent | out-null
}
If ($OSBits -eq 64)
{
$SourceZipChecksum = $packageargs.checksum64
$SourceZipChecksumType = $packageargs.checksumType64
}
Else
{
$SourceZipChecksum = $packageargs.checksum
$SourceZipChecksumType = $packageargs.checksumType
}
If ([bool](get-command get-filehash -ea silentlycontinue))
{
If ((Get-FileHash $filename -Algorithm $SourceZipChecksumType).Hash -eq $SourceZipChecksum)
{
Write-Output "Hashes for internal source match"
}
Else
{
throw "Checksums for internal source do not match - something is wrong."
}
}
Else
{
Write-Output "Source files are internal to the package, checksums are not required nor checked."
}
Copy-Item "$ExtractFolder\*" "$PF" -Force -Recurse -Passthru -ErrorAction Stop
Copy-Item "$toolsdir\Set-SSHDefaultShell.ps1" "$TargetFolder" -Force -PassThru -ErrorAction Stop
Remove-Item "$ExtractFolder" -Force -Recurse
If ($RunningUnderChocolatey)
{
Install-ChocolateyPath "$TargetFolder" 'Machine'
}
Else
{
$PathToAdd = $TargetFolder
$ExistingPathArray = @(((Get-ItemProperty 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' | select -expand path).split(';')))
if (($ExistingPathArray -inotcontains $PathToAdd) -AND ($ExistingPathArray -inotcontains "$PathToAdd\"))
{
$Newpath = $ExistingPathArray + @("$PathToAdd")
$AssembledNewPath = ($newpath -join(';')).trimend(';')
Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name 'PATH' -Value "$AssembledNewPath"
}
}
If ($env:Path -inotlike "*$TargetFolder*")
{
$env:path += ";$TargetFolder"
}
$ExistingTermValue = $null
$ExistingTermValue = (get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -EA SilentlyContinue | Select -Expand TERM -EA SilentlyContinue)
If ((!$ExistingTermValue) -OR ($ExistingTermValue -ine $TERM))
{
Write-Host "Updating machine environment variable TERM from `"$ExistingTermValue`" to `"$TERM`""
Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name 'TERM' -Value "$TERM"
}
If ($SSHAgentFeature)
{
New-Service -Name ssh-agent -BinaryPathName "$TargetFolder\ssh-agent.exe" -Description "SSH Agent" -StartupType Automatic | Out-Null
cmd.exe /c 'sc.exe sdset ssh-agent D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RP;;;AU)'
Start-Service ssh-agent
Start-Sleep -seconds 3
}
If ($SSHServerFeature)
{
Write-Warning "You have specified SSHServerFeature - this machine is being configured as an SSH Server including opening port $SSHServerPort."
#create the ssh config folder and set its permissions
if(-not (test-path $sshdatadir -PathType Container))
{
$null = New-Item $sshdatadir -ItemType Directory -Force -ErrorAction Stop
}
$acl = Get-Acl -Path $sshdatadir
# following SDDL implies
# - owner - built in Administrators
# - disabled inheritance
# - Full access to System
# - Full access to built in Administrators
# - Read and execute (0x1200a9) for Authenticated Users
$acl.SetSecurityDescriptorSddlForm("O:BAD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)")
Set-Acl -Path $sshdatadir -AclObject $acl
# create logs folder and set its permissions
if(-not (test-path $logsdir -PathType Container))
{
$null = New-Item $logsdir -ItemType Directory -Force -ErrorAction Stop
}
$acl = Get-Acl -Path $logsdir
# following SDDL implies
# - owner - built in Administrators
# - disabled inheritance
# - Full access to System
# - Full access to built in Administrators
$acl.SetSecurityDescriptorSddlForm("O:BAD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)")
Set-Acl -Path $logsdir -AclObject $acl
If((Test-Path "$TargetFolder\sshd_config"))
{
Write-Host "Migrating existing sshd_config to new location `"$sshdatadir`""
Move-Item "$TargetFolder\sshd_config" $sshdatadir -force
}
#for clean config copy sshd_config_default to $sshdatadir\sshd_config
$sshdconfigpath = Join-Path $sshdatadir "sshd_config"
$sshddefaultconfigpath = Join-Path $TargetFolder "sshd_config_default"
if(-not (test-path $sshdconfigpath -PathType Leaf))
{
$null = Copy-Item $sshddefaultconfigpath -Destination $sshdconfigpath -ErrorAction Stop
}
If((Test-Path "$TargetFolder\ssh_host_*"))
{
Write-Host "Migrating existing ssh host keys to new location `"$sshdatadir`""
Move-Item "$TargetFolder\ssh_host_*" $sshdatadir -force
}
If ($RunningOnNano)
{
Write-Warning "Running on Nano, forcing /AlsoLogToFile on"
$AlsoLogToFile = $True
}
If((Test-Path "$sshdconfigpath"))
{
$CurrentLogLevelConfig = ((gc "$sshdconfigpath") -imatch "^#*LogLevel\s\w*\b.*$")
Write-Output 'Setting up SSH Logging'
If ($SSHLogLevel)
{ #command line specified a log level - override whatever is there
If ([bool]($CurrentLogLevelConfig -inotmatch "^LogLevel\s$SSHLogLevel\s*$"))
{
Write-Output "Current LogLevel setting in `"$sshdconfigpath`" is `"$CurrentLogLevelConfig`", setting it to `"LogLevel $SSHLogLevel`""
(Get-Content "$sshdconfigpath") -replace "^#*LogLevel\s\w*\b.*$", "LogLevel $SSHLogLevel" | Set-Content "$sshdconfigpath"
}
}
$CurrentPortConfig = ((gc "$sshdconfigpath") -match "^#*Port\s\d*\s*$")
If ([bool]($CurrentPortConfig -notmatch "^Port $SSHServerPort"))
{
Write-Output "Current port setting in `"$sshdconfigpath`" is `"$CurrentPortConfig`", setting it to `"Port $SSHServerPort`""
(Get-Content "$sshdconfigpath") -replace "^#*Port\s\d*\s*$", "Port $SSHServerPort" | Set-Content "$sshdconfigpath"
}
Else
{
Write-Output "Current port setting in `"$sshdconfigpath`" already matches `"Port $SSHServerPort`", no action necessary."
}
If ($AlsoLogToFile)
{
If ((Get-Content "$sshdconfigpath") -notmatch "^Subsystem\ssftp\ssftp-server\.exe.*LOCAL0.*$")
{
(Get-Content "$sshdconfigpath") -replace "^Subsystem\ssftp\ssftp-server\.exe.*$", "SyslogFacility LOCAL0" | Set-Content "$sshdconfigpath"
}
}
}
If ($PathSpecsToProbeForShellEXEString)
{
$ParamsSSHDefaultShell = @{}
$ParamsSSHDefaultShell.add('PathSpecsToProbeForShellEXEString',"$PathSpecsToProbeForShellEXEString")
If ($AllowInsecureShellEXE) {$ParamsSSHDefaultShell += @{'AllowInsecureShellEXE'=$AllowInsecureShellEXE}}
If ($SSHDefaultShellCommandOption) {$ParamsSSHDefaultShell += @{'SSHDefaultShellCommandOption'="$SSHDefaultShellCommandOption"}}
Write-Host "$ParamsSSHDefaultShell"
. $TargetFolder\Set-SSHDefaultShell.ps1 @ParamsSSHDefaultShell
}
netsh advfirewall firewall add rule name='SSHD Port OpenSSH (chocolatey package: openssh)' dir=in action=allow protocol=TCP localport=$SSHServerPort
If (!$RunningOnNano)
{
$etwman = Join-Path $TargetFolder "openssh-events.man"
# unregister etw provider
wevtutil um `"$etwman`"
# adjust provider resource path in instrumentation manifest
[XML]$xml = Get-Content $etwman
$xml.instrumentationManifest.instrumentation.events.provider.resourceFileName = $sshagentpath.ToString()
$xml.instrumentationManifest.instrumentation.events.provider.messageFileName = $sshagentpath.ToString()
$xml.Save($etwman)
#register etw provider
wevtutil im `"$etwman`"
}
New-Service -Name sshd -BinaryPathName "$TargetFolder\sshd.exe" -Description "SSH Daemon" -StartupType Automatic | Out-Null
Write-Host "Ensuring all ssh key and configuration files have correct permissions for all users"
. "$TargetFolder\FixHostFilePermissions.ps1" -Confirm:$false
}
If (CheckServicePath 'sshd.exe' "$TargetFolder")
{
write-output "Starting SSHD..."
Start-Service SSHD
}
If (CheckServicePath 'ssh-agent.exe' "$TargetFolder")
{
write-output "Starting SSH-Agent..."
Start-Service SSH-Agent
}
$fullpathkeylist = "'$sshdatadir\ssh_host_dsa_key'", "'$sshdatadir\ssh_host_rsa_key'", "'$sshdatadir\ssh_host_ecdsa_key'", "'$sshdatadir\ssh_host_ed25519_key'"
If (Test-Path "$TargetFolder\ssh.exe")
{
Write-Output "`r`nNEW VERSIONS OF SSH EXES:"
Write-Output "$(dir "$TargetFolder\*.exe" | select -expand fullname | get-command | select -expand fileversioninfo | ft filename, fileversion -auto | out-string)"
}
write-output ""
Write-Warning "You must start a new prompt, or use the command 'refreshenv' (provided by your chocolatey install) to re-read the environment for the tools to be available in this shell session."
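The install script above edits sshd_config with line-oriented `-replace` calls for Port, LogLevel and, when /AlsoLogToFile is used, SyslogFacility. The following PowerShell is an added example written for this page, not code from the package or its author: a small idempotent directive setter that rewrites (or uncomments) the first matching directive and appends it when it is absent, run over a constructed sample config so it can be tried offline. `Set-SshdDirective` and `$SampleSshdConfig` are names introduced here.

```powershell
# Added example for this page, not part of the openssh package.
# Constructed sample of a Win32-OpenSSH sshd_config; the shipped default
# has Port and LogLevel commented out, as here.
$SampleSshdConfig = @'
#Port 22
#LogLevel INFO
Subsystem sftp sftp-server.exe
PasswordAuthentication yes
'@ -split "`r?`n"

function Set-SshdDirective {
    param(
        [string[]]$Content,  # sshd_config as an array of lines
        [string]$Name,       # directive keyword, e.g. Port
        [string]$Value       # value to enforce, e.g. 2222
    )
    # Matches the directive whether it is active ("Port 22") or commented out ("#Port 22").
    $pattern = '^\s*#?\s*' + [regex]::Escape($Name) + '\s+\S'
    $desired = "$Name $Value"
    $found = $false
    [string[]]$out = foreach ($line in $Content) {
        if (-not $found -and $line -imatch $pattern) {
            $found = $true
            $desired            # first occurrence is rewritten (or uncommented)
        }
        else {
            $line               # every other line passes through untouched
        }
    }
    if (-not $found) {
        $out += $desired        # directive absent: append instead of clobbering another line
    }
    return ,$out
}

$cfg = Set-SshdDirective -Content $SampleSshdConfig -Name 'Port' -Value '2222'
$cfg = Set-SshdDirective -Content $cfg -Name 'LogLevel' -Value 'VERBOSE'
# SyslogFacility is absent from the sample, so it is appended; the Subsystem sftp line stays.
$cfg = Set-SshdDirective -Content $cfg -Name 'SyslogFacility' -Value 'LOCAL0'
# Re-running a call with the same value is a no-op.
$again = Set-SshdDirective -Content $cfg -Name 'Port' -Value '2222'

$cfg -join "`n"
"Idempotent: $(@(Compare-Object $cfg $again).Count -eq 0)"
```

In a real install step the resulting array would be written back with `Set-Content $sshdconfigpath -Value $cfg`. Because the setter only touches a line that begins with the requested keyword, enabling `SyslogFacility LOCAL0` never replaces an unrelated directive, and running the same call on every upgrade leaves an already-correct file unchanged.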
$ErrorActionPreference = 'Stop'; # stop on all errors
$ProductName = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name 'ProductName').ProductName
$EditionId = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name 'EditionID').EditionId
Write-Output "Running on: $ProductName, ($EditionId)"
$RunningOnNano = $False
If ($EditionId -ilike '*Nano*')
{$RunningOnNano = $True}
If (Test-Path variable:shimgen)
{$RunningUnderChocolatey = $True}
Else
{ Write-Output "Running Without Chocolatey"
$RunningUnderChocolatey = $False}
$packageName= 'openssh'
$toolsDir = "$(Split-Path -parent $MyInvocation.MyCommand.Definition)"
$OSBits = ([System.IntPtr]::Size * 8) #Get-ProcessorBits
#On 64-bit, always favor 64-bit Program Files no matter what our execution is now (works back past XP / Server 2003)
If ($env:ProgramFiles.contains('x86'))
{
$PF = $env:ProgramFiles.replace(' (x86)','')
}
Else
{
$PF = $env:ProgramFiles
}
#$TargetFolder = "$PF\OpenSSH"
$TargetFolder = "$PF\OpenSSH-Win$($OSBits)"
$TargetFolderOld = "$PF\OpenSSH-Win$($OSBits)"
$sshdpath = Join-Path $TargetFolder "sshd.exe"
$sshagentpath = Join-Path $TargetFolder "ssh-agent.exe"
$sshdatadir = Join-Path $env:ProgramData "\ssh"
$logsdir = Join-Path $sshdatadir "logs"
If ($RunningUnderChocolatey)
{
# Default the values before reading params
$SSHServerFeature = $false
$KeyBasedAuthenticationFeature = $false
$DeleteConfigAndServerKeys = $false
$arguments = @{};
$packageParameters = $env:chocolateyPackageParameters
}
# Now parse the packageParameters using good old regular expressions
if ((test-path variable:packageparameters) -AND $packageParameters) {
$match_pattern = "\/(?<option>([a-zA-Z]+)):(?<value>([`"'])?([a-zA-Z0-9- _\\:\.]+)([`"'])?)|\/(?<option>([a-zA-Z]+))"
#"
$option_name = 'option'
$value_name = 'value'
if ($packageParameters -match $match_pattern ){
$results = $packageParameters | Select-String $match_pattern -AllMatches
$results.matches | % {
$arguments.Add(
$_.Groups[$option_name].Value.Trim(),
$_.Groups[$value_name].Value.Trim())
}
}
else
{
throw "Package Parameters were found but were invalid (REGEX Failure)"
}
if ($arguments.ContainsKey("SSHServerFeature")) {
Write-Host "/SSHServerFeature - Uninstalling SSH Server Feature if Present."
$SSHServerFeature = $true
}
if ($arguments.ContainsKey("DeleteConfigAndServerKeys")) {
Write-Host "/DeleteConfigAndServerKeys - Removing SSH Config and Server Keys."
$DeleteConfigAndServerKeys = $true
}
} else {
Write-Debug "No Package Parameters Passed in";
}
Function CheckServicePath ($ServiceEXE,$FolderToCheck)
{
if ($RunningOnNano) {
#The NANO TP5 Compatible Way:
Return ([bool](@(wmic service | ?{$_ -ilike "*$ServiceEXE*"}) -ilike "*$FolderToCheck*"))
}
Else
{
#The modern way:
Return ([bool]((Get-WmiObject win32_service | ?{$_.PathName -ilike "*$ServiceEXE*"} | select -expand PathName) -ilike "*$FolderToCheck*"))
}
}
#$SSHServiceInstanceExistsAndIsOurs = ([bool]((Get-WmiObject win32_service | ?{$_.Name -ilike 'sshd'} | select -expand PathName) -ilike "*$TargetFolder*"))
$SSHServiceInstanceExistsAndIsOurs = CheckServicePath 'sshd' "$TargetFolder"
#$SSHAGENTServiceInstanceExistsAndIsOurs = ([bool]((Get-WmiObject win32_service | ?{$_.Name -ilike 'ssh-agent'} | select -expand PathName) -ilike "*$TargetFolder*"))
$SSHAGENTServiceInstanceExistsAndIsOurs = CheckServicePath 'ssh-agent' "$TargetFolder"
If ($SSHServerFeature -AND (!$SSHServiceInstanceExistsAndIsOurs) -AND (Get-Service sshd -ErrorAction SilentlyContinue))
{
$ExistingSSHDInstancePath = (Get-WmiObject win32_service | ?{$_.Name -ilike 'sshd'} | select -expand PathName)
# Warn rather than throw so the assignment below runs and the client tools are still removed.
Write-Warning "You have requested that the SSHD service be uninstalled, but this system appears to have an instance of an SSHD service configured for another folder ($ExistingSSHDInstancePath). Ignoring /SSHServerFeature"
$SSHServerFeature = $False
}
If ((!$SSHServerFeature) -AND $SSHServiceInstanceExistsAndIsOurs)
{
Throw "There is a configured instance of the SSHD service, please specify the /SSHServerFeature to confirm it is OK to UNINSTALL the SSHD service at this time."
}
# Compare against $TargetFolder (an undefined variable here would make the wildcard match every ssh.exe)
If ([bool](get-process ssh -erroraction silentlycontinue | where {$_.Path -ilike "*$TargetFolder*"}))
{
Throw "It appears you have instances of ssh.exe (client) running from the folder this package installs to, please terminate them and try again."
}
If ($SSHServiceInstanceExistsAndIsOurs -AND ([bool](Get-Service SSHD -ErrorAction SilentlyContinue | where {$_.Status -ieq 'Running'})))
{
Stop-Service SSHD -Force
Start-Sleep -seconds 3
If (([bool](Get-Service SSHD | where {$_.Status -ieq 'Running'})))
{
Throw "Could not stop the SSHD service, please stop it manually and retry this package."
}
$etwman = Join-Path $TargetFolder "openssh-events.man"
# unregister etw provider
wevtutil um `"$etwman`"
Stop-Service sshd -Force
sc.exe delete sshd | out-null
}
If ($SSHAGENTServiceInstanceExistsAndIsOurs)
{
Stop-Service SSH-Agent -Force
Start-Sleep -seconds 3
If (([bool](Get-Service ssh-agent | where {$_.Status -ieq 'Running'})))
{
Throw "Could not stop the ssh-agent service, please stop manually and retry this package."
}
sc.exe delete ssh-agent | out-null
}
If (Test-Path $TargetFolder) {Remove-Item "$TargetFolder" -Recurse -Force}
#Don't remove config in case they reinstall.
If (($SSHServiceInstanceExistsAndIsOurs -AND $DeleteConfigAndServerKeys) -OR (!$SSHServiceInstanceExistsAndIsOurs))
{
Write-Warning "Removing all config and server keys as requested by /DeleteConfigAndServerKeys"
If (Test-Path $sshdatadir) {Remove-Item "$sshdatadir" -Recurse -Force}
}
netsh advfirewall firewall delete rule name='SSHD Port OpenSSH (chocolatey package: openssh)'
$PathToRemove = "$TargetFolder"
#Code has been modified to work with Nano - do not change method of environment variable access
#foreach ($path in [Environment]::GetEnvironmentVariable("PATH","Machine").split(';'))
foreach ($path in ((Get-ItemProperty 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment').path.split(';')))
{
If ($Path)
{
If (($path -ine "$PathToRemove") -AND ($path -ine "$PathToRemove\"))
{
[string[]]$Newpath += "$path"
}
}
}
$AssembledNewPath = ($newpath -join(';')).trimend(';')
Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name 'PATH' -Value "$AssembledNewPath"
$TermVarExists = [bool](get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name 'TERM' -EA SilentlyContinue)
If ($TermVarExists)
{
Remove-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name 'TERM'
}
function Get-NetStat
{
<#
.SYNOPSIS
This function will get the output of netstat -n and parse the output
.DESCRIPTION
This function will get the output of netstat -n and parse the output
.LINK
http://www.lazywinadmin.com/2014/08/powershell-parse-this-netstatexe.html
.NOTES
Francois-Xavier Cat
www.lazywinadmin.com
@LazyWinAdm
2016/09/20 - Modified by DarwinJS to:
- only grab TCP ports so that parsing PID would be reliable (and is sufficient for my purposes)
- If -GetProcessDetails
- parse PID
- use "get-process" to find exe name (netstat -b is not pulling it for my scenario)
- finds a full process path name in a Nano TP5 compatible way (WMIC)
- If -ShowProgress - show progress bar - takes a while to grab all exe paths for all processes
- If -FilterOnPorts - filter results for these ports before grabbing process details
#>
Param (
[switch]$ShowProgress,
[string[]]$FilterOnPorts,
[switch]$GetProcessDetails
)
PROCESS
{
# Get the output of netstat
$data = netstat -a -n -o -p TCP | select -skip 4
# Keep only the line with the data (we remove the first lines)
#$data = $data[4..$data.count]
# Each line needs to be split and stripped of unnecessary spaces
foreach ($line in $data)
{
If ($ShowProgress)
{
$ItemBeingProcessed++
$percentdone = [math]::round(($ItemBeingProcessed/$data.count) * 100)
Write-Progress -Activity "Probing Listening Ports" -Status "$percentdone% Complete:" -PercentComplete $percentdone
}
$AddInstance = $True
# Get rid of the first whitespaces, at the beginning of the line
$line = $line -replace '^\s+', ''
# Split each property on whitespaces block
$line = $line -split '\s+'
# Port is everything after the last colon so IPv6 listeners such as [::]:22 parse too
$PortFromNetStat = $line[1].Substring($line[1].LastIndexOf(':') + 1).trim(' ')
If ($FilterOnPorts)
{
If (!($FilterOnPorts -contains $PortFromNetStat))
{
$AddInstance = $False
}
}
If ($GetProcessDetails -AND $AddInstance)
{
If ($line[4].length -ge 1)
{
$ProcessInfo = Get-Process -id $($line[4])
$ProcessEXEPath = $null
If ([string](wmic process where "ProcessId='$($line[4])'" get ExecutablePath /format:list) -match "[A-Z]:\\.*exe")
{
#write-output "match: *$($Matches[0])*"
$ProcessEXEPath = "$($Matches[0])"
}
<#
If (Test-Path variable:matches) {write-host "got a match"}
If ($getresult.GetType().Name -eq 'Boolean')
{
$ProcessEXEPath = ($Matches[0]).trimend(' ')
}
ElseIf ($getresult.GetType().Name -eq 'String')
{
$ProcessEXEPath = $getresult.trimend(' ')
}
Else
{
$ProcessEXEPath = ''
}
#>
}
}
If ($AddInstance)
{
# Define the properties
$properties = @{
Protocol = $line[0].trim(' ')
LocalAddressIP = $line[1].Substring(0, [math]::Max($line[1].LastIndexOf(':'), 0)).trim(' ')
LocalAddressPort = $PortFromNetStat
LocalAddressPID = ($line[4]).trim(' ')
LocalAddressProcessName = $ProcessInfo.Name
LocalAddressProcessPath = $ProcessEXEPath
ForeignAddressIP = $line[2].Substring(0, [math]::Max($line[2].LastIndexOf(':'), 0)).trim(' ')
ForeignAddressPort = $line[2].Substring($line[2].LastIndexOf(':') + 1).trim(' ')
State = $line[3]
}
# Output the current line
New-Object -TypeName PSObject -Property $properties
}
}
}
}
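The port-conflict probe in the install script (the `Get-Netstat -GetProcessDetails -FilterOnPort` call and the loop that compares each listener's process path against `$TargetFolder`) and the Get-NetStat parser above rest on the same two steps: turning `netstat -a -n -o -p TCP` rows into objects and deciding whether the owning executable lives in the package's install folder. The following PowerShell is an added example written for this page, not code from the package or its author: it runs those steps over a constructed netstat sample and a constructed PID-to-path table so it can be tried offline, and it goes beyond the page's parser by splitting on the last colon so IPv6 listeners such as `[::]:22` are recognised. `ConvertFrom-NetstatOutput`, `Test-SshdPortConflict`, `$SampleNetstat` and `$SamplePidPaths` are names introduced here.

```powershell
# Added example for this page, not part of the openssh package.
# Constructed sample of 'netstat -a -n -o -p TCP' output, header included.
$SampleNetstat = @'

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    [::]:22                [::]:0                 LISTENING       1234
  TCP    10.0.0.5:49700         10.0.0.9:443           ESTABLISHED     4321
'@ -split "`r?`n"

# Constructed PID-to-executable map standing in for the per-process WMIC lookup.
$SamplePidPaths = @{
    '1234' = 'C:\Program Files\OpenSSH-Win64\sshd.exe'
    '880'  = 'C:\Windows\System32\svchost.exe'
    '4321' = 'C:\Program Files\Contoso\agent.exe'
}

function ConvertFrom-NetstatOutput {
    param([string[]]$Lines, [hashtable]$PidPaths)
    foreach ($line in $Lines) {
        $fields = $line.Trim() -split '\s+'
        # Data rows have five columns and start with TCP; headers and blank lines are skipped.
        if ($fields.Count -lt 5 -or $fields[0] -ne 'TCP') { continue }
        # Split on the last colon so [::]:22 yields port 22 rather than an empty string.
        $local = $fields[1];  $li = $local.LastIndexOf(':')
        $remote = $fields[2]; $ri = $remote.LastIndexOf(':')
        [pscustomobject]@{
            Protocol                = $fields[0]
            LocalAddressIP          = $local.Substring(0, $li)
            LocalAddressPort        = $local.Substring($li + 1)
            ForeignAddressIP        = $remote.Substring(0, $ri)
            ForeignAddressPort      = $remote.Substring($ri + 1)
            State                   = $fields[3]
            LocalAddressPID         = $fields[4]
            LocalAddressProcessPath = $PidPaths[$fields[4]]
        }
    }
}

function Test-SshdPortConflict {
    param([string]$Port, [string]$TargetFolder, [object[]]$Listeners)
    $foreign = @()
    $onPort = $Listeners | Where-Object { $_.State -eq 'LISTENING' -and $_.LocalAddressPort -eq $Port }
    foreach ($l in $onPort) {
        if ("$($l.LocalAddressProcessPath)" -ilike "*$TargetFolder*") {
            Write-Host " > $($l.LocalAddressProcessPath) on port $Port was installed by this package"
        }
        else {
            Write-Warning " > $($l.LocalAddressProcessPath) is listening on port $Port and was not installed by this package"
            $foreign += $l.LocalAddressProcessPath
        }
    }
    # Returns the distinct foreign listener paths; an empty result means the port is safe to take.
    return ,@($foreign | Select-Object -Unique)
}

$listeners = ConvertFrom-NetstatOutput -Lines $SampleNetstat -PidPaths $SamplePidPaths

# Same install folder as the running sshd: nothing foreign, the install may proceed.
$conflicts = Test-SshdPortConflict -Port '22' -TargetFolder 'C:\Program Files\OpenSSH-Win64' -Listeners $listeners
"Conflicts for the Win64 folder: $($conflicts.Count)"

# A different install folder: the same sshd now counts as a conflict, the case the package throws on.
$conflicts = Test-SshdPortConflict -Port '22' -TargetFolder 'C:\Program Files\OpenSSH-Win32' -Listeners $listeners
"Conflicts for the Win32 folder: $($conflicts.Count)"
```

To use it against a live system, replace `$SampleNetstat` with the output of `netstat -a -n -o -p TCP` and build the PID map from the process lookup of your choice; the decision logic stays the same.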
This file is part of the OpenSSH software.
The licences which components of this software fall under are as
follows. First, we will summarize and say that all components
are under a BSD licence, or a licence more free than that.
OpenSSH contains no GPL code.
1)
* Copyright (c) 1995 Tatu Ylonen <[email protected]>, Espoo, Finland
* All rights reserved
*
* As far as I am concerned, the code I have written for this software
* can be used freely for any purpose. Any derived versions of this
* software must be clearly marked as such, and if the derived work is
* incompatible with the protocol description in the RFC file, it must be
* called by a name other than "ssh" or "Secure Shell".
[Tatu continues]
* However, I am not implying to give any licenses to any patents or
* copyrights held by third parties, and the software includes parts that
* are not under my direct control. As far as I know, all included
* source code is used in accordance with the relevant license agreements
* and can be used freely for any purpose (the GNU license being the most
* restrictive); see below for details.
[However, none of that term is relevant at this point in time. All of
these restrictively licenced software components which he talks about
have been removed from OpenSSH, i.e.,
- RSA is no longer included, found in the OpenSSL library
- IDEA is no longer included, its use is deprecated
- DES is now external, in the OpenSSL library
- GMP is no longer used, and instead we call BN code from OpenSSL
- Zlib is now external, in a library
- The make-ssh-known-hosts script is no longer included
- TSS has been removed
- MD5 is now external, in the OpenSSL library
- RC4 support has been replaced with ARC4 support from OpenSSL
- Blowfish is now external, in the OpenSSL library
[The licence continues]
Note that any information and cryptographic algorithms used in this
software are publicly available on the Internet and at any major
bookstore, scientific library, and patent office worldwide. More
information can be found e.g. at "http://www.cs.hut.fi/crypto".
The legal status of this program is some combination of all these
permissions and restrictions. Use only at your own responsibility.
You will be responsible for any legal consequences yourself; I am not
making any claims whether possessing or using this is legal or not in
your country, and I am not taking any responsibility on your behalf.
NO WARRANTY
BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
2)
The 32-bit CRC compensation attack detector in deattack.c was
contributed by CORE SDI S.A. under a BSD-style license.
* Cryptographic attack detector for ssh - source code
*
* Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina.
*
* All rights reserved. Redistribution and use in source and binary
* forms, with or without modification, are permitted provided that
* this copyright notice is retained.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
* WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR
* CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS
* SOFTWARE.
*
* Ariel Futoransky <[email protected]>
* <http://www.core-sdi.com>
3)
ssh-keyscan was contributed by David Mazieres under a BSD-style
license.
* Copyright 1995, 1996 by David Mazieres <[email protected]>.
*
* Modification and redistribution in source and binary forms is
* permitted provided that due credit is given to the author and the
* OpenBSD project by leaving this copyright notice intact.
4)
The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers
and Paulo Barreto is in the public domain and distributed
with the following license:
* @version 3.0 (December 2000)
*
* Optimised ANSI C code for the Rijndael cipher (now AES)
*
* @author Vincent Rijmen <[email protected]>
* @author Antoon Bosselaers <[email protected]>
* @author Paulo Barreto <[email protected]>
*
* This code is hereby placed in the public domain.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
* OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
5)
One component of the ssh source code is under a 3-clause BSD license,
held by the University of California, since we pulled these parts from
original Berkeley code.
* Copyright (c) 1983, 1990, 1992, 1993, 1995
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
6)
Remaining components of the software are provided under a standard
2-term BSD licence with the following names as copyright holders:
Markus Friedl
Theo de Raadt
Niels Provos
Dug Song
Aaron Campbell
Damien Miller
Kevin Steves
Daniel Kouril
Wesley Griffin
Per Allansson
Nils Nordman
Simon Wilkinson
Portable OpenSSH additionally includes code from the following copyright
holders, also under the 2-term BSD license:
Ben Lindstrom
Tim Rice
Andre Lucas
Chris Adams
Corinna Vinschen
Cray Inc.
Denis Parker
Gert Doering
Jakob Schlyter
Jason Downs
Juha Yrjölä
Michael Stone
Networks Associates Technology, Inc.
Solar Designer
Todd C. Miller
Wayne Schroeder
William Jones
Darren Tucker
Sun Microsystems
The SCO Group
Daniel Walsh
Red Hat, Inc
Simon Vallet / Genoscope
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
8) Portable OpenSSH contains the following additional licenses:
a) md5crypt.c, md5crypt.h
* "THE BEER-WARE LICENSE" (Revision 42):
* <[email protected]> wrote this file. As long as you retain this
* notice you can do whatever you want with this stuff. If we meet
* some day, and you think this stuff is worth it, you can buy me a
* beer in return. Poul-Henning Kamp
b) snprintf replacement
* Copyright Patrick Powell 1995
* This code is based on code written by Patrick Powell
* ([email protected]) It may be used for any purpose as long as this
* notice remains intact on all source code distributions
c) Compatibility code (openbsd-compat)
Apart from the previously mentioned licenses, various pieces of code
in the openbsd-compat/ subdirectory are licensed as follows:
Some code is licensed under a 3-term BSD license, to the following
copyright holders:
Todd C. Miller
Theo de Raadt
Damien Miller
Eric P. Allman
The Regents of the University of California
Constantin S. Svintsoff
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
Some code is licensed under an ISC-style license, to the following
copyright holders:
Internet Software Consortium.
Todd C. Miller
Reyk Floeter
Chad Mynhier
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND TODD C. MILLER DISCLAIMS ALL
* WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL TODD C. MILLER BE LIABLE
* FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Some code is licensed under a MIT-style license to the following
copyright holders:
Free Software Foundation, Inc.
* Permission is hereby granted, free of charge, to any person obtaining a *
* copy of this software and associated documentation files (the *
* "Software"), to deal in the Software without restriction, including *
* without limitation the rights to use, copy, modify, merge, publish, *
* distribute, distribute with modifications, sublicense, and/or sell *
* copies of the Software, and to permit persons to whom the Software is *
* furnished to do so, subject to the following conditions: *
* *
* The above copyright notice and this permission notice shall be included *
* in all copies or substantial portions of the Software. *
* *
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS *
* OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF *
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. *
* IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, *
* DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR *
* OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR *
* THE USE OR OTHER DEALINGS IN THE SOFTWARE. *
* *
* Except as contained in this notice, the name(s) of the above copyright *
* holders shall not be used in advertising or otherwise to promote the *
* sale, use or other dealings in this Software without prior written *
* authorization. *
****************************************************************************/
------
$OpenBSD: LICENCE,v 1.19 2004/08/30 09:18:08 markus Exp $
md5: 7A0B52CDA06267A559487DC396FF6E73 | sha1: 6C30A8BDF8CD6838AE05DE3CCD251399E6EA69E0 | sha256: 0221324212413A6CAF260F95E308D22F8C141FC37727B622A6AD50998C46D226 | sha512: E3BA778AA2A13CDBAF9F35A6A04BB7CA12644D5B8AE1F008CC218CB987BDE7BCE757E622DC8E7252BFA513B4799718A21587D1E1096FD4DEE0FCB4273D163083
md5: 3C01A3A26AB72A20A49C41CCE64BA1C2 | sha1: D3EA57408C0D3CF83167DF39639FED5397358B79 | sha256: 9F9215DC0B823264D52603F4767D8531880DDFA9AEDF16404923814C0AB086B7 | sha512: 7AD09A934EEE678BB9D5DC14F5ADAF156A8BCBCD50D23C61597A2E651F7A1C3E9C1DD6539CFAC4481A588CEC5D912BA2B20DC4A52C6916F9581BF8D7F8F80FE6
<#
.SYNOPSIS
This script sets the default shell options for OpenSSH. It is run during the OpenSSH universal installer and can be called separately to update the default shell exe after a related update (e.g. updating PowerShell Core).
.DESCRIPTION
This script is used during OpenSSH install if the appropriate package options were specified.
It can also be used separately (such as calling it after installing a new version of PowerShell Core
or updating another shell that should be the default for OpenSSH).
#It never really makes sense to search for cmd.exe, as that is the default behavior, and you shouldn't try to put old versions of cmd.exe on a newer version of Windows
(I guess the exception would be configuring ssh to use 32-bit cmd.exe under 64-bit sshd.exe system - no I don't know why you would do that - but Murphy predicts someone out there will need to - hopefully not you)
#"Windows PowerShell" should always be at the end of a multi-filespec request because it will always be found
#Environment variables are preferred for paths so that your call also applies to Windows installs that are not on C: and to folder-redirection scenarios
#If the list of path specs does not result in one or more valid results, then the default behavior (no registry keys) is used (graceful fall through)
# ATTENTION - if you run this package under a 32-bit process on 64-bit Windows (e.g. SCCM "Package" objects), it will set up 32-bit system exes as the shell for 64-bit sshd.exe
Rules (For the sake of sanity, don't read these rules if you just want to do something simple like set Windows PowerShell to be your default ssh shell - use the examples)
- the combined results will be in the order that the filespecs are provided, so that precedence can be specified for specific shell EXE filenames
- the exes in each filespec can be the same (when searching multiple folder hierarchies for the same shell exe) or different (when giving preference to one shell EXE, but providing a fall-through default if none are found)
- wildcards can only be used in the pathname, not the filename (filename wildcards will cause the filespec to be filtered out of the list)
- each filespec must be searching for a SPECIFIC exe file (cannot search for <something>\*.exe nor <something>\* nor anything not ending in .exe) (any that don't match are filtered out of the filespec list)
- each filespec result set is sorted by descending version number before being concatenated to the combined result list, so that the newest of that shell exe will be chosen
- because early PowerShell Core exes do not include versions in the PE header, they are sorted by full folder name, which includes the version
- the file list will only contain actually found EXEs
- the file list is screened for known secure folders that require admin rights to update on Windows configured with default security (the rest are filtered out)
- the first valid hit in the overall resultant file list will be used.
- if you do not want version autoselection, then specify the exact path to the exact version you wish to have considered
.LINK
http://www.lazywinadmin.com/2014/08/powershell-parse-this-netstatexe.html
.EXAMPLE
#All of these filespecs will be filtered out (dropped) because you can't wildcard the exe name; for security's sake you must know what the shell is called to use it:
-PathSpecsToProbeForShellEXEString "$env:userprofile\downloads\*.exe;c:\Program Files\PowerShell\*\P*.exe;c:\windows\system32\*"
.EXAMPLE
#Windows PowerShell instead of the default cmd.exe; if not found, default behavior (no registry key created, cmd.exe is the ssh default):
-PathSpecsToProbeForShellEXEString "$env:windir\system32\windowspowershell\v1.0\powershell.exe"
.EXAMPLE
#The latest version of powershell core (including favoring the new EXE name), if not found, use windows powershell
-PathSpecsToProbeForShellEXEString "$env:programfiles\PowerShell\*\pwsh.exe;$env:programfiles\PowerShell\*\Powershell.exe;c:\windows\system32\windowspowershell\v1.0\powershell.exe"
.EXAMPLE
#The latest version of Ruby, if not found, powershell core if not found, default behavior (no registry key created, cmd.exe is ssh default)
-PathSpecsToProbeForShellEXEString "c:\tools\ruby*\bin\ruby.exe;c:\Program Files\PowerShell\*\pwsh.exe;c:\Program Files\PowerShell\*\Powershell.exe"
#I have no idea if ruby can actually be an SSH shell - just an example
.EXAMPLE
#Windows Subsystem for Linux Bash.exe, if not found, the latest version of git's bash.exe, if not found, default behavior (no registry key created, cmd.exe is ssh default)
-PathSpecsToProbeForShellEXEString "$env:windir\system32\bash.exe;$env:programfiles\Git\usr\bin\bash.exe"
#I have no idea if git's bash can actually be an SSH shell - just an example
.EXAMPLE
#Specific version of powershell core, if not found, windows powershell
-PathSpecsToProbeForShellEXEString "c:\Program Files\PowerShell\6.0.0-beta.6\Powershell.exe;c:\windows\system32\windowspowershell\v1.0\powershell.exe"
.EXAMPLE
#malware.exe filtered out because it is not in a secure folder, Specific version of powershell core, if not found, windows powershell
-PathSpecsToProbeForShellEXEString "$env:userprofile\downloads\malware.exe;c:\Program Files\PowerShell\6.0.0-beta.6\Powershell.exe;c:\windows\system32\windowspowershell\v1.0\powershell.exe"
.EXAMPLE
#malware.exe is used because of -AllowInsecureShellEXE
-AllowInsecureShellEXE -PathSpecsToProbeForShellEXEString "$env:userprofile\downloads\malware.exe;c:\Program Files\PowerShell\6.0.0-beta.6\Powershell.exe;c:\windows\system32\windowspowershell\v1.0\powershell.exe"
.NOTES
Darwin Sanoy
cloudywindows.io
#>
Param (
[Parameter(Mandatory=$True)]
[string]$PathSpecsToProbeForShellEXEString,
[string]$SSHDefaultShellCommandOption=$null,
[switch]$AllowInsecureShellEXE
)
$OpeningMessage = @"
************************************************************************************
This utility script:
$($MyInvocation.MyCommand.Definition)
can be run outside of this package in order to update the OpenSSH DefaultShell when
an installer runs to update the default shell.
See the following for more details:
https://github.com/DarwinJS/ChocoPackages/blob/master/openssh/readme.md
https://cloudwindows.io
************************************************************************************
"@
Write-Output $OpeningMessage
If ($AllowInsecureShellEXE)
{
Write-Warning "AllowInsecureShellEXE was used, if probing results in selecting a shell exe that is user writable, it will still be used. Not wise!!"
}
<#
TEST string
#$PathSpecsToProbeForShellEXEString = '$env:userprofile\downloads\*.exe;$env:programfiles\powershell\*\powershell.exe;$env:windir\system32\cmd.exe;c:\windows'
#>
#Expand any literalized variable or environment variable references, also only resolves to items that exist
Write-Host "Set-SSHDefaultShell.ps1 processing request for `"$PathSpecsToProbeForShellEXEString`""
$ShellEXEToUse = $null
$PathSpecsToProbeForShellEXE = $ExecutionContext.InvokeCommand.ExpandString($PathSpecsToProbeForShellEXEString).split(';')
#write-host "`$PathSpecsToProbeForShellEXE: $PathSpecsToProbeForShellEXE"
$ListOfSecurePaths = "$env:programfiles","${env:ProgramFiles(x86)}","$env:windir\system32","$env:windir\syswow64"
#Build an anchored regex: each secure folder must match from the start of the path and be followed by a backslash,
#so that a sibling folder such as "C:\Program FilesX" (which may be writable by non-admins) is not treated as secure.
#Empty entries (e.g. ProgramFiles(x86) on 32-bit Windows) are dropped rather than becoming a match-anything pattern.
$ListOfSecurePathsRegExPrep = $ListOfSecurePaths | Where-Object { $_ } | ForEach-Object { '^' + [Regex]::Escape($_.TrimEnd('\') + '\') + '.*' }
$ListOfSecurePathsRegExString = $ListOfSecurePathsRegExPrep -join '|'
#write-host "`$ListOfSecurePathsRegExString: $ListOfSecurePathsRegExString"
If ($PathSpecsToProbeForShellEXE.count -ge 1)
{
#Special Handling of "C:\Program Files\PowerShell" for versioned subfolders and EXEs with no PE header version
$ListOfEXEObjects = @()
$SubListOfEXEObjects = @()
ForEach ($PathSpec in $PathSpecsToProbeForShellEXE)
{ write-host "processing $pathspec"
$SubListOfEXEPaths = @(Resolve-Path $PathSpec -ErrorAction SilentlyContinue)
write-host "`$SubListOfEXEPaths: $SubListOfEXEPaths"
$SubListOfEXEPaths = @($SubListOfEXEPaths | where {[IO.Path]::GetExtension($_) -ieq '.exe'})
If ($SubListOfEXEPaths.count -gt 0)
{
$SubListofEXEObjects = @(get-command $SubListOfEXEPaths)
If ($PathSpec -ilike "$env:ProgramFiles\PowerShell\*")
{ #apply a sort to full file names
$SubListOfEXEObjects = $SubListOfEXEObjects | sort-object -Property 'Definition' -Descending
}
else
{ #a nested property must be given to sort-object as a script block; cast to [version] so that 10.x sorts above 9.x
$SubListOfEXEObjects = $SubListOfEXEObjects | sort-object -Property {$_.FileVersionInfo.ProductVersion -as [version]} -Descending
}
$ListOfEXEObjects += $SubListOfEXEObjects
}
}
If ($ListOfEXEObjects.count -lt 1)
{
Write-warning "On this system, searching $PathSpecsToProbeForShellEXEString does not result in any paths that end in .EXE, DefaultShell will not be explicitly set and ssh will use its default shell behavior or the existing registry key value."
}
else
{
$ListOfValidEXEObjects = @()
If (!$AllowInsecureShellEXE)
{
Write-Host "Filtering out EXEs that are not on the secure path list: $ListOfSecurePaths. To unwisely override this filtering use the AllowInsecureShellEXE switch."
ForEach ($EXEObject in $ListOfEXEObjects)
{ #Validate EXEs are on Secure Paths
If ($EXEObject.Definition -imatch "$ListOfSecurePathsRegExString")
{
Write-Host " Valid: $($EXEObject.Definition)"
$ListOfValidEXEObjects += $EXEObject
}
else
{
Write-Warning " Dropping: $($EXEObject.Definition)"
}
}
$ListOfEXEObjects = $ListOfValidEXEObjects
}
If ($ListOfEXEObjects.count -ge 1)
{
$ShellEXEToUse = $ListOfEXEObjects | Select-Object -First 1 -Expand Definition
Write-host "Shell to use: $ShellEXEToUse"
If ($ShellEXEToUse)
{
Write-Host "Writing default shell to registry ($ShellEXEToUse)"
$SSHRegKey = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\OpenSSH"
If (!(Test-Path "$SSHRegKey"))
{
New-Item -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE" -Name OpenSSH -Force | out-null
}
New-ItemProperty -Path $SSHRegKey -Name 'DefaultShell' -Value "$ShellEXEToUse" -PropertyType 'String' -Force | Out-Null
If ($SSHDefaultShellCommandOption)
{
Write-Host "Writing default shell command option to registry ($SSHDefaultShellCommandOption)"
New-ItemProperty -Path $SSHRegKey -Name 'DefaultShellCommandOption' -Value "$SSHDefaultShellCommandOption" -PropertyType 'String' -Force | Out-Null
}
else
{ #Revert to default behavior if not specified
Remove-ItemProperty -Path $SSHRegKey -Name 'DefaultShellCommandOption' -ErrorAction 'SilentlyContinue'
}
}
}
else {
Write-Warning "After all filtering criteria was applied, there is no matching EXE for your search string: $PathSpecsToProbeForShellEXEString"
}
}
}
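The script above decides that a shell is safe from its path prefix. An added audit example in PowerShell, not part of the package or of Set-SSHDefaultShell.ps1, that instead reads the DefaultShell value the script writes and inspects the ACL of the executable and of its folder for write-like grants to broad non-admin principals; the function names and the $BroadPrincipals list are my own choices.

```powershell
# Added audit example (not the package's code): check that the configured OpenSSH DefaultShell
# cannot be replaced or altered by ordinary users, based on the ACL rather than the path prefix.
$SSHRegKey = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\OpenSSH'

# Principals that every interactive user is a member of; an Allow write grant to these is a finding.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Rights that let the holder change the file contents, delete/rename it, or re-ACL it.
$WriteLikeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

function Get-BroadWriteGrant {
    # Returns one object per ACE on $Path that gives a broad principal any write-like right.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $findings = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Inherit-only ACEs (e.g. templates on a folder) do not apply to the object itself.
        if ([int]($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0) { continue }
        if ([int]($ace.FileSystemRights -band $WriteLikeRights) -ne 0) {
            [pscustomobject]@{ Path = $Path; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
    return @($findings)
}

function Test-OpenSSHDefaultShell {
    # Returns $true when DefaultShell is unset or points to a file that broad principals cannot modify.
    [CmdletBinding()] param()
    $shell = (Get-ItemProperty -Path $SSHRegKey -Name DefaultShell -ErrorAction SilentlyContinue).DefaultShell
    if (-not $shell) {
        Write-Host 'DefaultShell is not set; sshd uses its built-in default (cmd.exe).'
        return $true
    }
    if (-not (Test-Path -LiteralPath $shell -PathType Leaf)) {
        Write-Warning "DefaultShell points to a missing file: $shell"
        return $false
    }
    # Check the executable and the folder it lives in: a writable folder allows the file to be swapped.
    $findings = @(Get-BroadWriteGrant -Path $shell) + @(Get-BroadWriteGrant -Path (Split-Path -Parent $shell))
    if ($findings.Count -eq 0) {
        Write-Host "OK: $shell is not writable by broad non-admin principals."
        return $true
    }
    $findings | Format-Table -AutoSize | Out-String | Write-Warning
    return $false
}

Test-OpenSSHDefaultShell
```

Run it elevated on the sshd host; a $false result with findings means the shell binary should be moved to a protected folder or its ACL tightened before sshd is exposed.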
#Idea borrowed from https://gallery.technet.microsoft.com/scriptcenter/Grant-Revoke-Query-user-26e259b0
$definition = @'
using System;
namespace MyLsaWrapper
{
using System.Runtime.InteropServices;
using System.Security;
using System.ComponentModel;
using System.Security.Principal;
using LSA_HANDLE = IntPtr;
[StructLayout(LayoutKind.Sequential)]
struct LSA_OBJECT_ATTRIBUTES
{
internal int Length;
internal IntPtr RootDirectory;
internal IntPtr ObjectName;
internal int Attributes;
internal IntPtr SecurityDescriptor;
internal IntPtr SecurityQualityOfService;
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
struct LSA_UNICODE_STRING
{
internal ushort Length;
internal ushort MaximumLength;
[MarshalAs(UnmanagedType.LPWStr)]
internal string Buffer;
}
sealed class Win32Sec
{
[DllImport("advapi32", CharSet = CharSet.Unicode, SetLastError = true)]
internal static extern uint LsaOpenPolicy(
LSA_UNICODE_STRING[] SystemName,
ref LSA_OBJECT_ATTRIBUTES ObjectAttributes,
int AccessMask,
out IntPtr PolicyHandle
);
[DllImport("advapi32", CharSet = CharSet.Unicode, SetLastError = true)]
internal static extern uint LsaAddAccountRights(
LSA_HANDLE PolicyHandle,
IntPtr pSID,
LSA_UNICODE_STRING[] UserRights,
int CountOfRights
);
[DllImport("advapi32", CharSet = CharSet.Unicode, SetLastError = true)]
internal static extern uint LsaRemoveAccountRights(
LSA_HANDLE PolicyHandle,
IntPtr pSID,
bool AllRights,
LSA_UNICODE_STRING[] UserRights,
int CountOfRights
);
[DllImport("advapi32")]
internal static extern int LsaNtStatusToWinError(int NTSTATUS);
[DllImport("advapi32")]
internal static extern int LsaClose(IntPtr PolicyHandle);
}
internal sealed class Sid : IDisposable
{
public IntPtr pSid = IntPtr.Zero;
public System.Security.Principal.SecurityIdentifier sid = null;
public Sid(string account)
{
try { sid = new SecurityIdentifier(account); }
catch { sid = (SecurityIdentifier)(new NTAccount(account)).Translate(typeof(SecurityIdentifier)); }
Byte[] buffer = new Byte[sid.BinaryLength];
sid.GetBinaryForm(buffer, 0);
pSid = Marshal.AllocHGlobal(sid.BinaryLength);
Marshal.Copy(buffer, 0, pSid, sid.BinaryLength);
}
public void Dispose()
{
if (pSid != IntPtr.Zero)
{
Marshal.FreeHGlobal(pSid);
pSid = IntPtr.Zero;
}
GC.SuppressFinalize(this);
}
~Sid() { Dispose(); }
}
public sealed class LsaWrapper : IDisposable
{
enum Access : int
{
POLICY_READ = 0x20006,
POLICY_ALL_ACCESS = 0x00F0FFF,
POLICY_EXECUTE = 0X20801,
POLICY_WRITE = 0X207F8
}
const uint STATUS_ACCESS_DENIED = 0xc0000022;
const uint STATUS_INSUFFICIENT_RESOURCES = 0xc000009a;
const uint STATUS_NO_MEMORY = 0xc0000017;
const uint STATUS_OBJECT_NAME_NOT_FOUND = 0xc0000034;
const uint STATUS_NO_MORE_ENTRIES = 0x8000001a;
IntPtr lsaHandle;
public LsaWrapper() : this(null) { } // local system if systemName is null
public LsaWrapper(string systemName)
{
LSA_OBJECT_ATTRIBUTES lsaAttr;
lsaAttr.RootDirectory = IntPtr.Zero;
lsaAttr.ObjectName = IntPtr.Zero;
lsaAttr.Attributes = 0;
lsaAttr.SecurityDescriptor = IntPtr.Zero;
lsaAttr.SecurityQualityOfService = IntPtr.Zero;
lsaAttr.Length = Marshal.SizeOf(typeof(LSA_OBJECT_ATTRIBUTES));
lsaHandle = IntPtr.Zero;
LSA_UNICODE_STRING[] system = null;
if (systemName != null)
{
system = new LSA_UNICODE_STRING[1];
system[0] = InitLsaString(systemName);
}
uint ret = Win32Sec.LsaOpenPolicy(system, ref lsaAttr, (int)Access.POLICY_ALL_ACCESS, out lsaHandle);
if (ret == 0) return;
if (ret == STATUS_ACCESS_DENIED) throw new UnauthorizedAccessException();
if ((ret == STATUS_INSUFFICIENT_RESOURCES) || (ret == STATUS_NO_MEMORY)) throw new OutOfMemoryException();
throw new Win32Exception(Win32Sec.LsaNtStatusToWinError((int)ret));
}
public void AddPrivilege(string account, string privilege)
{
uint ret = 0;
using (Sid sid = new Sid(account))
{
LSA_UNICODE_STRING[] privileges = new LSA_UNICODE_STRING[1];
privileges[0] = InitLsaString(privilege);
ret = Win32Sec.LsaAddAccountRights(lsaHandle, sid.pSid, privileges, 1);
}
if (ret == 0) return;
if (ret == STATUS_ACCESS_DENIED) throw new UnauthorizedAccessException();
if ((ret == STATUS_INSUFFICIENT_RESOURCES) || (ret == STATUS_NO_MEMORY)) throw new OutOfMemoryException();
throw new Win32Exception(Win32Sec.LsaNtStatusToWinError((int)ret));
}
public void RemovePrivilege(string account, string privilege)
{
uint ret = 0;
using (Sid sid = new Sid(account))
{
LSA_UNICODE_STRING[] privileges = new LSA_UNICODE_STRING[1];
privileges[0] = InitLsaString(privilege);
ret = Win32Sec.LsaRemoveAccountRights(lsaHandle, sid.pSid, false, privileges, 1);
}
if (ret == 0) return;
if (ret == STATUS_ACCESS_DENIED) throw new UnauthorizedAccessException();
if ((ret == STATUS_INSUFFICIENT_RESOURCES) || (ret == STATUS_NO_MEMORY)) throw new OutOfMemoryException();
throw new Win32Exception(Win32Sec.LsaNtStatusToWinError((int)ret));
}
public void Dispose()
{
if (lsaHandle != IntPtr.Zero)
{
Win32Sec.LsaClose(lsaHandle);
lsaHandle = IntPtr.Zero;
}
GC.SuppressFinalize(this);
}
~LsaWrapper() { Dispose(); }
// helper functions:
static LSA_UNICODE_STRING InitLsaString(string s)
{
// Unicode strings max. 32KB
if (s.Length > 0x7ffe) throw new ArgumentException("String too long");
LSA_UNICODE_STRING lus = new LSA_UNICODE_STRING();
lus.Buffer = s;
lus.Length = (ushort)(s.Length * sizeof(char));
lus.MaximumLength = (ushort)(lus.Length + sizeof(char));
return lus;
}
}
public class LsaWrapperCaller
{
public static void AddPrivilege(string account, string privilege)
{
using (LsaWrapper lsaWrapper = new LsaWrapper())
{
lsaWrapper.AddPrivilege(account, privilege);
}
}
public static void RemovePrivilege(string account, string privilege)
{
using (LsaWrapper lsaWrapper = new LsaWrapper())
{
lsaWrapper.RemovePrivilege(account, privilege);
}
}
}
}
'@
$references = @("System.Security.Principal.Windows", "Microsoft.Win32.Primitives")
try {
$null = [MyLsaWrapper.LsaWrapperCaller]
}
catch {
try {
$types = Add-Type $definition -ref $references -WarningAction SilentlyContinue -ErrorAction SilentlyContinue
}
catch {
$types = Add-Type $definition -WarningAction SilentlyContinue -ErrorAction SilentlyContinue
}
}
function Add-OpenSSHPrivilege
{
param(
[ValidateNotNullOrEmpty()]
[string] $Account,
[ValidateSet("SeAssignPrimaryTokenPrivilege", "SeServiceLogonRight")]
[string] $Privilege
)
[MyLsaWrapper.LsaWrapperCaller]::AddPrivilege($Account, $Privilege)
}
function Get-OpenSSHUserSID
{
[CmdletBinding(DefaultParameterSetName='User')]
param
( [parameter(Mandatory=$true, ParameterSetName="User")]
[ValidateNotNull()]
[System.Security.Principal.NTAccount]$User,
[parameter(Mandatory=$true, ParameterSetName="WellKnownSidType")]
[ValidateNotNull()]
[System.Security.Principal.WellKnownSidType]$WellKnownSidType
)
try
{
if($PSBoundParameters.ContainsKey("User"))
{
$sid = $User.Translate([System.Security.Principal.SecurityIdentifier])
}
elseif($PSBoundParameters.ContainsKey("WellKnownSidType"))
{
$sid = New-Object System.Security.Principal.SecurityIdentifier($WellKnownSidType, $null)
}
$sid
}
catch {
return $null
}
}
VERIFICATION.txt is intended to assist the Chocolatey moderators and community
in verifying that this package's contents are trustworthy.
To verify:
1. Download https://github.com/PowerShell/Win32-OpenSSH/releases/download/5_30_2016/OpenSSH-Win64.zip
2. Compare OpenSSH-Win64.zip hash with bundled OpenSSH-Win64.zip hash.
3. Download https://github.com/PowerShell/Win32-OpenSSH/releases/download/5_30_2016/OpenSSH-Win32.zip
4. Compare OpenSSH-Win32.zip hash with bundled OpenSSH-Win32.zip hash.
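The four VERIFICATION.txt steps above, as an added PowerShell example that is not part of the package. The SHA256 values are the ones this page lists for the two zips (the short ids in the scan list below, 022132421241 and 9f9215dc0b82, are their prefixes); the release URL is the one quoted in VERIFICATION.txt and should be set to the release this package version actually bundles; Compare-OpenSSHZipHash is my own name.

```powershell
# Added example (not the package's code): compare bundled zips, official downloads and the
# SHA256 values published on the package page, in one pass.
$ExpectedSha256 = @{
    'OpenSSH-Win32.zip' = '0221324212413A6CAF260F95E308D22F8C141FC37727B622A6AD50998C46D226'
    'OpenSSH-Win64.zip' = '9F9215DC0B823264D52603F4767D8531880DDFA9AEDF16404923814C0AB086B7'
}

function Compare-OpenSSHZipHash {
    # Returns one object per zip with the bundled, official and expected hashes and a Verified flag
    # that is $true only when all three agree.
    param(
        [Parameter(Mandatory)][string]$ToolsDir,      # folder holding the zips extracted from the .nupkg
        [Parameter(Mandatory)][string]$ReleaseBase,   # GitHub release download base URL (steps 1 and 3)
        [string]$ScratchDir = (Join-Path $env:TEMP 'openssh-verify')
    )
    New-Item -ItemType Directory -Path $ScratchDir -Force | Out-Null
    # GitHub requires TLS 1.2; Windows PowerShell 5.1 may default to an older protocol.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    foreach ($name in $ExpectedSha256.Keys) {
        $bundled  = Join-Path $ToolsDir $name
        $official = Join-Path $ScratchDir $name
        Invoke-WebRequest -Uri "$ReleaseBase/$name" -OutFile $official -UseBasicParsing
        # Steps 2 and 4: SHA256 is used rather than the MD5/SHA1 values also shown on the page.
        $bundledHash  = (Get-FileHash -Path $bundled  -Algorithm SHA256).Hash
        $officialHash = (Get-FileHash -Path $official -Algorithm SHA256).Hash
        [pscustomobject]@{
            File     = $name
            Expected = $ExpectedSha256[$name]
            Bundled  = $bundledHash
            Official = $officialHash
            Verified = ($bundledHash -eq $officialHash) -and ($bundledHash -eq $ExpectedSha256[$name])
        }
    }
}

Compare-OpenSSHZipHash -ToolsDir (Join-Path $PSScriptRoot 'tools') `
    -ReleaseBase 'https://github.com/PowerShell/Win32-OpenSSH/releases/download/5_30_2016' |
    Format-Table -AutoSize
```

A row with Verified = False and differing Bundled and Official hashes means the package does not ship the official binary for that release and should not be deployed until the discrepancy is explained.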
Log in or click on link to see number of positives.
- openssh.8.6.0-beta1.nupkg (8589d2c47c44) - ## / 62
- OpenSSH-Win32.zip (022132421241) - ## / 63
- OpenSSH-Win64.zip (9f9215dc0b82) - ## / 62
- libcrypto.dll (1dde87f338a2) - ## / 68
- scp.exe (461f53f4c236) - ## / 69
- sftp-server.exe (0a3e15937ba6) - ## / 65
- sftp.exe (22c48cef6d30) - ## / 62
- ssh-add.exe (8fd55b10e569) - ## / 69
- ssh-agent.exe (32dd564889dc) - ## / 69
- ssh-keygen.exe (74e9cbe42834) - ## / 69
- ssh-keyscan.exe (0b5cae35796c) - ## / 69
- ssh-shellhost.exe (f570cda3618b) - ## / 69
- ssh.exe (aade7239ae8f) - ## / 68
- sshd.exe (139afc49dd51) - ## / 69
In cases where actual malware is found, the packages are subject to removal. Software sometimes has false positives. Moderators do not necessarily validate the safety of the underlying software, only that a package retrieves software from the official distribution point and/or validate embedded software against official distribution point (where distribution rights allow redistribution).
Chocolatey Pro provides runtime protection from possible malware.
Version | Downloads | Last Updated | Status |
---|---|---|---|
Win32 OpenSSH (Universal Installer) 8.6.0-beta1 | 44517 | Saturday, May 29, 2021 | Approved | |
Win32 OpenSSH (Universal Installer) 8.1.0-beta | 46529 | Tuesday, January 14, 2020 | Approved | |
Win32 OpenSSH (Universal Installer) 8.0.0.1 | 1739622 | Tuesday, June 25, 2019 | Approved | |
Win32 OpenSSH (Universal Installer) 7.9.0.1 | 559978 | Sunday, January 13, 2019 | Approved | |
Win32 OpenSSH (Universal Installer) 7.7.2.1 | 1873907 | Sunday, July 29, 2018 | Approved | |
Win32 OpenSSH (Universal Installer) 7.7.1.1 | 260134 | Tuesday, June 5, 2018 | Approved | |
Win32 OpenSSH (Universal Installer) 7.7.0.1 | 17707 | Friday, June 1, 2018 | Approved | |
Win32 OpenSSH (Universal Installer) 7.6.1.1 | 170720 | Sunday, April 15, 2018 | Approved | |
Win32 OpenSSH (Universal Installer) 7.6.0.1 | 215093 | Friday, March 2, 2018 | Approved | |
Win32 OpenSSH (Universal Installer) 1.0.0.20180202 | 187265 | Saturday, February 3, 2018 | Approved | |
Win32 OpenSSH (Universal Installer) 1.0.0.20180201 | 10800 | Thursday, February 1, 2018 | Approved | |
Win32 OpenSSH (Universal Installer) 1.0.0.20180131 | 5652 | Wednesday, January 31, 2018 | Approved | |
Win32 OpenSSH (Universal Installer) 1.0.0.0 | 1566 | Wednesday, January 31, 2018 | Approved | |
Win32 OpenSSH (Universal Installer) 0.0.24.0 | 157348 | Tuesday, December 5, 2017 | Approved | |
Win32 OpenSSH (Universal Installer) 0.0.23.0 | 44659 | Monday, November 20, 2017 | Approved | |
Win32 OpenSSH (Universal Installer) 0.0.22.0 | 62698 | Sunday, October 29, 2017 | Approved | |
Win32 OpenSSH (Universal Installer) 0.0.21.0 | 73470 | Tuesday, October 3, 2017 | Approved | |
Win32 OpenSSH (Universal Installer) 0.0.20.20170913 | 62367 | Thursday, September 14, 2017 | Approved | |
Win32 OpenSSH (Universal Installer) 0.0.20.0 | 10102 | Monday, September 11, 2017 | Approved | |
Win32 OpenSSH (Universal Installer) 0.0.19.0 | 40151 | Friday, August 25, 2017 | Approved | |
Win32 OpenSSH (Universal Installer) 0.0.18.0 | 50752 | Thursday, July 20, 2017 | Approved | |
Win32 OpenSSH (Universal Installer) 0.0.17.0 | 26473 | Tuesday, July 4, 2017 | Approved | |
Win32 OpenSSH (Universal Installer) 0.0.16.0 | 22527 | Friday, June 16, 2017 | Approved | |
Win32 OpenSSH (Universal Installer) 0.0.15.20170613 | 2061 | Wednesday, June 14, 2017 | Approved | |
Win32 OpenSSH (Universal Installer) 0.0.15.20170611 | 1466 | Monday, June 12, 2017 | Approved | |
Win32 OpenSSH (Universal Installer) 0.0.15.0 | 430 | Monday, June 12, 2017 | Approved | |
Win32 OpenSSH (Universal Installer) 0.0.14.0 | 28292 | Saturday, May 20, 2017 | Approved | |
Win32 OpenSSH (Microsoft Port) 0.0.12.0 | 9858 | Tuesday, April 18, 2017 | Approved | |
Win32 OpenSSH (Microsoft Port) 0.0.11.0 | 7043 | Friday, April 7, 2017 | Approved | |
Win32 OpenSSH (Microsoft Port) 0.0.10.20170402 | 1489 | Sunday, April 2, 2017 | Approved | |
Win32 OpenSSH (Microsoft Port) 0.0.10.20170329 | 1314 | Thursday, March 30, 2017 | Approved | |
Win32 OpenSSH (Microsoft Port) 0.0.10.0 | 3231 | Wednesday, March 15, 2017 | Approved | |
Win32 OpenSSH (Microsoft Port) 0.0.9.20170313 | 822 | Monday, March 13, 2017 | Approved | |
Win32 OpenSSH (Microsoft Port) 0.0.9.20170311 | 813 | Saturday, March 11, 2017 | Approved | |
Win32 OpenSSH (Microsoft Port) 0.0.9.20170308 | 1275 | Wednesday, March 8, 2017 | Approved | |
Win32 OpenSSH (Microsoft Port) 0.0.9.20170306 | 650 | Tuesday, March 7, 2017 | Approved | |
Win32 OpenSSH (Microsoft Port) 0.0.9.20170226 | 2445 | Sunday, February 26, 2017 | Approved | |
Win32 OpenSSH (Microsoft Port) 0.0.9.20170222 | 1409 | Wednesday, February 22, 2017 | Approved | |
Win32 OpenSSH (Microsoft Port) 0.0.9.0 | 1614 | Thursday, February 16, 2017 | Approved | |
Win32 OpenSSH (Microsoft Port) 0.0.8.0 | 3834 | Tuesday, January 31, 2017 | Approved | |
Win32 OpenSSH (Microsoft Port) 0.0.7.0 | 3792 | Monday, January 16, 2017 | Approved | |
Win32 OpenSSH (Microsoft Port) 0.0.6.0 | 2835 | Wednesday, January 4, 2017 | Approved | |
Win32 OpenSSH (Microsoft Port) 0.0.5.0 | 420 | Wednesday, January 4, 2017 | Approved | |
Win32 OpenSSH (Microsoft Port) 0.0.4.0 | 6719 | Wednesday, November 30, 2016 | Approved | |
Win32 OpenSSH (Microsoft Port) 0.0.3.0 | 6229 | Tuesday, November 8, 2016 | Approved | |
Win32 OpenSSH (Microsoft Port) 0.0.2.20161026 | 4699 | Wednesday, October 26, 2016 | Approved | |
Win32 OpenSSH (Microsoft Port) 0.0.2.0 | 936 | Tuesday, October 25, 2016 | Approved | |
Win32 OpenSSH (Microsoft Port) 0.0.1.0 | 3752 | Saturday, October 1, 2016 | Approved | |
Win32 OpenSSH (Microsoft Port) 0.0.0.901 | 1624 | Friday, September 23, 2016 | Approved | |
Win32 OpenSSH (Microsoft Port) 0.0.0.9 | 517 | Wednesday, September 21, 2016 | Approved | |
Microsoft
Product release notes: https://github.com/PowerShell/openssh-portable/releases/tag/v8.6.0.0
Release Notes for Chocolatey Packaging:
8.6.0-beta1
- contains version: 8.6.0.0p1-Beta
- The primary Microsoft distribution mechanism for OpenSSH is now Windows itself (the built-in OpenSSH optional feature).
This package is no longer tested against all the scenarios it was created for when it was the primary mechanism, and it will not be fixed for edge cases such as Nano Server or old versions of Windows.
8.1.0-beta
- contains version: 8.1.0.0p1-beta
7.7.1.1
- contains version: 7.7.1.0p1-Beta
7.7.0.1
- contains version: 7.7.0.0p1-Beta
7.6.1.1
- contains version: 7.6.1.0p1-Beta
- New parameter AlsoLogToFile enables file logging in addition to the new default of ETW / Windows Event Logging
- ensured barebonesinstaller.ps1 can take -SSHAgentFeature
- removed unused parameter DisableKeyPermissionsReset throughout
- removed DeleteServerKeysAfterInstalled
- no longer sets log level to QUIET
- updated to configure ETW logging
- switch to enable file based logging
- known issue - updating ETW on Nano is not currently working, so the package forces file logging to be enabled for
7.6.0.1
- Fixed problems with install parameter /SSHAgentFeature
1.0.0.20180202
- Set-SSHDefaultShell.ps1 - fix corrupt characters
1.0.0.20180201
- Set-SSHDefaultShell.ps1 - creates OpenSSH registry key if it is not yet present
1.0.0.20180131
- no longer automatically adds ssh-agent when installing sshd. You must specify /SSHAgentFeature if you want it installed.
1.0.0.0
- complies with new changes to installation for 1.0.0.0 and attempts migration of pre-1.0.0.0 items.
- removed switch $DisableKeyPermissionsReset
- removed switch $UseNTRights and ntrights.exe from package
- uses new 1.0.0.0 model for service users and permissions
- no longer explicitly sets TERM for new installs (unless you specify the parameter) - instead relies on default behavior of sshd.exe
0.0.24.0
- Fixed bug in uninstall (https://github.com/DarwinJS/ChocoPackages/issues/52)
- Uses new code from OpenSSH project for adding special privileges (is more compatible with newer Nano releases)
0.0.23.0
- None
0.0.22.0
- Fix error when uninstall runs and openssh folder is already removed: https://github.com/DarwinJS/ChocoPackages/issues/49
- Fix error using PSH 5 Package Management to install on Server 2016: https://github.com/DarwinJS/ChocoPackages/issues/47
- Added switches for Default Shell configuration - for both chocolatey and barebonesinstall.ps1
(PathSpecsToProbeForShellEXEString, SSHDefaultShellCommandOption and AllowInsecureShellEXE)
Make the latest PowerShell Core or Windows PowerShell the default shell:
As a Chocolatey package parameter:
/PathSpecsToProbeForShellEXEString:$env:programfiles\PowerShell*\pwsh.exe;$env:programfiles\PowerShell*\Powershell.exe;c:\windows\system32\windowspowershell\v1.0\powershell.exe
As a barebonesinstall.ps1 parameter:
-PathSpecsToProbeForShellEXEString "$env:programfiles\PowerShell*\pwsh.exe;$env:programfiles\PowerShell*\Powershell.exe;c:\windows\system32\windowspowershell\v1.0\powershell.exe"
Rules and More Examples: https://github.com/DarwinJS/ChocoPackages/blob/master/openssh/tools/Set-SSHDefaultShell.ps1
This package supports the following parameters:
-params '"/SSHServerFeature"' (Install and Uninstall)
Also install sshd Windows Service - including opening port 22.
If this parameter is not included on an upgrade or uninstall and
the sshd server is installed - an error is generated. You must
use this switch to indicate you have made preparations for the
sshd service to be interrupted or removed.
-params '"/SSHAgentFeature"'
Installs SSH Agent Service even if SSHD Server is not being installed.
Requires admin rights to configure service.
-params '"/SSHServerFeature /SSHServerPort:3834"'
Allows the setup of the SSH server on an alternate port - sometimes done for security or to avoid conflicts with an existing service on port 22.
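The following is an added example, not code from the package or its maintainers: it installs the sshd server on an alternate port with the parameters documented above and then verifies the result (service, listener, firewall rule, sshd_config directives) before the host is trusted for remote administration. It assumes, because the page does not state them, that the Chocolatey package id is openssh, that the services are named sshd and ssh-agent, and that sshd_config lives in $env:ProgramData\ssh (the page only confirms the logs directory there).

```powershell
# Added example (not part of the Win32 OpenSSH package).
# Assumptions not stated on this page: package id 'openssh', service names 'sshd' and
# 'ssh-agent', and sshd_config under $env:ProgramData\ssh.

function Test-SshdInstall {
    [CmdletBinding()]
    param(
        [int]$Port = 22,
        [string]$ConfigPath = (Join-Path $env:ProgramData 'ssh\sshd_config')
    )
    $r = [ordered]@{ RequestedPort = $Port }

    # 1. The sshd service exists and is running.
    $svc = Get-Service -Name sshd -ErrorAction SilentlyContinue
    $r.ServiceStatus = if ($svc) { "$($svc.Status)" } else { 'NotInstalled' }

    # 2. ssh-agent is only expected when /SSHAgentFeature was passed (1.0.0.20180131 and later).
    $r.AgentInstalled = [bool](Get-Service -Name ssh-agent -ErrorAction SilentlyContinue)

    # 3. Something is listening on the requested TCP port.
    $r.Listening = [bool](Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)

    # 4. An enabled inbound allow rule covers that port. Match on the port filter rather than
    #    on a rule name, because the page does not document the name the package creates.
    $r.FirewallRules = @(
        Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
            Where-Object { $_.Protocol -eq 'TCP' -and (@($_.LocalPort) -contains "$Port") } |
            Get-NetFirewallRule |
            Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
            Select-Object -ExpandProperty DisplayName
    )

    # 5. Effective Port and LogLevel directives from sshd_config. Commented lines are ignored;
    #    sshd uses the first occurrence of most directives (Port may appear more than once,
    #    only the first is reported here).
    $r.ConfigPort = $null; $r.ConfigLogLevel = $null
    if (Test-Path -LiteralPath $ConfigPath) {
        foreach ($line in Get-Content -LiteralPath $ConfigPath) {
            if ($null -eq $r.ConfigPort     -and $line -match '^\s*Port\s+(\d+)')     { $r.ConfigPort = [int]$Matches[1] }
            if ($null -eq $r.ConfigLogLevel -and $line -match '^\s*LogLevel\s+(\S+)') { $r.ConfigLogLevel = $Matches[1] }
        }
    }
    # No Port directive means sshd's compiled-in default of 22.
    $effectivePort = if ($null -ne $r.ConfigPort) { $r.ConfigPort } else { 22 }

    # 6. The listener answers a loopback TCP connect.
    $r.LoopbackReachable = (Test-NetConnection -ComputerName 127.0.0.1 -Port $Port -WarningAction SilentlyContinue).TcpTestSucceeded

    # 7. Roll the checks up so a deployment script can gate on one boolean.
    $r.Healthy = ($r.ServiceStatus -eq 'Running') -and $r.Listening -and $r.LoopbackReachable -and
                 ($r.FirewallRules.Count -gt 0) -and ($effectivePort -eq $Port)
    [pscustomobject]$r
}

# Usage, from an elevated PowerShell session:
#   choco install openssh --params '"/SSHServerFeature /SSHServerPort:3834"' -y
#   Test-SshdInstall -Port 3834 | Format-List
```

If Healthy comes back false, the individual fields tell you which layer to look at: a running service with Listening false usually means the Port directive in sshd_config disagrees with the port you asked for, and a reachable loopback with an empty FirewallRules list means the port is open locally but blocked for remote clients.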
-params '"/OverWriteSSHDConf"'
Introduced in Version: 0.0.9.20170311
By default an existing sshd_config file will not be overwritten (previous packaging versions always overwrote it).
Use this switch to overwrite an existing sshd_config with the one from the current install media. Any local edits to the existing sshd_config (port, authentication or access restrictions you have hardened) are lost when you do.
-params '"/SSHLogLevel:VERBOSE"'
Introduced in Version: 0.0.9.20170311
Allows the setup of the SSH logging level.
Valid Options: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, DEBUG3
Before package version 7.6.1.1 a fresh install set LogLevel to QUIET; from 7.6.1.1 the package no longer forces QUIET (see the release notes above), so omitting this switch keeps sshd's own default of INFO.
-params '"/TERM:xterm-new"'
Introduced in Version: 0.0.14.0
Allows the initial setup and subsequent update of the TERM system environment variable.
Up to package version 0.0.24.0 a fresh install set TERM to xterm whether or not this switch was used; from 1.0.0.0 TERM is only set when you pass this switch (see the release notes above), otherwise the default behaviour of sshd.exe applies.
-params '"/SSHServerFeature /DeleteConfigAndServerKeys"' (Uninstall)
By default an uninstall does not remove config files nor server keys.
-params '"/PathSpecsToProbeForShellEXEString:$env:programfiles\PowerShell*\Powershell.exe;$env:windir\system32\windowspowershell\v1.0\powershell.exe"'
Introduced in Version: 0.0.22.0
A semicolon-separated set of filespecs to probe for the latest version of a given shell EXE. Wildcards can be used in the path, but not in the filename.
The first filespec that results in one or more valid hits is chosen for the default SSH shell (the newest version when there are multiple hits).
If no valid hits are located with the entire set of filespecs, the default behaviour of not setting the registry key is taken (rather than an error).
Only EXEs in either Program Files folder or either System32 folder (system32, syswow64) will be considered safe. If the EXE is outside of these folders
you must use the /AllowInsecureShellEXE switch to have it configured. The configured EXE is launched for every SSH login, so an EXE in a folder that other users can write to can be replaced by them; that is why the default refuses such locations.
Rules and Examples: https://github.com/DarwinJS/ChocoPackages/blob/master/openssh/tools/Set-SSHDefaultShell.ps1
-params '"/SSHDefaultShellCommandOption:/c"'
Introduced in Version: 0.0.22.0
Only used when /PathSpecsToProbeForShellEXEString is used and results in finding a valid shell executable.
Rules and Examples: https://github.com/DarwinJS/ChocoPackages/blob/master/openssh/tools/Set-SSHDefaultShell.ps1
-params '"/AllowInsecureShellEXE"'
Introduced in Version: 0.0.22.0
Only used when /PathSpecsToProbeForShellEXEString is used and results in finding a valid shell executable that is outside of the Program Files folders or System32.
Rules and Examples: https://github.com/DarwinJS/ChocoPackages/blob/master/openssh/tools/Set-SSHDefaultShell.ps1
-params '"/AlsoLogToFile"'
As of version 7.6.1.0p1-Beta default logging has shifted to ETW Windows Event Logging. Passing this switch causes logging to also occur to the log file, now located in $env:ProgramData\ssh\logs.
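The following is an added example, not the package's own Set-SSHDefaultShell.ps1: it implements the probing rules documented above for /PathSpecsToProbeForShellEXEString, /SSHDefaultShellCommandOption and /AllowInsecureShellEXE (first filespec with hits wins, newest version among several hits, no hits leaves the registry untouched, EXEs outside Program Files/System32 refused unless overridden) so you can see which EXE would be chosen before anything is written. It assumes, as the page does not say it, Microsoft's documented Win32-OpenSSH mechanism: the default shell is the DefaultShell string value, with the optional DefaultShellCommandOption value, under HKLM:\SOFTWARE\OpenSSH.

```powershell
# Added example (not the package's Set-SSHDefaultShell.ps1).
# Assumption not stated on this page: the default shell is configured through the
# DefaultShell / DefaultShellCommandOption values under HKLM:\SOFTWARE\OpenSSH.

function Get-FileVersionSafe([System.IO.FileInfo]$File) {
    # FileVersion can be empty or carry a build suffix ("10.0.19041.1 (WinBuild...)");
    # keep the leading dotted number and fall back to 0.0 so sorting never throws.
    $raw = "$($File.VersionInfo.FileVersion)" -replace '[^\d.].*$', ''
    $v = $null
    if ([version]::TryParse($raw, [ref]$v)) { $v } else { [version]'0.0' }
}

function Resolve-SshDefaultShell {
    param(
        [Parameter(Mandatory)][string]$PathSpecsToProbeForShellEXEString,
        [switch]$AllowInsecureShellEXE
    )
    # Locations treated as safe: either Program Files folder and either System32 folder.
    $safeRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)},
                   (Join-Path $env:windir 'System32'), (Join-Path $env:windir 'SysWOW64')) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

    foreach ($spec in ($PathSpecsToProbeForShellEXEString -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        # The Chocolatey form passes "$env:programfiles\..." literally (single-quoted --params),
        # so expand it here. ExpandString also evaluates $(...) subexpressions: only feed it
        # operator-supplied values, never anything from an untrusted source.
        $spec = $ExecutionContext.InvokeCommand.ExpandString($spec)
        if ([System.IO.Path]::GetFileName($spec) -match '[*?]') {
            throw "Wildcards are allowed in the path but not in the filename: $spec"
        }
        $hits = @(Get-ChildItem -Path $spec -File -ErrorAction SilentlyContinue)
        if ($hits.Count -eq 0) { continue }   # no hits: try the next filespec

        # Several hits (e.g. two PowerShell 7 installs side by side): newest file version wins.
        $best = $hits | Sort-Object { Get-FileVersionSafe $_ } -Descending | Select-Object -First 1
        $isSafe = [bool]($safeRoots | Where-Object { $best.FullName.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) })
        if (-not $isSafe -and -not $AllowInsecureShellEXE) {
            # Every SSH login launches this EXE, so a location other users can write to is a
            # shell hijack waiting to happen; refuse unless explicitly overridden.
            throw "'$($best.FullName)' is outside Program Files/System32; pass -AllowInsecureShellEXE to use it anyway."
        }
        return $best.FullName
    }
    return $null   # nothing matched anywhere: caller leaves the registry untouched
}

function Set-SshDefaultShell {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$PathSpecsToProbeForShellEXEString,
        [string]$SSHDefaultShellCommandOption,
        [switch]$AllowInsecureShellEXE
    )
    $shell = Resolve-SshDefaultShell -PathSpecsToProbeForShellEXEString $PathSpecsToProbeForShellEXEString -AllowInsecureShellEXE:$AllowInsecureShellEXE
    if (-not $shell) { Write-Warning 'No shell EXE matched; HKLM:\SOFTWARE\OpenSSH left unchanged.'; return $null }

    $key = 'HKLM:\SOFTWARE\OpenSSH'
    if ($PSCmdlet.ShouldProcess($key, "Set DefaultShell = $shell")) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }   # key may not exist yet (see 1.0.0.20180201)
        New-ItemProperty -Path $key -Name DefaultShell -Value $shell -PropertyType String -Force | Out-Null
        if ($SSHDefaultShellCommandOption) {
            New-ItemProperty -Path $key -Name DefaultShellCommandOption -Value $SSHDefaultShellCommandOption -PropertyType String -Force | Out-Null
        }
    }
    $shell
}

# Usage (elevated); -WhatIf reports the chosen EXE without writing the registry:
#   Set-SshDefaultShell -PathSpecsToProbeForShellEXEString "$env:ProgramFiles\PowerShell*\pwsh.exe;$env:windir\system32\windowspowershell\v1.0\powershell.exe" -SSHDefaultShellCommandOption '/c' -WhatIf
```

Run it with -WhatIf first on a machine that has several PowerShell versions installed: the returned path shows which filespec matched and which version won, and a thrown "outside Program Files/System32" error shows exactly the case the /AllowInsecureShellEXE switch exists for.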
This package has no dependencies.