OpenSSH: install as part of VM setup, not WinRM

It appears that executing `Add-WindowsCapability` via WinRM is not
viable, this commit moves the installation of OpenSSH.Server to the
various IaaS pre-boot scrips which are not executed via WinRM.

The installation of OpenSSSH.Server was added as follows:

Azure: add a `custom_script` parameter to packer config
AWS: added to `setup_winrm.txt`
GCP: add to `setup-winrm.ps1` and use `sysprep-specialize-script-ps1`

As of July 2025 windows stemcells have converted to using Microsoft's
official OpenSSH installation method[1]. This commit remove the remnants
of previous installation methods, and switches to the above non-WinRM
method for installation.

[1] https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse

Author: aramprice

ci/pipelines/stemcells-windows.yml

@@ -204,13 +204,6 @@ resources:
     password: ((docker.password))
 
 # type: github-release
-- name: openssh-release
-  type: github-release
-  source:
-    owner: PowerShell
-    repository: Win32-OpenSSH
-    access_token: ((github_public_repo_token))
-    tag_filter: v([^v].*)
 - name: stemcell-builder-github-release
   type: github-release
   source:
@@ -793,8 +786,6 @@ jobs:
         tags: [*worker_tag]
       - get: bosh-windows-stemcell-builder-ci-image
         tags: [*worker_tag]
-      - get: open-ssh
-        resource: openssh-release
       - get: stemcell-builder
         passed: [build]
         tags: [*worker_tag]
@@ -912,8 +903,6 @@ jobs:
         tags: [*worker_tag]
       - get: bosh-windows-stemcell-builder-ci-image
         tags: [*worker_tag]
-      - get: open-ssh
-        resource: openssh-release
       - get: stemcell-builder
         passed: [build]
         tags: [*worker_tag]
@@ -1362,8 +1351,6 @@ jobs:
       - get: main-version
         passed: [build]
         tags: [*worker_tag]
-      - get: sshd
-        resource: openssh-release
       - get: bosh-agent-release
         passed: [build]
       - get: blobstore-dav-cli
@@ -1543,8 +1530,6 @@ jobs:
       - get: main-version
         passed: [wuts-aws]
         tags: [*worker_tag]
-      - get: sshd
-        resource: openssh-release
       - get: bosh-agent-release
         passed: [wuts-aws]
       - get: blobstore-dav-cli
@@ -1704,8 +1689,6 @@ jobs:
       - get: main-version
         passed: [build]
         tags: [*worker_tag]
-      - get: sshd
-        resource: openssh-release
       - get: bosh-agent-release
         passed: [build]
       - get: blobstore-dav-cli
@@ -1901,8 +1884,6 @@ jobs:
       - get: main-version
         passed: [build]
         tags: [*worker_tag]
-      - get: sshd
-        resource: openssh-release
       - get: bosh-agent-release
         passed: [build]
       - get: blobstore-dav-cli

ci/tasks/create-azure-stemcell/task.yml

@@ -6,7 +6,6 @@ inputs:
   - name: version
   - name: stemcell-builder
   - name: lgpo-binary
-  - name: sshd
   - name: bosh-agent-release
   - name: blobstore-dav-cli
   - name: blobstore-s3-cli

ci/tasks/create-gcp-stemcell/task.yml

@@ -7,7 +7,6 @@ inputs:
   - name: base-gcp-image
   - name: version
   - name: lgpo-binary
-  - name: sshd
   - name: bosh-agent-release
   - name: blobstore-dav-cli
   - name: blobstore-s3-cli

ci/tasks/generate-deps-file/run.bash

@@ -1,9 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-openssh_win64_sha256="$(shasum -a 256 open-ssh/OpenSSH-Win64.zip | cut -d " " -f 1)"
-openssh_win64_version="$(cat open-ssh/version)"
-
 psmodules_sha256="$(shasum -a 256 psmodules-zip-output/bosh-psmodules.zip | cut -d " " -f 1)"
 psmodules_version="$(cat version/version)"
 
@@ -15,10 +12,6 @@ lgpo_version="3"
 
 cat <<EOF > deps-file/deps.json
 {
-  "OpenSSH-Win64.zip": {
-    "sha": "${openssh_win64_sha256}",
-    "version": "${openssh_win64_version}"
-  },
   "bosh-psmodules.zip": {
     "sha": "${psmodules_sha256}",
     "version": "${psmodules_version}"

ci/tasks/generate-deps-file/task.yml

@@ -4,7 +4,6 @@ platform: linux
 inputs:
   - name: bosh-windows-stemcell-builder-ci
   - name: stemcell-builder
-  - name: open-ssh
   - name: lgpo-binary
   - name: version
   - name: bosh-agent

ci/tasks/zip-files/run.bash

@@ -6,7 +6,6 @@ ROOT_DIR=$(pwd)
 REPO_ROOT="${REPO_ROOT:-"$(cd "$(dirname "${BASH_SOURCE[0]}")/../../.." && pwd)"}"
 ZIP_FILE_DESTINATION="${ZIP_FILE_DESTINATION:-"${ROOT_DIR}/zip-file/StemcellAutomation-$(date +"%s").zip"}"
 
-OPENSSH_ZIP="${OPENSSH_ZIP:-"${ROOT_DIR}/open-ssh/OpenSSH-Win64.zip"}"
 BOSH_PSMODULES_ZIP="${BOSH_PSMODULES_ZIP:-"${ROOT_DIR}/psmodules-zip-output/bosh-psmodules.zip"}"
 AGENT_ZIP="${AGENT_ZIP:-"${ROOT_DIR}/bosh-agent/agent.zip"}"
 DEPS_JSON="${DEPS_JSON:-"${ROOT_DIR}/deps-file/deps.json"}"
@@ -20,7 +19,7 @@ mkdir -p "${stemcell_automation_dir}"
 
 declare -a files_to_zip
 mapfile -t files_to_zip < <(find "${REPO_ROOT}/stembuild/stemcell-automation" -type f -not -name "*Test*" -name "*.ps*1")
-files_to_zip+=("${OPENSSH_ZIP}" "${BOSH_PSMODULES_ZIP}" "${AGENT_ZIP}" "${DEPS_JSON}")
+files_to_zip+=("${BOSH_PSMODULES_ZIP}" "${AGENT_ZIP}" "${DEPS_JSON}")
 
 cp "${files_to_zip[@]}" "${stemcell_automation_dir}"
 

ci/tasks/zip-files/task.yml

@@ -4,7 +4,6 @@ platform: linux
 inputs:
   - name: bosh-windows-stemcell-builder-ci
   - name: stemcell-builder
-  - name: open-ssh
   - name: deps-file
   - name: bosh-agent
   - name: psmodules-zip-output

lib/packer/config/azure.rb

@@ -45,7 +45,8 @@ def builders
                 'winrm_use_ssl' => 'true',
                 'winrm_insecure' => 'true',
                 'winrm_timeout' => '1h',
-                'winrm_username' => 'packer'
+                'winrm_username' => 'packer',
+                'custom_script' => 'powershell -ExecutionPolicy Unrestricted -NoProfile -NonInteractive -Command "Add-WindowsCapability -Online -Name (Get-WindowsCapability -Online -Name OpenSSH.Server* | ForEach-Object Name)"'
             }
         ]
       end

lib/packer/config/gcp.rb

@@ -39,6 +39,7 @@ def initialize(
       end
 
       def builders
+        stemcell_builder_dir = File.expand_path('../../../../', __FILE__)
         [
           {
             'type' => 'googlecompute',
@@ -62,7 +63,7 @@ def builders
             'winrm_timeout' => '1h',
             'state_timeout' => '10m',
             'metadata' => {
-              'sysprep-specialize-script-url' => 'https://raw.githubusercontent.com/cloudfoundry/bosh-windows-stemcell-builder/master/scripts/gcp/setup-winrm.ps1',
+              'sysprep-specialize-script-ps1' => File.read(File.join(stemcell_builder_dir, 'scripts', 'gcp', 'setup-winrm.ps1')),
               'name' => "#{@vm_prefix}-#{Time.now.to_i}",
             }.compact_blank!
           }

lib/packer/config/templates/provision_windows2019.json.erb

@@ -137,11 +137,6 @@
       "Protect-CFCell -IaaS <%= iaas %>"
     ]
   },
-  {
-    "type": "file",
-    "source": "../sshd/OpenSSH-Win64.zip",
-    "destination": "C:\\provision\\OpenSSH-Win64.zip"
-  },
   {
     "type": "powershell",
     "inline": [