cloudfoundry · aramprice · Aug 14, 2025 · Aug 12, 2025 · Aug 4, 2025
diff --git a/ci/pipelines/stemcells-windows.yml b/ci/pipelines/stemcells-windows.yml
@@ -218,19 +218,12 @@ resources:
       password: ((docker.password))
 
   # type: github-release
-  - name: openssh-release
-    type: github-release
-    source:
-      owner: PowerShell
-      repository: Win32-OpenSSH
-      access_token: ((github_public_repo_token))
-      tag_filter: v([^v].*)
   - name: stemcell-builder-github-release
-    type: github-release
-    source:
-      owner: cloudfoundry
-      repository: bosh-windows-stemcell-builder
-      access_token: ((github_public_repo_token))
+  type: github-release
+  source:
+    owner: cloudfoundry
+    repository: bosh-windows-stemcell-builder
+    access_token: ((github_public_repo_token))
 
   - name: bosh-agent-release
     type: metalink-repository
@@ -816,20 +809,18 @@ jobs:
               tags: [*worker_tag]
             - get: bosh-windows-stemcell-builder-ci-image
               tags: [*worker_tag]
-            - get: open-ssh
-              resource: openssh-release
             - get: stemcell-builder
-              passed: [build]
-              tags: [*worker_tag]
-            - get: version
-              resource: stembuild-windows-build-number
-              passed: [build]
-              trigger: true
-              tags: [*worker_tag]
-            - get: main-version
-              passed: [build]
-              tags: [*worker_tag]
-            - get: bosh-agent-release
+        passed: [build]
+        tags: [*worker_tag]
+      - get: version
+        resource: stembuild-windows-build-number
+        passed: [build]
+        trigger: true
+        tags: [*worker_tag]
+      - get: main-version
+        passed: [build]
+        tags: [*worker_tag]
+      - get: bosh-agent-release
               passed: [build]
             - get: ovftool
             - get: blobstore-dav-cli
@@ -947,20 +938,18 @@ jobs:
               tags: [*worker_tag]
             - get: bosh-windows-stemcell-builder-ci-image
               tags: [*worker_tag]
-            - get: open-ssh
-              resource: openssh-release
             - get: stemcell-builder
-              passed: [build]
-              tags: [*worker_tag]
-            - get: version
-              resource: stembuild-linux-build-number
-              passed: [build]
-              trigger: true
-              tags: [*worker_tag]
-            - get: main-version
-              passed: [build]
-              tags: [*worker_tag]
-            - get: bosh-agent-release
+        passed: [build]
+        tags: [*worker_tag]
+      - get: version
+        resource: stembuild-linux-build-number
+        passed: [build]
+        trigger: true
+        tags: [*worker_tag]
+      - get: main-version
+        passed: [build]
+        tags: [*worker_tag]
+      - get: bosh-agent-release
               passed: [build]
             - get: ovftool
             - get: blobstore-dav-cli
@@ -1232,9 +1221,10 @@ jobs:
               SSH_TUNNEL_IP: ((nimbus_windows-demo_bosh_jumpbox_ip))
               SSH_TUNNEL_PRIVATE_KEY: ((nimbus_windows-demo_bosh_jumpbox_ssh.private_key))
               SSH_TUNNEL_USER: ((nimbus_windows-demo_bosh_jumpbox_username))
-              STEMCELL_OS: *windows_os_version
-              VM_EXTENSIONS: ""
-              VM_TYPE: default # TODO: Add "put" output of this passing test to release candidates bucket (?)
+              WINDOWS_SSH_FIREWALL_RULE_NAME: OpenSSH-Server-In-TCP
+        STEMCELL_OS: *windows_os_version
+        VM_EXTENSIONS: ""
+        VM_TYPE: default # TODO: Add "put" output of this passing test to release candidates bucket (?)
 
   - name: create-stembuild-windows-stemcell
     serial: true
@@ -1401,9 +1391,10 @@ jobs:
               SSH_TUNNEL_IP: ((nimbus_windows-demo_bosh_jumpbox_ip))
               SSH_TUNNEL_PRIVATE_KEY: ((nimbus_windows-demo_bosh_jumpbox_ssh.private_key))
               SSH_TUNNEL_USER: ((nimbus_windows-demo_bosh_jumpbox_username))
-              STEMCELL_OS: *windows_os_version
-              VM_EXTENSIONS: ""
-              VM_TYPE: default
+              WINDOWS_SSH_FIREWALL_RULE_NAME: OpenSSH-Server-In-TCP
+            STEMCELL_OS: *windows_os_version
+            VM_EXTENSIONS: ""
+            VM_TYPE: default
 
   - name: create-aws
     serial: true
@@ -1429,15 +1420,12 @@ jobs:
             - get: main-version
               passed: [build]
               tags: [*worker_tag]
-            - get: sshd
-              resource: openssh-release
             - get: bosh-agent-release
-              passed: [build]
-            - get: blobstore-dav-cli
-            - get: blobstore-s3-cli
-            - get: blobstore-gcs-cli
-            - get: windows-winsw
-      - task: lgpo-binary
+        passed: [build]
+      - get: blobstore-dav-cli
+      - get: blobstore-s3-cli
+      - get: blobstore-gcs-cli
+      - get: windows-winsw- task: lgpo-binary
         file: bosh-windows-stemcell-builder-ci/ci/tasks/lgpo-binary/task.yml
         image: bosh-windows-stemcell-builder-ci-image
       - put: version
@@ -1591,9 +1579,10 @@ jobs:
               SSH_TUNNEL_IP: ((iaas_directors_aws-director_bosh_jumpbox_ip))
               SSH_TUNNEL_PRIVATE_KEY: ((iaas_directors_aws-director_bosh_jumpbox_ssh.private_key))
               SSH_TUNNEL_USER: ((iaas_directors_aws-director_bosh_jumpbox_username))
-              STEMCELL_OS: *windows_os_version
-              VM_EXTENSIONS: ""
-              VM_TYPE: large
+              WINDOWS_SSH_FIREWALL_RULE_NAME: OpenSSH-Server-In-TCP
+        STEMCELL_OS: *windows_os_version
+        VM_EXTENSIONS: ""
+        VM_TYPE: large
 
   - name: create-aws-govcloud
     serial: true
@@ -1619,15 +1608,12 @@ jobs:
             - get: main-version
               passed: [wuts-aws]
               tags: [*worker_tag]
-            - get: sshd
-              resource: openssh-release
             - get: bosh-agent-release
-              passed: [wuts-aws]
-            - get: blobstore-dav-cli
-            - get: blobstore-s3-cli
-            - get: blobstore-gcs-cli
-            - get: windows-winsw
-      - task: lgpo-binary
+        passed: [wuts-aws]
+      - get: blobstore-dav-cli
+      - get: blobstore-s3-cli
+      - get: blobstore-gcs-cli
+      - get: windows-winsw- task: lgpo-binary
         file: bosh-windows-stemcell-builder-ci/ci/tasks/lgpo-binary/task.yml
         image: bosh-windows-stemcell-builder-ci-image
       - task: build-agent-zip
@@ -1762,10 +1748,11 @@ jobs:
               SSH_TUNNEL_IP: ((iaas_directors_aws-govcloud-director_bosh_jumpbox_ip))
               SSH_TUNNEL_PRIVATE_KEY: ((iaas_directors_aws-govcloud-director_bosh_jumpbox_ssh.private_key))
               SSH_TUNNEL_USER: ((iaas_directors_aws-govcloud-director_bosh_jumpbox_username))
-              STEMCELL_OS: *windows_os_version
-              NETWORK: default
-              VM_EXTENSIONS: ""
-              VM_TYPE: large
+              WINDOWS_SSH_FIREWALL_RULE_NAME: OpenSSH-Server-In-TCP
+        STEMCELL_OS: *windows_os_version
+        NETWORK: default
+        VM_EXTENSIONS: ""
+        VM_TYPE: large
 
   - name: create-azure
     serial: true
@@ -1789,15 +1776,12 @@ jobs:
             - get: main-version
               passed: [build]
               tags: [*worker_tag]
-            - get: sshd
-              resource: openssh-release
             - get: bosh-agent-release
-              passed: [build]
-            - get: blobstore-dav-cli
-            - get: blobstore-s3-cli
-            - get: blobstore-gcs-cli
-            - get: windows-winsw
-      - task: lgpo-binary
+        passed: [build]
+      - get: blobstore-dav-cli
+      - get: blobstore-s3-cli
+      - get: blobstore-gcs-cli
+      - get: windows-winsw- task: lgpo-binary
         file: bosh-windows-stemcell-builder-ci/ci/tasks/lgpo-binary/task.yml
         image: bosh-windows-stemcell-builder-ci-image
       - put: version
@@ -1966,9 +1950,10 @@ jobs:
               SSH_TUNNEL_IP: ((iaas_directors_azure-director_bosh_jumpbox_ip))
               SSH_TUNNEL_PRIVATE_KEY: ((iaas_directors_azure-director_bosh_jumpbox_ssh.private_key))
               SSH_TUNNEL_USER: ((iaas_directors_azure-director_bosh_jumpbox_username))
-              STEMCELL_OS: *windows_os_version
-              VM_EXTENSIONS: ""
-              VM_TYPE: ((AZURE_HEAVY_VM_TYPE))
+              WINDOWS_SSH_FIREWALL_RULE_NAME: OpenSSH-Server-In-TCP
+        STEMCELL_OS: *windows_os_version
+        VM_EXTENSIONS: ""
+        VM_TYPE: ((AZURE_HEAVY_VM_TYPE))
 
   - name: create-gcp
     serial: true
@@ -1995,15 +1980,12 @@ jobs:
             - get: main-version
               passed: [build]
               tags: [*worker_tag]
-            - get: sshd
-              resource: openssh-release
             - get: bosh-agent-release
-              passed: [build]
-            - get: blobstore-dav-cli
-            - get: blobstore-s3-cli
-            - get: blobstore-gcs-cli
-            - get: windows-winsw
-      - task: lgpo-binary
+        passed: [build]
+      - get: blobstore-dav-cli
+      - get: blobstore-s3-cli
+      - get: blobstore-gcs-cli
+      - get: windows-winsw- task: lgpo-binary
         file: bosh-windows-stemcell-builder-ci/ci/tasks/lgpo-binary/task.yml
         image: bosh-windows-stemcell-builder-ci-image
       - put: version
@@ -2128,10 +2110,11 @@ jobs:
               BOSH_CLIENT: ((iaas_directors_labs-gcp-director_bosh_client.username))
               BOSH_CLIENT_SECRET: ((iaas_directors_labs-gcp-director_bosh_client.password))
               BOSH_ENVIRONMENT: ((iaas_directors_labs-gcp-director_bosh_environment))
-              NETWORK: default
-              STEMCELL_OS: *windows_os_version
-              VM_EXTENSIONS: "50GB_ephemeral_disk"
-              VM_TYPE: large
+              WINDOWS_SSH_FIREWALL_RULE_NAME: OpenSSH-Server-In-TCP
+        NETWORK: default
+        STEMCELL_OS: *windows_os_version
+        VM_EXTENSIONS: "50GB_ephemeral_disk"
+        VM_TYPE: large
 
 
   - name: promote

diff --git a/ci/tasks/create-aws-stemcell/task.yml b/ci/tasks/create-aws-stemcell/task.yml
@@ -7,7 +7,6 @@ inputs:
   - name: base-amis
   - name: version
   - name: lgpo-binary
-  - name: sshd
   - name: bosh-agent-release
   - name: blobstore-dav-cli
   - name: blobstore-s3-cli

diff --git a/ci/tasks/create-azure-stemcell/task.yml b/ci/tasks/create-azure-stemcell/task.yml
@@ -6,7 +6,6 @@ inputs:
   - name: version
   - name: stemcell-builder
   - name: lgpo-binary
-  - name: sshd
   - name: bosh-agent-release
   - name: blobstore-dav-cli
   - name: blobstore-s3-cli

diff --git a/ci/tasks/create-gcp-stemcell/task.yml b/ci/tasks/create-gcp-stemcell/task.yml
@@ -7,7 +7,6 @@ inputs:
   - name: base-gcp-image
   - name: version
   - name: lgpo-binary
-  - name: sshd
   - name: bosh-agent-release
   - name: blobstore-dav-cli
   - name: blobstore-s3-cli

diff --git a/ci/tasks/generate-deps-file/run.bash b/ci/tasks/generate-deps-file/run.bash
@@ -1,9 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-openssh_win64_sha256="$(shasum -a 256 open-ssh/OpenSSH-Win64.zip | cut -d " " -f 1)"
-openssh_win64_version="$(cat open-ssh/version)"
-
 psmodules_sha256="$(shasum -a 256 psmodules-zip-output/bosh-psmodules.zip | cut -d " " -f 1)"
 psmodules_version="$(cat version/version)"
 
@@ -15,10 +12,6 @@ lgpo_version="3"
 
 cat <<EOF > deps-file/deps.json
 {
-  "OpenSSH-Win64.zip": {
-    "sha": "${openssh_win64_sha256}",
-    "version": "${openssh_win64_version}"
-  },
   "bosh-psmodules.zip": {
     "sha": "${psmodules_sha256}",
     "version": "${psmodules_version}"

diff --git a/ci/tasks/generate-deps-file/task.yml b/ci/tasks/generate-deps-file/task.yml
@@ -4,7 +4,6 @@ platform: linux
 inputs:
   - name: bosh-windows-stemcell-builder-ci
   - name: stemcell-builder
-  - name: open-ssh
   - name: lgpo-binary
   - name: version
   - name: bosh-agent

diff --git a/ci/tasks/zip-files/run.bash b/ci/tasks/zip-files/run.bash
@@ -6,7 +6,6 @@ ROOT_DIR=$(pwd)
 REPO_ROOT="${REPO_ROOT:-"$(cd "$(dirname "${BASH_SOURCE[0]}")/../../.." && pwd)"}"
 ZIP_FILE_DESTINATION="${ZIP_FILE_DESTINATION:-"${ROOT_DIR}/zip-file/StemcellAutomation-$(date +"%s").zip"}"
 
-OPENSSH_ZIP="${OPENSSH_ZIP:-"${ROOT_DIR}/open-ssh/OpenSSH-Win64.zip"}"
 BOSH_PSMODULES_ZIP="${BOSH_PSMODULES_ZIP:-"${ROOT_DIR}/psmodules-zip-output/bosh-psmodules.zip"}"
 AGENT_ZIP="${AGENT_ZIP:-"${ROOT_DIR}/bosh-agent/agent.zip"}"
 DEPS_JSON="${DEPS_JSON:-"${ROOT_DIR}/deps-file/deps.json"}"
@@ -20,7 +19,7 @@ mkdir -p "${stemcell_automation_dir}"
 
 declare -a files_to_zip
 mapfile -t files_to_zip < <(find "${REPO_ROOT}/stembuild/stemcell-automation" -type f -not -name "*Test*" -name "*.ps*1")
-files_to_zip+=("${OPENSSH_ZIP}" "${BOSH_PSMODULES_ZIP}" "${AGENT_ZIP}" "${DEPS_JSON}")
+files_to_zip+=("${BOSH_PSMODULES_ZIP}" "${AGENT_ZIP}" "${DEPS_JSON}")
 
 cp "${files_to_zip[@]}" "${stemcell_automation_dir}"
 

diff --git a/ci/tasks/zip-files/task.yml b/ci/tasks/zip-files/task.yml
@@ -4,7 +4,6 @@ platform: linux
 inputs:
   - name: bosh-windows-stemcell-builder-ci
   - name: stemcell-builder
-  - name: open-ssh
   - name: deps-file
   - name: bosh-agent
   - name: psmodules-zip-output

diff --git a/lib/packer/config/azure.rb b/lib/packer/config/azure.rb
@@ -45,7 +45,8 @@ def builders
             "winrm_use_ssl" => "true",
             "winrm_insecure" => "true",
             "winrm_timeout" => "1h",
-            "winrm_username" => "packer"
+            "winrm_username" => "packer",
+            "custom_script" => 'powershell -ExecutionPolicy Unrestricted -NoProfile -NonInteractive -Command "Add-WindowsCapability -Online -Name (Get-WindowsCapability -Online -Name OpenSSH.Server* | ForEach-Object Name)"'
           }
         ]
       end

diff --git a/lib/packer/config/gcp.rb b/lib/packer/config/gcp.rb
@@ -39,6 +39,7 @@ def initialize(
       end
 
       def builders
+        stemcell_builder_dir = File.expand_path("../../../../", __FILE__)
         [
           {
             "type" => "googlecompute",
@@ -62,10 +63,10 @@ def builders
             "winrm_timeout" => "1h",
             "state_timeout" => "10m",
             "metadata" => {
-              "sysprep-specialize-script-url" => "https://raw.githubusercontent.com/cloudfoundry/bosh-windows-stemcell-builder/master/scripts/gcp/setup-winrm.ps1",
+              "sysprep-specialize-script-ps1" => File.read(File.join(stemcell_builder_dir, "scripts", "gcp", "setup-winrm.ps1")),
               "name" => "#{@vm_prefix}-#{Time.now.to_i}"
-            }.compact_blank!
-          }
+            }
+          }.compact_blank!
         ]
       end
 

diff --git a/lib/packer/config/templates/provision_windows2019.json.erb b/lib/packer/config/templates/provision_windows2019.json.erb
@@ -130,16 +130,19 @@
   },
   <% end %>
   {
-    "type": "file",
-    "source": "../sshd/OpenSSH-Win64.zip",
-    "destination": "C:\\provision\\OpenSSH-Win64.zip"
+    "type": "powershell",
+    "inline": [
+      "$ErrorActionPreference = \"Stop\";",
+      "trap { $host.SetShouldExit(1) }",
+      "Protect-CFCell -IaaS <%= iaas %>"
+    ]
   },
   {
     "type": "powershell",
     "inline": [
       "$ErrorActionPreference = \"Stop\";",
       "trap { $host.SetShouldExit(1) }",
-      "Install-SSHD -SSHZipFile 'C:\\provision\\OpenSSH-Win64.zip'"
+      "Install-SSHD"
     ]
   },
   {