Save PSCredential in a file

Posted 2020-01-28 08:34

I know I can save password to the file:

Read-Host "Enter Password" -AsSecureString |  ConvertFrom-SecureString | Out-File $passwordfile

and read it from file:

$secpasswd = (Get-Content $passwordfile | ConvertTo-SecureString)

and then create PSCredential object:

$credential = New-Object System.Management.Automation.PSCredential($user, $secpasswd)

But can I save $credential in the file, so that the username and password are kept together?

2 answers

#2 · 2020-01-28 08:58

Building on Briantist & Graham: This will ask for a credential and store it on first run, then reuse it on subsequent runs from the same code. In my case drive H is the user's home directory, used for tidiness, not security.

# the path to the stored credential
$credPath = "H:\Secrets\Cred_${env:USERNAME}_${env:COMPUTERNAME}.xml"
# check for a stored credential
if ( Test-Path $credPath ) {
    # credential is stored, load it
    $cred = Import-CliXml -Path $credPath
} else {
    # no stored credential: create the store, get the credential and save it
    $parent = Split-Path $credPath -Parent
    # Test-Path must be parenthesised here, otherwise -not has nothing to apply to
    if ( -not (Test-Path $parent) ) {
        New-Item -ItemType Directory -Force -Path $parent | Out-Null
    }
    $cred = Get-Credential
    $cred | Export-CliXml -Path $credPath
}

This block of code can be chucked in any script that needs it and the problem is more-or-less solved from then on.

Could possibly also check for a successful credential before writing it if the application permits it. Note that if the password changes the user must delete the file.

放我归山
#3 · 2020-01-28 08:59

To store and retrieve encrypted credentials easily, use PowerShell's built-in XML serialization (Clixml):

$credential = Get-Credential

$credential | Export-CliXml -Path 'C:\My\Path\cred.xml'

To re-import:

$credential = Import-CliXml -Path 'C:\My\Path\cred.xml'

The important thing to remember is that by default this uses the Windows data protection API, and the key used to encrypt the password is specific to both the user and the machine that the code is running under.

As a result, the encrypted credential cannot be imported by a different user nor the same user on a different computer.

By encrypting several versions of the same credential with different running users and on different computers, you can have the same secret available to multiple users.

By putting the user and computer name in the file name, you can store all of the encrypted secrets in a way that allows for the same code to use them without hard coding anything:

Encrypter

# run as each user, and on each computer

$credential = Get-Credential

$credential | Export-CliXml -Path "C:\My\Secrets\myCred_${env:USERNAME}_${env:COMPUTERNAME}.xml"

The code that uses the stored credentials:

$credential = Import-CliXml -Path "C:\My\Secrets\myCred_${env:USERNAME}_${env:COMPUTERNAME}.xml"

The correct version of the file for the running user will be loaded automatically (or it will fail because the file doesn't exist).

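The two answers above describe the same pattern from two angles: the per-user, per-computer file name (answer #3) and the idea of checking the credential before writing it and re-prompting after a password change (answer #2). The following is an added example, not code from either answer, that puts both into one reusable function. The function name Get-StoredCredential, the -Validate scriptblock and the 'myService' secret name are illustrative choices made here; the behaviour relies only on Export-CliXml / Import-CliXml and Get-Credential as documented.

```powershell
# Added example (not from the original answers): a wrapper around
# Export-CliXml / Import-CliXml that keeps the <name>_<user>_<computer>.xml
# convention, refuses to write an unencrypted file on non-Windows hosts,
# re-prompts when the stored file cannot be decrypted (created by another
# user or on another computer), and optionally verifies the credential
# before saving it. Get-StoredCredential and $Validate are names chosen
# here for illustration.
function Get-StoredCredential {
    [CmdletBinding()]
    param(
        # Logical name of the secret; user and computer are appended so each
        # DPAPI scope gets its own file.
        [Parameter(Mandatory)] [string] $Name,
        [string] $Folder = (Join-Path $env:USERPROFILE 'Secrets'),
        # Optional scriptblock that receives the PSCredential and returns $true
        # when it works (for example a test logon). A failing credential is
        # never written to disk.
        [scriptblock] $Validate,
        # Ignore any stored file and prompt again (use after a password change).
        [switch] $Force
    )

    # Export-CliXml protects SecureString contents with DPAPI only on Windows;
    # on Linux/macOS the password would be written as plain text.
    $onWindows = ($PSVersionTable.PSEdition -eq 'Desktop') -or $IsWindows
    if (-not $onWindows) {
        throw 'Refusing to store credentials: Export-CliXml does not encrypt SecureString on this platform.'
    }

    $path = Join-Path $Folder ("{0}_{1}_{2}.xml" -f $Name, $env:USERNAME, $env:COMPUTERNAME)

    if (-not $Force -and (Test-Path -LiteralPath $path)) {
        try {
            # Import-CliXml throws here if the file was encrypted by another
            # user or on another computer (DPAPI key mismatch).
            $cred = Import-CliXml -LiteralPath $path
            if (-not $Validate -or (& $Validate $cred)) {
                return $cred
            }
            Write-Warning "Stored credential in '$path' failed validation; prompting again."
        } catch {
            Write-Warning "Cannot use stored credential '$path' ($($_.Exception.Message)); prompting again."
        }
    }

    $cred = Get-Credential -Message "Enter credential '$Name' (stored for $env:USERNAME on $env:COMPUTERNAME)"
    if (-not $cred) { throw 'No credential entered.' }
    if ($Validate -and -not (& $Validate $cred)) {
        throw 'Credential failed validation and was not saved.'
    }

    $null = New-Item -ItemType Directory -Force -Path $Folder
    $cred | Export-CliXml -LiteralPath $path
    return $cred
}

# Usage. The validator below is a placeholder (it only checks for a non-empty
# password); in a real script replace it with a test connection against the
# service the credential is for, so a wrong password is never persisted.
$cred = Get-StoredCredential -Name 'myService' -Validate {
    param($c)
    $c.GetNetworkCredential().Password.Length -gt 0
}
```

Two caveats worth keeping in mind when using this. First, DPAPI binds the blob to the user and the machine, which is exactly what makes the per-user, per-computer file name necessary; it does not protect the secret from other code running as the same user on the same machine, so the folder should live under the user's own profile and the file is no defence against malware in that session. Second, the -Validate check is what answer #2 calls "check for a successful credential before writing it": without it, a mistyped password is cached and every later run fails until someone deletes the file; with it, a stale file after a password change is detected and re-prompted automatically.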