
What I would like to do is use Putty (or another solution) on Windows to connect to a SAN switch and get the results of a command over ssh.

I use PowerShell as the scripting language and it could be done easily, but I don't want to save the password in the script.

I'm looking for a solution to use Putty from the command line without the password being stored in clear text in the script.

What I thought of is launching the script with \RUNAS (through a Scheduled task) and passing the actual credentials directly to Putty. (The switch would have the same password as the account used with the Runas.) Is that possible?

Or is there any solution using putty with a certificate or something like this?

timmalos
  • It's pretty hard to script things around on Windows, is there any reason you have to do it that way? What can you do with the result on Windows anyway? But you can try storing your password in a file and have PowerShell read it. If you were to do this on Linux, it would be a LOT easier. – stevel Sep 16 '13 at 09:31
  • Yes, I know it would be a lot easier with Unix. But we are mostly on Windows, and mounting a Unix server only for this will be the last solution. – timmalos Sep 17 '13 at 09:45
  • try Kitty, it's a Putty fork – kdureidy Sep 22 '13 at 22:13

4 Answers

You may want to consider using key authentication as opposed to a password.

People will say use a password in addition to the key, but if your alternative is storing the password on your PC in a file anyway, someone with access to your machine owns you in either case. So you just need to generate the keys. The requirement is: no-one but you has access to that key file.

http://www.linuxproblem.org/art_9.html

I'm in the same boat, have to use Windows, but for me www.mingw.org, which gives you a shell and the basic *nix tools, is extremely useful for SSH, connecting to a remote Linux VPS, etc. Cygwin, of course, is similar, and has an easier tool (setup.exe, if I recall) to install new apps. I actually use git-bash, which is mingw with git. No GUIs. I've found it easy to just drop to the mingw shell when I need to use ssh, openssl, cut, awk, etc.

So you'd be running any remote command using SSH from the command line without third-party programs like Putty, or those with GUIs, etc. Using key authentication and offing password auth completely in ssh on the remote device (at least on devices where you have control) is some additional lockdown for the remote device, especially if you're the only one who needs to access it.

Which leaves scheduling the script. There should be a way to do that via a batch file and Windows, or within the command line environment.

C B
  • The key authentication is no more secure in this case :) If an attacker gains access to the server, he will get access to the keys as easily as he would to the password. The phrase "Key authentication is more secure than password" without threat modelling is a misconception. – DarkWanderer Sep 23 '13 at 06:36
  • I didn't say key auth was more secure than password. Disabling pw auth helps for someone trying to brute-force your SSH password. I generate the keypair on my PC. Only the public key is copied to the server. Just as long as no-one gets on my PC. Someone gets on the server to get the key, it's useless at that point trying to keep them out they're already in. – C B Sep 23 '13 at 23:40
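
The key-based approach from this answer, written for the asker's PowerShell and Putty setup, as an added example that is not part of the original answer. The host, account, paths, fingerprint and remote command are placeholders, and the key is assumed to be an unencrypted .ppk created with PuTTYgen whose public half is installed on the switch.

```powershell
# Added example: every default below is a placeholder, not a value from the thread.
param(
    [string]$SwitchHost = 'san-switch.example.internal',     # hypothetical host
    [string]$SwitchUser = 'monitor',                          # hypothetical account
    [string]$KeyFile    = 'C:\Secure\san-switch.ppk',         # private key from PuTTYgen
    [string]$HostKey    = '<switch-host-key-fingerprint>',    # as shown by Putty on first connect
    [string]$RemoteCmd  = '<command to run on the switch>',
    [string]$Plink      = 'C:\Program Files\PuTTY\plink.exe'
)

# "No-one but you has access to that key file": refuse to run if a broad group
# can read it. Well-known SIDs are used so the check works on localized Windows.
$broadSids = @(
    'S-1-1-0',        # Everyone
    'S-1-5-11',       # Authenticated Users
    'S-1-5-32-545'    # BUILTIN\Users
)
$rules = (Get-Acl -Path $KeyFile).GetAccessRules(
    $true, $true, [System.Security.Principal.SecurityIdentifier])
$loose = $rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $broadSids -contains $_.IdentityReference.Value
}
if ($loose) {
    throw "Key file $KeyFile is accessible to: $($loose.IdentityReference.Value -join ', ')"
}

# -batch   : never prompt, so a scheduled task fails instead of hanging
# -hostkey : accept only this host key instead of trusting whatever answers
# -i       : authenticate with the private key, no password on the command line
$output = & $Plink -ssh -batch -i $KeyFile -hostkey $HostKey -l $SwitchUser $SwitchHost $RemoteCmd 2>&1
if ($LASTEXITCODE -ne 0) {
    throw "plink exited with code ${LASTEXITCODE}: $output"
}
$output
```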

I'll suggest following options:

  1. use password authentication. Store the text file with password in a file with limited access (some service account) and launch your script under this account's credentials
  2. same as above, but instead of text file use certificate file
  3. write a small program (C#) which uses DPAPI to store the certificate or password in service account-specific store.
  4. combine any of the above with the use of BitLocker/EFS

No option can protect you from an attacker having admin access to the server, but implementing them will give an increasing (in order of number) headache to someone who will be trying to break it.

The script will be a weak spot in any case, though.

DarkWanderer

This is probably not the answer you're looking for, but I wouldn't use Putty for this, and would rather communicate with the SSH server directly using SSH.NET library. It's available in both source and binary form, and you could use it from PowerShell too if you like.

Examples: http://sshnet.codeplex.com/wikipage?title=Draft%20for%20Documentation%20page.

Then you'd have a lot of options to store your login credentials securely.

noseratio
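
One way to combine the DPAPI option from DarkWanderer's answer with the SSH.NET suggestion above, as an added example that is not code from either answer. The paths, host and remote command are placeholders; it assumes Windows, where `Export-Clixml` protects the credential's password with DPAPI for the current user, and a local copy of `Renci.SshNet.dll`.

```powershell
# Added example: all defaults are placeholders, not values from the thread.
param(
    [string]$CredFile   = 'C:\Secure\san-switch.cred.xml',
    [string]$SshNetDll  = 'C:\Tools\SSH.NET\Renci.SshNet.dll',
    [string]$SwitchHost = 'san-switch.example.internal',
    [string]$RemoteCmd  = '<command to run on the switch>',
    [switch]$Save
)

if ($Save) {
    # One-time setup, run interactively AS THE SERVICE ACCOUNT that owns the
    # scheduled task. The password is encrypted with that account's DPAPI key,
    # so a copy of the file does not decrypt for any other Windows account.
    Get-Credential -Message 'SAN switch login' | Export-Clixml -Path $CredFile
    # Defence in depth: drop inherited ACEs and leave read access to this account only.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    & icacls.exe $CredFile /inheritance:r /grant:r "${me}:(R)" | Out-Null
    return
}

# Scheduled run: decrypt in memory; this fails when run under a different account.
try   { $cred = Import-Clixml -Path $CredFile -ErrorAction Stop }
catch { throw "Cannot decrypt $CredFile as $env:USERNAME (wrong account?): $_" }

Add-Type -Path $SshNetDll
# The password stays inside this process: no plink -pw argument, no clear-text file.
$client = New-Object Renci.SshNet.SshClient(
    $SwitchHost, $cred.UserName, $cred.GetNetworkCredential().Password)
try {
    $client.Connect()
    $result = $client.RunCommand($RemoteCmd)
    if ($result.ExitStatus -ne 0) {
        throw "Remote command failed ($($result.ExitStatus)): $($result.Error)"
    }
    $result.Result
}
finally {
    if ($client.IsConnected) { $client.Disconnect() }
    $client.Dispose()
}
```

SSH.NET accepts whatever host key the server presents unless a `HostKeyReceived` handler sets `CanTrust` to false, so the switch's fingerprint should be checked there.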

I recommend setting up 2-factor authentication on the ssh machine that you have to communicate with IF you can't use key authentication.

Google's 2-factor authentication can be implemented for ssh and is relatively easy to set up as long as SELinux is disabled. If it isn't disabled, you can add an exception, and that would essentially help reduce the risk of compromise and increase security.

86bornprgmr