Use encrypted password for Plink/PuTTY

Question

I would like to encrypt a password in PowerShell and use it with plink and putty.

Yes, I know that it expects only cleartext password (Password encryption using SecureString for plink.exe command).

No, I will not use generated keys because we don't support it.

My questions:

1. Any suggestions how can I use encrypted password for -pw flag in putty or plink
2. Can I generate specific string as key? I mean taking current cleartext password and convert it to a key, then using it as -i instead of -pw

My securePass.ps1 code:

$password = read-host -prompt "Enter your Password" 
write-host "$password is password" 
$secure = ConvertTo-SecureString $password -force -asPlainText 
$bytes = ConvertFrom-SecureString $secure 
$bytes | out-file C:\encrypted_password1.txt

In main:

$securePass = Get-Content C:\encrypted_password1.txt
$pass = $securePass | ConvertTo-SecureString
plink -batch -ssh $defUser@$srv -pw $pass
putty -ssh $defUser@$srv -pw $pass

Answer 1

As you know, you cannot use encrypted password (SecureString) for PuTTY/Plink.

All you can do is to decrypt the secure string and pass the decrypted plain text password to the PuTTY/Plink.

For for decryption, see PowerShell - Decode System.Security.SecureString to readable password:

$securePass = Get-Content C:\encrypted_password1.txt
$pass = $securePass | ConvertTo-SecureString

$Ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($pass)
$decrypted = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($Ptr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($Ptr)
plink -batch -ssh $defUser@$srv -pw $decrypted 

---

PuTTY 0.77 Plink newly supports -pwfile switch that allows more safe way to pass the password via a local text file (while still plain-text).

---

Your question 2) does not make any sense. You wrote that you cannot use keys. So you cannot use -i switch. Let alone use some "generated password" with it.

Answer 2

$Credential = $(Get-Credential)
$user = $Credential.GetNetworkCredential().Username
$pass = $Credential.GetNetworkCredential().Password

is what I use then in the script I use the -pw; $ $putty -ssh $server -l $user -pw $pass -m $command

I know that you were saying you did -I instead of -pw however I found this works pretty well that way there is no file with your password stored anywhere.

Answer 3

This was my solution, which runs in a menu loop. works very well. I just need "cache" my typed input or (pass prior entered credentials into the dialog, automatically) otherwise every time I have to re-enter credentials.

$Key = New-Object Byte[] 32
     [Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($Key)
$Key | Out-File AES.key
(get-credential).Password | ConvertFrom-   SecureString -key (get-content AES.key) | set-content "AESPassword.txt"
$password = Get-Content AESPassword.txt |   ConvertTo-SecureString -Key (Get-Content AES.key)
$credential = New-Object System.Management.Automation.PsCredential($env:userName,$password)
$ServerName = Read-Host -Prompt "What is the server name?"
$Command = ".\plink.exe"
$arg1  =  '-t'
$arg2 = $credential.GetNetworkCredential().username+'@'+$ServerName
$arg3 = '-pw'
$arg4 = $credential.GetNetworkCredential().Password
$arg5 = $scriptcmd
#Write-Output $Command $arg1 $arg2 $arg3 $arg4 $arg5
& $Command $arg1 $arg2 $arg3 $arg4 $arg5