1

I'm trying to use PowerShell (in order to be able to mask the password) to run a Plink command on a remote Linux machine to give the top 20 directories under /opt...

It connects and the password is properly masked, but there are no results. Write-Output shows the assembled command string is correct...

but it just appears to hang and does not return results. Could it be that the Write-Output result is different than what Plink actually sends?

When I copy the Write-Output result to a cmd prompt and run it directly, it works (well, it still requests the password a second time because of sudo, but it does work and returns the expected results)...

Getting it to not require a second password for sudo would definitely be a big win, but now I just need to figure out why it's not returning results.

Note on using multiple arguments, I found it easier to assemble that way ;)

```powershell
$UserName = Read-Host -Prompt "What is your username?"
$SecPassword = Read-host "what is your password?" -AsSecureString
$ServerName = Read-Host -Prompt "What is the server name?"
$Password = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecPassword))
$Command = "C:\Tools\plink.exe"
$arg1  =  '-ssh'
$arg2 = $UserName+'@'+$ServerName
$arg3 = '-pw'
$arg4 = $SecPassword 
$arg5 = '-t'
$arg6 = 'echo' 
$arg7 =  '-e'
$arg8 = $SecPassword
$arg10 = ' | ' 
$arg11 = 'sudo du -aSh /opt/*'
$arg12 = ' | '
$arg13 = 'sort -rh'+' | '
$arg14 = 'head -n 20'
$CommandOut = "$Command $arg1 $arg2 $arg3 $arg4 $arg5 $arg6 $arg7 $arg8 $arg10 $arg11 $arg12 $arg13 $arg14"
Write-Output $CommandOut
& $Command $arg1 $arg2 $arg3 $arg4 $arg5 $arg6 $arg7 $arg8 $arg10 $arg11 $arg12 $arg13 $arg14
```
Martin Prikryl
Elektro Kinetik
  • How does your PowerShell script help you to *"mask the password"*? Note that you never use the `$Password`. + Why do you do twice `$Command $arg1 $arg2 $arg3 $arg4 $arg5 $arg6 $arg7 $arg8 $arg10 $arg11 $arg12 $arg13 $arg14`? – Martin Prikryl Sep 21 '18 at 06:17
  • It would be way easier for us to help you, if you show us what the `$CommandOut` value is - Does that command work for you on Windows command-line? => Is this PowerShell question at all? – Martin Prikryl Sep 21 '18 at 06:17
  • `$CommandOut = "$Command $arg1 $arg2 $arg3 $arg4 $arg5 $arg6 $arg7 $arg8 $arg10 $arg11 $arg12 $arg13 $arg14"` is just to see how the arguments are assembled; here is what it looks like: `c:\Tools\plink.exe -ssh john@192.168.2.100 -w System.Security.SecureString -t echo -e System.Security.SecureString | sudo du -ash /opt/* | sort -rh | head -n 20` – Elektro Kinetik Sep 21 '18 at 06:28
  • Yes, this is powershell calling plink – Elektro Kinetik Sep 21 '18 at 06:35

2 Answers

0

```
c:\Tools\plink.exe -ssh john@192.168.2.100 -w System.Security.SecureString -t echo -e System.Security.SecureString | sudo du -ash /opt/* | sort -rh | head -n 20
```

This cannot ever work.

Plink sees only `System.Security.SecureString` as a literal string. So Plink will use "System.Security.SecureString" as a password. Not the real password. What you are doing is actually nonsense. You cannot use PowerShell to "mask the password". That makes no sense. You have to pass the real password to Plink. There is no way to "mask" the password (at least not when specified on a command-line).

This is actually an XY question.

Martin Prikryl
  • It appears to be making an SSH connection, I see the session logging on, have not been able to debug the detail but it's connecting.. I believe it's in memory... https://stackoverflow.com/questions/28352141/convert-a-secure-string-to-plain-text – Elektro Kinetik Sep 21 '18 at 07:09
  • https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-6 The ConvertTo-SecureString cmdlet converts encrypted standard strings into secure strings. It can also convert plain text to secure strings. It is used with ConvertFrom-SecureString and Read-Host. The secure string created by the cmdlet can be used with cmdlets or functions that require a parameter of type SecureString. The secure string can be converted back to an encrypted, standard string using the ConvertFrom-SecureString cmdlet. – Elektro Kinetik Sep 21 '18 at 07:11
  • https://www.pdq.com/blog/secure-password-with-powershell-encrypting-credentials-part-1/ which states System.Security.SecureString Section: Notice that the output is very similar to the output of the Get-Credential variable we used, $MyCredential. It shows the username as, “MyUserName” and the password as, “System.Security.SecureString.” This is great for manual runs of scripts as it helps to remove the password from the script, but it doesn’t really help with our automation. – Elektro Kinetik Sep 21 '18 at 07:21
  • Stop wasting your time. No link can help here. It just **won't work**. It's all your misunderstanding of the documentation. `SecureString` is a .NET-only thing. **Plink will never understand it.** -- Of course Plink is making an SSH *connection*, but it won't succeed with *authentication*, as it tries to use "System.Security.SecureString" as a password. – Martin Prikryl Sep 21 '18 at 07:30
  • Martin Prikryl, you were correct: while I was making a connection, it was not actually authenticating correctly. Thanks for the extra push :) Figured it out by looking at another article on this site. Will post the link when I can locate it again – Elektro Kinetik Sep 21 '18 at 19:39
  • You are welcome. Though on Stack Overflow, we thank by accepting the answer. – Martin Prikryl Sep 21 '18 at 19:46
-1

I solved it, with help of the following link on this site. I was not decrypting the password correctly, so Plink could read it… (Thanks M Prikryl)

In my original attempt, the connection was being made but it wasn’t really authenticating correctly and it wasn’t evident… the session just hung.

PowerShell - Decode System.Security.SecureString to readable password

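```powershell
# Build a SecureString from a sample plain-text password
$password = ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force

# Copy the SecureString into unmanaged memory and read it back as plain text
$Ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($password)
$result = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($Ptr)
# Zero and release the unmanaged copy so the plain text does not linger there
[System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($Ptr)
$result
```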
Elektro Kinetik
  • This makes no sense at all. There's no point converting a string to `SecureString` only to convert it back to a plain string. It just complicates the script **without adding any security whatsoever**. Use "P@ssw0rd" straight away - Once again, as I've written to you already: *"There is no way to "mask" the password [when passing it Plink command-line] - Stop wasting your time."* – Martin Prikryl Sep 24 '18 at 16:55
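
The behaviour discussed in both answers, as an added example that is not code from either poster: it builds the Plink argument list twice, once with the `SecureString` object as in the question and once with the decoded password, so the difference in what Plink receives is visible without connecting anywhere. The user, host and password are constructed sample values, and `ConvertTo-PlainText` and `Get-PlinkArguments` are hypothetical helper names.

```powershell
# Constructed sample values; the plink path and remote command come from the question.
$PlinkPath   = 'C:\Tools\plink.exe'
$Target      = 'john@192.168.2.100'
$Remote      = 'sudo du -aSh /opt/* | sort -rh | head -n 20'
$SecPassword = ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force

function ConvertTo-PlainText {
    # Hypothetical helper: decrypt a SecureString and wipe the unmanaged copy.
    param([Parameter(Mandatory)][securestring]$Secure)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Get-PlinkArguments {
    # Hypothetical helper: return the arguments as the strings a native process
    # receives. Each element is stringified, so a SecureString object turns into
    # its type name instead of the secret it holds.
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)]$Password,
        [Parameter(Mandatory)][string]$RemoteCommand
    )
    @('-ssh', $Target, '-pw', $Password, '-t', $RemoteCommand) |
        ForEach-Object { "$_" }
}

# As in the question: the SecureString object itself is handed over.
$asAsked = Get-PlinkArguments -Target $Target -Password $SecPassword -RemoteCommand $Remote

# With the password decoded first: Plink can authenticate, and the password is
# now plain text in the argument list of the plink.exe process.
$decoded = Get-PlinkArguments -Target $Target `
    -Password (ConvertTo-PlainText $SecPassword) -RemoteCommand $Remote

"Question's form : $PlinkPath $($asAsked -join ' ')"
"Decoded form    : $PlinkPath $($decoded -join ' ')"

# To run it against a real host, splat the decoded list:
# & $PlinkPath @decoded
```

Comparing the two printed lines shows both points made in the comments: the first form can never authenticate, and the second works only because the real password is on the command line.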