Using encrypted password to SSH to multiple servers using Plink

Question

My batch file code requires to run some shell commands on multiple servers using SSH. For that I'm using Plink from a for loop.

I do not want to enter the password in plain text to the Plink command line using -pw. Instead, due to security concerns, I want to use a password encryption for my password and store the password into a separate text file.

I tried using sshpass, but that is not supported in batch. As request to run the code will be on multiple servers, so I don't want to generate SSH key pair for each server as it will not be possible for hundreds of servers in the environment.

@echo off
for /f "delims=" %%a in (path\to\servers.txt) DO (
    plink -v -ssh user@%%a -pw MY_PASSWORD echo %%a ; cat /path/to/config_file
)
pause

I expect the batch script to run on all servers using encrypted password. But with current code, the output is displayed using plain password.

You do not need to generate a new key pair for each server. You can use the same key (as you seem to be using the same password anyway). — Martin Prikryl, Jun 26 '19 at 13:42
Thanks for the help @MartinPrikryl, but i don't have the rights to make passwordless connections from windows server to all unix boxes. — theITgirl, Jun 26 '19 at 15:24

Martin Prikryl · Accepted Answer · 2020-02-21T08:53:56.943

It's difficult to achieve this with a plain batch file.

But you can use PowerShell instead with its ConvertTo-SecureString and ConvertFrom-SecureString cmdlets.

To encrypt a password use:

Read-Host -AsSecureString | ConvertFrom-SecureString

Type the password and save the output to a file (encryptedpassword.txt).

To use the encrypted password, use:

$encrypted = ConvertTo-SecureString(Get-Content ".\encryptedpassword.txt")
$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($encrypted)
$password = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)

foreach ($hostname in (Get-Content ".\servers.txt"))
{
    .\plink user@$hostname -pw "$password"
}

In PowerShell 7, you can simplify the code to:

$encrypted = ConvertTo-SecureString(Get-Content ".\encryptedpassword.txt")
$password = ConvertFrom-SecureString -SecureString $encrypted -AsPlainText
# ...

Based on:

My article Protecting credentials used for automation
And SO question Convert a secure string to plain text

Though I have to repeat that using a public key authentication would be a way better solution.

Thanks @MartinPrikryl !! It worked just fine for me with this approach. — theITgirl, Jun 27 '19 at 04:33

Using encrypted password to SSH to multiple servers using Plink

1 Answers1