Protecting credentials used for automation :: Support Forum

BR365
Joined:: 2020-06-05
Posts:: 1

Protecting credentials used for automation

2020-06-05 08:21

Hello,
I've already read the information about the Protecting of credentials. But I still don't know exactly how to put all this together.

At the moment, I have a batch file and a config file. The Batch is defining some standard path informations and the config file manages the SFTP transfer.

I also understand how to encrypt the password and created an XML file as shown in the example with the encrypted password.

But how can I now use this part:

# Read XML configuration file
[xml]$config = Get-Content ".\config.xml"
 
# Use read credentials
$sessionOptions = New-Object WinSCP.SessionOptions -Property @{
    Protocol = [WinSCP.Protocol]::Sftp
    HostName = "example.com"
    UserName = $config.Configuration.UserName
    Password = $config.Configuration.Password
}

and

Read-Host -AsSecureString | ConvertFrom-SecureString

and

$sessionOptions.SecurePassword = ConvertTo-SecureString $config.Configuration.Password

Can someone provide me a complete example, not only these fragments?

Thanks,
Moritz

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 41,034
Location:: Prague, Czechia

Re: Protecting credentials used for automation

2020-06-05

I have updated the article for more clarity.

For a more specific example of use of the Read-Host ..., see also the C# section of the article.

Reply with quote

asad
Joined:: 2023-11-06
Posts:: 1
Location:: uk

martin

2023-11-06 17:29

@martin Are you sure this works because I get the error below:

Exception calling "Open" with "1" argument(s): "SessionOptions.Password is set, but SessionOptions.UserName is not."
At C:\Temp\KKremoteConfig.ps1:17 char:1
+ $session.Open($sessionOptions)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : ArgumentException

Also, is it possible to encrypt the hostname and SSH fingerprint?

Reply with quote

martin◆ Site Admin

Re: martin

2023-11-09

@asad: What "this"? If you need our help, we need more information than just an error message.

Reply with quote

Guest

2023-11-09 12:57

Hi Martin,
Apologies, I’m following this article:
Protecting credentials used for automation
I’m using PowerShell and the ConvertFrom-SecureString method to encrypt the password in the XML file.
Here’s the contents of my configuration file:

<Configuration>
<UserName>myuser</UserName>
<Password>encrypted-password</Password>
</Configuration>

Here are the contents of my PowerShell script:

# Import the WinSCP assembly
Add-Type -Path "C:\Program Files (x86)\WinSCP\WinSCPnet.dll" # Modify the path as per your WinSCP installation location
 
$config = Get-Content "C:\Temp\config.xml"
 
# Configure WinSCP session options
$sessionOptions = New-Object WinSCP.SessionOptions -Property @{
   Protocol = [WinSCP.Protocol]::Sftp
   HostName = "sftp.myserver.com"
   UserName = $config.Configuration.UserName
   SecurePassword = ConvertTo-SecureString $config.Configuration.Password
   SshHostKeyFingerprint = "MySSHHostKeyFingerprint"
}
 
# Initialize a WinSCP session
$session = New-Object WinSCP.Session
 
# Open the WinSCP session with the specified session options
$session.Open($sessionOptions)

When running this I get the following output:

ConvertTo-SecureString : Cannot bind argument to parameter 'String' because it is null.
At C:\sftp.ps1:12 char:45
+ ... ecurePassword = ConvertTo-SecureString $config.Configuration.Password
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [ConvertTo-SecureString], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.ConvertToSecureStringCommand

Exception calling "Open" with "1" argument(s): "SessionOptions.Password is set, but SessionOptions.UserName is not."
At C:\sftp.ps1:21 char:1
+ $session.Open($sessionOptions)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : ArgumentException

The password isn’t being picked up from the config.xml file
The UserName isn’t being picked up from the config.xml file

When I use the plain text password method I get the following:

Exception calling "Open" with "1" argument(s): "SessionOptions.Password is set, but SessionOptions.UserName is not."
At C:\sftp.ps1:21 char:1
+ $session.Open($sessionOptions)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : ArgumentException

In this instance just the following issue:
The UserName isn’t being picked up from the config.xml file

So to sumarise, I require some assistance to understand why:
The UserName isn’t being set
The SecurePassword method isn’t working.
Additionally, just a minor query, is it possible to store other parameters such as HostName and SshHostkeyFingerprint in the config.xml file?

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 41,034
Location:: Prague, Czechia

2023-11-13

You have removed the [xml] declaration from this line:

[xml]$config = Get-Content ".\config.xml"

That's what breaks the script.

And yes, you can of course set any property using this method. Those are just plain string values, there's no magic.

Reply with quote

Protecting credentials used for automation