DEV Community

Laurent LIENHARD for FrPSUG

Posted on

Credential : How to use them ?

DISCLAIMER :
This article is translated by myself.
I do this to train but my level of English is not great so I apologize for any mistakes they might have.
If really it's not understandable at all thank you for pointing it out so that I can improve myself ;-)

Information

This article was written for a French Powershell UserGroup presentation.

You can find this presentation on Youtube : FRPSUG Channel

The different ways to use Credential ...

Initial request

Since I started on PowerShell, I very quickly asked the question of the management of credentials in my scripts

From the simple need that may be handled in a basic way to the use of credentials in automatic scripts I looked for the best way to do it.

Processing the request

1. Get-Credential

The easiest way to use credentials is to use the basic PowerShell command

$cred = Get-Credential -Message "Message show in the Popup" -UserName MyUser
Enter fullscreen mode Exit fullscreen mode

the result is

PS > $cred

UserName                           Password
--------                           --------
MyUser System.Security.SecureString
Enter fullscreen mode Exit fullscreen mode

This variable $cred can be used for example in the following command

Enter-PSSession -ComputerName MyComputer -Credential $cred
Enter fullscreen mode Exit fullscreen mode

2. ConvertFrom-SecureString : storage on disk

An another solution, a bit more advanced, is to store password in a file on your computer.

Naturally this storage must be done in a secure way.
As before, the first step is create the $Credobject

$cred = Get-Credential -Message "Message show in the Popup" -UserName MyUser
Enter fullscreen mode Exit fullscreen mode

Second step is store the password in file but encrypted
For this we used the ConvertFrom-SecureStringcommand

$Cred.Password | ConvertFrom-SecureString | Out-File C:\temp\password.txt
Enter fullscreen mode Exit fullscreen mode

In my file c:\temp\password.txt, my password is seen like this

01000000d08c9ddf0115d1118c7a00c04fc297eb0100000057670149ac674a41ad9d185a8a82724b0000000002000000000010660000000100002000000093aaaf1ed598a69bbfb4cc77e81dfeb2786f26db6184538833af18054ef1a8a3000000000e800000000200002000000098c97f4f344d0159f337966d55060ad3297cae7515938457a713ddd9eaac5cdf200000003d986891fb27cb3983f798082083ac734d97d6235a186d3cc43db26f63bd44684000000018620d4739c0a26a6261e8c9867e94605cd35c61090c982999d5bb09fb54ec7d9a3499ebeb304c67720edfa37a34fe7fd4bce8fd8468dbee5081f56c81f4ce46
Enter fullscreen mode Exit fullscreen mode

To use this encrypted password, you must first decrypt it.
For that we will used the ConvertTo-SecureString command
After that, with the decrypted password, we can make a new PSCredential object and use it

$Username = "MyUser"
$SecurePassword = Get-Content c:\temp\password.txt | ConvertTo-SecureString
$Cred = New-Object System.Management.Automation.PSCredential -ArgumentList $Username,$SecurePassword
Enter fullscreen mode Exit fullscreen mode
PS > $cred

UserName                           Password
--------                           --------
MyUser System.Security.SecureString
Enter fullscreen mode Exit fullscreen mode

As in point 1, we have a object $Cred that we can use in the follow script

Enter-PSSession -ComputerName MyComputer -Credential $cred
Enter fullscreen mode Exit fullscreen mode

3. Export-Clixml : storage on disk

The advantage of this method is that you can leverage the versatility of PowerShell to ensure that data is not only exported, but also stored securely using secure strings. It should be noted that these credentials files can only be opened by the same user on the same system.

To create the export file, we will used the Export-Clixml command

get-credential -message "User's Password ?" -UserName MyUser | Export-Clixml -Path "c:\temp\user.xml"
Enter fullscreen mode Exit fullscreen mode

In the file c:\temp\user.xml we can see the following information

<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">MyUser</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb0100000057670149ac674a41ad9d185a8a82724b00000000020000000000106600000001000020000000dadd8864c9b930a2eb07a6745ac4fb5711912c318c401f7e35bb91d4d1cc180b000000000e8000000002000020000000b5a862ba266c236357445b773ca38d73ed124cf82d863ac4c11e2b48d57fca4b2000000054180930ba9fd53a6c4bdd9d7f69c044c88072b0d411486bccc1ca3cca417bf440000000d6197eafe8a133235bd1b44e376c3ff02e94da9f39b7d24b9a68ef5dbd629e44180ce15c3e67830d758fa1296f60a98cb2371ef915990c921e728f44c72c4cbd</SS>
    </Props>
  </Obj>
</Objs>
Enter fullscreen mode Exit fullscreen mode

To use this information, we must use the reverse command Import-Clixml

 $Cred = Import-Clixml -Path "c:\temp\user.xml"
Enter fullscreen mode Exit fullscreen mode

again we are recovering an object $Cred

PS > $cred

UserName                           Password
--------                           --------
MyUser System.Security.SecureString
Enter fullscreen mode Exit fullscreen mode

Today my preference is the third solution with the use of XML files

Top comments (0)