在不提示的情况下在Powershell中获取当前用户的凭据对象 [英] Get current user's credentials object in Powershell without prompting
问题描述
我有一个Powershell脚本,该脚本将通过自动化工具针对多个服务器运行。它可以在Windows计算机上正常运行,因为远程调用使用该工具的服务帐户,而无需提示或公开代码中的任何凭据。该脚本还可以使用SharpSSH软件包通过SSH在Linux计算机上运行。 SharpSSH不会自动使用Powershell用户的凭据,但需要用户名和密码,RSA密钥文件或PSCredential对象。我无法使用Get-Credential提示输入凭据,因为它是通过自动化工具运行的。我不想在代码中公开用户名和密码,也不想使用RSA密钥。我想从当前Powershell用户(服务帐户)构造一个PSCredential对象。尝试[System.Net.CredentialCache] :: DefaultNetworkCredentials显示为空白,[System.Security.Principal.WindowsIdentity] :: GetCurrent()不提供我需要的对象或信息。
I have a Powershell script that is going to be run through an automation tool against multiple servers. It works fine on Windows machines, as the remote calls use the tool's service account without any need for prompting or exposing any credentials in code. This script also runs against Linux machines via SSH using the SharpSSH package. SharpSSH does not automatically use the Powershell user's credentials but requires either a username and password, an RSA key file, or a PSCredential object. I can't prompt for credentials using Get-Credential because it's being run through the automation tool. I don't want to expose the username and password in code or have an RSA key sitting out there. I would like to construct a PSCredential object from the current Powershell user (the service account). Trying [System.Net.CredentialCache]::DefaultNetworkCredentials shows a blank, and [System.Security.Principal.WindowsIdentity]::GetCurrent() doesn't provide the object or information I need.
是否有人可以从当前用户创建PSCredential对象?还是针对此问题的完全不同的选择?
Does anyone have a method for creating a PSCredential object from the current user? Or maybe a completely different alternative for this problem?
非常感谢!
推荐答案
Windows API不会公开您需要的信息,这就是Powershell无法获取它们的原因。这是安全子系统的故意功能。唯一可行的方法是让Linux计算机信任调用方计算机,例如将它们加入Active Directory(或实际上是任何kerberos设置)。
The Windows API will not expose the information you need, which is why Powershell can't get to them. Its an intentional feature of the security subsystem. The only way for this to work is for the Linux machines to trust the calling machine, such as joining them to an Active Directory (or any kerberos setup really).
除此之外,您还需要以某种方式存储和传递此信息。
Aside from that, you'd need to store and pass this information somehow.
您可以存储RSA密钥位于用户的密钥库中,并在运行时提取(使用.NET Crypto / Keystore库),因此您无需将密钥与代码一起存储。这样,密钥本身将受到操作系统的保护,并且仅在对呼叫用户进行身份验证时才可用。您还需要安装其他东西,但这可能是实现目标的唯一方法。
You could store the RSA key in the user's keystore and extract it at runtime (using the .NET Crypto/Keystore libs), so you aren't storing the key around with the code. That way the key itself would be protected by the OS and available only when the calling user was authenticated. You'd have one more thing to install, but may be the only way to achieve what you are aiming for.
这篇关于在不提示的情况下在Powershell中获取当前用户的凭据对象的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
