在不提示的情况下在 Powershell 中获取当前用户的凭据对象 [英] Get current user's credentials object in Powershell without prompting
问题描述
我有一个 Powershell 脚本,它将通过自动化工具针对多台服务器运行.它在 Windows 机器上运行良好,因为远程调用使用该工具的服务帐户,而无需在代码中提示或公开任何凭据.该脚本还使用 SharpSSH 包通过 SSH 在 Linux 机器上运行.SharpSSH 不会自动使用 Powershell 用户的凭据,但需要用户名和密码、RSA 密钥文件或 PSCredential 对象.我无法使用 Get-Credential 提示输入凭据,因为它是通过自动化工具运行的.我不想在代码中公开用户名和密码,也不想在那里放一个 RSA 密钥.我想从当前的 Powershell 用户(服务帐户)构造一个 PSCredential 对象.尝试 [System.Net.CredentialCache]::DefaultNetworkCredentials 显示空白,而 [System.Security.Principal.WindowsIdentity]::GetCurrent() 不提供我需要的对象或信息.
I have a Powershell script that is going to be run through an automation tool against multiple servers. It works fine on Windows machines, as the remote calls use the tool's service account without any need for prompting or exposing any credentials in code. This script also runs against Linux machines via SSH using the SharpSSH package. SharpSSH does not automatically use the Powershell user's credentials but requires either a username and password, an RSA key file, or a PSCredential object. I can't prompt for credentials using Get-Credential because it's being run through the automation tool. I don't want to expose the username and password in code or have an RSA key sitting out there. I would like to construct a PSCredential object from the current Powershell user (the service account). Trying [System.Net.CredentialCache]::DefaultNetworkCredentials shows a blank, and [System.Security.Principal.WindowsIdentity]::GetCurrent() doesn't provide the object or information I need.
有人有从当前用户创建 PSCredential 对象的方法吗?或者对于这个问题可能有一个完全不同的替代方案?
Does anyone have a method for creating a PSCredential object from the current user? Or maybe a completely different alternative for this problem?
非常感谢!
推荐答案
Windows API 不会公开您需要的信息,这就是 Powershell 无法获取它们的原因.它是安全子系统的一个有意特征.实现这一点的唯一方法是让 Linux 机器信任调用机器,例如将它们加入 Active Directory(或任何真正的 kerberos 设置).
The Windows API will not expose the information you need, which is why Powershell can't get to them. Its an intentional feature of the security subsystem. The only way for this to work is for the Linux machines to trust the calling machine, such as joining them to an Active Directory (or any kerberos setup really).
除此之外,您还需要以某种方式存储和传递这些信息.
Aside from that, you'd need to store and pass this information somehow.
您可以将 RSA 密钥存储在用户的密钥库中并在运行时提取它(使用 .NET Crypto/Keystore 库),这样您就不会将密钥与代码一起存储.这样,密钥本身将受到操作系统的保护,并且只有在调用用户通过身份验证时才可用.您还需要安装一件事,但这可能是实现您的目标的唯一方法.
You could store the RSA key in the user's keystore and extract it at runtime (using the .NET Crypto/Keystore libs), so you aren't storing the key around with the code. That way the key itself would be protected by the OS and available only when the calling user was authenticated. You'd have one more thing to install, but may be the only way to achieve what you are aiming for.
这篇关于在不提示的情况下在 Powershell 中获取当前用户的凭据对象的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
