因此,我的组织要求我清理一些与一些自动化脚本有关的安全问题,这些脚本在作为自动化任务运行的脚本中具有硬编码密码。其中一项任务包含 SFTP 脚本,这些脚本使用密码、主机名、凭据、端口和脚本中公开的所有内容来导出和导入文件。因此,我想先了解如何在可以隐藏的单独文件中调用此类凭据,然后再了解加密和加盐。但我的主要重点是让它们脱离脚本,以防流量被拦截。这是 PowerShell 代码的样子:
param (
$localPath = 'E:\FTP\SchooLinks\course_requests.csv',
$remotePath = '/schoolinks_exports/course_planning/course_requests.csv'
)
try
{
# Load WinSCP .NET assembly
Add-Type -Path "C:\Program Files (x86)\WinSCP\WinSCPnet.dll"
# Setup session options
$sessionOptions = New-Object WinSCP.SessionOptions -Property @{
Protocol = [WinSCP.Protocol]::Sftp
HostName = "<domain_name>"
UserName = "<username>"
Password = "<password>"
SshHostKeyFingerprint = "<fingerprint>"
}
$session = New-Object WinSCP.Session
try
{
# Connect
$session.Open($sessionOptions)
# Upload files
$transferOptions = New-Object WinSCP.TransferOptions
$transferOptions.TransferMode = [WinSCP.TransferMode]::Binary
$transferResult =
$session.GetFiles($remotePath, $localPath, $False, $transferOptions)
# Throw on any error
$transferResult.Check()
# Print results
foreach ($transfer in $transferResult.Transfers)
{
Write-Host "Download of $($transfer.FileName) succeeded"
}
}
finally
{
# Disconnect, clean up
$session.Dispose()
}
exit 0
}
catch
{
Write-Host "Error: $($_.Exception.Message)"
exit 1
}
我们的另一个看起来像这样:
param (
$localPath = 'E:\FTP\TalentEd\SkywardApplicantExportSQL.txt',
$remotePath = '/SkywardApplicantExportSQL.txt'
)
try
{
# Load WinSCP .NET assembly
Add-Type -Path "C:\Program Files (x86)\WinSCP\WinSCPnet.dll"
# Setup session options
$sessionOptions = New-Object WinSCP.SessionOptions -Property @{
Protocol = [WinSCP.Protocol]::Sftp
HostName = "<domain>"
UserName = "<username>"
Password = "<password>"
SshHostKeyFingerprint = "<sha_fingerprint>"
}
$session = New-Object WinSCP.Session
try
{
# Connect
$session.Open($sessionOptions)
# Upload files
$transferOptions = New-Object WinSCP.TransferOptions
$transferOptions.TransferMode = [WinSCP.TransferMode]::Binary
$transferResult =
$session.GetFiles($remotePath, $localPath, $False, $transferOptions)
# Throw on any error
$transferResult.Check()
# Print results
foreach ($transfer in $transferResult.Transfers)
{
Write-Host "Download of $($transfer.FileName) succeeded"
}
}
finally
{
# Disconnect, clean up
$session.Dispose()
}
exit 0
}
catch
{
Write-Host "Error: $($_.Exception.Message)"
exit 1
}
我熟悉 Python 和 json,并在类似于以下内容的 json 文件中调用内容:
import json
with open('secrets.json','r') as f:
config = json.load(f)
并用
(config['object']['nested_element'])
调用它在 Python 脚本中。我想用 PowerShell 做类似的事情,但是我对 PowerShell 的了解非常有限。
最佳答案
当然,Yeppers 从不将凭据以明文形式存储在文件中。
有几种方法可以存储凭据以供使用。安全文件(xml 等)、注册表或 Windows 凭据管理器,这在 Microsoft 网站以及网络上的许多文章中以及通过 StackOverflow 上的问答中都有详细记录。
只需搜索 'securely store credentials PowerShell'
样本结果...
Working with Passwords, Secure Strings and Credentials in Windows PowerShell
How to run a PowerShell script against multiple Active Directory domains with different credentials
...和/或通过 MS powershellgallery.com 直接从您的 PowerShell 环境安装的模块。
Find-Module -Name '*cred*' |
Format-Table -AutoSize
<#
# Results
Version Name Repository Description
------- ---- ---------- -----------
2.0 CredentialManager PSGallery Provides access to credentials in the Windows Credential Manager
2.0.168 VcRedist PSGallery A module for lifecycle management of the Microsoft Visual C++ Redistributables. Downloads the supp...
1.3.0.0 xCredSSP PSGallery Module with DSC Resources for WSMan CredSSP.
1.1 VPNCredentialsHelper PSGallery A simple module to set the username and password for a VPN connection through PowerShell. Huge tha...
1.0.11 pscredentialmanager PSGallery This module allows management and automation of Windows cached credentials.
4.5 BetterCredentials PSGallery A (compatible) major upgrade for Get-Credential, including support for storing credentials in Wind...
1.0.4 WindowsCredential PSGallery Management module for Windows Credential Store.
...
#>
关于windows - 如何使用硬编码密码修复 PowerShell 中 WinSCP SFTP 脚本中的安全性,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/60641356/