DPAPI in Remote PSSession from Linux to Windows #11011
Comments
I tried to 'forward' the credentials myself as follows:

```powershell
$Credential = New-Object System.Management.Automation.PSCredential -ArgumentList @(
    'myusername',
    (ConvertTo-SecureString -String 'mypassword' -AsPlainText -Force)
)
$Session = New-PSSession -ComputerName $RemoteHost -Credential $Credential -Authentication Negotiate
Invoke-Command -Session $Session -ScriptBlock {
    $RemoteSession = New-PSSession -Credential $using:Credential
}
```

But the following error is thrown:
See #1654. DPAPI is a Windows-only API and will never be ported to Unix. SecureString formally exists on Unix but encrypts nothing.
@iSazonov Thank you for your reply, but I think you've missed that I'm not asking for DPAPI to be ported to *nix. I'm wanting to use DPAPI on Windows; I just happen to be in a remote session from a Linux box. If anything, I'd be asking for CredSSP to be ported to *nix, but I know that's probably not going to happen. So this request is for an alternative.
From my understanding, you run New-PSSession on Unix. In that case the cmdlet would use DPAPI locally on Unix to protect data, which is impossible.
This issue has been marked as answered and has not had any activity for 1 day. It has been closed for housekeeping purposes.
Using DPAPI in a remote PSSession requires using `-Authentication Credssp` so that the creds are forwarded.

Creating a remote session from Linux to Windows only works using `-Authentication Negotiate`. This precludes the use of DPAPI.

As a user I want to be able to encrypt data using DPAPI in a remote session created from a Linux host so that I can secure my data.

I appreciate this would be non-trivial to achieve but I have no idea if it is even feasible at all.