PowerShell Remoting Project Home

Wednesday, March 22, 2006

Monad Remoting - Now Can Read SecureString From Remote Client

Implementation of ReadLineAsSecureString() in MshHostUserInterface.

Just uploaded a new version of "Monad Remoting". It can read SecureString from the remote client console now.

A SecureString will not stay secret if you store its content in a normal string first. That is to say, we have to read it from the console and store it directly as a SecureString. But before sending it to the remote server, we have to decrypt it to a byte[]. NegotiateStream will encrypt the (decrypted) byte[] before writing it to the NetworkStream. On the server side, we have to take the byte[] and restore it to a SecureString.

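Although I tried to minimize exposure and clear my footprint behind me, there are still potential security problems. So use it at your own risk. I post the code here, in case someone wants to take a close look at those steps I mentioned here.

    // Declared earlier in the method: ConsoleKeyInfo keyinfo; SecureString password;
    // byte[] Plantext; and authStream (the NegotiateStream to the server).
    do
    {
        // Read one key without echoing it to the console.
        keyinfo = Console.ReadKey(true);
        // Ignore Alt/Ctrl key combinations.
        if ((keyinfo.Modifiers & ConsoleModifiers.Alt) != 0 || (keyinfo.Modifiers & ConsoleModifiers.Control) != 0) continue;
        if (keyinfo.Key == ConsoleKey.Enter)
        {
            Console.WriteLine();
            break;
        }
        if (password.Length == 512)
        {
            Console.Write("\r\nRead 512 (Maximum) Characters!");
            break;
        }
        if (keyinfo.Key == ConsoleKey.Backspace)
        {
            // Nothing to erase on an empty buffer; RemoveAt(-1) would throw.
            if (password.Length == 0) continue;
            password.RemoveAt(password.Length - 1);
            // Erase the last '*' shown on the console.
            Console.Write('\b');
            Console.Write(' ');
            Console.Write('\b');
            continue;
        }
        // Append straight into the SecureString; the character never lands in a normal string.
        password.AppendChar(keyinfo.KeyChar);
        Console.Write('*');
    }
    while (keyinfo.Key != ConsoleKey.Enter);
    if (password.Length > 0)
    {
        // Decrypt to byte[], send over the encrypting stream, then wipe the plaintext copy.
        Plantext = GetByteArrayFromSecurString(password);
        authStream.Write(Plantext, 0, Plantext.Length);
        Array.Clear(Plantext, 0, Plantext.Length);
    }

At this point, you can now enjoy the get-credential, new-securestring cmdlets.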
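
The decrypt-to-byte[] step on the client and the restore-to-SecureString step on the server, described above, as an added example. This is not the Monad Remoting project's code (the author's GetByteArrayFromSecurString is not shown on this page); the class and method names are hypothetical, and UTF-16 little-endian byte order is assumed.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

static class SecureStringWire   // hypothetical names, not from the project
{
    // Client side: copy the UTF-16 characters into a byte[] without ever
    // creating a managed System.String (assumes a little-endian platform).
    public static byte[] SecureStringToBytes(SecureString s)
    {
        byte[] buffer = new byte[s.Length * 2];
        IntPtr p = IntPtr.Zero;
        try
        {
            p = Marshal.SecureStringToGlobalAllocUnicode(s);
            Marshal.Copy(p, buffer, 0, buffer.Length);
        }
        finally
        {
            // Zero and free the unmanaged plaintext copy.
            if (p != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(p);
        }
        // The managed array is not pinned, so the GC may move it; the caller
        // must Array.Clear() it as soon as it has been written to the stream.
        return buffer;
    }

    // Server side: rebuild a SecureString from the received bytes, then wipe them.
    public static SecureString BytesToSecureString(byte[] buffer, int count)
    {
        SecureString s = new SecureString();
        try
        {
            for (int i = 0; i + 1 < count; i += 2)
                s.AppendChar((char)(buffer[i] | (buffer[i + 1] << 8)));
            s.MakeReadOnly();
            return s;
        }
        catch { s.Dispose(); throw; }
        finally { Array.Clear(buffer, 0, buffer.Length); }
    }

    static void Main()
    {
        SecureString pw = new SecureString();
        foreach (char c in "constructed-sample") pw.AppendChar(c); // constructed demo value
        byte[] wire = SecureStringToBytes(pw);   // what the client would write to the stream
        SecureString restored = BytesToSecureString(wire, wire.Length);
        Console.WriteLine("{0} chars restored, buffer wiped: {1}", restored.Length, Array.TrueForAll(wire, b => b == 0));
    }
}
```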


I really wish we could have an in-process su command, because the trick of [System.Diagnostics.Process]::Start() will not work for a remote client. Well, we have to expect that in the next version of Monad.

Have Fun.
