I am writing a program, which is like a swiss army knife of tools that my colleagues need in their day to day work. One feature of this tool is, to be able to connect to a client remotely and control it.
We already have an application called Dameware Mini Remote Control, not written by us, that does this exact job. My application just starts this software in a process and hands over username and password, the user has entered beforehand.
In the documentation of the Dameware Tool, it says that the process should be called with these arguments:
"dwrcc.exe [-?|-?:] [-c:] [-h:] [-m:MachineName] [-u:UserName] [-p:Password | -p:"Password"] [-d:Domain] [-o:TCPport] [-s:SharedSecret] [-r:] [-vnc:] [-a:0|1|2] [-prxa:MRCproxyAddress] [-prxp:MRCproxyPort] [-prxsMRCproxySecret] [-v:] [-md:] [-i:n] [-x:] [-bh:CentralServerHostAddress] [-bpn: CentralServerPortNumber] [-bu:CentralServerUserName] [-bps:CentralServerUserPassword]"
My concern is that providing the password in the -p option is not secure, because it is basically plain text.
Here is the part of my code where i provide the command line arguments:
proc.StartInfo.Arguments = $"-c: -h: -x: -m:{TxtHostname} -d:{MainUI.Credentials.DomainName} -u:{MainUI.Credentials.UserName} -p:{LoginCredentials.Decrypt(MainUI.Credentials.EncryptedPassword)}";
Is there a secure way of handing over the password to the Dameware application inside the process?
Any suggestions are greatly appreciated.
This is not possible in general. If the only option is to pass the password via a command line parameter, you do only have this option.
However it would be possible if the target application supports another way of receiving the password. This is application specific and doesn't apply to every application.
As I'm not familiar with Dameware Mini Remote Control, I can't tell if such an option exists in this specific case.
Related
I am trying to achive a situation:
I am logged as a user on my account.
I've created a two more accounts which I will try to log on in the
"background"
And now I want to execute my code to log on different user in the background,
so that if i can click ctrl+alt+del and go to the switch user screen
i can see that another account was logged on the system.
During investigation I've read that this was possbile with some undocumented winapi methods before Microsoft implemented Fast User Switch(FUS) which replaced GINA.
I don't want to Impersonate code as user. I want to start up the whole windows session for a user from code.
I've tried to do sth with CreateProcessWithLogonW() but this was unsuccessful.
Big virtual beer for anybody who can give me a hand with this! :)
Okay had to do a bit of digging to figure this out my self.
Essentially you would need to run a command in command prompt.
This should load explorer.exe as a second user.
runas /user:*computer name\*account name explorer.exe
Follow this to get an idea on running a command line command via c#:
How To: Execute command line in C#, get STD OUT results
Other sources:
http://www.computerhope.com/runas.htm
http://lifehacker.com/290435/switch-user-accounts-from-the-command-prompt
Can someone tell me what the InteractiveProcessRunner is for? Is it identical to Process.Start?
Here is the class.
And here an example :
InteractiveProcessRunner runner =
new InteractiveProcessRunner(notepad.exe,hSessionToken);
THX
Whit this class you can run a process with the complete environment of the user active: if you call this code from a service, you should find the user mapped resources, the desktop and all the resources that are available when the user is loggen on interactively even if launched from a service ie not logged interactively.
The source code to which your link leads referes to this article: http://asprosys.blogspot.com/2009/03/perils-and-pitfalls-of-launching.html which explains the motivation behind it.
Summary: You can't really use Process.Start() when you want to start a new process as certain user from a windows service. The InteractiveProcessRunner lets you do this (supposedly, never used it so I can't verify it). So it's not the same as Process.Start() - it uses a different Windows API.
The code I am currently working on runs on Windows Server 2003, but needs to be able to write to EventLogs on multiple machines. I am coding in C#, using VS2008 Pro, and .NET Framework 3.5.
The code itself is relatively simple (thanks to the framework):
using (EventLog remoteEvtLog = new EventLog(LogName, HostName, EventSource))
{
remoteEvtLog.WriteEntry(Body);
}
"LogName" is a string containing the name of the log to write to - in most cases "Application".
"HostName" is a string containing the NetBIOS Name of the machine where the log entry should be written.
"EventSource" is a string containing the name of the event sender (this is a utility used by multiple apps, so usually it will have the name of the consuming application).
"Body" is a string containing the text to be written to the event log.
In most cases this works fine, but when the machine being written to uses UAC, any write which creates a new EventSource fails. This occurs even though the Security credentials used are members of the Administrators group - and I have not been able to find a way to specify the elevated priviledge level. Apparently, members of the Administrators goroup get two tokens - one limited, and one elevated, but as far as I can tell, the only way to specifiy the elevated token is through the UI - which is obviously a problem when remotely accessing the Logs.
Any ideas out there?
Your code is not supposed to create new event sources (the legacy auto-create behavior is unfortunate, but still wrong). If you need a separate event source for your application, then the installer for that application - which runs with elevated administrative privileges - should create it.
I want to be able to execute openssh with some custom arguments and then be able to automatically login to the server. I want that my script will enter the password if needed and inject 'yes' if I'm prompted to add the fingerprint to the known hosts.
I've found SharpSsh for C# that do that, but I also need to use -D parameter and use ProxyCommand that I define in SSH, and the library is quite lacking for that usage.
Another thing that I've found was pexcept for Python that should do the trick but I couldn't find where to download it, on the offical page I'm being redirectred from sourceforge to some broken link.
Any help would be appreciated,
Bill.
If you use OpenSSH and then have a script to inject password in clear (meaning, you have stored the password unencrypted) it is defeating the purpose of secure shell.
Please strongly consider using public key mechanisms which can be easily and securely automated.
I'll second the recommendation to use public key authentication. Rather than hack around with expect, you might want to consider Paramiko - it's a native SSH client for Python which would greatly simplify the communications process, particularly if you ever need to interact with the remote server and it has support for things like SFTP built-in.
i use pexpect for similar purpose and download also work?
http://sourceforge.net/project/downloading.php?group_id=59762&filename=pexpect-2.3.tar.gz
here is a portion fro my ssh automate script, you can customize it for you usage
it may not run out of the box
import os
import getpass
import pexpect
import glob
import logging
import shutil
import time
class UpdateError(Exception): pass
g_password = None
def runSshCommand(cmd):
global g_password
ssh_newkey = 'Are you sure you want to continue connecting'
# my ssh command line
p=pexpect.spawn(cmd)
i=p.expect([ssh_newkey,'password:',pexpect.EOF])
if i==0:
print "Saying yes to connection.."
p.sendline('yes')
i=p.expect([ssh_newkey,'password:',pexpect.EOF])
if i==1:
while True:
if g_password is None:
g_password = getpass.getpass("password:")
p.sendline(g_password)
i = p.expect(['password:',pexpect.EOF])
if i==0:
g_password = None
print "Wrong password"
else:
break
elif i==2:
raise UpdateError("Got key or connection timeout")
return p.before
There is some excellent documentation on using Putty with generated SSH key authentication. This is an easy and secure way to accomplish your goals. Putty has a great set of features, for a windows SSH app. Even better when you consider that you can get it on the free.
pexpect can't import on Windows. So, I use plink.exe with a Python subprocess to connect to the ssh server.
Another way is to to use openssh and establish a trusted key; if both client and the user account on the server have this key, then openssh does not request a password.
I have a script that automates setup of this - it works under cygwin,
http://mosermichael.github.io/cstuff/all/projects/2011/07/14/ssh-friends.html
I hope Net::SSH::Expect Perl module will be of help to you.
I have a developer tool that I want to run from an internal site. It scans source code of a project and stores the information in a DB. I want user to be able to go to the site, chose their project, and hit run.
I don't want the code to be uploaded to the site because the projects can be large. I want to be able to run my assembly locally on their machine. Is there an easy way to do this?
EDIT: I should note, for the time being, this needs to be accomplished in VS2005.
EDIT 2: I am looking for similar functionality to TrendMicro's Housecall. I want the scan to run locally, but the result to be displayed in the web page
You could use a ClickOnce project (winform/wpf) - essentially a regular client app, deployed via a web-server. At the client, it can do whatever it needs. VS2005/VS2008 have this (for winform/wpf) as "Publish" - and results in a ".application" file that is recognised by the browser (or at least, some browsers ;-p).
You might be able to do the same with Silverlight, but that has a stricter sandbox, etc. It would also need to ask the web-server to do all the db work on its behalf.
I want to be able to run my assembly
locally on their machine
Sounds like you want them to download the tool and run it from their local machine, does that work for you?
Any code can scan files given the location and permissions. For a website to open an exe on a different machine and permit that to run and get access to the files contained on the web server would require a horrifically low level of security that would mean the entire system is practically completely open to attack. If your system is completely behind a firewall and hence protected from outside intererance then you want to look more at the permissions and less at the code.
To run an exe on a machine try following notepad example, though you may have to use a specified directory as well
ProcessStartInfo psi = new ProcessStartInfo("notepad.exe");
psi.WindowStyle = ProcessWindowStyle.Hidden;
Process p = new Process();
p.EnableRaisingEvents = true;
p.Exited += new EventHandler(ExitHandlerToKillProcess);
p.StartInfo = psi;
p.Start();
and when done dont forget to kill the Process. Alternately use javascript. Either way watch the security permissions and remember the risks of doing this.
I would probably write some sort of command line tool or service that does the processing and extraction of project data. Then I would use a page to update/register projects that the web server and the command line tool both have common access to. then at specified times either manually or via cron or similar mechanisms extract the data to your database. once you have this, you just use the website to display last extraction times and the extracted data.
if the projects/end users are on a different subnet etc, then you will need the end users to run the tool and then have it post the data into the database.