
Passwordstate Password Integration

Sorry wasn't sure where to put this.


I've created a script to integrate with Passwordstate for password retrieval (attached).


It requires my PasswordState-Management PowerShell module. Details here: https://github.com/dnewsholme/PasswordState-Management


PowerShell Gallery link: https://www.powershellgallery.com/packages/passwordstate-management/2.0.0


Feel free to use/alter as you like.







Hope it helps.




You can disregard - I solved it by updating the PasswordState-Management scripts that were updated 4 days ago on GitHub.


Resolution Note:

Run PowerShell as admin and execute the following:


Install-Module -Name PasswordState-Management -Force   # this should install over the current script version to the latest version. The new 4.4.34 works with Passwordstate v9 just fine.




Yep, early Passwordstate v9 support was added last week.

So this one has stopped working for me. I installed the latest version of the script, and the folder just throws an error referencing line 159, but there is no line 159 in the dynamic folder script.

Found the problem: your script either uses TLS 1.0 by default or somewhere it is set to that. We have disabled all old unsupported protocols, which means it kept failing. Adding [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 to the top of the rdfe import forces it to use 1.2, and everything is happy again!



Windows PowerShell uses TLS 1.0 by default, and you have to force it to TLS 1.2 with the method above unless you have forced .NET Framework 4 to use strong crypto by default.


# set strong cryptography on 64 bit .Net Framework (version 4 and above)

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord

# set strong cryptography on 32 bit .Net Framework (version 4 and above)

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord

Daryl, quick one: due to some changes internally I am no longer allowed to query the API without auditing, and my security guys are getting very annoyed that I query EVERY password when I start up Royal TS. Is there any way to make it so that it only does the query based on the name of the credential that I fill in on the connection dynamically, so I only query for the things I am actually using?


I have tried to figure this out myself but I am really struggling with the whole dynamic credentials thing and how to actually consume them.

Hi Matthew. Looking at the docs I don't see an easy way to achieve this.


https://docs.royalapps.com/r2021/scripting/rjson/dynamic-credentials.html


There would need to be a dynamic folder script which would enumerate all credentials (without the password); then the dynamic credential script would retrieve the password needed at connection time. The problem is that retrieving all the objects from the API, even without the passwords, still triggers an auditing record in the Passwordstate logs. The only thing I can suggest is to update the line to include a reason for auditing, such as

$results = Get-PasswordStatePassword -reason "RoyalTS"


At least that way it could be filtered out of the audit logs. Alternatively, you could turn on caching under Advanced for the dynamic folder in Royal TS to query less often, but this comes at the cost of security.

Hi there,


I just want to point out that there are two Passwordstate sample scripts available in our toolbox repository (and in the in-app gallery):

Probably neither of the two will get around the fact that an audit record is written when accessing the stored objects of the Passwordstate server. The one that does use dynamic credentials however only requests metadata of the credentials when reloading the dynamic folder. It only accesses the username and password fields when an actual connection using the credential is opened.


Hope that clears things up a bit!


cheers,

felix

I have made some progress by using a fusion of the management module: I have created a dynamic folder script that creates my dynamic credentials.


I used Get-PasswordStatePassword -Title "$DynamicCredential.EffectiveID$", which then pushes a single password request based on the ID of the object, but I can't get it to take the results and use them in the dynamic credential that I created.


My object details are below. I can see the API query is successful, and when I test the PowerShell I get the results back and I can get the password out; I just can't put it back into the object such that I can use it.


{
    "Objects": [
        {
            "Type": "DynamicCredential",
            "Name": "Test Object",
            "ID": "Test Object 1"
        }
    ]
}

Also, in answer, the problem is the noise this generates in the logs: we have no real idea of what people are actually using because it accesses everything, and we have such a huge amount of data in the logs that it's impossible to discern what's actually happening.

I have used what you had in your dynamic folder script as the basis for the code I was using in the dynamic credential section. This code works when I execute it in PowerShell directly, and I get a properly formatted username, password and any notes or ID; it just doesn't update the credential, so I just get left with a login prompt:


[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12   # force TLS 1.2 for the API call
$ErrorActionPreference = "Stop"                                                  # surface any API failure instead of continuing
# Royal TS substitutes the ID of the credential being resolved for $DynamicCredential.EffectiveID$
$results = Get-PasswordStatePassword -Title "$DynamicCredential.EffectiveID$"
$credentials = @()
foreach ($item in $results) {
    # entries whose Notes hold a private key are returned with the key as KeyFileContent
    if ($item.Notes -like "-----BEGIN RSA PRIVATE KEY----*") {
        $credentials += [pscustomobject]@{
            Username       = $item.Username
            Password       = $item.GetPassword()
            ID             = $item.Title
            KeyFileContent = $item.Notes
        }
    }
    else {
        $credentials += [pscustomobject]@{
            Username = $item.Username
            Password = $item.GetPassword()
            ID       = $item.Title
        }
    }
}

# wrap the result in an Objects array (the dynamic folder output format)
$final = [pscustomobject]@{
    Objects = $credentials
}
$final | ConvertTo-Json -Depth 100 | Write-Output

As per the Passwordstate documentation, any search will always add an audit log entry for the action. Using dynamic credentials or otherwise won't change this; you will still have the same amount of logs.


The prevent auditing option is there precisely for these sorts of use cases, where you have something you aren't particularly interested in seeing in the logs because the frequency amounts to noise. Either you care enough about it to have the audit logs for it, or you don't and then exclude it.


The problem is you have to retrieve all the credentials to be able to pick the one you want for your connection. I suppose you could prevent auditing on that and enable auditing where the dynamic part retrieves the password, as a compromise between the two to allow logging without as much noise?


I can look at doing the compromise noted if that helps?

Right, I get it, but your script pulls ALL the passwords and usernames at the same time. What I am trying to get to, and have managed to get about 75% of the way there, is to create a dynamic credential in the folder, refer to that dynamic credential in an object in my file, double-click the object to open it, trigger the resolution of that single credential from Passwordstate, and then use the returned credentials to establish the connection.


Now I can see from the Passwordstate logs that I am correctly asking for only the one credential. From the testing I have done in PowerShell I can see that I am getting the username and password; what I have yet to figure out is a way of updating the dynamic credential so that the connection actually uses the username and password.


What I get currently is it says "resolving the credentials", waits a second (I see the request in Passwordstate via the API auditing), and then the connection starts, opens and just sits there asking for a login. So while it gets them, it doesn't actually use them in any way, shape or form.


I am trying to get an "on demand" solution rather than all at once and cache it, because as you can imagine that creates thousands of meaningless logs. It doesn't provide any meaningful data of who actually used what password if every one of the 27 users we have scrapes the entire password set every morning and then there is nothing for the rest of the day.

Is that the dynamic cred script you put above? If so, you are returning too much info.


It should look like this:


[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12   # force TLS 1.2 (see above)
$ErrorActionPreference = "Stop"                                                  # fail loudly so Royal TS shows the error
# Royal TS substitutes the ID of the credential being resolved for $DynamicCredential.EffectiveID$
$results = Get-PasswordStatePassword -Title "$DynamicCredential.EffectiveID$"
$results.Password = $results.GetPassword()   # fetch the actual password value for this one entry
# a dynamic credential script returns only the credential fields, not the Objects wrapper a dynamic folder uses
$results | Select-Object Username,Password | ConvertTo-Json -Depth 100 | Write-Output


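The dynamic folder half of that on-demand setup, as an added example rather than the rdfe attached to this thread: it emits one DynamicCredential entry per Passwordstate title and never calls GetPassword(), so a folder reload only moves titles and the single audited password fetch happens in the dynamic credential script above when a connection is opened. It assumes the PasswordState-Management module is installed and configured in the session Royal TS uses, that titles are unique, and (for the optional commented line) that Get-PasswordStatePassword accepts a -PreventAuditing switch, which is an assumption about the module and not shown in this thread.

```powershell
# Royal TS dynamic folder script. Added example, not the rdfe attached to this thread.
# Assumes the PasswordState-Management module is installed and its API settings are
# already configured in the session Royal TS runs this script in.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$ErrorActionPreference = "Stop"

# Enumerate entries with a reason tag so the reload can be filtered in the Passwordstate
# audit log. GetPassword() is never called here: a folder reload moves no password
# values, only titles, so the one audited password fetch happens in the dynamic
# credential script when a connection is opened.
$entries = Get-PasswordStatePassword -reason "RoyalTS folder reload"
# If the enumeration itself should not be audited (the compromise discussed above),
# add -PreventAuditing to the call. That switch is an assumption about the module,
# not something shown in this thread; check Get-Help Get-PasswordStatePassword first.

$objects = foreach ($item in $entries) {
    [pscustomobject]@{
        Type = "DynamicCredential"
        Name = $item.Title   # what the user sees in the folder
        # ID becomes $DynamicCredential.EffectiveID$ in the credential script, which
        # looks the entry up with -Title, so it must equal the Passwordstate Title
        # exactly. Titles are assumed unique; a duplicate title would make that
        # lookup return more than one entry.
        ID   = $item.Title
    }
}

# Same Objects wrapper as the dynamic folder output shown earlier in the thread.
# @() keeps a single entry as an array so the JSON shape does not change.
[pscustomobject]@{ Objects = @($objects) } | ConvertTo-Json -Depth 100 | Write-Output
```

Paste this into the dynamic folder script and keep the two-line credential script above as the dynamic credential script; the folder reload then shows up in the Passwordstate audit log as one tagged enumeration per reload, and each connection as one fetch of the title it actually used.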

Thanks for that, I knew I was close but not quite there, that worked perfectly, star!

