Secure Passwords #16
Comments
I'm thinking of dropping the -Password parameter from the Set-LabVMDefaults cmd completely. Specifying the password on the Start-LabConfiguration (and associated) cmdlet(s) would keep the password from being easily discoverable on disk and easily support the [PSCredential] type. As a side note, it's currently very easy to specify a different password in a configuration to the actual local administrator password that is currently set during the SYSPREP process. I think it would be beneficial to have to specify the local admin password when creating a lab/VM.
Sounds good to me. I think that would be quite intuitive as well.
So having a -Password and/or -Credential parameter on Start-LabConfiguration, and removing -Password from Set-LabVMDefaults would be OK? It will remove the requirement of trying to store credentials securely, probably unsuccessfully!
Yes absolutely. And a Credential param would be sweet, giving the option to provide any existing credential object you might have already. Would fit my needs very well indeed.
Since it prompts for credentials, and expects a pscredential object, I am wondering if it would make more sense to:
Example: Get-Credential -Message 'Enter password to be used for the local administrator accounts' -UserName Administrator
I would be happy to make those changes and create a pull request - if you agree that is
I'm with you on this one. However, I did play with various options, including using [System.Security.SecureString] instead of a [PSCredential]. Here's what I tried and how I ended up where we are.
Having said that, I'm open to changing its name back to -Credential if you still think it's worthwhile?! I've just tested the SecureString implementation, and it does prompt?! How did I miss this [shakes head]?! Should we change the -Password parameter to a SecureString? People can use a PSCredential object if they want? We could have a parameter set if we want to cover all bases?
It's nice that SecureString does prompt, however it still does not allow for any informative text, and you will still need to do string conversion (or use [pscredential].GetNetworkCredential().Password) to supply a value for the parameter. No obvious solution here I guess. I will see if I can come up with something clever (even though if there is something clever to do about it, you would probably have found it already)
I'm happy to leave it as a [PSCredential] and I don't see a need to change it. The question is whether we rename the parameter back to -Credential (consistency with most other cmdlets) or leave it as -Password (more descriptive of its actual purpose)? Choices, choices.. We could have both? If we're going to have informative Get-Credential text we would need to do a null check. Ensuring that we have a password via either would only add a couple of lines.. Thoughts?
These are thoughts rather than requirements (at the end of the day, it's your baby). But I would opt for "all of the above"
I think consistent naming and type of parameters will make it more intuitive for users.
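One way to accept both forms discussed in this thread (a [PSCredential] via -Credential, a [SecureString] via -Password, and an informative Get-Credential prompt with a null check when neither is given), written as an added example that is not code from the Lab project or from any participant. The function name Resolve-LabAdminCredential and the -UserName parameter are hypothetical.

```powershell
# Added example. Resolve-LabAdminCredential and -UserName are hypothetical names,
# not part of the Lab module.
function Resolve-LabAdminCredential {
    [CmdletBinding(DefaultParameterSetName = 'Prompt')]
    [OutputType([System.Management.Automation.PSCredential])]
    param (
        # An existing credential object supplied by the caller.
        [Parameter(Mandatory, ParameterSetName = 'Credential')]
        [System.Management.Automation.PSCredential] $Credential,

        # Password only, typed as SecureString so it is never a plain [string] argument.
        [Parameter(Mandatory, ParameterSetName = 'Password')]
        [System.Security.SecureString] $Password,

        [Parameter()]
        [ValidateNotNullOrEmpty()]
        [string] $UserName = 'Administrator'
    )

    switch ($PSCmdlet.ParameterSetName) {
        'Credential' { $resolved = $Credential }
        'Password'   {
            $resolved = New-Object System.Management.Automation.PSCredential -ArgumentList $UserName, $Password
        }
        default      {
            # Neither parameter given: prompt with informative text.
            $resolved = Get-Credential -UserName $UserName `
                -Message 'Enter password to be used for the local administrator accounts'
        }
    }

    # Null check: a cancelled prompt may return nothing; an empty password is rejected too.
    if ($null -eq $resolved -or $resolved.Password.Length -eq 0) {
        throw 'A local administrator password is required.'
    }
    return $resolved
}

# Constructed sample value for a non-interactive run; real callers would use
# Read-Host -AsSecureString or pass an existing credential object.
$sample = New-Object System.Security.SecureString
'Constructed-Sample-1'.ToCharArray() | ForEach-Object { $sample.AppendChar($_) }
$cred = Resolve-LabAdminCredential -Password $sample
'{0} / password length {1}' -f $cred.UserName, $cred.Password.Length
```

The plain-text value is only materialised where a consumer needs it, through `$cred.GetNetworkCredential().Password`, so nothing has to be written to the defaults file on disk.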
@csandfeld Just one more commit for today! Does the https://github.com/VirtualEngine/Lab/commits/Issue16 branch work for you? In short it:
I would like you to have a look before I merge it into the dev branch.. Forgot to say that this branch includes all today's commits too!
Thank you Iain, the password/credential feature works a treat, and I find it much more intuitive this time. Good job! 👍
The default virtual machine password stored by the Get-LabVMDefaults/Set-LabVMDefaults cmdlets should be implemented as a SecureString. Failure to do so will probably lead to a rejection from the PS Gallery..