  • 1.  Looking for inspiration ... Passwords in Scripts

    Posted Jun 28, 2018 08:34 AM

    Hey there,

    After I install our ESXi hosts and add them to vCenter, I use a PowerShell script which does the rest of the configuration needed...

    One of the steps is to create a local read-only ESXi user with a password. I don't like having passwords in my scripts, and in this case the script will only run with user interaction anyway.

    So as a first attempt I tried a simple

    $pwd = read-host "Enter a password:"

    The problem here is that the password can be read on screen as it is typed...

    I read a little bit and tried...

    $pwd = read-host "Enter a password:" -asSecureString

    This looks nice as a first step, but to avoid password mismatches I prompt for the password twice and compare both. In this case $pwd1 and $pwd2 are SecureStrings and do not compare equal.

    Now I tried something like...


        # Loop until both entries match; $esx_Host, $user, $desc and $role are set earlier in the script
        $check = "0"

        while ($check -eq "0") {

            $encpassword1 = Read-Host "Please Enter pwd: " -AsSecureString

            $encpassword2 = Read-Host "again" -AsSecureString

            # Decrypt both SecureStrings to plain strings so they can be compared
            $password1 = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($encpassword1))

            $password2 = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($encpassword2))

            # -ceq: PowerShell's -eq compares strings case-insensitively and would accept "Secret" for "secret"
            if ($password1 -ceq $password2) {

                Write-Host -ForegroundColor Green "Creating user on " $esx_Host.Name "`n"

                $status = Connect-VIServer $esx_Host.Name -User root -WarningAction SilentlyContinue

                $status = New-VMHostAccount -Id $user -Password $password1 -Description $desc -UserAccount

                $status = New-VIPermission -Principal $user -Role $role -Entity (Get-Datacenter)

                $status = Disconnect-VIServer $esx_Host.Name -Confirm:$false

                $check = "1"
            }
        }

    This works so far but maybe there is a better way...

    Maybe compare two SecureString objects directly, or pass them straight to an ESXi host...

    Some ideas would be welcome.


  • 2.  RE: Looking for inspiration ... Passwords in Scripts

    Posted Jun 28, 2018 08:48 AM

    One simple builtin solution is to use the New-VICredentialStoreItem cmdlet.

    You can use the Get-VICredentialStoreItem cmdlet to retrieve user/password information.

    This can be used for credentials that have nothing to do with vSphere as well.

    Use the Server as a tag for the credentials.

    The credentials can only be decrypted by the same user and on the same station where the encryption was done.

    Note: since this is based on a Windows encryption/decryption API, it will not work on PowerShell Core.

  • 3.  RE: Looking for inspiration ... Passwords in Scripts

    Posted Jun 28, 2018 09:03 AM


    That looks good so far...

    The problem is that the password must be a System.String. I would have to provide the password in the script or on the command line. Both would be clear text...

    With Read-Host -AsSecureString the input is hidden and can't be read.

  • 4.  RE: Looking for inspiration ... Passwords in Scripts
    Best Answer

    Posted Jun 28, 2018 09:17 AM

    You can do the following to compare them

    $encpasswort1 = Read-Host "Please Enter pwd: " -AsSecureString

    $encpasswort2 = Read-Host "again" -AsSecureString

    # Wrapping the SecureString in a PSCredential gives a plain-text copy via GetNetworkCredential()
    $clearpasswort1 = (New-Object pscredential "user",$encpasswort1).GetNetworkCredential().Password

    $clearpasswort2 = (New-Object pscredential "user",$encpasswort2).GetNetworkCredential().Password

    # -ceq rather than -eq: string -eq is case-insensitive in PowerShell
    $clearpasswort1 -ceq $clearpasswort2
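
    Pulling posts 1, 2 and 4 together, here is an added example that is not code from the thread or from PowerCLI itself. It prompts twice with -AsSecureString, compares the two SecureStrings through zeroed unmanaged buffers instead of leaving plain-text copies in variables, and only materialises the plain string inside the PowerCLI calls that require a System.String (New-VMHostAccount -Password and New-VICredentialStoreItem -Password). It assumes Windows PowerShell with PowerCLI loaded, and that $esxHost, $user, $desc and $role are already defined by the surrounding script, as they are in the original post.

```powershell
# Added example, not code from the original thread. Assumes Windows PowerShell with
# PowerCLI loaded and that $esxHost, $user, $desc and $role are defined by the caller.

function Test-SecureStringEqual {
    # Compares two SecureStrings character by character through unmanaged BSTR copies,
    # which are zeroed afterwards. Case-sensitive by construction: PowerShell's -eq on
    # strings is case-insensitive, so "Secret" -eq "secret" is $true.
    param(
        [Parameter(Mandatory)][securestring]$A,
        [Parameter(Mandatory)][securestring]$B
    )
    if ($A.Length -ne $B.Length) { return $false }

    $pa = [IntPtr]::Zero
    $pb = [IntPtr]::Zero
    try {
        $pa = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($A)
        $pb = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($B)
        $equal = $true
        for ($i = 0; $i -lt $A.Length; $i++) {
            # A BSTR holds UTF-16 code units, two bytes per character. Keep looping after
            # a mismatch so the time taken does not reveal where the strings diverge.
            $ca = [Runtime.InteropServices.Marshal]::ReadInt16($pa, 2 * $i)
            $cb = [Runtime.InteropServices.Marshal]::ReadInt16($pb, 2 * $i)
            if ($ca -ne $cb) { $equal = $false }
        }
        return $equal
    }
    finally {
        # Overwrite and release the unmanaged plain-text copies
        if ($pa -ne [IntPtr]::Zero) { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($pa) }
        if ($pb -ne [IntPtr]::Zero) { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($pb) }
    }
}

function Read-ConfirmedSecureString {
    # Prompts twice with -AsSecureString and repeats until both entries match and are
    # non-empty. Returns the SecureString; no plain-text copy ends up in a variable.
    param([string]$Prompt = 'Please enter password')

    while ($true) {
        $first  = Read-Host -Prompt $Prompt -AsSecureString
        $second = Read-Host -Prompt 'Again' -AsSecureString

        if ($first.Length -gt 0 -and (Test-SecureStringEqual $first $second)) {
            return $first
        }
        Write-Host -ForegroundColor Yellow 'Entries did not match (or were empty), try again.'
    }
}

$securePwd = Read-ConfirmedSecureString -Prompt "Password for $user on $($esxHost.Name)"

# The PowerCLI cmdlets below take the password as a plain System.String, so a plain-text
# copy has to exist at the call. Wrap the SecureString in a PSCredential and read
# GetNetworkCredential().Password only inside the expression that needs it.
$cred = New-Object System.Management.Automation.PSCredential ($user, $securePwd)

Write-Host -ForegroundColor Green "Creating user $user on $($esxHost.Name)"
# Connect-VIServer prompts for the root password here, as in the original script
$vi = Connect-VIServer -Server $esxHost.Name -User root -WarningAction SilentlyContinue
try {
    $null = New-VMHostAccount -Id $user -Password $cred.GetNetworkCredential().Password -Description $desc -UserAccount -Server $vi
    $null = New-VIPermission -Principal $user -Role $role -Entity (Get-Datacenter -Server $vi) -Server $vi

    # Optional: persist the new account for later unattended runs (post 2). The credential
    # store is protected with the Windows DPAPI, so only this Windows user on this machine
    # can read it back, and it is not available on PowerShell Core.
    $null = New-VICredentialStoreItem -Host $esxHost.Name -User $user -Password $cred.GetNetworkCredential().Password
}
finally {
    Disconnect-VIServer -Server $vi -Confirm:$false
}

# Later, in an unattended script run by the same user on the same machine:
#   $item = Get-VICredentialStoreItem -Host $esxHost.Name -User $user
#   Connect-VIServer -Server $item.Host -User $item.User -Password $item.Password
```

    Two caveats worth keeping in mind. First, GetNetworkCredential().Password returns a managed .NET string that cannot be zeroed, so the SecureString handling protects against shoulder-surfing and transcript logging, not against someone dumping the process memory; keeping the plain-text expression inside the cmdlet call just shortens how long that copy is reachable from script variables. Second, the comparison uses its own character loop (or -ceq, if you compare plain strings) because the -eq operator used in the earlier snippets is case-insensitive for strings and would silently accept two entries that differ only in case.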