
I'm looking at deployment options at the moment. I'm using Jenkins on a Windows machine to control deployment to multiple remote Windows servers.

The deployment involves executing a batch script on the remote Windows servers, and so far psexec seems to do the trick. The one problem I have with it is that I need to give psexec my password in plain text.

Anyone know of an equivalent to the SSH public/private key for psexec, or some other passwordless remote login for Windows that will let me synchronise files and execute batch scripts?

Hippyjim
    Are the target machines in the same domain as the host running the script? If not, just create local credentials on each remote host that match your domain credentials (same username/password) and Windows will authenticate without the need to enter credentials. – John Homer Jul 17 '13 at 15:22

2 Answers


I'm not aware of anything truly analogous to SSH key-based authentication for Windows. But here are a couple ideas:

From here, I find that if you first connect to the ipc$ share of the remote host, then run psexec, that psexec will automatically run in the context of the ipc$ connection.

So in your batch file:

net use \\myserver\IPC$ /user:MyID MyPassword
psexec \\myserver c:\whatever.cmd

That will stop your username/password from being sent over the network in cleartext. However, it does leave your username/password visible inside your batch file.

One way to get around that is to write an executable program whose only function is to run "net use \\[commandline argument]\IPC$ /user:MyID MyPassword". (Personally I'd use something like AutoIt to write the .exe.) Let's say we name it "nu.exe". Then your secret username/password is at least embedded inside of "nu.exe" and thus is not in cleartext. While it's probably possible to reverse engineer via decompiling it, it's at least obfuscated somewhat.

Then your process is:

nu.exe myserver
psexec \\myserver c:\whatever.cmd

But then you need to keep nu.exe in a safe place, because anyone who had access to it could execute programs on remote hosts as whatever ID you've embedded into nu.exe.

So both options have drawbacks, but perhaps one of them will work for you...

Bob

PAExec has a little bit better solution with the -p@ and -p@d parameters.

It lets you write your password to a file, run PAExec, and it will immediately read the file and then delete it. It's still not as good as SSH with public/private key, but an option...

DougN
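
The password-file flow from the PAExec answer above, sketched as a Jenkins build step. This is an added example, not part of the original answer or of PAExec itself; it assumes paexec.exe is on PATH and that Jenkins injects the hypothetical variables DEPLOY_USER and DEPLOY_PASS through a credentials binding. It locks the file's ACL to the job account before writing the secret and removes the file if PAExec did not.

```powershell
# Added example. Assumptions: paexec.exe is on PATH; DEPLOY_USER and DEPLOY_PASS
# are hypothetical environment variables injected by a Jenkins credentials binding.
param(
    [Parameter(Mandatory)] [string] $Server,
    [string] $RemoteScript = 'c:\whatever.cmd'
)
$ErrorActionPreference = 'Stop'

# Create an empty file first so the ACL is tightened before any secret is written.
$pwFile = Join-Path $env:TEMP ([System.IO.Path]::GetRandomFileName())
New-Item -ItemType File -Path $pwFile | Out-Null

try {
    # Drop inherited ACEs and grant access only to the account running this job.
    $acl = Get-Acl -Path $pwFile
    $acl.SetAccessRuleProtection($true, $false)
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $me, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $pwFile -AclObject $acl

    # PAExec reads the password from this file.
    [System.IO.File]::WriteAllText($pwFile, $env:DEPLOY_PASS)

    # -p@ names the password file; -p@d has PAExec delete it once it has been read.
    # The switches are quoted so PowerShell passes them through as plain strings.
    & paexec.exe "\\$Server" -u $env:DEPLOY_USER '-p@' $pwFile '-p@d' $RemoteScript
    $exit = $LASTEXITCODE
}
finally {
    # If PAExec never started or failed early, the file may still be on disk.
    if (Test-Path -LiteralPath $pwFile) {
        Remove-Item -LiteralPath $pwFile -Force
    }
}
exit $exit
```

The password still exists briefly on disk and in the job's environment, so the deployment account should have only the rights the remote script needs.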