PowerShell / SecretStore

MIT License

Unlock-SecretStore not working when using Remote-SSH connection in VsCode #89

Open dillardd opened 2 years ago

dillardd commented 2 years ago

When utilizing a remote ssh session in VsCode, I am not able to unlock the Secret Store.

Command run:

Unlock-SecretStore -Password $credSecretStore

The Error given is basic:

The provided password is incorrect for the Microsoft.PowerShell.SecretStore module vault.

However, when I convert my secure string, it is indeed the correct password, and it works to unlock the vault when I am using it logged into the machine via remote desktop using the same account.

Is this a supported situation? I hope it is, since I was excited to use VsCode remote for connecting to my machine and running code on it; however, I utilize the SecretStore in almost all of my processes. Appreciate any insight on this!!

PaulHigin commented 2 years ago

This sounds like it might be related to issue #62, which has to do with how SecretStore encrypts one layer using the current user account name. Windows can provide the user name in different cases, and this affects the ability to decrypt. The problem has been fixed in the latest version of SecretStore. What version are you using?

Keep in mind that SecretStore currently stores secrets for the current user account. 'AllUser' scope is not yet supported, so to access secrets means logging in with the account that stored the secrets.
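The failure mode described in the comment above, as an added example that is not part of the original thread and is not SecretStore's own code: a simplified model in which an AES key is derived from the account name, so the same account reported with different casing cannot decrypt. The function names, salt, IV, iteration count and account names are constructed, and the lowercase normalization is an assumed mitigation for this model, not a statement of how the module was fixed.

```powershell
# Illustrative model only, not SecretStore's code. Salt, IV, iteration count
# and function names are constructed for this example.
$salt = [byte[]](1..16)
$iv   = [byte[]](17..32)

function Get-NameKey([string]$UserName, [switch]$Normalize) {
    # Assumed mitigation: canonicalize the name before it reaches the KDF.
    if ($Normalize) { $UserName = $UserName.ToLowerInvariant() }
    # PBKDF2 runs over the exact bytes of the name, so case changes the key.
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new(
        [System.Text.Encoding]::UTF8.GetBytes($UserName), $salt, 10000,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    try { return ,$kdf.GetBytes(32) } finally { $kdf.Dispose() }
}

function Invoke-Aes([byte[]]$Key, [byte[]]$Data, [switch]$Decrypt) {
    $aes = [System.Security.Cryptography.Aes]::Create()   # CBC + PKCS7 by default
    try {
        $aes.Key = $Key
        $aes.IV  = $iv
        $t = if ($Decrypt) { $aes.CreateDecryptor() } else { $aes.CreateEncryptor() }
        return ,$t.TransformFinalBlock($Data, 0, $Data.Length)
    } finally { $aes.Dispose() }
}

function Test-Unlock([string]$StoredAs, [string]$ReadAs, [switch]$Normalize) {
    $secret = 'vault-key-material (constructed)'
    $plain  = [System.Text.Encoding]::UTF8.GetBytes($secret)
    $cipher = Invoke-Aes (Get-NameKey $StoredAs -Normalize:$Normalize) $plain
    try {
        $out = Invoke-Aes (Get-NameKey $ReadAs -Normalize:$Normalize) $cipher -Decrypt
        if ([System.Text.Encoding]::UTF8.GetString($out) -ceq $secret) { 'decrypted OK' }
        else { 'wrong key: garbage output' }   # rare: padding happened to look valid
    } catch {
        # A wrong key almost always surfaces as a PKCS7 padding failure.
        'failed: ' + $_.Exception.GetBaseException().Message
    }
}

# Same account, reported with different casing by two logon paths (constructed names).
Test-Unlock -StoredAs 'Administrator' -ReadAs 'administrator'
Test-Unlock -StoredAs 'Administrator' -ReadAs 'administrator' -Normalize
```

Data encrypted before any normalization was introduced stays bound to the original casing, which is consistent with the advice in this thread to reset the store and re-store secrets after updating.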

dillardd commented 2 years ago

I think this is related to issue #62, as I am not getting an error:

Padding is invalid and cannot be removed

I received this after updating the modules to latest versions:

ModuleType Version    PreRelease Name                                PSEdition ExportedCommands
---------- -------    ---------- ----                                --------- ----------------
Binary     1.1.1                 Microsoft.PowerShell.SecretManagem… Core      {Register-SecretVault, Unregister-SecretVault, Get-SecretVault, Set-SecretVaultDefault…}
Binary     1.0.5                 Microsoft.PowerShell.SecretStore    Core      {Unlock-SecretStore, Set-SecretStorePassword, Get-SecretStoreConfiguration, Set-SecretStoreConfiguration…}

I am logged in as the same user via the Remote-SSH session, so it shouldn't be an issue of 'AllUser' scope, but I definitely understand what you mean about Windows not presenting the user in a fashion that the Module is able to decrypt.

I would say the issues could be merged, however #62 looks like it is closed.

PaulHigin commented 2 years ago

Yes, the issue #62 has been fixed, but there is a chance that if you have a SecretStore database from before the fix, you will see this error. That is why I recommended to the original author of #62 to reset and re-store secrets after installing the latest SecretStore with the fix.

There is a small chance that you may have older versions of the module. Please run:

Get-module -Name Microsoft.PowerShell.Secret* -list

to ensure any older versions have been removed.

dillardd commented 2 years ago

When running the command to get the installed versions of the Module, this is what I get. There aren't older versions, but there are versions installed into multiple folders:

Get-module -Name Microsoft.PowerShell.Secret* -list

    Directory: C:\Users\Administrator\Documents\PowerShell\Modules

ModuleType Version    PreRelease Name                                PSEdition ExportedCommands
---------- -------    ---------- ----                                --------- ----------------
Binary     1.1.1                 Microsoft.PowerShell.SecretManagem… Core      {Register-SecretVault, Unregister-SecretVault, Get-SecretVault, Se…
Binary     1.0.5                 Microsoft.PowerShell.SecretStore    Core      {Unlock-SecretStore, Set-SecretStorePassword, Get-SecretStoreConfi…

    Directory: C:\Program Files\WindowsPowerShell\Modules

ModuleType Version    PreRelease Name                                PSEdition ExportedCommands
---------- -------    ---------- ----                                --------- ----------------
Binary     1.1.1                 Microsoft.PowerShell.SecretManagem… Core      {Register-SecretVault, Unregister-SecretVault, Get-SecretVault, Se…
Binary     1.0.5                 Microsoft.PowerShell.SecretStore    Core      {Unlock-SecretStore, Set-SecretStorePassword, Get-SecretStoreConfi…

I started getting the error "Padding is invalid and cannot be removed" today, and it affected many scripts that I had running in Task Scheduler. After entering in the credentials again for one task, all of the others that used that account started working; however, they stopped working again a couple of hours later.

I am going to take your advice and recreate the secret store, which I imagine will remedy this situation since it is now manifesting in exactly the way described in #62.

I appreciate your attention to this and will update again.