java c# ssh putty plink

Securely pass password to PuTTY process on start


I am maintaining an application in our company (written in C#), which runs on a jumphost and provides the functionality to search across different servers and initiate a PuTTY connection to that server. For this the application currently starts the PuTTY process and passes arguments, like the hostname, username and password. The password for each server is retrieved from a password manager service. The arguments are passed to PuTTY through the command line interface. So the purpose of the application is to automate password retrieval and login to different servers.

The problem with the current approach is that in the Windows Task Manager it's possible for an administrator to see all started PuTTY instances and the corresponding credentials as command line arguments.

So far I haven't found any practical solution to circumvent this. These are the things I researched so far:

Some ideas that might work:

Any further suggestions would be greatly appreciated. Are you aware of any other Windows alternative to PuTTY that supports passing credentials in a more secure way?


Solution

  • Following the suggestion of Martin Prikryl, I was able to create a minimal example which creates a NamedPipe in C# and passes it as a pwfile argument to PuTTY:

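    using System.IO;
    using System.IO.Pipes;

    public void CreatePipe()
    {
        // Create the pipe that PuTTY opens via -pwfile, then block until it connects.
        using (var server = new NamedPipeServerStream("SecretPipe"))
        {
            server.WaitForConnection();
            // Write the password to the connected client; leaving the using blocks closes the pipe.
            using (var writer = new StreamWriter(server))
            {
                writer.Write("top!!secret");
                writer.Flush();
            }
        }
    }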
    

    Then PuTTY can be started as follows with the pipe as pwfile argument:

    putty.exe -l testuser -pwfile "\\.\PIPE\SecretPipe" hostname
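
A tightened variant of the pipe approach above, as an added example that is not part of the original answer: the pipe name is random and single-use, the pipe is outbound-only and limited to the current user, and the server gives up if nothing connects. It assumes .NET 6 or later and `putty.exe` on the PATH; `PuttyLauncher` and `LaunchAsync` are hypothetical names.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.IO.Pipes;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

public static class PuttyLauncher
{
    // Hypothetical helper: 'password' is whatever the password manager lookup returned.
    public static async Task LaunchAsync(string host, string user, string password)
    {
        // Unpredictable, single-use name; only this name appears on PuTTY's command line.
        string pipeName = "pw-" + Convert.ToHexString(RandomNumberGenerator.GetBytes(16));

        using var server = new NamedPipeServerStream(
            pipeName,
            PipeDirection.Out,            // the server only writes, the client only reads
            1,                            // one instance: the name cannot be served a second time
            PipeTransmissionMode.Byte,
            PipeOptions.Asynchronous | PipeOptions.CurrentUserOnly);

        var psi = new ProcessStartInfo("putty.exe") { UseShellExecute = false };
        psi.ArgumentList.Add("-l");
        psi.ArgumentList.Add(user);
        psi.ArgumentList.Add("-pwfile");
        psi.ArgumentList.Add(@"\\.\pipe\" + pipeName);
        psi.ArgumentList.Add(host);
        using var putty = Process.Start(psi);

        // Stop waiting after 15 seconds instead of leaving the pipe open indefinitely.
        using var timeout = new CancellationTokenSource(TimeSpan.FromSeconds(15));
        await server.WaitForConnectionAsync(timeout.Token);

        byte[] secret = Encoding.UTF8.GetBytes(password);
        try
        {
            await server.WriteAsync(secret, 0, secret.Length, timeout.Token);
            try { server.WaitForPipeDrain(); } catch (IOException) { /* client already closed its end */ }
        }
        finally
        {
            Array.Clear(secret, 0, secret.Length); // clears the byte copy; the string stays until GC
        }
    }
}
```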