Posh-SSH
v3.0.8: Module can't be imported when AllowStrongNameBypass registry key is set to "0".
When following .NET STIG requirements, the AllowStrongNameBypass REG_DWORD registry item under HKLM\SOFTWARE\Microsoft\.NETFramework\ must be set to a value of "0". When this is set, importing the module is blocked with a "Strong name validation failed" error. If the AllowStrongNameBypass registry is deleted, then the import will succeed. This issue basically has to do with the signing of the Renci.SshNet.dll, and possibly others.
Can these signature(s) be fixed, or newer DLLs with proper signatures be used? Simply removing the required STIG setting is not an option.
CONSOLE OUTPUT
```
PS C:\windows\system32> Import-Module Posh-SSH -Verbose -force
VERBOSE: Loading module from path 'C:\Program Files\WindowsPowerShell\Modules\Posh-SSH\Posh-SSH.psd1'.
VERBOSE: Loading 'Assembly' from path 'C:\Program Files\WindowsPowerShell\Modules\Posh-SSH\Assembly\Newtonsoft.Json.dll'.
VERBOSE: Loading 'Assembly' from path 'C:\Program Files\WindowsPowerShell\Modules\Posh-SSH\Assembly\Newtonsoft.Json.dll'.
VERBOSE: Loading 'Assembly' from path 'C:\windows\Microsoft.Net\assembly\GAC_64\Renci.SshNet\v4.0_10.0.0.0__31bf3856ad364e35\Renci.SshNet.dll'.
VERBOSE: Loading 'Assembly' from path 'C:\windows\Microsoft.Net\assembly\GAC_64\Renci.SshNet\v4.0_10.0.0.0__31bf3856ad364e35\Renci.SshNet.dll'.
VERBOSE: Loading 'Assembly' from path 'C:\Program Files\WindowsPowerShell\Modules\Posh-SSH\Assembly\SshNet.Security.Cryptography.dll'.
VERBOSE: Loading 'Assembly' from path 'C:\Program Files\WindowsPowerShell\Modules\Posh-SSH\Assembly\SshNet.Security.Cryptography.dll'.
VERBOSE: Loading 'FormatsToProcess' from path 'C:\Program Files\WindowsPowerShell\Modules\Posh-SSH\Format\SSHSession.Format.ps1xml'.
VERBOSE: Loading 'FormatsToProcess' from path 'C:\Program Files\WindowsPowerShell\Modules\Posh-SSH\Format\SFTPSession.Format.ps1xml'.
VERBOSE: Loading 'FormatsToProcess' from path 'C:\Program Files\WindowsPowerShell\Modules\Posh-SSH\Format\Renci.SshNet.SshCommand.Format.ps1xml'.
VERBOSE: Loading 'FormatsToProcess' from path 'C:\Program Files\WindowsPowerShell\Modules\Posh-SSH\Format\Renci.SshNet.Sftp.SftpFile.Format.ps1xml'.
Import-Module : Could not load file or assembly 'Renci.SshNet, Version=10.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. Strong name validation failed. (Exception from HRESULT: 0x8013141A)
At line:1 char:1
+ Import-Module Posh-SSH -Verbose -force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Import-Module], FileLoadException
    + FullyQualifiedErrorId : FormatXmlUpdateException,Microsoft.PowerShell.Commands.ImportModuleCommand

PS C:\windows\system32> $psversiontable

Name                           Value
----                           -----
PSVersion                      5.1.17763.771
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17763.771
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

PS C:\windows\system32> Get-ComputerInfo | Select-Object WindowsProductName, WindowsVersion

WindowsProductName           WindowsVersion
------------------           --------------
Windows Server 2019 Standard 1809

PS C:\windows\system32> Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\.NETFramework -Name AllowStrongNameBypass

AllowStrongNameBypass : 0
PSPath                : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework
PSParentPath          : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
PSChildName           : .NETFramework
PSDrive               : HKLM
PSProvider            : Microsoft.PowerShell.Core\Registry

PS C:\windows\system32>
```
Binary is not signed because it is a fork of the development branch, since there has not been a release for a couple of years. I do not make any money from the project so as to justify me buying a signing cert and signing my own copy. Going with the NuGet library, multiple ciphers will not be supported and old bugs will be reintroduced.
@NeoDN, if your security policies require signed libraries, maybe you yourself have access to code signing certificates and then you may sign everything you need yourself .. as we do ;-)
@darkoperator After much further troubleshooting and research, I have discovered that this issue is much like the issue raised in Issue #284. If you notice in my verbose output in my OP, you will see it is trying to load a "10.0.0.0" version of the Renci.SshNet.dll file. This is not the version included in the Assembly folder. The Assembly folder contains a "2020.0.2.0" version of the DLL, and the "10.0.0.0" version of the DLL is the version installed by Windows to the C:\Windows\Microsoft.NET\assembly\GAC_64 folder.
Because the version "10.0.0.0" is in GAC, any call to a DLL named the same will use the copy in the GAC, so when the import-module command is executed, PowerShell tries to load the GAC copy, instead of the "2020.0.2.0" copy you provide with this module.
As such, I simply followed @moddingg33k's idea in Issue #284 and renamed your DLL to Renci.SshNet2.dll, and updated the Posh-SSH.psd1 and Posh-SSH.psm1 files to reflect the change in name, and then the module was able to load, with the "2020.0.2.0" DLL, without any issue.
Since there is this conflict between your DLL and the one MS provides into the GAC, perhaps you may want to think about making this DLL rename a permanent change to your build.
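A read-only check for the conflict described in the comment above, added here as an example and not part of Posh-SSH or of anyone's post in this thread: it reports the AllowStrongNameBypass value, then compares the version and public key token of the bundled Renci.SshNet.dll with any same-named copy under the GAC. The module path is the one shown in the verbose output of the original post; the function name Get-AssemblyIdentity is hypothetical.

```powershell
# Added diagnostic example; not part of Posh-SSH. Read-only: it changes nothing.
# Assumption: the module lives at the path shown in the verbose output above.
$moduleAssemblyDir = 'C:\Program Files\WindowsPowerShell\Modules\Posh-SSH\Assembly'
$dllName           = 'Renci.SshNet.dll'
$gacRoot           = Join-Path $env:windir 'Microsoft.NET\assembly'

function Get-AssemblyIdentity {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)
    # GetAssemblyName reads the manifest without loading the assembly.
    $name  = [System.Reflection.AssemblyName]::GetAssemblyName($Path)
    $bytes = $name.GetPublicKeyToken()
    $token = if ($bytes) { -join ($bytes | ForEach-Object { $_.ToString('x2') }) } else { '(none)' }
    [pscustomobject]@{
        Version        = $name.Version
        PublicKeyToken = $token
        InGac          = $Path -like "$gacRoot\*"
        Path           = $Path
    }
}

# 1. Strong-name bypass policy (0 = bypass disabled, the STIG-required value).
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework' `
              -Name AllowStrongNameBypass -ErrorAction SilentlyContinue
$bypass = if ($policy) { $policy.AllowStrongNameBypass } else { '(not set)' }
Write-Output "AllowStrongNameBypass = $bypass"

# 2. Identity of the bundled copy and of every same-named file under the GAC.
$paths  = @(Join-Path $moduleAssemblyDir $dllName)
$paths += Get-ChildItem -Path $gacRoot -Recurse -Filter $dllName -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty FullName
$copies = $paths | Where-Object { Test-Path $_ } | ForEach-Object { Get-AssemblyIdentity -Path $_ }
$copies | Format-Table -AutoSize -Wrap

# 3. If the assembly is already loaded in this session, show which file backs it.
[AppDomain]::CurrentDomain.GetAssemblies() |
    Where-Object { $_.GetName().Name -eq 'Renci.SshNet' } |
    Select-Object FullName, Location, GlobalAssemblyCache |
    Format-List

if ($copies | Where-Object InGac) {
    Write-Warning "A GAC copy of $dllName exists; compare its Version and PublicKeyToken with the bundled copy."
}
```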
Thanks for digging in to it. I will test and consider the option.
Implemented the renaming of the main library in the alpha for 4.0; this version changes how password and key passphrases are used to support multiple authentication methods when a user wants to authenticate with both a private key and a password.
https://github.com/darkoperator/Posh-SSH/releases/tag/v4.0.0-alpha-0