Topic "password security with portable WinSCP"

Author Message
bmuzzy
[View user's profile]

Joined: 2013-10-08
Posts: 3
Location: United States
I want to schedule FTPS transfers without having to put a password in clear text in the script file, e.g.;
open ftps://user:password@ftpsa.mydomain.com -implicit -certificate="01:fe:1c:7e:ae:a0:2e:9a:40:b0:8b:1d:ba:88:16:c2:92:71:a7:2b"

What are the options for password security with FTPS and the portable command line version of WinSCP? Preferences>Security isn't available with the portable version apparently, so using a Master Password isn't an option.

Thanks!
Advertisements
martin
[View user's profile]
Site Admin
Joined: 2002-12-10
Posts: 24530
Location: Prague, Czechia
How would you image this?
I'm not aware of any way to protect a password (or any other piece of information), yet be able to automatically use it.
_________________
Martin Prikryl
Guest




The password could be stored in encrypted format in a file. The open command would reference a variable like $pwd01 that would fetch the password from the file, decrypt it and pass it to the command line, e.g.;
open ftps://user:$pwd01@ftpsa.mydomain.com -implicit -certificate="01:fe:1c:7e:ae:a0:2e:9a:40:b0:8b:1d:ba:88:16:c2:92:71:a7:2b"
bmuzzy
[View user's profile]

Joined: 2013-10-08
Posts: 3
Location: United States
Oh wait, I just realized that WinSCP already does exactly this! I saved a session to winscp.ini and it includes:

[Sessions\user@mydomain.com]
HostName=myserver@mydomain.com
PortNumber=990
UserName=user
FSProtocol=5
LocalDirectory=C:%5C
RemoteDirectory=/
Ftps=1
Password=A35C7B54F34BB2B0D6D443443E30313A282C2F3D723433292F35323B723E392E373930392572393829332C39322F392F3D3139

However I just read in the documentation "For security reasons, when protocol (such as sftp://) is provided as part of session URL (possible execution from web browser/Windows Explorer), all command-like parameters that cause any automatic action are ignored, including /defaults, /log, /script and /command. "

In my case, I want to use WinSCP as part of a SQL Server Agent Job. The security risk is minimal because of the restricted access to the SQL server. Having WinSCP read the password from winscp.ini would be preferable to having to pass it in clear text on the command line.

Does that make sense?
Thanks!
martin
[View user's profile]
Site Admin
Joined: 2002-12-10
Posts: 24530
Location: Prague, Czechia
bmuzzy wrote:
The password could be stored in encrypted format in a file. The open command would reference a variable like $pwd01 that would fetch the password from the file, decrypt it and pass it to the command line

It is not possible to securely encrypt passwords in a way that still allows for automatic use.
That true even for password format WinSCP uses in INI file. It's not really secure. It's just a kind of obfuscation.

bmuzzy wrote:
However I just read in the documentation "For security reasons, when protocol (such as sftp://) is provided as part of session URL (possible execution from web browser/Windows Explorer), all command-like parameters that cause any automatic action are ignored, including /defaults, /log, /script and /command. "

But that's for winscp.exe <session_url> only. You are not doing this. You are using open command.
_________________
Martin Prikryl
bmuzzy
[View user's profile]

Joined: 2013-10-08
Posts: 3
Location: United States
>>That true even for password format WinSCP uses in INI file. It's not really secure. It's just a kind of obfuscation.

Perhaps, but it's a lot better than plain text on an "open" command in a batch file...
martin
[View user's profile]
Site Admin
Joined: 2002-12-10
Posts: 24530
Location: Prague, Czechia
bmuzzy wrote:
Perhaps, but it's a lot better than plain text on an "open" command in a batch file...

I do not agree. Had WinSCP allowed password obfuscation in a script, it would give a script author a false perception of being safe. While this way, it's clear he/she needs to keep the script safe.
_________________
Martin Prikryl
Advertisements

You can post new topics in this forum






Search Site

What is WinSCP?

It is award-winning SFTP client, SCP client, FTPS client and FTP client integrated into one software program for file transfer to FTP server or secure SFTP server. [More]

And it's free!

Donate

About donations

$9   $19   $49   $99

About donations

Recommend

WinSCP Privacy Policy

WinSCP License