Differences
This shows you the differences between the selected revisions of the page.
integration_keepass 2014-08-29 | integration_keepass 2023-01-17 (current) | ||
Line 1: | Line 1: | ||
- | ~~NOINDEX~~ | ||
====== Integration with KeePass ====== | ====== Integration with KeePass ====== | ||
- | If you use [[http://keepass.info/|KeePass]] password manager, you may use it as a site manager for WinSCP. | + | If you use [[https://keepass.info/|KeePass]] password manager, you may use it as a site manager for WinSCP. |
- | Note, that we recommend to manage your sites directly on WinSCP [[ui_login|Login window]] and use a [[master_password|master password]] to protect them (read [[integration_keepass#security_considerations|Security Considerations]] below). | + | Note, that we recommend to manage your sites directly on WinSCP [[ui_login|Login window]] and use a [[master_password|master password]] to protect them (read [[#security_considerations|Security Considerations]] below). |
+ | |||
+ | ~~AD~~ | ||
===== Defining Site ===== | ===== Defining Site ===== | ||
- | Each KeePass password entry has a //[[http://keepass.info/help/base/autourl.html|URL]]// field, in addition to //Password// and //User name// fields. You can use the //%%URL%%// field to store other session data, particularly a hostname and a protocol, optionally also a port number (when using non-standard port). For example: ''%%sftp://example.com/%%''. | + | Each KeePass password entry has a //[[https://keepass.info/help/base/autourl.html|URL]]// field, in addition to //Password// and //User name// fields. You can use the //%%URL%%// field to store other session data, particularly a hostname and a protocol, optionally also a port number (when using non-standard port). For example: ''%%sftp://example.com/%%''. |
&screenshotpict(keepass_entry) | &screenshotpict(keepass_entry) | ||
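Review bot: the caveat link in the changed "Note, that we recommend" line now uses the page-relative target ''#security_considerations'', so it depends on the anchor that the Security Considerations heading exposes. The same revision changes that heading to carry ''[[security_considerations]]'', so check that the two still match after rendering. While the line is being touched, "Note, that we recommend to manage your sites directly on WinSCP Login window" would read better as "Note that we recommend managing your sites directly in the WinSCP Login window". Since this sentence is the only security pointer a reader sees before setting up the override, it is worth keeping it above the ''~~AD~~'' marker as it is now.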
Line 13: | Line 14: | ||
===== Defining URL Overrides ===== | ===== Defining URL Overrides ===== | ||
- | To make the URLs in password entries working, define a [[http://keepass.info/help/base/autourl.html#override|URL override rule]] in KeePass Options. | + | To make the URLs in password entries working, define a [[https://keepass.info/help/base/autourl.html#override|URL override rule]] in KeePass Options. |
- | In KeePass 2.x ((See [[http://keepass.info/help/base/autourl.html#override|KeePass documentation]] for instructions for KeePass 1.x)) main window go to menu //Tools > Options//. Go to //Integration// tab and press //%%URL%% Overrides// button. On %%URL%% Overrides window press //Add// button. | + | In KeePass 2.x ((See [[https://keepass.info/help/base/autourl.html#override|KeePass documentation]] for instructions for KeePass 1.x.)) main window go to menu //Tools > Options//. Go to //Integration// tab and press //%%URL%% Overrides// button. On %%URL%% Overrides window press //Add// button. |
On %%URL%% Override window, to //Scheme// field, enter protocol you want to handle with WinSCP, e.g. ''sftp'' or ''ftp''. In //%%URL%% Override// field, enter: | On %%URL%% Override window, to //Scheme// field, enter protocol you want to handle with WinSCP, e.g. ''sftp'' or ''ftp''. In //%%URL%% Override// field, enter: | ||
<code> | <code> | ||
- | cmd://"%PROGRAMFILES(x86)%\WinSCP\WinSCP.exe" {BASE:SCM}://{USERNAME}:{PASSWORD}@{BASE:HOST}:{T-REPLACE-RX:/{BASE:PORT}/-1//} | + | cmd://"{ENV_PROGRAMFILES_X86}\WinSCP\WinSCP.exe" {BASE:SCM}://{USERNAME}:{PASSWORD}@{BASE:HOST}:{T-REPLACE-RX:/{BASE:PORT}/-1//}{BASE:PATH} |
</code> | </code> | ||
- | |||
- | On 32-bit systems, replace ''%PROGRAMFILES(x86)%'' with ''%PROGRAMFILES%''. &winpath &win32 | ||
The ''%%{T-REPLACE-RX:/{BASE:PORT}/-1//}%%'' is a workaround for KeePass resolving the ''{BASE:PORT}'' placeholder to ''-1'', when a password entry //%%URL%%// field does not specify the port explicitly and KeePass does not know the protocol (such as ''sftp'') to substitute a standard port. | The ''%%{T-REPLACE-RX:/{BASE:PORT}/-1//}%%'' is a workaround for KeePass resolving the ''{BASE:PORT}'' placeholder to ''-1'', when a password entry //%%URL%%// field does not specify the port explicitly and KeePass does not know the protocol (such as ''sftp'') to substitute a standard port. | ||
- | See KeePass documentation for [[http://keepass.info/help/base/placeholders.html|placeholders]]. | + | See KeePass documentation for [[https://keepass.info/help/base/placeholders.html|placeholders]]. |
- | Repeat override definition for each protocol you want to use with WinSCP (''sftp'', ''ftp'', ''ftps'', ''scp'', ''http'', ''https''). If you want to use [[webdav|WebDAV]] sessions, but you want to keep ''http'' protocol reserved for a web browser, you can use custom scheme for the protocol, e.g. ''webdav''. Then, in the //%%URL%% Override// field, you need to explicitly use ''http'', instead of referring by ''{BASE:SCM}'' to the protocol from the password entry //%%URL%%// field. | + | Repeat override definition for each protocol you want to use with WinSCP (''sftp'', ''ftp'', ''ftps'', ''ftpes'', ''scp'', ''http'', ''https''). If you want to use [[webdav|WebDAV]] sessions, but you want to keep ''http'' protocol reserved for a web browser, you can use [[integration_url#winscp|WinSCP-specific protocol]] ''winscp-http''. |
+ | |||
+ | //For improvements that allow passing additional parameters to WinSCP, see [[https://github.com/abakum/KeePassURLOverride|KeePassURLOverride project]].// | ||
===== Opening URL/Site ===== | ===== Opening URL/Site ===== | ||
To open the site defined by KeePass password entry, on the KeePass main window, double-click the entry's cell in //%%URL%%// column. You can also use //Open %%URL%%// toolbar button, //%%URL%% > Open// context menu command and ''Ctrl+U'' keyboard shortcut. | To open the site defined by KeePass password entry, on the KeePass main window, double-click the entry's cell in //%%URL%%// column. You can also use //Open %%URL%%// toolbar button, //%%URL%% > Open// context menu command and ''Ctrl+U'' keyboard shortcut. | ||
- | ===== Security Considerations ===== | + | ===== [[security_considerations]] Security Considerations ===== |
- | KeePass %%URL%% override rules pass the passwords to WinSCP via [[commandline|command-line]]. Command-line used to run any process can be read by malicious processes on your machine or another persons. We recommend you manage your sites on WinSCP [[ui_login|Login window]] and use a [[master_password|master password]] to protect them. | + | KeePass %%URL%% override rules pass the passwords to WinSCP via [[commandline|command-line]]. Command-line used to run any process is not secured in memory, thus it may be read by malicious processes on your machine. |
+ | |||
+ | Alternative solution is to use KeePass to manage host name and username information only and use private key authentication using [[ui_pageant|Pageant]], instead of password. To implement this, remove a reference to password from //%%URL%% Override// field (''%%:{PASSWORD}%%''). | ||
+ | For more direct integration with KeePass, see the KeePass plugin [[https://keepass.info/plugins.html#keeagent|KeeAgent]]. | ||
+ | For best security, it is good practice to limit how many processes you trust to securely handle your sensitive data. For this reason, we recommend you manage your sites on WinSCP [[ui_login|Login window]] and use a strong WinSCP [[master_password|master password]] to protect them. |
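Review bot: in the new override line, ''{USERNAME}'', ''{PASSWORD}'' and the newly appended ''{BASE:PATH}'' are substituted raw into a session URL that is passed as an unquoted command-line argument, and the text gives no guidance for values containing a space, ''@'', '':'' or ''/''. Suggest wrapping the whole URL argument in double quotes and stating that the user name and password must be URL-encoded (KeePass can do this with a ''{T-CONV:/.../Uri/}'' placeholder), otherwise such entries will be split or parsed incorrectly. The new Pageant paragraph describes the password-less variant only in words ("remove a reference to password"); since it is the safer configuration, showing that override line in full next to the existing one would make it harder to get wrong. The 32-bit note is dropped without explanation; one sentence saying that ''{ENV_PROGRAMFILES_X86}'' makes it unnecessary would help readers who still have the old ''%PROGRAMFILES(x86)%'' rule. Finally, the old wording "or another persons" is removed and replaced by "not secured in memory"; it would be clearer to say directly that the command line of a running process can be read by other processes on the machine.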