Differences
This shows you the differences between the selected revisions of the page.
2014-09-11 | 2014-11-02 | ||
in-page anchored links without page name (martin) | option of KeePass+SSH auth agent rather than trust cmd.exe (adam) | ||
Line 34: | Line 34: | ||
===== Security Considerations ===== | ===== Security Considerations ===== | ||
- | KeePass %%URL%% override rules pass the passwords to WinSCP via [[commandline|command-line]]. Command-line used to run any process can be read by malicious processes on your machine or another persons. We recommend you manage your sites on WinSCP [[ui_login|Login window]] and use a [[master_password|master password]] to protect them. | + | KeePass %%URL%% override rules pass the passwords to WinSCP via [[commandline|command-line]]. Command-line used to run any process is not secured in memory, thus it may be read by malicious processes on your machine. |
+ | One solution that may provide more security is to configure WinSCP to query an SSH authentication agent, like [[ui_pageant|Pageant]], for the private key. This would allow not having cmd.exe handle your private key in cleartext. To implement this, the //%%URL%% Override// field would not include ''%%:{PASSWORD}%%'': | ||
+ | <code> | ||
+ | cmd://"%PROGRAMFILES(x86)%\WinSCP\WinSCP.exe" {BASE:SCM}://{USERNAME}@{BASE:HOST}:{T-REPLACE-RX:/{BASE:PORT}/-1//} | ||
+ | </code> | ||
+ | For more direct integration with KeePass, see the KeePass plugin [[http://keepass.info/plugins.html#keeagent|KeeAgent]]. | ||
+ | Note however that private keys are decrypted and held in memory for use by the SSH authentication agent, so this may be less secure if keys are kept in memory for long periods of time. It would be recommended to have the key-store managed by an SSH authentication agent to lock after an idle period. For more details about the security of using an SSH authentication agent, see [[http://the.earth.li/~sgtatham/putty/latest/htmldoc/Chapter9.html#pageant-security|Chapter 9]] of the PuTTY documentation. | ||
+ | |||
+ | For best security, it is good practice to limit how many processes you trust to securely handle your sensitive data. For this reason, we recommend you manage your sites on WinSCP [[ui_login|Login window]] and use a strong WinSCP [[master_password|master password]] to protect them. |