Differences

This shows you the differences between the selected revisions of the page.

2014-11-02 2014-11-12
option of KeePass+SSH auth agent rather than trust cmd.exe (adam) explaining keepass integration without password + removing redundant information about security of pageant + removing copy of URL syntax (martin)
Line 36: Line 36:
KeePass %%URL%% override rules pass the passwords to WinSCP via [[commandline|command-line]]. Command-line used to run any process is not secured in memory, thus it may be read by malicious processes on your machine. KeePass %%URL%% override rules pass the passwords to WinSCP via [[commandline|command-line]]. Command-line used to run any process is not secured in memory, thus it may be read by malicious processes on your machine.
-One solution that may provide more security is to configure WinSCP to query an SSH authentication agent, like [[ui_pageant|Pageant]], for the private keyThis would allow not having cmd.exe handle your private key in cleartext.  To implement this, the //%%URL%% Override// field would not include ''%%:{PASSWORD}%%''+Alternative solution is to use KeePass to manage host name and username information only and use private key authentication using [[ui_pageant|Pageant]], instead of password. To implement this, remove a reference to password from //%%URL%% Override// field (''%%:{PASSWORD}%%'').
-<code> +
-cmd://"%PROGRAMFILES(x86)%\WinSCP\WinSCP.exe" {BASE:SCM}://{USERNAME}@{BASE:HOST}:{T-REPLACE-RX:/{BASE:PORT}/-1//} +
-</code> +
-For more direct integration with KeePass, see the KeePass plugin [[http://keepass.info/plugins.html#keeagent|KeeAgent]].  +
-Note however that private keys are decrypted and held in memory for use by the SSH authentication agent, so this may be less secure if keys are kept in memory for long periods of time.  It would be recommended to have the key-store managed by an SSH authentication agent to lock after an idle period.  For more details about the security of using an SSH authentication agent, see [[http://the.earth.li/~sgtatham/putty/latest/htmldoc/Chapter9.html#pageant-security|Chapter 9]] of the PuTTY documentation+For more direct integration with KeePass, see the KeePass plugin [[http://keepass.info/plugins.html#keeagent|KeeAgent]]. 
For best security, it is good practice to limit how many processes you trust to securely handle your sensitive data.  For this reason, we recommend you manage your sites on WinSCP [[ui_login|Login window]] and use a strong WinSCP [[master_password|master password]] to protect them. For best security, it is good practice to limit how many processes you trust to securely handle your sensitive data.  For this reason, we recommend you manage your sites on WinSCP [[ui_login|Login window]] and use a strong WinSCP [[master_password|master password]] to protect them.
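
Review bot: the added "Alternative solution is to use KeePass to manage host name and username information only..." sentence no longer says why this is safer, and the change drops the only caveat about agent-held keys. The unchanged paragraph above explains that command-line arguments can be read by other processes, so the new sentence should state that once ''%%:{PASSWORD}%%'' is removed, no secret is passed on the command line at all. The removed note that private keys are decrypted and held in memory by the authentication agent, with its link to Chapter 9 of the PuTTY documentation, is not duplicated anywhere else in the visible text; consider keeping a one-sentence pointer rather than deleting it outright. The removed example also showed the full override string without the password, and the new text now describes that edit only in words, so a reader has nothing to compare against. Wording: "Alternative solution is" needs an article ("An alternative solution is"), and "remove a reference to password from //%%URL%% Override// field" reads better as "remove the password reference from the //%%URL%% Override// field".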

Last modified: by martin