Differences
This shows you the differences between the selected revisions of the page.
2004-12-15 | 2004-12-15 | ||
no summary (martin) (hidden) | no summary (martin) (hidden) | ||
Line 18: | Line 18: | ||
===== About this Guide ===== | ===== About this Guide ===== | ||
==== Terms and Conventions Used ==== | ==== Terms and Conventions Used ==== | ||
+ | ===== Awards and Commendations ===== | ||
+ | ===== A word of warning ===== | ||
+ | As with any security or cryptographic product, there are a number | ||
+ | of concerns that should be addressed. In order to use this product | ||
+ | securely, you should make an effort to obtain a thorough understanding | ||
+ | of its operation and the concepts involved. Improper usage is often | ||
+ | insecure usage, so please be sure to read the manual completely. | ||
+ | ==== Host Security ==== | ||
+ | The security of the computer running WinSCP is a serious | ||
+ | concern. Trojan Horse and Backdoor programs can potentially be used to | ||
+ | steal authentication credentials such as passwords and private keys | ||
+ | that have been stored or entered on the computer. Public computers | ||
+ | often have session monitoring software which may include key loggers, | ||
+ | or may have malicious software installed by a previous user. | ||
+ | |||
+ | WinSCP can support "keyboard-interactive" authentication | ||
+ | methods if offered by the server. With keyboard-interactive | ||
+ | authentication, the server can prompt for special credentials such | ||
+ | as a S/Key one-time password or RSA SecurID generated value. These | ||
+ | "disposable" credentials are preferable if you must use a public | ||
+ | computer. Contact your system administrator to find out if any form | ||
+ | of one-time authentication is offered. | ||
+ | ==== Stored Credentials ==== | ||
+ | WinSCP supports storing passwords with saved sessions. This is | ||
+ | provided as a convenience, and is not recommended. If you need to be | ||
+ | able to log in without reentering your credentials, the recommended | ||
+ | method is to use public key authentication and protect your private | ||
+ | key with a pass phrase. The SSH Key Agent provided by Putty, Pagent, | ||
+ | can store the decrypted key in memory, allowing you to enter your | ||
+ | credentials once and continue using them until you close down the | ||
+ | agent or log off of Windows entirely. | ||
+ | |||
+ | Saved passwords are stored in a manner that they can easily be | ||
+ | recovered. It is not possible to securely encrypt passwords in a way | ||
+ | that still allows for automatic use. Do not use the save password | ||
+ | feature if you are not absolutely sure of the physical and | ||
+ | electronic security of the system on which you are storing | ||
+ | passwords. |
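Review bot: The Stored Credentials paragraph misnames the tools: "The SSH Key Agent provided by Putty, Pagent," should read "Pageant, the SSH key agent provided by PuTTY,". The added "===== Awards and Commendations =====" heading has no body and sits directly above "===== A word of warning =====", so it will render as an empty section; give it content in this revision or leave it out until there is some. In the final paragraph, "stored in a manner that they can easily be recovered" would help readers more if it said where saved sessions keep the password, so they know what to protect or clear on a shared machine. "log off of Windows" can be shortened to "log off Windows".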