Introducing WinSCP
WinSCP is an open source SFTP (SSH File Transfer Protocol) and SCP (Secure CoPy) client for Windows using SSH (Secure SHell). Its main function is safe copying of files between a local and a remote computer.
Features
- Graphical Interface
- Drag and Drop integration with shell (with optionally installed shell extension)
- Support for SFTP and SCP protocols over SSH1 and SSH2
- Integrated Text Editor
- Support for SSH password, keyboard-interactive, public key and Kerberos (GSS) authentication
- Integrates with Pageant (PuTTY Agent) for full support of public key authentication
- Windows Explorer-like and Norton Commander-like interfaces
- Optionally stores session information.
- Optionally supports standalone operation using a configuration file in place of registry entries, suitable for operation from removable media
- Directory Synchronization tool quickly synchronizes changes between local and remote directories.
About this Guide
Terms and Conventions Used
Awards and Commendations
A word of warning
As with any security or cryptographic product, there are a number of concerns that should be addressed. In order to use this product securely, you should make an effort to obtain a thorough understanding of its operation and the concepts involved. Improper usage is often insecure usage, so please be sure to read the manual completely.
Host Security
The security of the computer running WinSCP is a serious concern. Trojan horse and backdoor programs can potentially be used to steal authentication credentials such as passwords and private keys that have been stored or entered on the computer. Public computers often have session monitoring software which may include key loggers, or may have malicious software installed by a previous user.
WinSCP can support “keyboard-interactive” authentication methods if offered by the server. With keyboard-interactive authentication, the server can prompt for special credentials such as an S/Key one-time password or an RSA SecurID generated value. These “disposable” credentials are preferable if you must use a public computer. Contact your system administrator to find out if any form of one-time authentication is offered.
Stored Credentials
WinSCP supports storing passwords with saved sessions. This is provided as a convenience, and is not recommended. If you need to be able to log in without reentering your credentials, the recommended method is to use public key authentication and protect your private key with a passphrase. Pageant, the SSH key agent provided by PuTTY, can store the decrypted key in memory, allowing you to enter your credentials once and continue using them until you close down the agent or log off Windows entirely.
Saved passwords are stored in a way that allows them to be recovered easily. It is not possible to securely encrypt passwords in a way that still allows for automatic use. Do not use the save password feature if you are not absolutely sure of the physical and electronic security of the system on which you are storing passwords.
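To act on the advice above, the following added example (not part of the original guide and not WinSCP's own code) audits an INI-style configuration file for saved sessions that still carry a stored password, without ever printing the stored value. The section prefix, the key names and the sample contents are assumptions made for illustration; adjust them to match the configuration file you are checking.

```python
import configparser

# Assumed layout (not stated in this guide): one INI section per saved
# session, named with SESSION_PREFIX, with any stored password kept under
# PASSWORD_KEY. Both names are assumptions for this example.
SESSION_PREFIX = "Sessions\\"
PASSWORD_KEY = "password"  # configparser lower-cases key names

# Constructed sample configuration; hosts, users and values are made up.
SAMPLE_INI = """\
[Configuration\\Interface]
Theme=1

[Sessions\\backup@files.example.org]
HostName=files.example.org
UserName=backup
Password=CONSTRUCTED-PLACEHOLDER-VALUE

[Sessions\\deploy@web.example.org]
HostName=web.example.org
UserName=deploy

[Sessions\\old@legacy.example.org]
HostName=legacy.example.org
Password=
"""


def audit_saved_sessions(ini_text):
    """Return (session_name, has_stored_password) for every saved session."""
    # interpolation=None: stored values may contain '%' characters.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(ini_text)
    findings = []
    for section in parser.sections():
        if not section.startswith(SESSION_PREFIX):
            continue  # not a saved session (e.g. interface settings)
        name = section[len(SESSION_PREFIX):]
        stored = parser.get(section, PASSWORD_KEY, fallback="").strip()
        # Record only the fact that a password is present, never the value.
        findings.append((name, bool(stored)))
    return findings


def sessions_with_saved_passwords(ini_text):
    """Names of saved sessions that should be switched to key authentication."""
    return [name for name, has_pw in audit_saved_sessions(ini_text) if has_pw]


if __name__ == "__main__":
    for name in sessions_with_saved_passwords(SAMPLE_INI):
        print("stored password found in saved session:", name)
```

Sessions reported by the audit are candidates for removing the saved password and moving to public key authentication with a passphrase-protected key.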