Forum » Support and Bug Reports »

Post a reply

Before posting, please read how to report bug or request support effectively.

Bug reports without an attached log file are usually useless.

Username

Subject

Message body

Font colour:

Font size:

Options

Disable BBCode in this post

Notify me when a reply is posted (registered users only)

Add an Attachment

If you do not want to add an Attachment to your Post, please leave the Fields blank.

Filename

(maximum 10 MB; please compress large files; only common media, archive, text and programming file formats are allowed)

File Comment

Options

Private file (available to author and site moderators only)

Topic review

martin

Re: Prevent user from getting session password

2024-03-26

I have added this request to the tracker:
Issue 2280 – Optionally prevent revealing passwords on the Generate URL/Code dialog
You can vote for it there.

Frank_2

2024-03-21 14:32

+1 for this.
Right now Generate session URL/Code allows the passphrase to be seen in clear text when using passwordsfromfiles. Is there a way to display the actual code as C:\tmp\pass.txt or as the OP said, a way to disable this button via argument/regedit?

Command :

sftp://Username@host.com /privatekey=""$file"" /passwordsfromfiles /passphrase=""C:\tmp\pass.txt""

In Generate Code:

open sftp://Username@host.com/ -hostkey="ssh-ed25519" -privatekey="\\XXXX\Key.ppk" -passphrase="PasswordClearText"

It would be better like:

open sftp://Username@host.com/ -hostkey="ssh-ed25519" -privatekey="\\XXXX\Key.ppk" -passphrase="C:\tmp\pass.txt"

martin

2023-10-19

Ok, I'll consider it.
Though are you aware, that this is security through obscurity, right? Once the password is in local machine memory, there's nothing that can prevent the user from retrieving it. You can only make it more difficult.

alexis

2023-10-18 15:59

Hi again, Martin, thank you for your answer!
I figured out how to use secured pipe for authentication.
Is there a chance that you will add possibility to disable 'Generate session URL' via some registry key or command line parameter?

martin

2023-10-02

A password file can be read by anyone too.
You would have to use a named pipe to make it somewhat secure.
Only then it would make sense to ask for WinSCP not to be able to reveal the password. And even then, only if you use an encrypted connection.

alexis

2023-09-28 12:10

Oh, thanks, I see that
if I will use password from file option?

martin

2023-09-28

Well then anyone can see the password in the Task Manager anyway.

alexis

2023-09-25 12:31

Via command-line option.
For example

winscp.exe sftp://admin:password@192.168.10.10

(or with private key path)

martin

2023-09-25

So how are you passing the password to WinSCP?

alexis

2023-09-25 11:38

Yes, exactly.
I need to give endpoint access for some user without giving credentials.
Perform automated connect, after that user should not be able to access password.

martin

Re: Prevent user from getting session password

2023-09-25

I'm not sure I understand what you are doing.
Are you starting WinSCP with some command-line parameters that automate the login (including the password)?

alexis

Prevent user from getting session password

2023-09-21 12:58

Greetings!
I am working on automation of launching WinSCP (GUI) and connecting to server for some user, that should not be able to access session password or key passphrase.
I disabled password storing using correspond registry value, but it is still possible to get password using "Generate session URL/Code".
Maybe you can help me, is there a way to totally prevent accessing password for session?

Post a reply

Topic review

Re: Prevent user from getting session password

Re: Prevent user from getting session password

Prevent user from getting session password

Documentation

Support

Associations

Follow Us