Post a reply

Before posting, please read how to report bug or request support effectively.

Bug reports without an attached log file are usually useless.

Add an Attachment

If you do not want to add an Attachment to your Post, please leave the Fields blank.

(maximum 10 MB; please compress large files; only common media, archive, text and programming file formats are allowed)


Topic review


+1 for this.
Right now Generate session URL/Code allows the passphrase to be seen in clear text when using passwordsfromfiles. Is there a way to display the actual code as C:\tmp\pass.txt or as the OP said, a way to disable this button via argument/regedit?

Command :
s /privatekey=""$file"" /passwordsfromfiles /passphrase=""C:\tmp\pass.txt""

In Generate Code:
open s -hostkey="ssh-ed25519" -privatekey="\\XXXX\Key.ppk" -passphrase="PasswordClearText"

It would be better like:
open s -hostkey="ssh-ed25519" -privatekey="\\XXXX\Key.ppk" -passphrase="C:\tmp\pass.txt"

Ok, I'll consider it.
Though are you aware, that this is security through obscurity, right? Once the password is in local machine memory, there's nothing that can prevent the user from retrieving it. You can only make it more difficult.

Hi again, Martin, thank you for your answer!
I figured out how to use secured pipe for authentication.
Is there a chance that you will add possibility to disable 'Generate session URL' via some registry key or command line parameter?

A password file can be read by anyone too.
You would have to use a named pipe to make it somewhat secure.
Only then it would make sense to ask for WinSCP not to be able to reveal the password. And even then, only if you use an encrypted connection.

Oh, thanks, I see that
if I will use password from file option?

Well then anyone can see the password in the Task Manager anyway.

Via command-line option.
For example
winscp.exe sftp://admin:password@

(or with private key path)

So how are you passing the password to WinSCP?

Yes, exactly.
I need to give endpoint access for some user without giving credentials.
Perform automated connect, after that user should not be able to access password.

Re: Prevent user from getting session password

I'm not sure I understand what you are doing.
Are you starting WinSCP with some command-line parameters that automate the login (including the password)?

Prevent user from getting session password

I am working on automation of launching WinSCP (GUI) and connecting to server for some user, that should not be able to access session password or key passphrase.
I disabled password storing using correspond registry value, but it is still possible to get password using "Generate session URL/Code".
Maybe you can help me, is there a way to totally prevent accessing password for session?