Post a reply

Options
Add an Attachment

If you do not want to add an Attachment to your Post, please leave the Fields blank.

(maximum 10 MB; please compress large files; only common media, archive, text and programming file formats are allowed)

Options

Topic review

martin

Re: password security with portable WinSCP

bmuzzy wrote:

Perhaps, but it's a lot better than plain text on an "open" command in a batch file...

I do not agree. Had WinSCP allowed password obfuscation in a script, it would give a script author a false perception of being safe. While this way, it's clear he/she needs to keep the script safe.
bmuzzy

Re: password security with portable WinSCP

>>That true even for password format WinSCP uses in INI file. It's not really secure. It's just a kind of obfuscation.

Perhaps, but it's a lot better than plain text on an "open" command in a batch file...
martin

Re: password security with portable WinSCP

bmuzzy wrote:

The password could be stored in encrypted format in a file. The open command would reference a variable like $pwd01 that would fetch the password from the file, decrypt it and pass it to the command line

It is not possible to securely encrypt passwords in a way that still allows for automatic use.
That true even for password format WinSCP uses in INI file. It's not really secure. It's just a kind of obfuscation.

bmuzzy wrote:

However I just read in the documentation "For security reasons, when protocol (such as sftp://) is provided as part of session URL (possible execution from web browser/Windows Explorer), all command-like parameters that cause any automatic action are ignored, including /defaults, /log, /script and /command. "

But that's for winscp.exe <session_url> only. You are not doing this. You are using open command.
bmuzzy

Re: password security with portable WinSCP

Oh wait, I just realized that WinSCP already does exactly this! I saved a session to winscp.ini and it includes:

[Sessions\user@mydomain.com]
HostName=myserver@mydomain.com
PortNumber=990
UserName=user
FSProtocol=5
LocalDirectory=C:%5C
RemoteDirectory=/
Ftps=1
Password=A35C7B54F34BB2B0D6D443443E30313A282C2F3D723433292F35323B723E392E373930392572393829332C39322F392F3D3139

However I just read in the documentation "For security reasons, when protocol (such as sftp://) is provided as part of session URL (possible execution from web browser/Windows Explorer), all command-like parameters that cause any automatic action are ignored, including /defaults, /log, /script and /command. "

In my case, I want to use WinSCP as part of a SQL Server Agent Job. The security risk is minimal because of the restricted access to the SQL server. Having WinSCP read the password from winscp.ini would be preferable to having to pass it in clear text on the command line.

Does that make sense?
Thanks!
Guest

Re: password security with portable WinSCP

The password could be stored in encrypted format in a file. The open command would reference a variable like $pwd01 that would fetch the password from the file, decrypt it and pass it to the command line, e.g.;
open ftps://user:$pwd01@ftpsa.mydomain.com -implicit -certificate="01:fe:1c:7e:ae:a0:2e:9a:40:b0:8b:1d:ba:88:16:c2:92:71:a7:2b"
martin

Re: password security with portable WinSCP

How would you image this?
I'm not aware of any way to protect a password (or any other piece of information), yet be able to automatically use it.
bmuzzy

password security with portable WinSCP

I want to schedule FTPS transfers without having to put a password in clear text in the script file, e.g.;
open ftps://user:password@ftpsa.mydomain.com -implicit -certificate="01:fe:1c:7e:ae:a0:2e:9a:40:b0:8b:1d:ba:88:16:c2:92:71:a7:2b"

What are the options for password security with FTPS and the portable command line version of WinSCP? Preferences>Security isn't available with the portable version apparently, so using a Master Password isn't an option.

Thanks!