techmd wrote:

It's a bit convoluted in this version mainly because it seems that Winscp would prefer people to use Pageant to hold the information.

Why do you think so?

To bypass the password as well as the Pageant defaults, on the login screen click Advanced, then Authentication (under SSH), unclick the Pageant option and also pull up the private key file. Could anyone explain what are the pos/neg of having Pageant remember the private key file instead?

See https://winscp.net/eng/docs/ui_pageant#security_considerations

@Speedster: You are looking for Private key file box:
https://winscp.net/eng/docs/ui_login_authentication

@Speedster: It's a bit convoluted in this version mainly because it seems that WinSCP would prefer people to use Pageant to hold the information. To bypass the password as well as the Pageant defaults, on the login screen click Advanced, then Authentication (under SSH), unclick the Pageant option and also pull up the private key file. Could anyone explain what are the pos/neg of having Pageant remember the private key file instead?

Hi – I just updated WinSCP from something like 5.1 to 5.5 and can no longer locate where to tell the program to use a passphrase instead of a password. Where can I tell winscp to please check a passphrase before logging in? I don't see a field before clicking login, nor in the advanced options. Is this option to use a passphrase for a key really gone?
Thanks!

@moises: can you please explain this option more. I am in need to automate with passphrase for my key and running out of options. I really hope this option is added.
Fadi

Hello,

I found a solution and I hope will be helpful.

In the Process Task that execute the WinSCP.com you can send the passphrase with the property "StandarInputVariable".

@ItsMeDattu: You cannot save passphrase into stored session (site). Only password.

There is a way to connect to sftp which has key and passphrase. We can create a session on winscp and we can use the session name to connect to that sftp . Please find the syntax below.

It wont ask for passphrase if you save passphrase for the same.

martin wrote:

As stated in the FAQ below, I do not see a benefit of that. Do you see any?
https://winscp.net/eng/docs/faq_passphrase

I just wanted to point out that the benefit is that you can store the passphrase inside a SSIS variable and msdb configuration table which can be encrypted. This means pageant doesn't have to be up and running the entire time on a server invoking a SSIS package using pscp/winscp and a private key with passphrase. Another option would be to add a switch to pageant for the passphrase, this would be an extra step in a SSIS package, but would also allow for pageant to not always be running (giving anyone with server access key access) and for the passphrase to be stored/protected in a SSIS package.

Hi @martin,

As from the post I could understand that your working for a script to include the passphrase. (fully automated script)

Could you please update when we can be able to get the latest fully automated script?

Thanks in advance.

@danis: This request has been added to tracker:
https://winscp.net/tracker/816

Yeah,
I need to use passphrases for the Private Keys, and whould be great if WinSCP support that !!
Meanwhile I have to use a different client :( and change all my scripts !

@danis: OK, I see :) Will consider it.

Hi @martin,
me personally – no!
But my company said, maybe they want to use passphrases for the Private Keys in future.
And then my script is not useful anymore :(

@danis: As stated in the FAQ below, I do not see a benefit of that. Do you see any?
https://winscp.net/eng/docs/faq_passphrase

Hello @martin,

is it planned to support entering the passphrase for a private key via command line in a future version of WinSCP?

Thank you.

@lsager, when you say you have your password saved in your session LauraTest, do you mean an .ini file? I am trying what you suggested but it is not working for me. When I put the actual password in my .ini file, it appears to connect but says "access denied. authentication failed."

An odd thing occurred today.
I got the automatic transfer to work without using private and public keys.
What was causing my particular problem was the following line of my script.

LauraTest is the session I created in WinSCP.
When I took out the @74.201.555.689 from the open statement, it no longer asked me for a password. I have the password saved in my session, LauraTest. I think it may have to do with the host key expecting just LauraTest and not finding a match on LauraTest@74.201.555.689.

Now, when I run my scheduled task, it runs perfectly without any requests for password.

Case closed. Thanks for your help.

My dev & test platform is also a Windows environment. I was unable to get a version of SSH for Windows to instal on Windows Server 2003, which was my preferred method, and I have since found out that there are issues with Windows Server 2003, so I ended up using two Windows XP boxes for my development. One acts as the SSH server and one is the client running SFTP/WinSCP.

You have to instal OpenSSH or some other implementation of SSH for Windows on the machine that is to act as the SSH server.

I also could not create a folder called .ssh but I was able to create a folder called SSH within the home folder of the user I used, i.e. C:\Documents and Settings\UserOne\SSH. Inside the SSH folder I put the public key file, called authorized_keys if I remember correctly. This file contains one of more public keys. You should keep your private key file(s) on your client machines.

You have to do a bunch of setup steps with SSH to include users that can be accessed by your client piece. You end up creating a groups file and a password file. The users that you add must correspond to users on the machine or users on the domain. Setting up SSH is a subject in itself and I did the bare minimum, just to get a test scenario running, since in production the SSH part is not my responsibility.

I do not run pageant in my solution so I cannot comment on its use.

Thank you so much for responding so quickly.
I think I did what you suggested in your reply. I left the passphrase out when generating the key.

I think my additional difficulty may be in where to put the public key on the server. My sftp server is windows. I do not have a .ssh directory nor can I create one.

What exactly do I have to do to put the public key out on the sftp server? I thought I just copied and pasted the key into the authenticate_keys file but I am unclear on the process.

Do I have to be running Pageant for this to work?

Please give me as many details as you can. I really appreciate your help.

Thanks.

@martin, thank you for clarifying the situation for me. I have got this working quite well now.

Isager asked: "How do I store the key unprotected?"

When you create a private key, you can add extra security into the mix by defining a passphrase (this is not the password of a user). This passphrase must be supplied by the user when you make a connexion to the SSH server (unless you use the authentication agent thing - which I have no experience of).

This means that if you want to build an unattended solution using WinSCP you cannot also have a passphrase built into your private key; if you do, you will have to physically enter it interactively. So I simply accepted the reduced level of security and left the passphrase out of process of generating the key pair.

I hope this helps.

In the article:
How can I connect without entering private key passphrase each time?
I saw the following:

The best solution is to use authentication agent, so that you enter the passphrase only once.
If you need to avoid entering the passphrase to automate a task (such as with scripting) and using authentication agent is not suitable for you, you can store the key unprotected (without an passphrase). Note that this imposes security risk, if someone gains access to the key.

How do I store the key unprotected?

Thanks for your help.

I am also curious about the automatic sending of files. I had a similar experience where I scheduled a task using winscp but the process was definitely not automatic because I had to enter my password everytime the task ran. Is there a way to send the password? Would using a batch command allow me to send the password? I am not too worried about security in my instance. I read what was posted by the others and I am led to believe it cannot be done with WinSCP. I am trying the public/private key approach but cannot seem to get it to work yet.

Please let me know your thoughts and ideas.

Thank you in advance for your help.

Okay thanks for that confirmation.
:D

Correct.

Edit 2021: There's now -passphrase switch:
https://winscp.net/eng/docs/scriptcommand_open#passphrase

I found the following page in the FAQ collection, entitled, "How can I connect without entering private key passphrase each time?"
https://winscp.net/eng/docs/faq_passphrase

If I understand this FAQ entry correctly, it would appear that what I was trying to do will not work with WinSCP; so the answer is to work without a passphrase or to use a different SSH FTP client.

Is this correct?

My objective is to call some SFTP scripts from SSIS packages, but so far I am experimenting with just running a script from a DOS command window. My example does a simple put from my Windows XP Pro workstation (with WinSCP installed) to another Windows XP workstation with OpenSSH installed.

I am using RSA private/public key encryption.

When I set up the keys, I entered a passphrase, because I understand that this is good practice.

However, when I run the script, the SFTP program prompts for the passphrase to complete the authorisation. I see no way to include the passphrase in a flag in the open command. This makes the process non-automated because it requires user interaction.

Additionally, sometimes I find that I must execute the script *twice* in order for the little text file to be copied from my PC to the remote PC. This seems wrong.

I should be grateful for assistance.