Prevent user from getting session password :: Support Forum

alexis
Joined:: 2023-09-21
Posts:: 5

Prevent user from getting session password

2023-09-21 12:58

Greetings!
I am working on automation of launching WinSCP (GUI) and connecting to server for some user, that should not be able to access session password or key passphrase.
I disabled password storing using correspond registry value, but it is still possible to get password using "Generate session URL/Code".
Maybe you can help me, is there a way to totally prevent accessing password for session?

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 40,567
Location:: Prague, Czechia

Re: Prevent user from getting session password

2023-09-25

I'm not sure I understand what you are doing.
Are you starting WinSCP with some command-line parameters that automate the login (including the password)?

Reply with quote

alexis

2023-09-25 11:38

Yes, exactly.
I need to give endpoint access for some user without giving credentials.
Perform automated connect, after that user should not be able to access password.

Reply with quote

martin◆ Site Admin

2023-09-25

So how are you passing the password to WinSCP?

Reply with quote

alexis
Joined:: 2023-09-21
Posts:: 5

2023-09-25 12:31

Via command-line option.
For example

winscp.exe sftp://admin:password@192.168.10.10

(or with private key path)

Reply with quote

martin◆ Site Admin

2023-09-28

Well then anyone can see the password in the Task Manager anyway.

Reply with quote

alexis

2023-09-28 12:10

Oh, thanks, I see that
if I will use password from file option?

Reply with quote

martin◆ Site Admin

2023-10-02

A password file can be read by anyone too.
You would have to use a named pipe to make it somewhat secure.
Only then it would make sense to ask for WinSCP not to be able to reveal the password. And even then, only if you use an encrypted connection.

Reply with quote

alexis

2023-10-18 15:59

Hi again, Martin, thank you for your answer!
I figured out how to use secured pipe for authentication.
Is there a chance that you will add possibility to disable 'Generate session URL' via some registry key or command line parameter?

Reply with quote

martin◆ Site Admin

2023-10-19

Ok, I'll consider it.
Though are you aware, that this is security through obscurity, right? Once the password is in local machine memory, there's nothing that can prevent the user from retrieving it. You can only make it more difficult.

Reply with quote

Frank_2 Guest

2024-03-21 14:32

+1 for this.
Right now Generate session URL/Code allows the passphrase to be seen in clear text when using passwordsfromfiles. Is there a way to display the actual code as C:\tmp\pass.txt or as the OP said, a way to disable this button via argument/regedit?

Command :

sftp://Username@host.com /privatekey=""$file"" /passwordsfromfiles /passphrase=""C:\tmp\pass.txt""

In Generate Code:

open sftp://Username@host.com/ -hostkey="ssh-ed25519" -privatekey="\\XXXX\Key.ppk" -passphrase="PasswordClearText"

It would be better like:

open sftp://Username@host.com/ -hostkey="ssh-ed25519" -privatekey="\\XXXX\Key.ppk" -passphrase="C:\tmp\pass.txt"

Reply with quote

martin◆ Site Admin

Re: Prevent user from getting session password

2024-03-26

I have added this request to the tracker:
Issue 2280 – Optionally prevent revealing passwords on the Generate URL/Code dialog
You can vote for it there.

Reply with quote

Prevent user from getting session password