password security with portable WinSCP

Advertisement

bmuzzy
Joined:
Posts:
3
Location:
United States

password security with portable WinSCP

I want to schedule FTPS transfers without having to put a password in clear text in the script file, e.g.;
open ftps://user:password@ftpsa.mydomain.com -implicit -certificate="01:fe:1c:7e:ae:a0:2e:9a:40:b0:8b:1d:ba:88:16:c2:92:71:a7:2b"

What are the options for password security with FTPS and the portable command line version of WinSCP? Preferences>Security isn't available with the portable version apparently, so using a Master Password isn't an option.

Thanks!

Reply with quote

Advertisement

martin
Site Admin
martin avatar
Joined:
Posts:
27,227
Location:
Prague, Czechia

Re: password security with portable WinSCP

How would you image this?
I'm not aware of any way to protect a password (or any other piece of information), yet be able to automatically use it.
_________________
Martin Prikryl

Reply with quote

Guest

Re: password security with portable WinSCP

The password could be stored in encrypted format in a file. The open command would reference a variable like $pwd01 that would fetch the password from the file, decrypt it and pass it to the command line, e.g.;
open ftps://user:$pwd01@ftpsa.mydomain.com -implicit -certificate="01:fe:1c:7e:ae:a0:2e:9a:40:b0:8b:1d:ba:88:16:c2:92:71:a7:2b"

Reply with quote

bmuzzy
Joined:
Posts:
3
Location:
United States

Re: password security with portable WinSCP

Oh wait, I just realized that WinSCP already does exactly this! I saved a session to winscp.ini and it includes:

[Sessions\user@mydomain.com]
HostName=myserver@mydomain.com
PortNumber=990
UserName=user
FSProtocol=5
LocalDirectory=C:%5C
RemoteDirectory=/
Ftps=1
Password=A35C7B54F34BB2B0D6D443443E30313A282C2F3D723433292F35323B723E392E373930392572393829332C39322F392F3D3139

However I just read in the documentation "For security reasons, when protocol (such as sftp://) is provided as part of session URL (possible execution from web browser/Windows Explorer), all command-like parameters that cause any automatic action are ignored, including /defaults, /log, /script and /command. "

In my case, I want to use WinSCP as part of a SQL Server Agent Job. The security risk is minimal because of the restricted access to the SQL server. Having WinSCP read the password from winscp.ini would be preferable to having to pass it in clear text on the command line.

Does that make sense?
Thanks!

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
27,227
Location:
Prague, Czechia

Re: password security with portable WinSCP

bmuzzy wrote:

The password could be stored in encrypted format in a file. The open command would reference a variable like $pwd01 that would fetch the password from the file, decrypt it and pass it to the command line
It is not possible to securely encrypt passwords in a way that still allows for automatic use.
That true even for password format WinSCP uses in INI file. It's not really secure. It's just a kind of obfuscation.

bmuzzy wrote:

However I just read in the documentation "For security reasons, when protocol (such as sftp://) is provided as part of session URL (possible execution from web browser/Windows Explorer), all command-like parameters that cause any automatic action are ignored, including /defaults, /log, /script and /command. "
But that's for winscp.exe <session_url> only. You are not doing this. You are using open command.
_________________
Martin Prikryl

Reply with quote

bmuzzy
Joined:
Posts:
3
Location:
United States

Re: password security with portable WinSCP

>>That true even for password format WinSCP uses in INI file. It's not really secure. It's just a kind of obfuscation.

Perhaps, but it's a lot better than plain text on an "open" command in a batch file...

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
27,227
Location:
Prague, Czechia

Re: password security with portable WinSCP

bmuzzy wrote:

Perhaps, but it's a lot better than plain text on an "open" command in a batch file...
I do not agree. Had WinSCP allowed password obfuscation in a script, it would give a script author a false perception of being safe. While this way, it's clear he/she needs to keep the script safe.
_________________
Martin Prikryl

Reply with quote

Advertisement

You can post new topics in this forum