Topic "Private Key Login WITH Password!"

Author Message
hecktarzuli
[View user's profile]

Joined: 2005-01-10
Posts: 2
For some reason WinSCP grays out the password box when I tell it what Private Key to use. The problem is my Private Key is password protected, so I still get a password prompt! It would really be nice to be able to use the password box AND the Private Key feature at the same time.
_________________
- Heck
Advertisements
martin
[View user's profile]
Site Admin
Joined: 2002-12-10
Posts: 25015
Location: Prague, Czechia
The password box is for password authentication, not for private key passphrase. It would be security problem to allow the same box for both purposes. Imagine your server is spoofed and you connect to fake server. It refuses your public key and WinSCP falls back to password authentication. So it sends password to your private key to the fake server, because it is entered into password box. This is obviously somethink you would not like.

Also I do not see a reason for storing passphrase-protected private key, while saving the password into WinSCP session. You can save the private key unprotected straight with the same result.

Read the documentation.
hecktarzuli
[View user's profile]

Joined: 2005-01-10
Posts: 2
FYI, Putty allows me to do this via command line which is why I was asking for it via WinSCP. There is little/no chance my server is spoofed since it's a server within my local network to which I have direct control over.

So you are saying the way to go is just use Private/Public Key with no password? Isn't the password an extra layer of security, or do you consider putting a password on a key overkill?
_________________
- Heck
martin
[View user's profile]
Site Admin
Joined: 2002-12-10
Posts: 25015
Location: Prague, Czechia
hecktarzuli wrote:
FYI, Putty allows me to do this via command line which is why I was asking for it via WinSCP.

I guess that it was not intention of putty author to allow -pw parameter to apply to passphrases as well. It is rather side effect. It is quite obvious from the -pw option description.

Instead of passing password using -pw command, they recommend using public-key, by what I believe thay mean either unencrypted private key or Pageant authentication.

Quote:
Isn't the password an extra layer of security, or do you consider putting a password on a key overkill?

No I do not meant that it is overkill. It is extra layer of security to protect your private key when someone gets an access to your computer/harddisk. But only if you keep your passphare in your memory. If you keep it in WinSCP configuration on the same computer, that it has no effect.
Advertisements

You can post new topics in this forum






Search Site

What is WinSCP?

It is award-winning SFTP client, SCP client, FTPS client and FTP client integrated into one software program for file transfer to FTP server or secure SFTP server. [More]

And it's free!

Donate

About donations

$9   $19   $49   $99

About donations

Recommend

WinSCP Privacy Policy

WinSCP License