Topic "Opening session using command-line parameter is scripting is deprecated"

Author Message
rat
[View user's profile]

Joined: 2017-03-01
Posts: 3
Hi,
I'm new to winSCP, but not new to automation. I recently had to setup an automation using winSCP. I created a site in the GUI and then scripted this site to open. I noticed the message 'Opening session using command-line parameter in scripting is deprecated' when manually opening a connection to the site from the command prompt. I was curious as to why this is the case? Is there another way in winSCP that allows you to open up a connection without storing the credentials in clear text in a script file?
Advertisements
martin
[View user's profile]
Site Admin
Joined: 2002-12-10
Posts: 26331
Location: Prague, Czechia
Sure, as all examples on this site show, you should use the open command with a session URL:
https://winscp.net/eng/docs/scriptcommand_open
https://winscp.net/eng/docs/session_url

You can have a script template generated in WinSCP GUI:
https://winscp.net/eng/docs/ui_generateurl#script
rat
[View user's profile]

Joined: 2017-03-01
Posts: 3
martin wrote:
Sure, as all examples on this site show, you should use the open command with a session URL:
https://winscp.net/eng/docs/scriptcommand_open
https://winscp.net/eng/docs/session_url

You can have a script template generated in WinSCP GUI:
https://winscp.net/eng/docs/ui_generateurl#script


Martin,
Thanks for the reply. If I use a script with the session url, then the script seems to require the user name and password. I can't seem to get it to use what's stored in the save site session. If I store the credentials in the script file, then I have a file with the URL, username and password stored in clear text in a simple text file. This is a clear security violation. I see the 'open' command is supposed to open a site, but every time I use it that way in the script, it seems to want to open the URL, and the script is unable to open it. When I use the URL (without putting in the credentials - assuming it will pick up the saved details), the script then seems to hang waiting for credentials, even though they are stored in the site. There is a clear lack of examples of getting the scripting opening a site with stored credentials. Pretty much all the examples that I can see for winSCP refer to scripting, where using the url is used, not the site or stored credentials. The last thing I want to do is to store credentials in a text file in clear text. I'm convinced that I have overlooked something quite simple and fundamental with winSCP, as I can't imagine why the product would not have an option to use the saved sites somehow.
The generation of the scripts in the UI is essentially pointless in this case, as it generates the scripts with the credentials in it. Again, this seems to lead towards the storing of the credentials in a script file that is in clear text. Is there anything that I have missed or overlooked?
martin
[View user's profile]
Site Admin
Joined: 2002-12-10
Posts: 26331
Location: Prague, Czechia
rat wrote:
If I store the credentials in the script file, then I have a file with the URL, username and password stored in clear text in a simple text file. This is a clear security violation.

What makes you believe that saving the password to a site is better?
Anyway, see https://winscp.net/eng/docs/guide_protecting_credentials_for_automation

Quote:
There is a clear lack of examples of getting the scripting opening a site with stored credentials.

Because it's not recommended.
Anyway, see https://winscp.net/eng/docs/scriptcommand_open
You simply give the open name of the stored site:
open site

Quote:
I'm convinced that I have overlooked something quite simple and fundamental with winSCP

Your fundamental mistake is your belief that storing the credentials in the site is secure. It cannot be.
See https://winscp.net/eng/docs/security_credentials#storing_password
rat
[View user's profile]

Joined: 2017-03-01
Posts: 3
[quote="martin"]
rat wrote:
If I store the credentials in the script file, then I have a file with the URL, username and password stored in clear text in a simple text file. This is a clear security violation.
What makes you believe that saving the password to a site is better?
Anyway, see https://winscp.net/eng/docs/guide_protecting_credentials_for_automation


Thanks for that link. Will review that in more detail.

Quote:
There is a clear lack of examples of getting the scripting opening a site with stored credentials.
Because it's not recommended.
Anyway, see https://winscp.net/eng/docs/scriptcommand_open
You simply give the open name of the stored site:
open site


I've seen this example list, and I don't think the examples are quite clear as to how to use the <site> part of the parameter (imo). If I have a site called 'mysite', the way that the syntax suggests should simply be 'open mysite', but there is no examples of that kind of syntax. All the examples look like they use the ftp URL rather than the winSCP site name. When I try and use it as 'open mysite', it's unable to resolve the host. I think if you added more detail on the notes to indicate what your 'saved site' name was, I think that would clear up any confusion on how the syntax is used.
I assume the open site syntax is the example
Quote:
open scp://test@example.com:2222/ -privatekey=mykey.ppk
, but what is the site name component? Is 'test' the site name, and example.com the FTP url for that site?


Quote:
I'm convinced that I have overlooked something quite simple and fundamental with winSCP
Your fundamental mistake is your belief that storing the credentials in the site is secure. It cannot be.
See https://winscp.net/eng/docs/security_credentials#storing_password


According to this link, it's clear that it's not. Security is always a contentious point. It also depends from what view point you are looking at. I'm not actually looking it from the perspective of someone breaching the systems and getting them. I'm more looking from an ease of access perspective. Your average business user that might have access to the machine with winSCP (for valid reasons), typically wouldn't know how to gain access to the passwords stored in winSCP, but if they were in clear text script files, they could easily be seen if the scripts were opened up. I guess my point is, for the un-educated user, then storing is fine, there are obvious questions about how to handle for the more educated user, and larger policy decisions to be made by ensuring systems are secure from outside interference. But I do see the point that link you provided is making.

Thanks for the feedback for me to consider.
martin
[View user's profile]
Site Admin
Joined: 2002-12-10
Posts: 26331
Location: Prague, Czechia
rat wrote:
I've seen this example list, and I don't think the examples are quite clear as to how to use the <site> part of the parameter (imo). If I have a site called 'mysite', the way that the syntax suggests should simply be 'open mysite', but there is no examples of that kind of syntax. All the examples look like they use the ftp URL rather than the winSCP site name. When I try and use it as 'open mysite', it's unable to resolve the host. I think if you added more detail on the notes to indicate what your 'saved site' name was, I think that would clear up any confusion on how the syntax is used.
I assume the open site syntax is the example
Quote:
open scp://test@example.com:2222/ -privatekey=mykey.ppk
, but what is the site name component? Is 'test' the site name, and example.com the FTP url for that site?

There are no examples, because that syntax is supported for backward compatibility and is generally discouraged.

Anyway, if test is the site name, you use open test.
If that does not work, it's probably because the script runs in a different environment/with different configuration than the GUI (where you have defined and see the site).

This is covered here (even though the "title" does not really match your case):
https://winscp.net/eng/docs/faq_scheduler
See particularly the part starting "Note that when using registry as configuration storage...."
Advertisements

You can post new topics in this forum






Search Site

What is WinSCP?

It is award-winning SFTP client, SCP client, FTPS client and FTP client integrated into one software program for file transfer to FTP server or secure SFTP server. [More]

And it's free!

Donate

About donations

$9   $19   $49   $99

About donations

Recommend

WinSCP Privacy Policy

WinSCP License