If I store the credentials in the script file, then I have a file with the URL, username and password stored in clear text in a simple text file. This is a clear security violation.
What makes you believe that saving the password to a site is better?
Anyway, see https://winscp.net/eng/docs/guide_protecting_credentials_for_automation
Thanks for that link. Will review that in more detail.
There is a clear lack of examples of getting the scripting to open a site with stored credentials.
Because it's not recommended.
Anyway, see https://winscp.net/eng/docs/scriptcommand_open
You simply give the name of the stored site:
I've seen this example list, and I don't think the examples are quite clear as to how to use the <site> part of the parameter (imo). If I have a site called 'mysite', the way that the syntax suggests should simply be 'open mysite', but there are no examples of that kind of syntax. All the examples look like they use the FTP URL rather than the WinSCP site name. When I try and use it as 'open mysite', it's unable to resolve the host. I think if you added more detail on the notes to indicate what your 'saved site' name was, I think that would clear up any confusion on how the syntax is used.
I assume the open site syntax is the example
open scp://test@example.com:2222/ -privatekey=mykey.ppk
but what is the site name component? Is 'test' the site name, and example.com the FTP URL for that site?
According to this link, it's clear that it's not. Security is always a contentious point. It also depends on what viewpoint you are looking from. I'm not actually looking at it from the perspective of someone breaching the systems and getting them. I'm more looking from an ease of access perspective. Your average business user that might have access to the machine with WinSCP (for valid reasons) typically wouldn't know how to gain access to the passwords stored in WinSCP, but if they were in clear text script files, they could easily be seen if the scripts were opened up. I guess my point is, for the uneducated user, storing is fine; there are obvious questions about how to handle the more educated user, and larger policy decisions to be made by ensuring systems are secure from outside interference. But I do see the point that the link you provided is making.
Thanks for the feedback for me to consider.
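A check that can be run over automation scripts to see which of the forms discussed in this thread each `open` command uses: a session URL with a clear-text password, a URL without one, or a stored site name. This is an added example, not part of the original posts and not WinSCP's own code; the sample script and its host, user and password values are constructed, and treating any target without `://` as a stored site name and `%NAME%` as an environment variable reference are assumptions of the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample script; host, user and password values are made up.
SAMPLE_SCRIPT = """\
# nightly download
open sftp://martin:mypassword@example.com/
open scp://test@example.com:2222/ -privatekey=mykey.ppk
open sftp://martin:%PASSWORD%@example.com/
open mysite
get report.csv
exit
"""

# One token = runs of non-space characters and/or "double-quoted" segments.
TOKEN = re.compile(r'(?:[^\s"]|"(?:[^"]|"")*")+')
ENV_REF = re.compile(r"%\w+%")  # assumed form of an environment variable reference


def classify_open(line):
    """Return (kind, safe_target) for an 'open' line, else None."""
    tokens = TOKEN.findall(line.strip())
    if not tokens or tokens[0].lower() != "open":
        return None
    args = [t for t in tokens[1:] if not t.startswith("-")]  # skip switches
    if not args:
        return ("no-target", "")
    target = args[0].strip('"')
    if "://" not in target:
        return ("stored-site", target)  # name looked up in the WinSCP configuration
    password = urlsplit(target).password
    if password is None:
        return ("url-no-password", target)
    if ENV_REF.fullmatch(password):
        return ("url-env-password", target)  # secret lives outside the script file
    # Redact the secret so the report itself does not leak it.
    safe = target.replace(":" + password + "@", ":***@", 1)
    return ("url-cleartext-password", safe)


def scan(script_text):
    """List (line_number, kind, safe_target) for every 'open' command."""
    findings = []
    for number, line in enumerate(script_text.splitlines(), start=1):
        result = classify_open(line)
        if result:
            findings.append((number, *result))
    return findings
```

Calling `scan(SAMPLE_SCRIPT)` returns one tuple per `open` line; only the `url-cleartext-password` entries point at a secret readable by anyone who can open the script file.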