Do not show proxy password in full open command syntax suggestion

Advertisement

Malcolm.Simpson
Joined:
Posts:
1
Location:
Egham

Do not show proxy password in full open command syntax suggestion

When connecting using a saved site the proxy password is displayed in plain text. (The site password is masked as per bug fix 1452.)

WinSCP version 5.9.6 and earlier.

Through the GUI create a site using a proxy server. When this is used in a script, a suggestion is logged that displays the plain-text proxy credentials.

Script command:
open user@host

Log file:
Script: In scripting you should not rely on saved sites, use this command instead:
Script: open sftp://user:maskedpassword@host/ -rawsettings ProxyMethod=2 ProxyHost="proxyhost" ProxyPort=proxyportnumber ProxyUsername="proxyusername" ProxyPassword="plaintextpassword"

Expected: proxy password is masked.
Even better, the ability to completely suppress the suggestion, since we deliberately use saved sites and this suggestion is logged for every connection.

Reply with quote

Advertisement

martin
Site Admin
martin avatar
Joined:
Posts:
27,477
Location:
Prague, Czechia

Re: Do not show proxy password in full open command syntax suggestion

Thanks for your suggestion.
Will see if more people ask for this.

Reply with quote

stefan_s
Joined:
Posts:
18
Location:
munich, germany

I also use currently saved sessions/sites in scripting, to allow the user to edit the proxy parameters
by GUI and then to perform the transfer regular by a batch.
this makes switching to new style "open" parameters difficult.

So I would also appreciate to not see the plaintext password in
the console and the logfile.

in a following message in the logfile the password is already masked.
....
HostName: proxyhost (Port: 123); Username: prouser; Passwd: Yes


suppressing the whole message explicitely by e.g. "option echo off-deprecate" "open sessionname" "option echo on"
would be perfect, as the user is confused by this message, if the connect takes a time.

many thanks.
Stefan

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
27,477
Location:
Prague, Czechia

I'm sending both of you an email with a development version of WinSCP to the address you have used to register on this forum.

Reply with quote

stefan_s
Joined:
Posts:
18
Location:
munich, germany

no, the 5.12 (Dev Build 7897 2017-11-21) shows no change.
the cleartext password is still shown in console window and logfile
(find attached log an ini part)

in both variants of session config with:
ProxyPassword and ProxyPasswordEnc

I use ProxyPassword in the ini file, because a special configuration program asks before the 1. transfer
the user only for Proxy username and password, in a own special dialog window.
then write it into the session part of the ini file, test the connection once, and let winscp.exe
write ProxyPasswordEnc to hide it in the ini.

if this keeps working, without a cleartext message, would be great.

thanks in advance
Stefan


. 2017-11-21 15:06:16.267 --------------------------------------------------------------------------
. 2017-11-21 15:06:16.267 WinSCP Version 5.12 (Dev Build 7897 2017-11-21) - Do NOT distribute (OS 6.1.7601 Service Pack 1 - Windows 7 Home Premium)
. 2017-11-21 15:06:16.267 Configuration: C:\Temp-Nabios\datatrans-test\winscp_sync\winscp.ini
. 2017-11-21 15:06:16.267 Log level: Normal
. 2017-11-21 15:06:16.267 Local account: vmwin7\stefans
. 2017-11-21 15:06:16.267 Working directory: C:\Temp-Nabios\datatrans-test\winscp_sync
. 2017-11-21 15:06:16.267 Process ID: 1640
. 2017-11-21 15:06:16.267 Command-line: winscp.exe /console /ini=winscp.ini /log=sync_test-testtrans_nabios.log /xmllog=sync_test-testtrans_nabios-xml.log /command "open nabios_22" "option echo on" "option batch abort" "option confirm off" "option transfer binary" "cd /home/testtrans" "put sync_test-testtrans_nabios.log.last /home/testtrans/sync_test-testtrans_nabios.log" "put sync_test-testtrans_nabios.run /home/testtrans/sync_test-testtrans_nabios.run.log" "option batch continue" "mkdir sync" "option batch abort" "synchronize remote -mirror -criteria=both ""C:\Temp\Testdata"" sync" "exit"
. 2017-11-21 15:06:16.267 Time zone: Current: GMT+1, Standard: GMT+1 (Mitteleuropäische Zeit), DST: GMT+2 (Mitteleuropäische Sommerzeit), DST Start: 26.03.2017, DST End: 29.10.2017
. 2017-11-21 15:06:16.267 Login time: Dienstag, 21. November 2017 15:06:16
. 2017-11-21 15:06:16.267 --------------------------------------------------------------------------
. 2017-11-21 15:06:16.267 Script: Retrospectively logging previous script records:
> 2017-11-21 15:06:16.267 Script: open nabios_22
< 2017-11-21 15:06:16.267 Script: In scripting you should not rely on saved sites, use this command instead:
< 2017-11-21 15:06:16.267 Script: open sftp://test@server.xxx/ -hostkey="ssh-rsa ...." -privatekey="privkey.ppk" -timeout=60 -rawsettings Compression=1 CacheDirectories=0 CacheDirectoryChanges=0 ProxyMethod=3 ProxyHost="proxyhost" ProxyPort=123 ProxyUsername="prouser" ProxyPassword="propwd"
. 2017-11-21 15:06:16.267 --------------------------------------------------------------------------
. 2017-11-21 15:06:16.267 Session name: nabios_22 (Site)
. 2017-11-21 15:06:16.267 Host name: XXXXXX (Port: 22)
. 2017-11-21 15:06:16.267 User name: test (Password: No, Key file: Yes, Passphrase: No)
. 2017-11-21 15:06:16.267 Tunnel: No
. 2017-11-21 15:06:16.267 Transfer Protocol: SFTP (SCP)
. 2017-11-21 15:06:16.267 Ping type: Off, Ping interval: 30 sec; Timeout: 60 sec
. 2017-11-21 15:06:16.267 Disable Nagle: No
. 2017-11-21 15:06:16.267 Proxy: HTTP
. 2017-11-21 15:06:16.267 HostName: proxyhost (Port: 123); Username: prouser; Passwd: Yes
..

winscp.ini:
[Sessions\nabios_22]
Timeout=60
HostName=xxxxxx
UserName=test
PublicKeyFile=privkey.ppk
ProxyHost=proxyhost
ProxyPort=123
ProxyUsername=prouser
RemoteDirectory=/home/testtrans
CacheDirectories=0
CacheDirectoryChanges=0
Compression=1
ProxyMethod=3
ProxyPasswordEnc=A35C4A46E36C3B68830CC3DAEAD88F5368614B8A17F9C3C89DE6AAA917042C2E33292F392E2C2E33242534332F282C2E332C2B38

Reply with quote

zhekaus
Joined:
Posts:
2
Location:
Moscow

+1 for suppression of "In scripting you should not rely on saved sites" message

I'd like to have an option to ignore this warning.

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
27,477
Location:
Prague, Czechia

Re: +1 for suppression of "In scripting you should not rely on saved sites" message

zhekaus wrote:

I'd like to have an option to ignore this warning.
Do you have a good use case for using a stored session in scripting?

Reply with quote

zhekaus
Joined:
Posts:
2
Location:
Moscow

The general idea is not spoil with passwords.
I like the mysql's way idea. It allows to create a named encrypted config (login-path) and use it later without passwords.

Reply with quote

Advertisement

You can post new topics in this forum