-pw-stdin parameter

user-adm-33
Guest

-pw-stdin parameter

Hi,

When using the current command line parameter
WinSCP.EXE sftp://user:pass@server:22
the password can be shown inside the "Command Line" column of the Task Manager.

So, I suggest adding the parameter "-pw-stdin" to read the password from a PIPE.
That's already implemented in KeePass to hide the password passed on the command line.
See it at: https://keepass.info/help/base/cmdline.html

I hope you agree to implement something similar.
Regards.

martin
Site Admin

Re: -pw-stdin parameter

I believe that GUI applications have no stdin.

user-adm-33
Guest

Sorry Martin!

1) KeePass is a Windows Graphical Application that implements the "-pw-stdin" parameter.
2) Any Windows GUI Application can read from the console.

So, please check this:

- KeePass code (in C#) that reads the password from the console:
https://github.com/dlech/KeePass2.x/blob/5ea1b24ad2c1b17b6d0017d68731c885af6b539d/KeePass/Util/KeyUtil.cs#L154

- How a Windows GUI App can use the Console:
http://dslweb.nwnexus.com/~ast/dload/guicon.htm

- Microsoft examples about the use of the STDIN/STDOUT:
https://docs.microsoft.com/en-us/dotnet/api/system.console.readline

Please note that the current implementation for setting the password from another process that starts WinSCP is VERY INSECURE. So, another alternative should be explored.

Regards.

Frongie
Guest

This idea is good. The AnyDesk tool uses the same interface. Example:
echo password | "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" alias@ad --with-password
So I suggest implementing this alternative to pass the password using the command line.

martin
Site Admin

@Frongie: That way, you will see a process like this in the Task Manager:
"C:\WINDOWS\system32\cmd.exe /c /s echo password | "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" ...

Frongie
Guest

Yes, but this is only one EXAMPLE !!!
With this method, if the program you use writes directly to the PIPE, then nothing will be stored in the Task Manager. Some tools can work in this way.
Furthermore, if you need to execute the same using scripts only, then the solution is to write the password to a TEMP file and use the Get-Content command (similar to cat in PowerShell) to pass the content of the file to the WinSCP.exe.

Please, try to think about the improvement in the security with this simple alternative to send passwords to WinSCP.
Regards.
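
An added example, not part of the thread and not WinSCP, KeePass or AnyDesk code: a launcher that writes the password directly into the child's stdin pipe, compared with putting it in the command line as in the first post. The child is a hypothetical stand-in for a tool with a "-pw-stdin"-style option, and the password and URL are constructed values.

```python
import json
import subprocess
import sys

# Hypothetical child standing in for a tool with a "-pw-stdin"-style option:
# it reads one line from stdin and reports its own argv, which is what a
# process lister such as Task Manager's "Command Line" column would show.
CHILD = (
    "import sys, json; pw = sys.stdin.readline().rstrip('\\n'); "
    "print(json.dumps({'argv': sys.argv[1:], 'pw_len': len(pw)}))"
)


def _run(cmd, stdin_data):
    """Spawn the child, optionally feed its stdin, and return its report."""
    stdin = subprocess.PIPE if stdin_data is not None else subprocess.DEVNULL
    proc = subprocess.Popen(cmd, stdin=stdin, stdout=subprocess.PIPE, text=True)
    out, _ = proc.communicate(stdin_data)
    report = json.loads(out)
    report["launcher_cmdline"] = cmd  # everything the parent put on a command line
    return report


def launch_with_password_on_stdin(password, extra_args):
    """Write the secret straight into the pipe; no shell and no 'echo' involved."""
    cmd = [sys.executable, "-c", CHILD, *extra_args]
    return _run(cmd, password + "\n")


def launch_with_password_in_args(password, extra_args):
    """The pattern from the first post: the secret is part of the command line."""
    cmd = [sys.executable, "-c", CHILD, f"sftp://user:{password}@server:22", *extra_args]
    return _run(cmd, None)


def exposed(report, password):
    """True if the secret appears anywhere a process listing could show it."""
    visible = report["argv"] + report["launcher_cmdline"]
    return any(password in arg for arg in visible)


if __name__ == "__main__":
    pw = "S3cr3t-constructed"  # constructed sample value
    piped = launch_with_password_on_stdin(pw, ["sftp://user@server:22"])
    in_args = launch_with_password_in_args(pw, [])
    print("stdin pipe exposed:", exposed(piped, pw))
    print("command line exposed:", exposed(in_args, pw))
```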
