Prevent user from getting session password

alexis

Greetings!
I am working on automating the launch of WinSCP (GUI) and connecting to a server for a user who should not be able to access the session password or key passphrase.
I disabled password storing using the corresponding registry value, but it is still possible to get the password using "Generate session URL/Code".
Maybe you can help me: is there a way to totally prevent access to the session password?

martin
Site Admin
Location:
Prague, Czechia

Re: Prevent user from getting session password

I'm not sure I understand what you are doing.
Are you starting WinSCP with some command-line parameters that automate the login (including the password)?

alexis

Yes, exactly.
I need to give a user endpoint access without giving credentials.
Perform an automated connect; after that, the user should not be able to access the password.

martin
Site Admin

A password file can be read by anyone too.
You would have to use a named pipe to make it somewhat secure.
Only then would it make sense to ask for WinSCP not to be able to reveal the password. And even then, only if you use an encrypted connection.

alexis

Hi again, Martin, thank you for your answer!
I figured out how to use a secured pipe for authentication.
Is there a chance that you will add the possibility to disable 'Generate session URL' via some registry key or command-line parameter?

martin
Site Admin

Ok, I'll consider it.
Though you are aware that this is security through obscurity, right? Once the password is in local machine memory, there's nothing that can prevent the user from retrieving it. You can only make it more difficult.

Frank_2
Guest

+1 for this.
Right now, Generate session URL/Code allows the passphrase to be seen in clear text when using passwordsfromfiles. Is there a way to display the actual code as C:\tmp\pass.txt or, as the OP said, a way to disable this button via argument/regedit?

Command:
sftp://Username@host.com /privatekey=""$file"" /passwordsfromfiles /passphrase=""C:\tmp\pass.txt""
In Generate Code:
open sftp://Username@host.com/ -hostkey="ssh-ed25519" -privatekey="\\XXXX\Key.ppk" -passphrase="PasswordClearText"
It would be better like:
open sftp://Username@host.com/ -hostkey="ssh-ed25519" -privatekey="\\XXXX\Key.ppk" -passphrase="C:\tmp\pass.txt"
