Post a reply

Before posting, please read how to report bug or request support effectively.

Bug reports without an attached log file are usually useless.

Options
Add an Attachment

If you do not want to add an Attachment to your Post, please leave the Fields blank.

(maximum 10 MB; please compress large files; only common media, archive, text and programming file formats are allowed)

Options

Topic review

Frank_2

+1 for this.
Right now Generate session URL/Code allows the passphrase to be seen in clear text when using passwordsfromfiles. Is there a way to display the actual code as C:\tmp\pass.txt or as the OP said, a way to disable this button via argument/regedit?

Command :
sftp://Username@host.com /privatekey=""$file"" /passwordsfromfiles /passphrase=""C:\tmp\pass.txt""

In Generate Code:
open sftp://Username@host.com/ -hostkey="ssh-ed25519" -privatekey="\\XXXX\Key.ppk" -passphrase="PasswordClearText"

It would be better like:
open sftp://Username@host.com/ -hostkey="ssh-ed25519" -privatekey="\\XXXX\Key.ppk" -passphrase="C:\tmp\pass.txt"
martin

Ok, I'll consider it.
Though are you aware, that this is security through obscurity, right? Once the password is in local machine memory, there's nothing that can prevent the user from retrieving it. You can only make it more difficult.
alexis

Hi again, Martin, thank you for your answer!
I figured out how to use secured pipe for authentication.
Is there a chance that you will add possibility to disable 'Generate session URL' via some registry key or command line parameter?
martin

A password file can be read by anyone too.
You would have to use a named pipe to make it somewhat secure.
Only then it would make sense to ask for WinSCP not to be able to reveal the password. And even then, only if you use an encrypted connection.
alexis

Oh, thanks, I see that
if I will use password from file option?
martin

Well then anyone can see the password in the Task Manager anyway.
alexis

Via command-line option.
For example
winscp.exe sftp://admin:password@192.168.10.10

(or with private key path)
martin

So how are you passing the password to WinSCP?
alexis

Yes, exactly.
I need to give endpoint access for some user without giving credentials.
Perform automated connect, after that user should not be able to access password.
martin

Re: Prevent user from getting session password

I'm not sure I understand what you are doing.
Are you starting WinSCP with some command-line parameters that automate the login (including the password)?
alexis

Prevent user from getting session password

Greetings!
I am working on automation of launching WinSCP (GUI) and connecting to server for some user, that should not be able to access session password or key passphrase.
I disabled password storing using correspond registry value, but it is still possible to get password using "Generate session URL/Code".
Maybe you can help me, is there a way to totally prevent accessing password for session?