@p-st: I'm sending you an email with a development version of WinSCP to the address you have used to register on this forum.
- martin
WINSCP_PASSWORD -> for the session password
WINSCP_PASSPHRASE -> for parameter "/passphrase"
WINSCP_TUNNEL_PASSWORD -> for tunnel parameter "TunnelPasswordPlain"
WINSCP_TUNNEL_PASSPHRASE -> for tunnel parameter "TunnelPassphrasePlain"
In particular, people writing programs that are meant to communicate the password programmatically are encouraged to use an anonymous pipe and pass the pipe's reading end to sshpass using the -d option.
WINSCP_PASSWORD
this would be a problem because of race conditions
set WINSCP_PASSWORD=password
winscp.exe sftp://username@example.com/
sshpass uses SSHPASS variable.
scp://user:%ENV_PASSWORD%@127.0.0.1
-pw to -pwfile for opening PuTTY sessions.
-pwfile parameter and finally deleting it somehow, I took advantage of Windows' named pipes (motivated by this question on StackOverflow, "Securely pass password to PuTTY process on start"). Pipes can be accessed like a file, but in a more secure way:
mypipe for simplicity. The file is now accessible by the URL \\.\pipe\mypipe
-pwfile \\.\pipe\mypipe and accesses the pipe to read the password
-pwfile would be a secure way to communicate the password to WinSCP (more secure than e.g. using WinSCP.ini). It would be great if WinSCP would also support that.
winscp.exe user@server /password=MY_PASS
winscp.exe user@server /pwfile=C:\TMP\hash.data
C:\TMP\hash.data is a temporary file created by someone that includes the password in a clean form. For security this file will be created with a very restrictive ACL and automatically removed after WinSCP starts (that's after reading it, so it will be perfect if optionally WinSCP will delete such file after reading it).
/password=<pass>. However, this has a high risk, as with the Windows Task Manager you can see the command used to launch any process.
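The anonymous-pipe handoff recommended in the sshpass advice quoted in this thread, as an added example (not code from any post, nor from WinSCP, PuTTY or sshpass): the parent writes the password into a pipe and the child inherits only the read end, so the secret appears neither on the command line nor in the environment. Assumptions: a POSIX system, a small Python child standing in for `sshpass -d <fd>`, and a constructed secret.

```python
import os
import subprocess
import sys

# Stand-in for `sshpass -d <fd> ssh ...` (assumption for offline runs): a child
# that reads the secret from the descriptor number given as its only argument.
def stand_in_argv(fd):
    code = ("import os, sys; "
            "sys.stdout.write(os.read(int(sys.argv[1]), 4096).decode().rstrip('\\n'))")
    return [sys.executable, "-c", code, str(fd)]

def run_with_secret_fd(make_argv, secret):
    """Hand `secret` (bytes) to a child over an anonymous pipe.

    make_argv(fd) builds the child's command line from the read-end descriptor
    number, e.g. lambda fd: ["sshpass", "-d", str(fd), "ssh", "user@host"].
    Returns (argv, exit_code, child_stdout).
    """
    read_fd, write_fd = os.pipe()          # not inheritable by default
    try:
        argv = make_argv(read_fd)
        # pass_fds keeps only the read end open in the child, under the same number
        proc = subprocess.Popen(argv, pass_fds=(read_fd,), stdout=subprocess.PIPE)
    except BaseException:
        os.close(write_fd)
        raise
    finally:
        os.close(read_fd)                  # parent never reads the secret back
    try:
        with os.fdopen(write_fd, "wb") as writer:
            writer.write(secret + b"\n")   # closing gives the child EOF
    except BrokenPipeError:
        pass                               # child exited without reading
    out, _ = proc.communicate()
    return argv, proc.returncode, out

if __name__ == "__main__":
    # Constructed secret; only the descriptor number is visible in process listings.
    argv, rc, out = run_with_secret_fd(stand_in_argv, b"constructed-secret")
    print("last argv element (fd number):", argv[-1])
    print("child exit code:", rc, "bytes received:", len(out))
```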