Opening session using command-line parameter is scripting is deprecated

Advertisement

rat
Joined:
Posts:
3

Opening session using command-line parameter is scripting is deprecated

Hi,
I'm new to WinSCP, but not new to automation. I recently had to setup an automation using WinSCP. I created a site in the GUI and then scripted this site to open. I noticed the message 'Opening session using command-line parameter in scripting is deprecated' when manually opening a connection to the site from the command prompt. I was curious as to why this is the case? Is there another way in WinSCP that allows you to open up a connection without storing the credentials in clear text in a script file?

Reply with quote

Advertisement

rat
Joined:
Posts:
3

Re: Opening session using command-line parameter is scripting is deprecated

Martin,
Thanks for the reply. If I use a script with the session URL, then the script seems to require the user name and password. I can't seem to get it to use what's stored in the save site session. If I store the credentials in the script file, then I have a file with the URL, username and password stored in clear text in a simple text file. This is a clear security violation. I see the open command is supposed to open a site, but every time I use it that way in the script, it seems to want to open the URL, and the script is unable to open it. When I use the URL (without putting in the credentials – assuming it will pick up the saved details), the script then seems to hang waiting for credentials, even though they are stored in the site. There is a clear lack of examples of getting the scripting opening a site with stored credentials. Pretty much all the examples that I can see for WinSCP refer to scripting, where using the URL is used, not the site or stored credentials. The last thing I want to do is to store credentials in a text file in clear text. I'm convinced that I have overlooked something quite simple and fundamental with WinSCP, as I can't imagine why the product would not have an option to use the saved sites somehow.
The generation of the scripts in the UI is essentially pointless in this case, as it generates the scripts with the credentials in it. Again, this seems to lead towards the storing of the credentials in a script file that is in clear text. Is there anything that I have missed or overlooked?

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
41,454
Location:
Prague, Czechia

Re: Opening session using command-line parameter is scripting is deprecated

rat wrote:

If I store the credentials in the script file, then I have a file with the URL, username and password stored in clear text in a simple text file. This is a clear security violation.
What makes you believe that saving the password to a site is better?
Anyway, see Protecting credentials used for automation

There is a clear lack of examples of getting the scripting opening a site with stored credentials.
Because it's not recommended.
Anyway, see https://winscp.net/eng/docs/scriptcommand_open
You simply give the open name of the stored site:
open site

I'm convinced that I have overlooked something quite simple and fundamental with WinSCP
Your fundamental mistake is your belief that storing the credentials in the site is secure. It cannot be.
See https://winscp.net/eng/docs/security_credentials#storing_password

Reply with quote

rat
Joined:
Posts:
3

Re: Opening session using command-line parameter is scripting is deprecated

martin wrote:

What makes you believe that saving the password to a site is better?
Anyway, see Protecting credentials used for automation
Thanks for that link. Will review that in more detail.

Because it's not recommended.
Anyway, see https://winscp.net/eng/docs/scriptcommand_open
You simply give the open name of the stored site:
open site
I've seen this example list, and I don't think the examples are quite clear as to how to use the <site> part of the parameter (imo). If I have a site called mysite, the way that the syntax suggests should simply be open mysite, but there is no examples of that kind of syntax. All the examples look like they use the FTP URL rather than the WinSCP site name. When I try and use it as open mysite, it's unable to resolve the host. I think if you added more detail on the notes to indicate what your 'saved site' name was, I think that would clear up any confusion on how the syntax is used.
I assume the open site syntax is the example open scp://test@example.com:2222/ -privatekey=mykey.ppk, but what is the site name component? Is test the site name, and example.com the FTP URL for that site?

Your fundamental mistake is your belief that storing the credentials in the site is secure. It cannot be.
See https://winscp.net/eng/docs/security_credentials#storing_password
According to this link, it's clear that it's not. Security is always a contentious point. It also depends from what view point you are looking at. I'm not actually looking it from the perspective of someone breaching the systems and getting them. I'm more looking from an ease of access perspective. Your average business user that might have access to the machine with WinSCP (for valid reasons), typically wouldn't know how to gain access to the passwords stored in WinSCP, but if they were in clear text script files, they could easily be seen if the scripts were opened up. I guess my point is, for the un-educated user, then storing is fine, there are obvious questions about how to handle for the more educated user, and larger policy decisions to be made by ensuring systems are secure from outside interference. But I do see the point that link you provided is making.

Thanks for the feedback for me to consider.

Reply with quote

Advertisement

martin
Site Admin
martin avatar
Joined:
Posts:
41,454
Location:
Prague, Czechia

Re: Opening session using command-line parameter is scripting is deprecated

rat wrote:

I've seen this example list, and I don't think the examples are quite clear as to how to use the <site> part of the parameter (imo). If I have a site called mysite, the way that the syntax suggests should simply be open mysite, but there is no examples of that kind of syntax. All the examples look like they use the FTP URL rather than the WinSCP site name. When I try and use it as open mysite, it's unable to resolve the host. I think if you added more detail on the notes to indicate what your 'saved site' name was, I think that would clear up any confusion on how the syntax is used.
I assume the open site syntax is the example open scp://test@example.com:2222/ -privatekey=mykey.ppk, but what is the site name component? Is test the site name, and example.com the FTP URL for that site?
There are no examples, because that syntax is supported for backward compatibility and is generally discouraged.

Anyway, if test is the site name, you use open test.
If that does not work, it's probably because the script runs in a different environment/with different configuration than the GUI (where you have defined and see the site).

This is covered here (even though the "title" does not really match your case):
My script works fine when executed manually, but fails or hangs when run by Windows Scheduler, SSIS or other automation service. What am I doing wrong?
See particularly the part starting "Note that when using registry as configuration storage...."

Reply with quote

mightycpa
Joined:
Posts:
2

Hey Martin: I have to agree - documentation is sorely lacking. Actually, it's misleading.

Hi. New user here. Totally frustrated with how unintuitive the software is and how difficult it is to get the right answer.

The documentation says this works:
winscp.com /command open:ftps//user:pass@server:port/
But it doesn't work. The response is that this syntax is deprecated. In computer programming, a deprecated language entity is one that is tolerated or supported but not recommended. That's not the case. It just doesn't work. The documentation is wrong.

Next, if you follow the suggestion in the response, and "use the open command instead" and put the open command in a script, as shown in the examples,
open:ftps//user:pass@server:port/
that doesn't work either. It tells me that my first command in the file, "the open command is unknown."

So, next, I search through this barely searchable forum to find the command open <site> advice. OK. Guess what? The software complains that "In scripting you should not rely on saved sites, use this command instead:" and it gives me the EXACT COMMAND THAT I USED ABOVE THAT DOESN'T WORK. Then the saved site method works. Why is it complaining if it works? Why does is suggest a method that doesn't work?

Sorry for the ALL CAPS, but this is a frustrating experience that makes me dislike your software. Seriously. Does it really have to be this hard?

So I implore you. I'm trying to do something really simple. I just want to login to an FTPS site, send one known binary file and logout, with a log of the result. I should be able to accomplish this in maybe 4 or 5 lines, without spinning my wheels chasing down the right syntax.

I realize that I could have asked more nicely, so please forgive me. But would you mind giving me a straightforward example of how to do what I want from a Windows command line that will actually work if I just copy it, and change your values to mine?

That would be much appreciated.
Thanks,
mightycpa

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
41,454
Location:
Prague, Czechia

Re: Hey Martin: I have to agree - documentation is sorely lacking. Actually, it's misleading.

mightycpa wrote:

The documentation says this works:
winscp.com /command open:ftps//user:pass@server:port/
Where does the documentation say that? This syntax is not "deprecated". This syntax is simply wrong. It does not work and never did. Actually I do not even get any "deprecated" response to this syntax. I get: "Unknown command 'open:ftps//user:pass@server:port/'" (what is expected).

Next, if you follow the suggestion in the response, and "use the open command instead" and put the open command in a script, as shown in the examples,
open:ftps//user:pass@server:port/
that doesn't work either. It tells me that my first command in the file, "the open command is unknown."
That is also wrong syntax. And as I wrote above, I do not even get any hint to use this syntax.

And there's no point to responding to the rest, as it's all based on wrong assumptions.

Easiest solution for you is to have WinSCP GUI generate the script for you:
https://winscp.net/eng/docs/ui_generateurl#script

Reply with quote

Guest

Re: Hey Martin: I have to agree - documentation is sorely lacking. Actually, it's misleading.

WinSCP is a great piece of software, but like anything sometimes things can be frustrating especially if you are new or not familiar with something.

In you case, by chance are you using different account to save the site vs connecting to the site via cmd? If you are, then depending on which account you are using you maybe not be able to find the saved site.

In my case I have to use an administrator account to test due to security on our Windows system. If I opened WinSCP GUI and saved a site. It would not be available to my regular account and vice versa.

Also if you use the script generator, it may include the following synatax. I believe the saved sites are stored in the configuration file, but remove this section otherwise you wouldn't find the saved site.
/ini=nul

You can also test this. Using the same account for both. Open WinSCP GUI and save a site. Now go to CMD and run WinSCP. Type in open <name of saved site>. It should use your saved site info.

Hope this helps.

Reply with quote

Advertisement

You can post new topics in this forum