Ticket #124 (closed enhancement: wontfix)

Opened 8 years ago

Last modified 4 years ago

Adding the password saving feature for the concerned user in the "New SFTP Connection" settings.

Reported by: takahisa@softagency.co.jp Owned by: alamaison
Priority: major (affects peripheral workflow) Milestone: 0.5 Failure and UI cleanup
Component: authentication Version: 0.4.6
Keywords: Cc:

Description

Hi,

I am using Swish v0.4.6 with Windows7 Home Premium (64bit).
I found there is no Password inputting item for the concerned User
in "New SFTP Connection" window, and after creating the new SFTP
Connection and double-click it, another windows as "Keyboard-
interactive request" to input password was shown.

When the correct password was input in the above-mentioned window,
the SFTP connected drive contents are shown.

But, after the SFTP connected drive stays with no operation for a
while, and when when I tried to operate the SFTP connected drive,
I noticed the SFTP connected drive somehow cannot be operated
correctly and password input window was shown again.
When the correct password was input in the window, the SFTP connected
drive contents are shown again.

I think the above symptom happens because Swish doesn't have some
function to save the password of the concerned user, and I would
like Swish to enable the SFTP connected drive continuously with
no password input again.

Are you available to add some feature to save the password for the
concerned user as SFTP connection settings so that the above
symptom doesn't happen ?

Best regards,
Takahisa

Change History

comment:1 Changed 8 years ago by alamaison

  • Status changed from new to closed
  • Resolution set to wontfix

SSH was designed to be very secure (that's what the first S is about) so saving a password rather defeats the point. That aside, it's not possible to do it in general either.

Standard SSH supports three way to authenticate with the server only one of which (password) works the way you expect and this method is usually disabled nowadays (it appears to be disabled on your server).

Keyboard-interactive authentication (the type your server is using) only looks like it is expecting a simple password. In fact, the server can ask you any series of questions it chooses in any order. For instance, it might ask you your username first and then ask you for your password. Therefore we can't blindly respond to its first question with a saved password as this would be a gaping security hole.

What you really need is public-key authentication. Unfortunately Swish doesn't support this yet but it is definitely something we want to add soon. (See #18)

comment:2 Changed 6 years ago by d1t1

if you are using sftp for editing text files i suggest to use notepad++ with NppFTP plugin to connect and edit/save files, it saves the password until you click manualy disconnect !

comment:3 Changed 5 years ago by anonymous

Until this is added we wont be touching this program. We will continue to use WinSCP as they have no issues with remembering passwords. Forcing security on people is that of lazy programmers.

comment:4 follow-up: ↓ 5 Changed 5 years ago by anonymous

what about the customer is always right?
If they want to lower the security by saving the password for matter convenience, why not support it?

Plus, it does not have be that bad, you can always use windows cryptographic store to save the password, so that way remote users cannot steal the password, and it only made available to the user on the computer to autologin to the site.

Pity, the windows folder integration made the software very appealing, but due to the lack of password save have no use for it.

comment:5 in reply to: ↑ 4 Changed 5 years ago by alamaison

Swish has supported public-key authentication for several years now. Load your key in the key agent, you have the equivalent of a saved password.

comment:6 Changed 4 years ago by anonymous

The idea that the saved password is absurd...this is not always the case. Sonow what I have had to do is have a text file opened with my passwords clearly visible on my screen so that I can cut and pass it seemingly 100+ times a day!

Oh yeah that is much better...Please do not blame poor programming on security compliance.

comment:6 Changed 4 years ago by anonymous

The idea that the saved password is absurd...this is not always the case. Sonow what I have had to do is have a text file opened with my passwords clearly visible on my screen so that I can cut and pass it seemingly 100+ times a day!

Oh yeah that is much better...Please do not blame poor programming on security compliance.

comment:7 Changed 4 years ago by alamaison

As explained here (http://www.swish-sftp.org/wiki/PublicKeyAuthentication) you can use a public-private-key pair. The private key is a saved password, with the added security that it is never sent to the server.

Note: See TracTickets for help on using tickets.