Using Agent forwarding (Pageant) with SFTP File Transfer Act

Site Admin
It sounds like you want this feature to be added.
_________________ The PHP IDE team

That would be great! Thanks, David

Site Admin
Are you talking about this:
PuTTY-Agent (pageant.exe) is a process which runs in the background and listens for "requests" from PuTTY clients needing your private key. I'm not sure if there is any reason to use it. Why not just plain files with private keys? If pageant allows other processes to read the keys, it only mimics security and misleads you.
_________________ The PHP IDE team

Here is the reasoning from the PuTTY documentation:
It is not any more secure than giving a passworded private key to PhpED and typing in the password there, but it is much more convenient for users to have PhpED reference an already in-place de facto key-ring system for Windows. This type of paradigm is widely used in *nix.

Site Admin
That's true, but it's not any less secure either. On the other hand, storing the key passphrase in PHPED is more convenient.
_________________ The PHP IDE team

No, I believe it is definitely less secure; you are storing the passphrase for the private key in a file somewhere on disk, which is much more easily accessible than pageant, which only stores the decrypted key in memory during the lifecycle of the program (which I assume is also done by PhpED). And I also disagree with you on it being more convenient; it is much more convenient for me to enter a single password into one program that runs when I log into my machine than storing it in every program I use that needs to use my key.

Site Admin
Hmm. I don't get your point. With pageant any software can read the non-encrypted private key. Why do you think it is more secure than storing the keys in the files in non-encrypted form?
_________________ The PHP IDE team

Firstly, let's be clear: I am quite sure that PhpED also stores the private key in memory un-encrypted either as soon as you enter your password for the key (if not storing), or when the key is first requested for use and the password is loaded from disk. So in that regard both are equally vulnerable to memory snooping. However, the difference between PhpED and pageant is that with pageant the exposure is limited to the period of time that pageant is running. If pageant is off, or the computer is off, nothing is exposed, nothing is stored to disk. If I lose my laptop and I have saved my password in PhpED, or someone else gains access to my hard drive, my password is fully exposed. So yes, in this sense pageant is more secure.

Site Admin
Not exactly, because of the swapfile where a copy of the process memory may be found. Strictly speaking, Windows maps ALL memory (except kernel parts responsible for handling hardware interrupts and paging file manipulation routines) to the swap file and it's only a matter of time to get a memory page written to this file. But it's much less predictable than the location of the files with known data. So it adds some level of protection.
Thanks, this makes much better sense and explains your worries. I thought you were protecting from online attackers. I'll check if support for pageant can be added. At first glance it stores private keys in ppk file format, which is also not supported in PhpED. It supports keys in file formats that can be recognized by the openssl library. Not sure if ppk can be recognized.
_________________ The PHP IDE team

Sorry I wasn't more clear about that up front... it is the offline that I am much more concerned about. You may want to have a look at PuttyGen as well, it is where PPKs can be created, and can also be exported to a regular PEM format. You should be able to grab the PPK from pageant and borrow some code from PuttyGen to do the conversion for you. Thanks, David

I know it's been a while since the last post to this topic. But there must be more users out there that want this feature! It's just frustrating having to enter my passphrase at least 2(!) times during a session to a single server - one for the directory listing and one for downloading a file. If I haven't touched the editor for a few hours, I have to enter my passphrase again. Even much more simple editors like Editplus now support Pageant for authenticating (but hey, I can't work without PhpED, it's the best!).
Of course I don't know how hard it is to support Pageant, but I think it can't be too hard. Have a look at it, please! If it's too hard to support Pageant, I can also live with PhpED remembering my passphrase for the private key for as long as the program runs so I don't have to enter my passphrase twice for each server I connect to. Thanks!
Content © NuSphere Corp., PHP IDE team
Powered by phpBB © phpBB Group, Design by phpBBStyles.com | Styles Database.