Protect SFTP Passwords

A number of non-technical users currently manage secure data with FileZilla on Windows. The SFTP credentials are broadly shared in the organization as a result.

I would like to centrally manage credentials so that users cannot directly view them. With FileZilla, the credentials are stored in a non-encrypted file, Settings.xml.

Is there an approach using any user-friendly, Windows SFTP client to centrally manage SFTP credentials and prevent users from directly having access to the credentials?


Solution 1:

Don't use passwords. Use SSH Keys.

With SSH Keys, each user has his own private key(s) which are shared with no one. On each server+account for which you want to grant that user access, you add the key signature to the authorized_keys file. If you ever want to revoke access, you remove that user from the file. You can also specify restrictions on what each user (i.e. each key) can do, so if you log in with a given key certain limitations apply.
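As an added illustration of the per-user key management described above (this is example code, not part of the original answer), the script below keeps one restricted entry per user in an authorized_keys file and revokes access by deleting exactly that line. It assumes OpenSSH 7.2 or newer for the `restrict` option and that `command="internal-sftp"` is honoured as a forced command; the public keys are constructed placeholders.

```python
"""Manage per-user, SFTP-only entries in an OpenSSH authorized_keys file."""
import re

# One authorized_keys line is: [options] keytype base64-key [comment]
_ENTRY = re.compile(
    r"^(?:(?P<opts>\S.*?)\s+)?"
    r"(?P<ktype>ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(?:256|384|521)|sk-[\w.@-]+)\s+"
    r"(?P<key>[A-Za-z0-9+/]+=*)(?:\s+(?P<comment>.*?))?\s*$"
)
# 'restrict' (OpenSSH 7.2+) disables forwarding, X11 and pty allocation;
# the forced command limits the key to the in-process SFTP server (assumed honoured).
SFTP_ONLY_OPTS = 'restrict,command="internal-sftp"'

def parse_entry(line):
    """Return the fields of one key line, or None for blanks, '#' comments and garbage."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = _ENTRY.match(line)
    return m.groupdict() if m else None

def add_user_key(authorized_keys, user, pubkey, opts=SFTP_ONLY_OPTS):
    """Append a restricted entry for `user`, tagging it with the user name as comment.
    Rejects a second key for the same user and anything that is not a bare public key."""
    if user in list_users(authorized_keys):
        raise ValueError(f"{user} already has a key; revoke it first")
    pk = parse_entry(pubkey)
    if pk is None or pk["opts"]:
        raise ValueError("expected a bare public key line: keytype base64 [comment]")
    entry = f'{opts} {pk["ktype"]} {pk["key"]} {user}'
    sep = "\n" if authorized_keys.strip() else ""
    return authorized_keys.rstrip("\n") + sep + entry + "\n"

def revoke_user(authorized_keys, user):
    """Drop every entry tagged with `user`; comments and other users' lines are kept."""
    kept = [ln for ln in authorized_keys.splitlines()
            if not ((e := parse_entry(ln)) and e["comment"] == user)]
    return "\n".join(kept) + ("\n" if kept else "")

def list_users(authorized_keys):
    """User tags (comments) of all key entries, in file order."""
    return [e["comment"] for ln in authorized_keys.splitlines()
            if (e := parse_entry(ln)) and e["comment"]]

# Constructed sample public keys: placeholder base64, not real key material.
ALICE_PUB = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERALICE000000000000000000000 alice@laptop"
BOB_PUB = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERBOB00000000000000000000000000 bob@desktop"

if __name__ == "__main__":
    ak = add_user_key(add_user_key("", "alice", ALICE_PUB), "bob", BOB_PUB)
    print(ak)
    print(list_users(revoke_user(ak, "alice")))  # ['bob']
```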

Solution 2:

Use 2-step authentication with google-authenticator. It can be used with PAM so that when connecting, one has to enter a password and a token generated by their mobile phone.