Not storing passwords in cleartext
Matthieu Moy
Matthieu.Moy at imag.fr
Sat Nov 19 16:57:02 GMT 2005
Hi,

With the implementation of the transport layer, and the implementation
of authenticated protocols (sftp, ftp, and probably soon DAV), we
often need to type passwords in cleartext, like

  ftp://user:password@host.com/...

This is bad for several reasons:

* The password appears on the screen as the user types it. Someone
  could see it.

* While the command runs, anybody logged in on the same machine can
  type "ps -aux" and get the password.

* URLs are stored in cleartext in files like .bzr/parent and
  ~/.bazaar/branches.conf (for push_location). They are files that are
  accessible to other users, and that you may want to back up,
  replicate, ... (I do want to replicate important data, but not my
  passwords in cleartext!).

So, we need a way to store the password outside the URL.

The best way to do it is probably the way ssh private keys work. You
can either store them in cleartext, or store them encrypted with a
passphrase. Then, ssh-agent allows you to type your passphrase only
once for each session.

A simpler but less secure way is to use a ~/.authinfo or similar file.
This is what I had implemented for baz (see
http://wiki.gnuarch.org/AuthInfo).

An even simpler way, secure, but unpleasant to use is of course to
prompt for the password from the command line.

Any opinion about this?

--
Matthieu
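
Added example (not part of the original message, and not Bazaar's or baz's code): a sketch of the ~/.authinfo approach mentioned above, which keeps the password out of the URL that gets stored and refuses a credentials file that other users can access. The netrc-style "machine ... login ... password ..." line format, the function names and the sample host are assumptions; the permission check assumes POSIX file modes.

```python
import os
import shlex
import stat
from urllib.parse import urlsplit, urlunsplit


def strip_password(url):
    """Return (URL without the password, password or None)."""
    parts = urlsplit(url)
    if parts.password is None:
        return url, None
    userinfo, _, hostport = parts.netloc.rpartition("@")
    user, _, password = userinfo.partition(":")
    netloc = f"{user}@{hostport}" if user else hostport
    return urlunsplit(parts._replace(netloc=netloc)), password


def lookup_password(authinfo_path, host, login):
    """Look up (host, login) in a netrc-style file (assumed line format)."""
    mode = os.stat(authinfo_path).st_mode
    # Refuse a file with any group/other permission bit set.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{authinfo_path} is accessible to other users")
    with open(authinfo_path, encoding="utf-8") as fh:
        for line in fh:
            tokens = shlex.split(line, comments=True)  # skips '#' comments
            entry = dict(zip(tokens[::2], tokens[1::2]))
            if entry.get("machine") == host and entry.get("login") == login:
                return entry.get("password")
    return None


def resolve(url, authinfo_path):
    """Return (URL safe to store in a config file, password or None)."""
    safe_url, password = strip_password(url)
    if password is None:  # nothing inline: fall back to the credentials file
        parts = urlsplit(safe_url)
        password = lookup_password(authinfo_path, parts.hostname, parts.username)
    return safe_url, password


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "authinfo")
        with open(path, "w", encoding="utf-8") as fh:
            # Constructed sample entry; host, login and password are made up.
            fh.write("machine host.example login user password secret\n")
        os.chmod(path, 0o600)
        print(resolve("ftp://user@host.example/branch", path))
```

Only the first element of the returned pair would be written to a file such as branches.conf; the password stays in memory for the duration of the connection.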