Not storing passwords in cleartext

Robey Pointer robey at lag.net
Thu Dec 1 02:51:02 GMT 2005


I meant to reply to this a long time ago, but never dug myself out of  
my email hole during vacation.  Sorry.


On 20 Nov 2005, at 2:51, Matthieu Moy wrote:

> Robey Pointer <robey at lag.net> writes:
>
>> I think it should track url type too.
>
> Then, ~/.authinfo is not the answer. The advantage of it is that it is
> used by other pieces of software (Gnus, mutt, slrn at least), so,
> reusing it means 1) less to type if you use the same
> machine/login/password and 2) only one chmod 600 not to forget.

I don't use any of those so I guess that's less important to me. ;)

>> I'm likely to have a different password for my website and sftp,
>> even though they use the same machine name.
>
> By curiosity, would it be for the same username?

Usually yes.  I don't trust HTTP auth so I use a different password  
than my shell password (which is what most sftp servers use).

> What I've implemented in Bazaar is: if you don't provide the username,
> it is found from the machine name in ~/.authinfo. If there are several
> lines with the same machine in ~/.authinfo, then you have to provide
> the username in the URL, and it will fetch the corresponding password
> in the ~/.authinfo file.
>
> If we decide not to use the .authinfo syntax, then we probably also
> want to keep the full URL, since you may have different WebDAV
> passwords and/or login in different directories for the same host.

It's true.  In fact I can easily imagine a DAV site hosting several  
repositories, each with their own set of username/password.


>
> How about a .ini file like
>
> [http://host.com]
> login=<default login for host.com with http>
> password=<default pass for host.com with http>
> password=<password for user John> login=john
> login=<login for http://host.com/webdav/jane directory> path=webdav/ 
> jane
> password=<password for http://host.com/webdav/jane directory>  
> path=webdav/jane

Maybe the formatting got messed up, but that looks very confusing.

What if there was just a different section for each url, and you  
picked the closest-matching url?

[http://example.com/webdav/jane]
login=john
password=abc

robey
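
The closest-matching-section lookup suggested above, sketched as an added example (not part of the original message and not Bazaar's code). The function names, the `login`/`password` keys per URL section and the sample values are assumptions; `is_private` reflects the chmod 600 expectation mentioned for ~/.authinfo.

```python
import configparser
import os
import stat
from urllib.parse import urlsplit

# Constructed sample file: one section per URL, values are placeholders.
SAMPLE = """
[http://example.com]
login = default
password = constructed-1

[http://example.com/webdav/jane]
login = john
password = constructed-2

[sftp://example.com]
login = robey
password = constructed-3
"""

def is_private(path):
    """True if group/other have no access to the file (i.e. chmod 600 or stricter)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0

def _parts(url):
    u = urlsplit(url)
    segments = [s for s in u.path.split("/") if s]
    return (u.scheme.lower(), (u.hostname or "").lower(), u.port), segments

def find_credentials(config_text, url):
    """Return (login, password) from the closest-matching section, or None."""
    # interpolation=None so a '%' inside a password is taken literally
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(config_text)
    origin, segments = _parts(url)
    best, best_len = None, -1
    for section in cp.sections():
        sec_origin, sec_segments = _parts(section)
        # Scheme, host and port must match exactly, so an HTTP password
        # is never offered to sftp on the same machine name.
        if sec_origin != origin:
            continue
        # Compare whole path segments: /webdav/jane must not match /webdav/janet.
        n = len(sec_segments)
        if segments[:n] == sec_segments and n > best_len:
            best, best_len = section, n
    if best is None:
        return None
    return cp[best].get("login"), cp[best].get("password")
```
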




