Should not store password in plaintext
stash configure stores your password in plain text in ~/.stashconfig.yml, with no warning. This is particularly bad since most installations will be using LDAP login (or something like it), so this password is valid for many more things than Stash.
Should use OAuth instead.
Comments (7)
-
Perhaps https://rubygems.org/gems/ruby-keychain could be integrated...
-
Naturally, ruby-keychain only supports the OSX keychain. I believe OAuth would be a better implementation as it does not require a password to be stored and is platform agnostic.
-
We had the same problem that we did not want to store any passwords. We came up with an extension of the ssh command interface: Pull-Request Support Via SSH
This way you can use the ssh key which is in ~/.ssh/ anyway.
-
Other password based config files allow you to use any shell command (such as a gpg command) to retrieve the password.
goobook and msmtp both use a "passwordeval" key that takes a system command, for example:
Goobook:
passwordeval: gpg --no-tty --quiet --decrypt ~/.account-password.gpg
msmtp:
passwordeval gpg --no-tty --quiet --decrypt ~/.msmtp-gmail.gpg
passwordeval gpg --no-tty --quiet --decrypt ~/.msmtp-work.gpg
I like this approach as you can use whatever shell command you want to evaluate and return your password.
You could pull the command in via a yaml string and just execute it.
-
I submitted a pull request for this.
-
Account Deactivated - changed status to resolved
I agree. The configuration file is stored with a permission bit of 0600 to reduce impact. I doubt that I will have any time to implement OAuth in the command line tools.
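As an added illustration, not code from this issue or from the Stash command line tools: a Ruby sketch that combines the two ideas raised in the thread, the passwordeval-style key proposed above (the config stores a command that prints the secret, rather than the secret itself) and the 0600 permission check mentioned in the last comment. The key name password_eval, the function names and the sample config are assumptions made for this example.

```ruby
require "yaml"
require "open3"
require "tmpdir"

# Hypothetical config loader modelled on msmtp/goobook's "passwordeval":
# the config file never holds the password, only a command that prints it.
#
# Sample config (constructed for this example, not a real Stash file):
#   username: alice
#   password_eval: gpg --no-tty --quiet --decrypt ~/.stash-password.gpg

# Refuse to read a config that other local users can inspect. 0600 matches
# the mode the maintainer says the tools already apply.
def check_private_mode!(path)
  mode = File.stat(path).mode & 0777
  raise "#{path} has mode #{format('%o', mode)}; expected 0600" unless mode == 0600
  true
end

# Run the configured command through the shell and take the first line of
# its output as the password, exactly as passwordeval does.
def eval_password(command)
  out, status = Open3.capture2(command)
  raise "password command failed (exit #{status.exitstatus})" unless status.success?
  raise "password command produced no output" if out.empty?
  out.lines.first.chomp
end

# Load the config; prefer password_eval, fall back (with a warning) to a
# plaintext "password" key so existing configs keep working.
def load_credentials(path)
  check_private_mode!(path)
  cfg = YAML.safe_load(File.read(path))
  password =
    if cfg["password_eval"]
      eval_password(cfg["password_eval"])
    elsif cfg["password"]
      warn "#{path}: plaintext password in config; consider password_eval"
      cfg["password"]
    else
      raise "no password or password_eval in #{path}"
    end
  { username: cfg["username"], password: password }
end

# Write a constructed sample config into dir with the given mode and return
# its path. The default command just prints a dummy secret via the shell.
def write_sample_config(dir, mode: 0600, eval_cmd: "printf 'hunter2\\n'")
  path = File.join(dir, "stashconfig.yml")
  File.write(path, YAML.dump({ "username" => "alice", "password_eval" => eval_cmd }))
  File.chmod(mode, path)
  path
end

if __FILE__ == $0
  Dir.mktmpdir do |dir|
    creds = load_credentials(write_sample_config(dir))
    puts "loaded credentials for #{creds[:username]}"
  end
end
```

Because the command string is handed to the shell, the config file itself becomes as sensitive as a script the user runs; the mode check is what keeps another local user from editing it to substitute their own command, which is why the loader refuses anything other than 0600 instead of merely warning.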