authentication.conf doesnt provide sftp login password
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Bazaar |
Fix Released
|
Undecided
|
Vincent Ladeuil | ||
Bug Description
I am tagging this as a security vulnerability in the same sense that Bug #34685 is considered one. Passing your password on the command line is a bad idea.
I have spent several hours studying the docs and even asked on irc. I have tried everything I can think of, and I can not get this to work.
I am using gentoo but installed Bazaar version 1.0 from a tarball since the gentoo is not current.
My authentication.conf looks like this:
[DEFAULT]
scheme=ssh
<email address hidden>@
user=root
password=~~~~~~~
I tried a lot of different things, including a blank scheme.
The documentation is very unclear about what exactly should go in the [brackets]
yes, I know that logging in as root is considered bad practice. but I have a controlled/trusted situation and am willing to accept the small increase in risk in order to avoid the endless su headache.
the command I am using is:
bzr merge sftp://
changing the user= to a different name does have the expected result. But the password is ignored, I am always prompted for it. If I supply a password manually then the command does connect and execute properly.
I also played with chmod of the authentication.conf file in case the program was being paranoid about the settings.
This is either a bug in the program or a bug in the documentation, take your pick.... if the program actually does work, then please fix the docs so that it is clear how to make this work. Perhaps there is a critical step that is missing?
I note however, that there are several 'fixed' bugs that seem to be affecting the same similar areas of code, perhaps something was broken by these recent changes.
Thanks
Related branches
| codeslinger (codeslinger) wrote | #1 |
| Robert Collins (lifeless) wrote | #2 |
| Vincent Ladeuil (vila) wrote | #3 |
| Changed in bzr: | |
| assignee: | nobody → v-ladeuil |
| status: | New → Confirmed |
| Martin Pool (mbp) wrote | #4 |
| Changed in bzr: | |
| status: | Confirmed → Fix Committed |
| Changed in bzr: | |
| milestone: | none → 1.5 |
| status: | Fix Committed → Fix Released |
in case it is not clear, the '@' signs are only for illustration purposes, I am not actually using them. just not interested in publicly publishing the actual domain name. The domain name is the same in both the conf file and the sftp command.
I did not try the above with a blank host= since I actually deal with several different domains and each has a different password, it would not be useful to have them all the same.
Please do update the docs to make the use of the [brackets] more clear. The examples make it appear as though any random value can be used? But I am guessing that it is actually supposed to be the branch name? anyway, I tried several different things and it did not make any difference.