maven-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Greg Wilkins (JIRA)" <j...@codehaus.org>
Subject [jira] Commented: (MNG-4928) mvn --encrypt-master-password is insecure
Date Wed, 08 Dec 2010 11:42:58 GMT

    [ http://jira.codehaus.org/browse/MNG-4928?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=246852#action_246852
] 

Greg Wilkins commented on MNG-4928:
-----------------------------------

Also a note should be made to anybody that is editing passwords in their setting.xml files,
that many editors keep histories of edits.

for example, I found several instances of my ssh passphrase in .viminfo because I had removed
it from my settings with a search and replace.

> mvn --encrypt-master-password is insecure
> -----------------------------------------
>
>                 Key: MNG-4928
>                 URL: http://jira.codehaus.org/browse/MNG-4928
>             Project: Maven 2 & 3
>          Issue Type: Bug
>          Components: Command Line
>    Affects Versions: 2.2.1, 3.0, 3.0.1
>            Reporter: Greg Wilkins
>
> gregw@Brick: ~
> [506] mvn --encrypt-master-password something-very-very-secret
> {zfC2klZItekHCPGwE+R0JZ2+RjyDlqxP343ThV0R3B5taWEHbI5t+QGfXOZ0mq9j}
> gregw@Brick: ~
> [507] history 2
>   506  mvn --encrypt-master-password something-very-very-secret
>   507  history 2
> commands that take passwords should not accept them from the command line, as they are
then visible in history and even in some PS output. They should prompt for passwords with
echo turned off.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message