ant-notifications mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 43941] Security note for sshexec downgrades security
Date Tue, 15 Jul 2008 18:33:28 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=43941





--- Comment #4 from Franz Haeuslschmid <lukrez@gmx.at>  2008-07-15 11:33:27 PST ---
(In reply to comment #3)
> you mean use the same wording on sshexec's page that is currently used on scp's
> - or vice versa?

The former one.  The description for the Scp task contains the following
security note:

> Security Note: Hard coding passwords and/or usernames in scp task can be a 
> serious security hole. Consider using variable substitution and include the 
> password on the command line. For example:
>
>     <scp todir="${username}:${password}@host:/dir" ...>
>
> Invoking ant with the following command line:
>
>     ant -Dusername=me -Dpassword=mypassword target1 target2
>
> Is slightly better, but the username/password is exposed to all users on a
> Unix system (via the ps command). The best approach is to use the <input> task
> and/or retrieve the password from a (secured) .properties file.  

I think this clearly describes all options with their respective weaknesses.  I
think the Sshexec task should contain a similar hint.


-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
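
The approach the quoted note recommends (the `<input>` task and/or a secured .properties file), applied to sshexec. This build file is an added example, not part of the original message or of the Ant manual; the file path, property names and target names are assumptions, and the `secure` input handler assumes Ant 1.8 or later.

```xml
<project name="remote-check" default="remote-uptime" basedir=".">

  <!-- Assumed location: a properties file outside the source tree,
       readable only by its owner (chmod 600), holding for example:
         ssh.host=build.example.org
         ssh.username=deploy
         ssh.password=...          (optional, see ask-password below)
       A missing file is not an error; the properties just stay unset. -->
  <property file="${user.home}/.ant/ssh.properties"/>

  <!-- Stop early if the non-secret settings are missing. -->
  <target name="check-settings">
    <fail unless="ssh.host"
          message="ssh.host is not set (expected in ~/.ant/ssh.properties)"/>
    <fail unless="ssh.username"
          message="ssh.username is not set (expected in ~/.ant/ssh.properties)"/>
  </target>

  <!-- Runs only when the properties file did not supply a password.
       The secure handler reads from the console without echoing,
       so the value never appears in argv or in shell history. -->
  <target name="ask-password" depends="check-settings" unless="ssh.password">
    <input message="SSH password for ${ssh.username}@${ssh.host}:"
           addproperty="ssh.password">
      <handler type="secure"/>
    </input>
  </target>

  <!-- No credential is hard coded here and none is passed with -D.
       trust is left at its default (false), so the host key is still
       checked against the known_hosts file. -->
  <target name="remote-uptime" depends="ask-password">
    <sshexec host="${ssh.host}"
             username="${ssh.username}"
             password="${ssh.password}"
             command="uptime"/>
  </target>

</project>
```

Run it as plain `ant remote-uptime`; supplying `-Dssh.password=...` would still work but brings back the `ps` exposure the note describes.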
