ant-notifications mailing list archives

Subject DO NOT REPLY [Bug 43941] Security note for sshexec downgrades security
Date Tue, 15 Jul 2008 18:33:28 GMT

--- Comment #4 from Franz Haeuslschmid <>  2008-07-15 11:33:27 PST ---
(In reply to comment #3)
> you mean use the same wording on sshexec's page that is currently used on scp's
> - or vice versa?

The former one.  The description for the Scp task contains the following
security note:

> Security Note: Hard coding passwords and/or usernames in scp task can be a 
> serious security hole. Consider using variable substitution and include the 
> password on the command line. For example:
>     <scp todir="${username}:${password}@host:/dir" ...>
> Invoking ant with the following command line:
>     ant -Dusername=me -Dpassword=mypassword target1 target2
> Is slightly better, but the username/password is exposed to all users on a
> Unix system (via the ps command). The best approach is to use the <input> task
> and/or retrieve the password from a (secured) .properties file.  

I think this clearly describes all options with their respective weaknesses.  I
think the Sshexec task should contain a similar hint.
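
One way to apply the quoted note's last recommendation to sshexec, as an added example that is not part of the original message or of Ant's documentation. The property names, the properties file path, the host and the command are assumptions made for illustration.

```xml
<project name="sshexec-credentials" default="remote-uptime" basedir=".">

  <!-- Assumed host name for this example. -->
  <property name="ssh.host" value="build.example.org"/>

  <!-- Option 1: read ssh.username / ssh.password from a properties file
       kept outside version control (assumed path). Restrict it to the
       owner first, e.g. chmod 600 ~/.ant/secure.properties.
       A missing file is silently ignored by <property file="..."/>. -->
  <property file="${user.home}/.ant/secure.properties"/>

  <!-- Option 2: prompt for whatever the file did not supply.
       The "unless" attribute skips the prompt when the property exists. -->
  <target name="ask-username" unless="ssh.username">
    <input message="SSH user for ${ssh.host}:" addproperty="ssh.username"/>
  </target>

  <target name="ask-password" unless="ssh.password">
    <input message="SSH password for ${ssh.host}:" addproperty="ssh.password">
      <!-- Suppresses echo of the typed password; needs Ant 1.8 or later.
           On older Ant, remove the handler (input is echoed). -->
      <handler type="secure"/>
    </input>
  </target>

  <!-- Nothing secret appears in build.xml or on the ant command line,
       so it is not visible to other users through ps, unlike
       ant -Dusername=me -Dpassword=mypassword. -->
  <target name="remote-uptime" depends="ask-username,ask-password">
    <!-- trust is left at its default (false) so the host key is still
         checked against the known hosts file. -->
    <sshexec host="${ssh.host}"
             username="${ssh.username}"
             password="${ssh.password}"
             command="uptime"
             failonerror="true"/>
  </target>

</project>
```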
