httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 51370] htdigest should accept password as a command-line argument
Date Tue, 14 Jun 2011 17:21:42 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=51370

Philip <pmw+apache@qnan.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WONTFIX                     |

--- Comment #2 from Philip <pmw+apache@qnan.org> 2011-06-14 17:21:42 UTC ---
I've acknowledged in the original post that passing a password on the command
line is insecure.  However, a good program allows the user to trade convenience
for security.  As I said, in my particular situation, there is no security
issue -- it's a personal laptop and I am the only user logged in.

Some well-known command-line programs *optionally* accept a password on the
command line.  Two off the top of my head: MySQL's official command-line client
(with the -p option) and PostgreSQL's official command-line client (with the
conninfo string).

The intended audience of 'htdigest' is not a soccer mom; it's presumably a
system/web administrator who's using it on a command line of a Unix-based
system.  If they need to use htdigest in a script, we should make it convenient
for them.

How about if I update the usage info and the manpage to indicate that passing a
password on the command line is not recommended for security reasons?

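
For the scripted use discussed in this comment, an added example (not part of the original message and not httpd's own code): a Python script that writes the same `user:realm:MD5(user:realm:password)` line that htdigest stores, but reads the password from stdin so it never appears in the process argument list. The function names, the UTF-8 encoding and the colon check are assumptions of this example.

```python
#!/usr/bin/env python3
"""Add or replace one htdigest entry; the password arrives on stdin, never in argv."""
import getpass
import hashlib
import os
import sys


def digest_line(user: str, realm: str, password: str) -> str:
    """Return one htdigest line: user:realm:MD5(user:realm:password)."""
    if ":" in user or ":" in realm:
        raise ValueError("user and realm must not contain ':' (field separator)")
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()
    return f"{user}:{realm}:{ha1}"


def update_entries(existing: str, user: str, realm: str, password: str) -> str:
    """Return file content with the user/realm entry replaced or appended."""
    prefix = f"{user}:{realm}:"
    kept = [ln for ln in existing.splitlines() if ln and not ln.startswith(prefix)]
    kept.append(digest_line(user, realm, password))
    return "\n".join(kept) + "\n"


def read_password() -> str:
    """Prompt without echo on a terminal; otherwise take one line from the pipe."""
    if sys.stdin.isatty():
        return getpass.getpass("New password: ")
    return sys.stdin.readline().rstrip("\r\n")


def main(argv: list) -> int:
    if len(argv) != 4:
        print(f"usage: {argv[0]} passwdfile realm username < password", file=sys.stderr)
        return 2
    path, realm, user = argv[1:]
    old = ""
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            old = fh.read()
    new = update_entries(old, user, realm, read_password())
    # Mode 0o600 takes effect only when this call creates the file.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(new)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The argument order follows htdigest's own `passwdfile realm username`; a calling script supplies the password by redirecting stdin from a file or pipe it controls.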