login: warn about --password on command line #218
Conversation
Codecov Report
@@ Coverage Diff @@
## master #218 +/- ##
==========================================
+ Coverage 46.83% 46.84% +<.01%
==========================================
Files 172 172
Lines 11692 11692
==========================================
+ Hits 5476 5477 +1
+ Misses 5904 5903 -1
Partials 312 312 |
|
Needs a rebase. |
tych0
force-pushed
the
warn-about-password-on-cli
branch
from
fa92e4d
to
92c3ecf
Compare
|
Done, looks like the previous merge broke the build, so I fixed that too, let me know if my fix is wrong; I don't know anything about this code :) |
|
Hmm. And it seems the linter is complaining about this... but if we try it the way it was (the way the linter is suggesting), it doesn't compile. |
It builds (at least on go 1.8.3) but the linter crashes. |
cli/command/registry/login.go
Outdated
| @@ -47,6 +51,34 @@ func runLogin(dockerCli command.Cli, opts loginOptions) error { | |||
| ctx := context.Background() | |||
| clnt := dockerCli.Client() | |||
|
|
|||
| if opts.password != "" { | |||
| fmt.Fprintf(os.Stderr, "Using --password via the CLI is insecure. Please use --password-file.\n") | |||
There was a problem hiding this comment.
os.Stderr should be dockerCli.Err()
cli/command/registry/login.go
Outdated
| fmt.Fprintf(os.Stderr, "Using --password via the CLI is insecure. Please use --password-file.\n") | ||
| } | ||
|
|
||
| if opts.passwordFile != "" { |
There was a problem hiding this comment.
We should also support reading from stdin if passwordFile == "-". There is code to handle that from an arg in other commands. I'm not sure if we have a function for it yet, or if maybe we could extract one.
Other places this is done are docker build, docker import, docker secret create
cli/command/registry/login.go
Outdated
| * conforms to the principle of least surprise, but I could be | ||
| * wrong :) | ||
| */ | ||
| if contents[len(contents)-1] == '\n' { |
There was a problem hiding this comment.
Anytime I have a long comment like this I think it's a good idea to split it into a new function. That way the comment can serve as a docstring on the function instead of cluttering up the logic within a function. Even if the function is only 3 lines, that's fine.
Maybe something like normalizePasswordFileContent() ?
|
I'm looking into the other 2 linter errors. I don't see them failing on master. |
|
Linter errors are fixed in #221 if you want to rebase on that commit (or just wait until it gets merged). There's some explanation of the problem as well. |
|
On Tue, Jun 20, 2017 at 9:40 PM, Daniel Nephin ***@***.***> wrote:
but if we try it the way it was (the way the linter is suggesting), it
doesn't compile.
It does compile, CI was green. Are you building outside of a container
with an older version of GO maybe?
I'm just typing "make" :). My host go version is 1.7.4.
… —
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#218 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AAv612gVBfkO3vY_T-GdtvVU4OzGvozOks5sGJDCgaJpZM4OAS0D>
.
|
|
You can use |
tych0
force-pushed
the
warn-about-password-on-cli
branch
from
92c3ecf
to
a7264ac
Compare
|
Thanks; seems that still didn't work for me (it didn't use the current version, where there was an obvious syntax error, but instead compiled successfully). Anyway, I dropped that commit and addressed all your feed back. I'm happy to rebase once #221 goes in, just ping me. |
cli/command/registry/login.go
Outdated
| * For users that do have a \n as the last character of their password, they | ||
| * need to store it as \n\n. I think this conforms to the principle of least | ||
| * surprise, but I could be wrong :) | ||
| */ |
There was a problem hiding this comment.
I believe the go convention is to use // single line comments for everything instead of /* ... */
tych0
force-pushed
the
warn-about-password-on-cli
branch
from
a7264ac
to
c754a2d
Compare
|
Fixed, thanks! |
tych0
force-pushed
the
warn-about-password-on-cli
branch
from
c754a2d
to
7677b98
Compare
|
I've just rebased this now that #221 is merged, so this should be good to go as well. |
|
@vdemeester big improvement on the discussion we had. I'll open an issue to make sure that users simply don't provide passwords on the commandline, either stdin or from file |
There was a problem hiding this comment.
Thanks for the PR, two comments/questions :
- Not a huge fan of
-fshort flag, doesn't tell me it's for password, user or both.-pfor no short flag - We should make those mutually exclusive (or warn that password file
--password-fileoverride--password)
(cc @thaJeztah)
This isn't safe, since every commands arguments are available via /proc/<pid>/cmdline. Let's print a nasty warning and then add a --password-file option, so people can use a password file instead if they want automated access. Signed-off-by: Tycho Andersen <tycho@tycho.ws>
tych0
force-pushed
the
warn-about-password-on-cli
branch
from
7677b98
to
ea37ec4
Compare
|
The CLI library doesn't seem to like -pf: so I've just dropped the short flag for now, and made them mutually exclusive. |
|
Looks like I'm a bit late to the party; I'm 👍 on a big red warning when using Having a password file means: hey! you should store your password in a plain-text file on your machine! I don't think we should promote this What if, instead, we allow the password to be piped in? Looks like it's currently not supported; # or whatever means to pipe the password
$ echo $SECRET | docker login -u myname
Error: Cannot perform an interactive login from a non TTY device |
|
please dont just have --password-file options but also have environment variables like DOCKER_ServerURL, DOCKER_Username and DOCKER_Secret. This can help in atomating the docker login process. |
|
Putting secrets in environment variables is just as unsafe as putting them in the command line (the task's initial environment is available via /proc/pid/environ). There are some other ways this leaks too: https://diogomonica.com/2017/03/27/why-you-shouldnt-use-env-variables-for-secret-data/ So the patches will only support taking passwords via stdin. |
This isn't safe, since every commands arguments are available via
/proc//cmdline.
Let's print a nasty warning and then add a --password-file option, so
people can use a password file instead if they want automated access.
Signed-off-by: Tycho Andersen tycho@tycho.ws