-
Notifications
You must be signed in to change notification settings - Fork 905
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
When defining a proxy without credentials - proxy password is shown in plain text when installing a package #503
Comments
@KurtTheBerner - can you please expand on this? |
From my understanding, you set up the proxy without a password, and then it asks you for the password (and displays it in plain text somewhere) in the logs? Is that correct? If the proxy requires explicit credentials, you should be adding both user and password to the config. They will be encrypted. The use case for not also setting credentials with a proxy is when they are not required to be specified to use the proxy (the permissions are passed with Kerberos or something similar). |
What is the use case for avoiding adding the credentials to the config? |
I don’t want the password stored in config file for the following reasons:
If no password is defined in config file, choco ask interactively for username and password. If I type the password it is displayed in plain text instead of stars (****). Von: Rob Reynolds [mailto:[email protected]] What is the use case for avoiding adding the credentials to the config? — If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. |
Can you give me an example of the password being shown? Screen shots with the sensitive items being removed would be great. I'm trying to determine if this is Chocolatey, NuGet or something else doing this. |
C:\Users\Customer>choco install SamplePackage SamplePackage v2.16.0.0 Von: Rob Reynolds [mailto:[email protected]] Can you give me an example of the password being shown? Screen shots with the sensitive items being removed would be great. I'm trying to determine if this is Chocolatey, NuGet or something else doing this. — If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. |
Awesome. If this is the only place then I know where to go to handle this. |
Thanks for logging this issue! This is fixed and will be in 0.9.10. |
when a source and/or a proxy does not have the credentials stored in the chocolatey.config file or when they are incorrect, choco will prompt for valid credentials. When requesting proxy/network password for a source, the password should be masked on the screen so that the password is not able to be seen by other folks.
From @KurtTheBerner at https://github.com/chocolatey/chocolatey.org/issues/288
The text was updated successfully, but these errors were encountered: