Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

When defining a proxy without credentials - proxy password is shown in plain text when installing a package #503

Closed
ferventcoder opened this issue Dec 8, 2015 · 8 comments

Comments

@ferventcoder
Copy link
Member

From @KurtTheBerner at https://github.com/chocolatey/chocolatey.org/issues/288

When defining a proxy without credentials in chocolatey.config:
The password of the credential query when installing a package is displayed in plain text.

@ferventcoder
Copy link
Member Author

@KurtTheBerner - can you please expand on this?

@ferventcoder
Copy link
Member Author

From my understanding, you set up the proxy without a password, and then it asks you for the password (and displays it in plain text somewhere) in the logs? Is that correct?

If the proxy requires explicit credentials, you should be adding both user and password to the config. They will be encrypted. The use case for not also setting credentials with a proxy is when they are not required to be specified to use the proxy (the permissions are passed with Kerberos or something similar).

@ferventcoder
Copy link
Member Author

What is the use case for avoiding adding the credentials to the config?

@KurtTheBerner
Copy link

I don’t want the password stored in config file for the following reasons:

  •      It is a domain password, we deliver these systems to our customers
    
  •      Password has to be changed
    

If no password is defined in config file, choco ask interactively for username and password. If I type the password it is displayed in plain text instead of stars (****).

Von: Rob Reynolds [mailto:[email protected]]
Gesendet: Dienstag, 8. Dezember 2015 21:19
An: chocolatey/choco
Cc: Burri Kurt
Betreff: [Newsletter] Re: [choco] When defining a proxy without credentials - proxy password is shown in plain text when installing a package (#503)

What is the use case for avoiding adding the credentials to the config?


Reply to this email directly or view it on GitHubhttps://github.com//issues/503#issuecomment-163004795.

If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

@ferventcoder
Copy link
Member Author

Can you give me an example of the password being shown? Screen shots with the sensitive items being removed would be great. I'm trying to determine if this is Chocolatey, NuGet or something else doing this.

@KurtTheBerner
Copy link

C:\Users\Customer>choco install SamplePackage
Installing the following packages:
SamplePackage
By installing you accept licenses for the packages.
Please provide proxy credentials:
User name: myDomain\myUsername
Password: myPassword

SamplePackage v2.16.0.0
Copying SamplePackage
from 'C:\ProgramData\chocolatey\lib\SamplePackage\tools\SamplePackage.exe'
Installing SamplePackage...
SamplePackage has been installed.
ShimGen has successfully created a shim for SamplePackage.exe
The install of SamplePackage was successful.

Von: Rob Reynolds [mailto:[email protected]]
Gesendet: Mittwoch, 9. Dezember 2015 18:32
An: chocolatey/choco
Cc: Burri Kurt
Betreff: [Newsletter] Re: [choco] When defining a proxy without credentials - proxy password is shown in plain text when installing a package (#503)

Can you give me an example of the password being shown? Screen shots with the sensitive items being removed would be great. I'm trying to determine if this is Chocolatey, NuGet or something else doing this.


Reply to this email directly or view it on GitHubhttps://github.com//issues/503#issuecomment-163333495.

If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

@ferventcoder
Copy link
Member Author

Please provide proxy credentials:
User name: myDomain\myUsername
Password: myPassword

Awesome. If this is the only place then I know where to go to handle this.

@ferventcoder ferventcoder added this to the 0.9.10 milestone Dec 11, 2015
@ferventcoder ferventcoder self-assigned this Feb 3, 2016
@ferventcoder
Copy link
Member Author

Thanks for logging this issue! This is fixed and will be in 0.9.10.

ferventcoder added a commit that referenced this issue Feb 4, 2016
when a source and/or a proxy does not have the credentials stored in
the chocolatey.config file or when they are incorrect, choco will
prompt for valid credentials. When requesting proxy/network password
for a source, the password should be masked on the screen so that the
password is not able to be seen by other folks.
ferventcoder added a commit that referenced this issue Feb 4, 2016
* stable:
  (doc) update CHANGELOG/nuspec
  (GH-604) Add licensed source automatically
  (GH-466) Credential cache validates against base url
  (GH-607) Pack Strips Out Choco Specific Metadata
  (GH-503) Credential request should mask password
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants