podman login leaves password in clear

[TomSweeneyRedHat]

I just used the most recent Docker for the first time in a long time and when doing docker login I get:

# docker login quay.io
Username: tomsweeneyredhat
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

In the most up to date podman, 1.6-dev we don't do a similar warning for podman login and probably should. We'll also need to make sure podman login works with a credential helper too. Probably the same story in buildah login too.

[TomSweeneyRedHat]

@QiWang19 PTAL

[QiWang19]

support the "credsStore" has been working on containers/image#656

c/image and podman already support "credHelpers", but only works for config in /run/user/0/auth.json and sudo podman login

with config in /run/user/1000/auth.json and podman login got error

{
        "credHelpers": {
                "docker.io": "secretservice"
        }
}

Error: error reading auth file: error getting credentials - err: exit status 1, out: `Exhausted all available authentication mechanisms (tried: EXTERNAL) (available: EXTERNAL)`

I think this should be fixed before podman login return credentials-store WARNING.....
#4123

[github-actions]

This issue had no activity for 30 days. In the absence of activity or the "do-not-close" label, the issue will be automatically closed within 7 days.

[vrothberg]

Throwing a warning can be done independently of the ongoing work for credStores but it must be done in c/image. @TomSweeneyRedHat, are you interested in opening a PR for c/image? I guess we could do a fmt.Fprintf(os.Stderr, "$WARNING") when using an authfile while storing credentials.

[TomSweeneyRedHat]

I'll work with @QiWang19 to make this happen

[rhatdan]

@QiWang19 @TomSweeneyRedHat What should we do with this one?

[TomSweeneyRedHat]

We should keep it. It got lost in the weeds, but is needed.

[rhatdan]

@QiWang19 Could you look into fixing this and adding the warning?

[QiWang19]

Will fix on adding the warning after the credential helper can be used as default.

@QiWang19 Could you look into fixing this and adding the warning?

[rugk]

Accidentally opened #7254 as a duplicate.
So I'd very much like to see libsecret support, at least, so passwords are saved in the credential store on Linux desktops.

[rhatdan]

@QiWang19 What is the latest on this?

[github-actions]

A friendly reminder that this issue had no activity for 30 days.

[rhatdan]

@QiWang19 Any progress?

[QiWang19]

If https://github.com/containers/image/pull/971could finally merged, this can be issue closed by using credential helpers. But I haven't been working on this for a while. And I have no idea why the upstream fix docker/docker-credential-helpers#191 failed the CI.

[github-actions]

A friendly reminder that this issue had no activity for 30 days.

[github-actions]

A friendly reminder that this issue had no activity for 30 days.

[vrothberg]

What is the scope of the issue? I think there is a number of mentioned topics which makes it hard to know when can close. Is it credhelpers, is it a warning?

Throwing a warning for the default setup may raise the question why it is the default.

[rhatdan]

Once we have changed the credhelper to something other the auth.json file, we can close this. For rootless users we should default to gnome-secrets.

[rugk]

For rootless users we should default to gnome-secrets.

Yes! Respectively to some XDG standard of that…

E.g. this libsecret thing git uses…

[rhatdan]

Yes that looks perfect.

[github-actions]

A friendly reminder that this issue had no activity for 30 days.

[rugk]

shh #badbot 🔕🤖🔕

…that does still not mean the issue is magically solved.

[rhatdan]

@cdoern PTAL

[TomSweeneyRedHat]

Just noting that containers/image#1193 supplied the credential helpers bit of this along with this issue: #4123

[umohnani8]

This looks like it might be done based on @TomSweeneyRedHat's comment above. Is there anything else left to do here @rhatdan @vrothberg @QiWang19?

[rhatdan]

Yes I believe this is complete. Reopen if I am mistaken.