"hg archive" with remote URL
Mutlu Dogruel
mutludogruel at gmail.com
Fri Aug 9 15:58:21 UTC 2013
On 9 Aug 2013, at 16:02, "Kastner Masilko, Friedrich" <kastner-masilko at at.festo.com> wrote:
>
> Ah, I think I see your point now: you already have an SSH key on your machine (for Chef to work), and you want to re-use that.
>
> In this case the logs containing the password are not so big of a problem if they have the same viewing rights as the .ssh files. The key to get to the repo is already on the machine, so I think in terms of security you are on par with the password method. IMHO there is no difference between getting the password from a log and having the key right there in the .ssh directory. But I can understand that you are concerned about having them transmitted over the wire in the first place.
>
> That said, wget offers the possibility to use a file for user/password settings. If you have to pre-install SSH keys on the remote machine for Chef to work, how about pre-installing a user/password file along with them? You could e.g. create a .wgetrc like so:
>
> user = CompanyChef
> password = <Lets_just_use_some_hash_here>
>
> and then issue this in the script:
>
> wget https://bitbucket.org/company/secretrepo/get/tip.zip
>
> I just tried that and it works like a charm. Maybe you can forward such ideas to the BB team, who knows what clever solution they could work out with them?
>
> Regards,
> Fritz
Hiding the password is a good practice, but eventually, if you use this basic authentication, wget still sends the password in plain text. In practice, there is no difference between supplying your password on the URL and wget reading it and sending it along with the URL, apart from the fact that the command line history will not have any line with your password. Thus, you need to encrypt the password sent; otherwise any person sniffing your network will get hold of it. The solution is to use "digest access authentication", which is theoretically supported by both wget and curl. However, apparently wget has a bug in its digest auth implementation, so the Bitbucket people are recommending curl:
https://bitbucket.org/site/master/issue/3225/commanline-download-compressed-tip
Also, we don't use the same ssh key used by Chef itself in accessing our project repos. But Chef has access to a set of encrypted ssh keys which are then decrypted on the client machine and then used to do stuff, before they are deleted.
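The credentials-file approach from Fritz's reply, combined with the curl digest recommendation from the Bitbucket issue, as an added example that is not from either poster: the password lives in an owner-only netrc-style file (never in the URL, argv or shell history), and the fetch refuses to run if that file is readable by anyone else. The host, user and password values are constructed placeholders; the archive URL shape follows the one quoted in the thread.

```shell
#!/bin/sh
# Create CRED_FILE with a netrc entry, created owner-read/write only (0600).
# Note: the umask only governs a newly created file; an existing file keeps
# its current permission bits, so create the file fresh.
write_cred_file() {
    cred_file=$1; host=$2; user=$3; pass=$4
    old_umask=$(umask)
    umask 077
    printf 'machine %s login %s password %s\n' "$host" "$user" "$pass" > "$cred_file"
    umask "$old_umask"
}

# Return 0 if the permission bits grant no group/other access (e.g. rw-------).
# Uses ls -ld so it works on both GNU and BSD userlands.
cred_file_is_private() {
    perms=$(ls -ld "$1" | cut -c2-10)
    case "$perms" in
        ???------) return 0 ;;
        *)         return 1 ;;
    esac
}

# Download a repository tip archive using digest auth, reading credentials
# from the private file. Returns 2 without contacting the server if the
# credentials file is exposed to other users.
fetch_tip() {
    cred_file=$1; url=$2; out=$3
    if ! cred_file_is_private "$cred_file"; then
        echo "refusing: $cred_file is readable by group/other" >&2
        return 2
    fi
    curl --fail --silent --show-error --digest \
         --netrc-file "$cred_file" -o "$out" "$url"
}

# Usage (placeholders, constructed for this example):
#   write_cred_file "$HOME/.bb-netrc" bitbucket.org CompanyChef 'REPLACE_ME'
#   fetch_tip "$HOME/.bb-netrc" https://bitbucket.org/company/secretrepo/get/tip.zip tip.zip
```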