You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "Mark Hobson (JIRA)" <ji...@codehaus.org> on 2009/03/20 20:47:13 UTC
[jira] Created: (MNG-4099) Password encryption CLI switches should
prompt for password if missing
Password encryption CLI switches should prompt for password if missing
----------------------------------------------------------------------
Key: MNG-4099
URL: http://jira.codehaus.org/browse/MNG-4099
Project: Maven 2
Issue Type: Improvement
Components: Command Line
Affects Versions: 2.1.0
Reporter: Mark Hobson
Priority: Trivial
The -emp and -ep CLI switches should prompt for a password if the user omits it. This would help to avoid having to escape shell characters in strong passwords.
Note that the docs mention that these switches prompt for a password when they do not:
http://maven.apache.org/guides/mini/guide-encryption.html
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] (MNG-4099) Password encryption CLI switches should prompt
for password if missing
Posted by "Knut Vidar Siem (JIRA)" <ji...@codehaus.org>.
[ https://jira.codehaus.org/browse/MNG-4099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=312502#comment-312502 ]
Knut Vidar Siem commented on MNG-4099:
--------------------------------------
As far as I can tell, the password collection is implemented in [org.apache.maven.cli.MavenCli#encryption(CliRequest)|http://maven.apache.org/ref/3.0.4/maven-embedder/xref/org/apache/maven/cli/MavenCli.html#483] using [commons-cli|http://commons.apache.org/cli/]. A straight-forward implementation prompting for the password while not echoing it would be to use [java.io.Console#readPassword()|http://docs.oracle.com/javase/6/docs/api/java/io/Console.html#readPassword()] from JDK6 if possible. Suggested pre-JDK6 solutions seem surprisingly complex, such as [concurrently sending backspace characters|http://web.archive.org/web/20110604072946/http://java.sun.com/developer/technicalArticles/Security/pwordmask/], or non-portable (JNI).
There is a comment in the code suggesting that this functionality should be moved to a separate tool. Why is that and what kind of tool would that be, a plugin or a completely separate utility?
> Password encryption CLI switches should prompt for password if missing
> ----------------------------------------------------------------------
>
> Key: MNG-4099
> URL: https://jira.codehaus.org/browse/MNG-4099
> Project: Maven 2 & 3
> Issue Type: Improvement
> Components: Command Line
> Affects Versions: 2.1.0
> Reporter: Mark Hobson
> Priority: Trivial
> Fix For: 3.x / Backlog
>
>
> The -emp and -ep CLI switches should prompt for a password if the user omits it. This would help to avoid having to escape shell characters in strong passwords.
> Note that the docs mention that these switches prompt for a password when they do not:
> http://maven.apache.org/guides/mini/guide-encryption.html
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://jira.codehaus.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Updated: (MNG-4099) Password encryption CLI switches should
prompt for password if missing
Posted by "Brett Porter (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/MNG-4099?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Brett Porter updated MNG-4099:
------------------------------
Fix Version/s: 2.1.x
> Password encryption CLI switches should prompt for password if missing
> ----------------------------------------------------------------------
>
> Key: MNG-4099
> URL: http://jira.codehaus.org/browse/MNG-4099
> Project: Maven 2
> Issue Type: Improvement
> Components: Command Line
> Affects Versions: 2.1.0
> Reporter: Mark Hobson
> Priority: Trivial
> Fix For: 2.1.x
>
>
> The -emp and -ep CLI switches should prompt for a password if the user omits it. This would help to avoid having to escape shell characters in strong passwords.
> Note that the docs mention that these switches prompt for a password when they do not:
> http://maven.apache.org/guides/mini/guide-encryption.html
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Updated: (MNG-4099) Password encryption CLI switches should
prompt for password if missing
Posted by "Brett Porter (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/MNG-4099?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Brett Porter updated MNG-4099:
------------------------------
Fix Version/s: (was: 2.2.x)
3.x
> Password encryption CLI switches should prompt for password if missing
> ----------------------------------------------------------------------
>
> Key: MNG-4099
> URL: http://jira.codehaus.org/browse/MNG-4099
> Project: Maven 2 & 3
> Issue Type: Improvement
> Components: Command Line
> Affects Versions: 2.1.0
> Reporter: Mark Hobson
> Priority: Trivial
> Fix For: 3.x
>
>
> The -emp and -ep CLI switches should prompt for a password if the user omits it. This would help to avoid having to escape shell characters in strong passwords.
> Note that the docs mention that these switches prompt for a password when they do not:
> http://maven.apache.org/guides/mini/guide-encryption.html
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Commented: (MNG-4099) Password encryption CLI switches
should prompt for password if missing
Posted by "Julien Nicoulaud (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/MNG-4099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=236639#action_236639 ]
Julien Nicoulaud commented on MNG-4099:
---------------------------------------
It is a security issue too, passing passwords in the command line is not secure as one could browse shell history afterwards. Most commands such as ssh do not allow it.
> Password encryption CLI switches should prompt for password if missing
> ----------------------------------------------------------------------
>
> Key: MNG-4099
> URL: http://jira.codehaus.org/browse/MNG-4099
> Project: Maven 2 & 3
> Issue Type: Improvement
> Components: Command Line
> Affects Versions: 2.1.0
> Reporter: Mark Hobson
> Priority: Trivial
> Fix For: 3.x / Backlog
>
>
> The -emp and -ep CLI switches should prompt for a password if the user omits it. This would help to avoid having to escape shell characters in strong passwords.
> Note that the docs mention that these switches prompt for a password when they do not:
> http://maven.apache.org/guides/mini/guide-encryption.html
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Commented: (MNG-4099) Password encryption CLI switches
should prompt for password if missing
Posted by "Brett Porter (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/MNG-4099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=170608#action_170608 ]
Brett Porter commented on MNG-4099:
-----------------------------------
Arnaud has improved the documentation for this, will file this for a future enhancement.
> Password encryption CLI switches should prompt for password if missing
> ----------------------------------------------------------------------
>
> Key: MNG-4099
> URL: http://jira.codehaus.org/browse/MNG-4099
> Project: Maven 2
> Issue Type: Improvement
> Components: Command Line
> Affects Versions: 2.1.0
> Reporter: Mark Hobson
> Priority: Trivial
> Fix For: 2.1.x
>
>
> The -emp and -ep CLI switches should prompt for a password if the user omits it. This would help to avoid having to escape shell characters in strong passwords.
> Note that the docs mention that these switches prompt for a password when they do not:
> http://maven.apache.org/guides/mini/guide-encryption.html
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira