Tobias Bocanegra created JCRVLT-26:
--------------------------------------
Summary: File vault stores passwords in clear text in
~/.vault/auth.xml
Key: JCRVLT-26
URL: https://issues.apache.org/jira/browse/JCRVLT-26
Project: Jackrabbit FileVault
Issue Type: Bug
Affects Versions: 3.0
Reporter: Tobias Bocanegra
Assignee: Tobias Bocanegra
Fix For: 3.1
The file vault vlt utility stores passwords in clear text in
{{~/.vault/auth.xml}} without telling the user or asking for permission. vlt
should also not accept the password in the command line (because it remains in
the shell history and is visible in the process list while the program is
running). It should ask for it interactively.
Proposed solution:
* {{--credentials}} are not stored in the {{auth.xml}} by default unless
{{--update-credentials}} is given or if they are equal to {{"admin:admin"}}
* if the password is omitted in the {{--credentials}} argument it is prompted
using {{java.io.Console#readPassword()}}
* if in any case the password is written to {{auth.xml}} it is reported to the
user: "Credentials updated for <hostname> in ~/.vault/auth.xml"
* the passwords are obfuscated with a symmetric encryption.
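
A sketch of the argument handling proposed in the first three points, added here as an example; it is not FileVault code. The class name `CredentialsArg`, its methods and the positional argument layout in `main` are hypothetical, and the write to `auth.xml` (including the obfuscation step) is left out.

```java
import java.io.Console;
import java.util.Arrays;

/** Hypothetical sketch of the proposed --credentials handling; not FileVault code. */
public class CredentialsArg {
    final String user;
    final char[] password;

    CredentialsArg(String user, char[] password) {
        this.user = user;
        this.password = password;
    }

    /** Parses "user" or "user:password"; prompts without echo when the password is omitted. */
    static CredentialsArg parse(String arg, Console console) {
        int idx = arg.indexOf(':');
        if (idx >= 0) {
            return new CredentialsArg(arg.substring(0, idx), arg.substring(idx + 1).toCharArray());
        }
        if (console == null) { // System.console() is null when no interactive terminal is attached
            throw new IllegalStateException("No console available to prompt for the password");
        }
        char[] pw = console.readPassword("Password for %s: ", arg);
        if (pw == null) { // end of input reached before a password was typed
            throw new IllegalStateException("No password entered");
        }
        return new CredentialsArg(arg, pw);
    }

    /** Store only on explicit request, or for the default admin:admin pair. */
    boolean shouldStore(boolean updateCredentials) {
        return updateCredentials
                || ("admin".equals(user) && Arrays.equals("admin".toCharArray(), password));
    }

    public static void main(String[] args) {
        // Constructed invocation for this example: <user[:password]> <hostname> [--update-credentials]
        if (args.length < 2) {
            System.err.println("usage: CredentialsArg <user[:password]> <hostname> [--update-credentials]");
            return;
        }
        CredentialsArg creds = parse(args[0], System.console());
        boolean update = args.length > 2 && "--update-credentials".equals(args[2]);
        if (creds.shouldStore(update)) {
            // Writing auth.xml is omitted here; only the user-visible report is shown.
            System.out.println("Credentials updated for " + args[1] + " in ~/.vault/auth.xml");
        }
        Arrays.fill(creds.password, '\0'); // clear the password from memory after use
    }
}
```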