[ https://issues.apache.org/jira/browse/JCRVLT-26?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tobias Bocanegra resolved JCRVLT-26.
------------------------------------
Resolution: Fixed
Fixed as proposed. See JCRVLT-27 for 'rcp' follow-up.
> File vault stores passwords in clear text in ~/.vault/auth.xml
> --------------------------------------------------------------
>
> Key: JCRVLT-26
> URL: https://issues.apache.org/jira/browse/JCRVLT-26
> Project: Jackrabbit FileVault
> Issue Type: Bug
> Affects Versions: 3.0
> Reporter: Tobias Bocanegra
> Assignee: Tobias Bocanegra
> Fix For: 3.1
>
>
> The file vault vlt utility stores passwords in clear text in
> {{~/.vault/auth.xml}} without telling the user or asking for permission. vlt
> should also not accept the password in the command line (because it remains
> in the shell history and is visible in the process list while the program is
> running). It should ask for it interactively.
> Proposed solution:
> * {{--credentials}} are not stored in the {{auth.xml}} by default unless
> {{--update-credentials}} is given or if they are equal to {{"admin:admin"}}
> * if the password is omitted in the {{--credentials}} argument it is prompted
> using {{java.io.Console#readPassword()}}
> * if in any case the password is written to {{auth.xml}} it is reported to
> the user: "Credentials updated for <hostname> in ~/.vault/auth.xml"
> * the passwords are obfuscated with a symmetric encryption.
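The behaviour proposed in the issue, as an added example that is not FileVault's own code: the password is prompted for with `java.io.Console#readPassword()` when it is omitted, and credentials are stored only with `--update-credentials` or when they equal `admin:admin`. The class and method names are hypothetical, and the `user[:password]` form of the `--credentials` value is an assumption.

```java
import java.io.Console;
import java.util.Arrays;

// Added illustration, not FileVault source. Names are hypothetical; the
// "user[:password]" form of the --credentials value is an assumption.
public class CredentialsArg {
    final String user;
    final char[] password;
    CredentialsArg(String user, char[] password) {
        this.user = user;
        this.password = password;
    }

    // Take the password from the argument if present, otherwise prompt without echo.
    static CredentialsArg parse(String arg, Console console) {
        int sep = arg.indexOf(':');
        if (sep >= 0) {
            return new CredentialsArg(arg.substring(0, sep), arg.substring(sep + 1).toCharArray());
        }
        if (console == null) { // input/output redirected: no terminal to prompt on
            throw new IllegalStateException("password omitted and no console available");
        }
        char[] pw = console.readPassword("Password for %s: ", arg);
        if (pw == null) { // end of input at the prompt
            throw new IllegalStateException("no password entered");
        }
        return new CredentialsArg(arg, pw);
    }

    // Persist only on explicit request, or for the default admin:admin pair.
    boolean shouldStore(boolean updateCredentials) {
        return updateCredentials
                || ("admin".equals(user) && Arrays.equals(password, "admin".toCharArray()));
    }

    public static void main(String[] args) {
        boolean update = Arrays.asList(args).contains("--update-credentials");
        int i = Arrays.asList(args).indexOf("--credentials");
        if (i < 0 || i + 1 >= args.length) {
            System.err.println("usage: --credentials user[:password] [--update-credentials]");
            return;
        }
        CredentialsArg c = parse(args[i + 1], System.console());
        if (c.shouldStore(update)) {
            // Writing auth.xml is left out: its format is not shown in the issue.
            System.out.println("Credentials updated for <hostname> in ~/.vault/auth.xml");
        }
        Arrays.fill(c.password, '\0'); // clear the password once it is no longer needed
    }
}
```

Running it with `--credentials alice` on a terminal prompts without echo; with stdin and stdout redirected `System.console()` returns null and the example fails rather than reading the password some other way.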