Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
823 views
in Technique[技术] by (71.8m points)

git - _netrc/.netrc alternative to cURL

I've been looking at Git and cURL and I found some references about .netrc, that may help on HTTP authentication. The problem is: .netrc is dumb, because it stores passwords in plain text format, which is a big security issue for the solution I'm developing.

Is there an alternative to the .netrc approach? Is it possible to develop an "authentication backend" to cURL?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Update April 2013, git 1.8.3:

A new read-only credential helper (in contrib/) to interact with the .netrc/.authinfo files has been added.

That script would allow you to use gpg-encrypted netrc files, avoiding the issue of having your credentials stored in a plain text file.

To enable this credential helper:

git config credential.helper '$shortname -f AUTHFILE1 -f AUTHFILE2'

(Note that Git will prepend "git-credential-" to the helper name and look for it in the path.)

**See a full example at "Is there a way to skip password typing when using https:// github**"


Original answer (March 2011)

The only alternative (except not using it and going through ssh) would be to:

  • encrypt that file (for instance, on Windows, with the utility 'crypt')
  • decrypt it just before the curl call
  • then encrypt it again right after the curl call

Note that on Unix, that file is normally in mode 600, only visible by you.
On Windows (_netrc), that file should be in your HOMEDIR, which shouldn't be accessible (through Windows ACL) to any other users.
But I still don't like a password in plain text...

This thread, for example, goes through the same process (on Unix for gpg, but it still illustrates the solution nicely):

Below I have included a sample script implementing the usage of 'gpg', which can be used to encrypt the contents of a file. It's in shell script, however I'm sure you can adapt the concept to your perl script.

I think for your needs the basic idea is:

  1. create a plain-text file with your password (and other info) 2. encrypt it using gpg and store the encrypted file; dispose of the plain-text file 3. Within the perl script, decrypt the encrypted file into a plain-text file 4. read contents of plain-text file during runtime of your script 5. delete plain-text file as soon as possible.

Here's just an example of the workings of gpg:

#!/bin/sh
echo -n "Enter your password: "
read pass

FILE=~/mypassword
echo $pass > $FILE
gpg -c $FILE
rm -f $FILE

gpg $FILE.gpg
MYPASSWORD=`cat $FILE`
rm -f $FILE

echo $MYPASSWORD

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...