[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Libvir] PATCH: 1/10: SASL authentication support



On Thu, Nov 29, 2007 at 07:20:08PM +0000, Daniel P. Berrange wrote:
> >    Actually there we should looks for a password and store it, that's very
> > common and convenient, e.g. use
> >    xen://foo:bar server/
> > 
> > as the connection URI, libxml2 will just return the user as 'foo:bar'
> > which could subsequently be split here to store the password (bar).
> 
> The virConnectCredentialPtr struct which is populated for the auth
> callback function contains a 'defresult' field where the default value
> of the credential should go. I intended to populate this value with the
> username part of the URI for VIR_CRED_AUTHNAME credentials, but forgot.
> Will add that in....
> 
> Using passwords in URIs is seriously frowned upon. URIs get into log files,
> in the command line ARGV, into gconf, into bug reports. We absolutely do 
> not want passwords visible in any of those places.
> 
> RFC 2396  explicitly recommends against using passwords in URIs
> 
>   "Some URL schemes use the format "user:password" in the userinfo
>    field. This practice is NOT RECOMMENDED, because the passing of
>    authentication information in clear text (such as URI) has proven to
>    be a security risk in almost every case where it has been used."


I know, I have also argued against it (and that's why libxml2 doesn't
parse it), but this can be way more convenient at times, and also 
has the potential to remove asynchronous interaction for example
when using scripts.
Anyway not a big deal,

Daniel

-- 
Red Hat Virtualization group http://redhat.com/virtualization/
Daniel Veillard      | virtualization library  http://libvirt.org/
veillard redhat com  | libxml GNOME XML XSLT toolkit  http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine  http://rpmfind.net/


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]