ssh: disable repository config password #1615
Comments
|
@efiop, why this is not important? 🤔 This is a design flaw that can expose user's credentials |
|
@MrOutis Not everyone is really comfortable with ssh keys and might just want to try it out first with a password, same as he is able to simply ssh into another box using a password. So it doesn't harm to leave it as an option, there are a lot of other ways one could shoot himself in the leg, and this one is a pretty obvious one and easy to avoid. |
|
my bad, @efiop , I didn't want to disable the |
ghost
changed the title
|
@MrOutis But you might want to have a shared password, who knows :) I mean, the care should be taken, but is this really something that we should forbid specifically for .dvc/config? Seems excessive. |
|
It would be nice to have a warning at least? It can save a lot of time. It's one of the common mistakes people do - commit credentials to github. |
|
@shcheklein That also seems like an unnecessary complication. Generally not putting passwords into your configs is a piece of common knowledge, I don't think we need to explicitly protect against that. The implementation is not trivial and the value is questionable, we haven't seen any complaints about it at all. Also, if someone is indeed doing that for a reason, then he will be not happy about warnings and will ask us to implement a config option to disable that specific warning (like guys using fish), which is yet another piece of code that we don't need with questionable usefulness. |
|
@efiop It's not a "common knowledge". Even if people are aware about this problem they still keep doing it for a variety of reasons. There are even tools like this https://github.com/awslabs/git-secrets to prevent this from happening. There are blog posts like this: https://help.github.com/en/articles/removing-sensitive-data-from-a-repository and like this https://pomeroy.me/2017/10/stop-committing-credentials-to-github/ (with some links to how easy it is to discover secrets on public Github, and on private - don't even ask me - it's terrible :) ). May be I'm missing something, but why is it "non-trivial"? I also don't see how a simple message (I would actually prefer aborting in this case, and when you try to save S3/GCS/etc credentials to project's config) can harm the interface. I understand that there is a philosophy of building tools for "professionals" - brutal command line, no docs, you know what you do philosophy. Following it we should be overwriting data for example - because, users should be aware about what they doing. But, even if I share it in general, I don't see any reasons of not putting some nice safe-guards, nice help messages that can save someone a lot of time. After all trying to save password to the project's config is a mistake in 99% of the time. May be even 100%. (at least I would never allow this in my team). Also, another consideration. Even if I'm aware about the concept of not committing sensitive stuff, it's not immediately clear that |
|
@shcheklein Sorry for not replying to each part of your comment, but I will ask another question instead to save us some time. Ok, so storing your password in |
|
@efiop I don't suggest removing it. Just make this action a bit more explicit. Implementation seems to me simple, and it can vary from a simple warning (that what we already do in our docs, btw) to only allow changing it manually, for example. You will have to just put a bit of extra effort (in case of warning even no extra effort) to put secrets into (please, let's not shift the discussion to a more general topic - plain text secrets, we can discuss it separately to keep this conversation focused) Btw, what are the reasons to save secrets into Git? Can you name me or point me to some examples? |
@shcheklein , some people like to have credentials in the repository ( |
|
@shcheklein So you suggest only printing a warning on I was not trying to shift the discussion with the previous question about storing your passwords in plain text. I was simply trying to illustrate that we should either do all or nothing in this case, or at least consider that. If we decide to protect against such an obvious thing as storing your password in git, why not then protect against other common things such as plain-text passwords? @MrOutis @shcheklein Since the question got raised and supported by both of you guys, let's indeed somehow protect against this issue. Is printing a warning on |
|
@efiop my thought process was - if you decided to manually edit the file or ignored the warning or ignored the prompt (depending on the implementation) - then you definitely understand what are you doing and you actually want to save them in Git for whatever reason.
Are you talking about global/system/local configs? It's just less obvious for me and I would need to think a bit more - for a variety of reasons. It's way easier to fix that mistake (you don't push it somewhere). There are less security risks - you have to breach the machine to read the config. Etc. |
efiop
added
p3-nice-to-have
|
@efiop , I already agreed on leaving this as it is: #1615 (comment) If we start thinking about all the scenarios where we can protect the user, we will end up with a lot of warnings in DVC (or at least that's my impression) |
|
@MrOutis You've raised the initial question, so I felt like you've agreed under the pressure :) Ok, in that case, we don't have a consensus with @shcheklein . In general, it feels like we are spending too much time on such a minor thingy. |
|
@efiop , don't get me wrong 😅
I see it more as a design question, sort of related to this: #2498 Should we warn the user against every possible pitfall? Should we put boundaries to prevent the user from going that direction? Should we trust them (delegating responsibilities to them)? |
|
agreed that this discussion are related. If take a look at git or heroku CLI they do warn or abort/prompt on certain things or help you with nice things like when you make a typo in a command. This is what good UI/UX for - to support you (by not breaking the workflow of course). In this particular case it's just feels that probability of you running this by mistake (not realizing that this is bad idea, or that there is --local/--global option, etc) is SO high and price of a mistake is high as well that we might want to put an extra barrier. |
I agree that those are good examples of a shiny friendly CLI with bells and whistles. And I like those and we've been adding more friendly things for a long time. But this specific example is so minor and so insignificant with 0 real complains, that I don't think we should spend so much time on it.
if the probability is "SO high" along with a "high price", how come we haven't ever heard of anyone complaining about this? We did hear people complaining about seemingly much less frequent and less dangerous things than this one, but never about this? Seems strange. We could place a half-measure warning that you suggest, but I don't think it is worth more than p4 or p3 max, which means that we will probably never come to implementing this, unless some user comes and complains about this, at which point we will instantly bump the priority, as it will make it clear that it will help someone. |
Why don't we then just disable this (to be safe) and wait for people to ask to enable it back? If it's so minor and "insignificant" - there is nothing to worry about at all, no one will complain, or will show them how to use it properly. This is the easiest and proper way to understand if there are use cases for storing password in Git.
I doubt that anyone will ever complain about it (though we had one like for this issue, right?) - it's not a bug, it's an UI/workflow improvement. Also, people do this and they don't realize the consequences.
probability is high that you are doing a mistake if you are doing it, not that you are going to do it - those are two different things.
That's why I don't like it tbh. I would put a higher barrier - only manual/explicit updates to the config at least. And would wait some complaint from the community.
|
|
If it is not too much work, I think this would be a useful feature, i.e. preventing users to add a password (or some other private credentials), but allowing them to add it manually anyway (by editing the config file). However I agree that this is neither urgent, not high priority. If making a first stable release would be a milestone, then I would postpone it beyond that milestone. In any case, it is not a bad idea to have a list of nice-to-have features, even if they are never implemented. |
I'm pretty sure that we've agreed on this already a few comments above.
Ok, so it is a minor improvement that is not really important. Let's leave it as is.
Indeed, missed this one. Thanks.
👍
Ok, let's leave it as is. |
|
Closing as stale. |
Uh oh!
There was an error while loading. Please reload this page.
Use
--local,--systemor--globalThe text was updated successfully, but these errors were encountered: