[PATCH] http auth user & password lookup

Matt Mackall mpm at selenic.com
Thu Aug 23 18:24:13 CDT 2007


On Thu, Aug 23, 2007 at 04:13:46PM -0700, Brad Schick wrote:
> Brad Schick wrote:
> > Alexis S. L. Carvalho wrote:
> >   
> >> Thus spake Brad Schick:
> >>   
> >>> # HG changeset patch
> >>> # User Brad Schick <schickb at gmail.com>
> >>> # Date 1187211013 25200
> >>> # Node ID 37b01c92a63ca144a15f728be8712c8a2488a2a2
> >>> # Parent  dc38a08557bc34493221683453d14717da0b82e2
> >>> added user & password lookup from [http_auth] config section
> >>>
> >>> For secure systems, this lets people store user and optional
> >>> password values for http auth realms. The format is:
> >>>
> >>> [http_auth]
> >>> realm = user:pass
> >>> * = user:pass
> >>>
> >>> A realm name of '*' is an optional default used when no
> >>> matching realm name is found.
> >>>     
> >> We also want to store and check the URI (or at least the host name), no?
> >>
> > I considered that. It would disambiguate all cases, but I think for many
> > instances the realm is enough. Maybe an optional uri? Any suggestions
> > for how to add that. Could be something like:
> >
> > realm[@uri]  = user[:pass]
> >
> Any feedback on this? I think it would help other users if I can get
> this patch to an acceptable state. It's currently a pretty big hassle
> doing remote work over http if auth is in place (or fairly insecure due
> to displaying of passwords).

Isn't there a security risk of not having the URI in there? If you're
doing pushes to two servers with realm-a and realm-b, the second
server can claim to be in realm-a and get your realm-a password, no?

-- 
Mathematics is the supreme nostalgia of our time.
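The following is an added example, not code from the patch or from Mercurial. It implements the config syntax proposed in the thread, `realm[@uri] = user[:pass]` with `*` as the optional default, and puts the realm-only lookup from the posted patch next to a lookup that also binds an entry to the scheme, host and port it was written for. The sample hgrc text, the host names and the preference order (exact realm before `*`, and within that any entry whose origin matches) are assumptions made for the example.

```python
"""Credential lookup for the proposed [http_auth] section: realm-only
versus realm+origin scoped.  Added example, not Mercurial code."""
import re
from urllib.parse import urlsplit

# Constructed sample hgrc text in the syntax proposed in the thread:
#   realm[@uri] = user[:pass]      ('*' is the optional default realm)
SAMPLE_HGRC = """
# comment lines and blank lines are ignored
[paths]
default = https://hg-a.example.org/repo

[http_auth]
realm-a@https://hg-a.example.org = alice:hunter2
realm-b@https://hg-b.example.org = bob:let:me:in
* = guest
"""

_DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, port) of a URL, lower-cased, default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or _DEFAULT_PORTS.get(scheme)


def parse_http_auth(text):
    """Return a list of (realm, origin_or_None, user, password_or_None).

    Only the first '=' separates key from value and only the first ':'
    separates user from password, so passwords may contain ':' and '='.
    A key without '@' yields origin None (entry valid for any host).
    """
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section != "http_auth" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        realm, _, uri = key.partition("@")
        uri = uri.strip()
        user, sep, password = value.partition(":")
        entries.append((realm.strip(), origin(uri) if uri else None,
                        user.strip(), password if sep else None))
    return entries


def realm_from_challenge(header):
    """Extract realm="..." from a WWW-Authenticate: Basic challenge."""
    m = re.search(r'realm\s*=\s*"([^"]*)"', header, re.IGNORECASE)
    return m.group(1) if m else None


def lookup_realm_only(entries, realm):
    """Lookup as in the posted patch: match on realm name, else '*'.
    Whoever sends the realm name gets the credential."""
    for want in (realm, "*"):
        for r, _bound, user, pw in entries:
            if r == want:
                return user, pw
    return None


def lookup_scoped(entries, realm, url):
    """Lookup that also checks where the request is going: an entry bound
    to an origin is only handed to requests for that origin.  Entries
    without a URI (including a bare '*') still match any host, which is
    exactly the exposure the thread discusses."""
    target = origin(url)
    for want in (realm, "*"):
        for r, bound, user, pw in entries:
            if r == want and (bound is None or bound == target):
                return user, pw
    return None


if __name__ == "__main__":
    entries = parse_http_auth(SAMPLE_HGRC)
    # A push to hg-b, where hg-b's challenge claims to be realm-a.
    realm = realm_from_challenge('Basic realm="realm-a"')
    print("realm-only:", lookup_realm_only(entries, realm))
    print("scoped:    ", lookup_scoped(entries, realm,
                                       "https://hg-b.example.org/repo"))
```

With the realm-only lookup, the second server's claim to be `realm-a` is enough to receive alice's password; with the scoped lookup it only receives whatever is bound to no host at all, here the passwordless `guest` default, so a default entry should be treated as public to every server you talk to.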

