On Thu, 23 May 2002, Henrik van Ginhoven wrote:

> On Wed, May 22, 2002 at 11:49:42AM -0400, Dan Mahoney, System Admin wrote:
> > On Tue, 21 May 2002, Dan Mahoney, System Admin wrote:
> >
> > Now, something occurs to ME.  There really SHOULD be an alternate means of
> > prompting the user for a password (i.e. something which is not readily
> > visible through ps, (or saved to a history file) I mean REALLY.
>
> I believe this problem has been addressed before, please observe:
>
> ~]$ wget --help | head -n 1
> GNU Wget 1.7, a non-interactive network retriever.

Well, that's all well and good.  But how about a --prompt option (or a
PASSWORDPROMPT environment variable, or something in your .wgetrc) that
allows for the preference.

>
> and that is the problem, it is a non-interactive network retriever. I wrote
> a tiny patch of my own that applied to the sources of 1.5.3 (I think) that
> did just this, prompt for a username and password, but if I remember correctly
> when I brought the topic up (before I wrote the patch, just to make sure I
> was not re-inventing something), the conclusion was that wget could not have
> such a feature since it would break the "non-interactive" part. But it is a
> problem, I agree. On large networks some evil-minded person could write a
> tiny cron-script that ran once every 5 minutes or so to parse ps-output
> looking for nothing but passwords, and thus I think it should be pointed out
> a bit better (perhaps after ./configure or in --help or whatever) that
> someone might actually see your username and password, should you supply
> them on the command line.

Every five minutes?  Crontab?  A single process that sleeps for 30 seconds and
calls itself.

>
> > wget
> > shows username:*password* in its output, is this supposed to make us think
> > the program is protecting that password from prying eyes in some way?
>
> Yes, as you know it's not perfect but it would be quite silly to actually
> print the password and the username on the screen don't you agree? I don't
> think anyone ever thought of it as a way to make you believe the password is
> well protected..
>
>
> >
> > Ideally like with some browsers, if you specify ftp://username@domain, you
> > get a prompt.

not ftp://username:password@domain, just ftp://username@domain.  If wget
senses that it is running in "interactive" mode (i.e. from a live user as
opposed to a crontab, based on controlling pty or environment or whatnot),
it should AT LEAST print a warning "Your password could be more securely
specified this way".

> ....and at the same time break thousands of scripts that run with at or cron
> when sysadmins start to upgrade wget to that version? oh no... not a good
> idea.

I know scripts that rely on telnet too (for example my
router-config-backup-script).  Doesn't make them secure either.

That's a copout.  There are alternatives.  And the description of the
software shouldn't be the reason not to make it more secure.

On an unrelated note, it would be rather useful if wget supported _S_ftp,
too.

--

"I love you forever eternally."

-Connaian Expression

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Web: http://prime.gushi.org
finger [EMAIL PROTECTED]
for pgp public key and tel#
---------------------------
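The prompting wrapper the thread is asking for, written out as an added example.
This is not code from the thread, from Dan's patch, or from wget itself: the
names secure_wget and its helpers are hypothetical, and the http_user,
http_passwd and passwd startup-file directives are assumed to match the
installed wget's .wgetrc syntax (check the manual for your version). The idea
is the one raised above: accept ftp://user@host, prompt for the password only
when stdin is a terminal, and hand it to wget through a mode-0600 file named in
$WGETRC so that it never appears in argv, ps output or shell history. If a
password does arrive inline in the URL, it has already been exposed, so the
wrapper warns the user and strips it before exec'ing wget.

```shell
#!/bin/sh
# Added example, not code from the thread or from wget: keep the password out
# of argv (and so out of ps and shell history) by passing it to wget in a
# private startup file named by $WGETRC.  Hypothetical names: secure_wget and
# its helpers.  Assumed: http_user/http_passwd/passwd match the installed
# wget's .wgetrc directives.

# Live user on a terminal, or cron/at?  (The thread's "interactive" test.)
is_interactive() { [ -t 0 ]; }

# "user" from scheme://user[:pass]@host/...; empty when the URL has none.
user_from_url() {
    printf '%s\n' "$1" | sed -n 's|^[a-z]*://\([^:/@]*\)[:@].*|\1|p'
}

# "pass" from scheme://user:pass@host/...; empty when absent.  The class
# [^@/] keeps host:port (no @ before the path) from being taken for one.
password_from_url() {
    printf '%s\n' "$1" | sed -n 's|^[a-z]*://[^:/@]*:\([^@/]*\)@.*|\1|p'
}

# True when the password is inline, i.e. visible to anyone running ps.
url_has_inline_password() { [ -n "$(password_from_url "$1")" ]; }

# scheme://user:pass@host/...  ->  scheme://user@host/...
strip_url_password() {
    printf '%s\n' "$1" | sed 's|^\([a-z]*://[^:/@]*\):[^@/]*@|\1@|'
}

# Write credentials to $3, created mode 0600 (umask set in a subshell so the
# caller's umask is untouched).  passwd covers FTP, http_passwd covers HTTP.
write_wgetrc() {
    ( umask 077
      printf 'http_user = %s\nhttp_passwd = %s\npasswd = %s\n' "$1" "$2" "$2" > "$3" )
}

# Read the password from the controlling tty with echo off, so it is typed by
# the user rather than taken from argv or a pipeline.
ask_password() {
    printf 'Password for %s: ' "$1" > /dev/tty
    stty -echo < /dev/tty
    IFS= read -r pw < /dev/tty
    stty echo < /dev/tty
    printf '\n' > /dev/tty
    printf '%s' "$pw"
}

# Usage: secure_wget URL [wget options...]
secure_wget() {
    url=$1; shift
    user=$(user_from_url "$url")
    pass=$(password_from_url "$url")
    if [ -n "$pass" ]; then
        # Already exposed via argv; warn (as the thread suggests) and at least
        # keep it out of wget's own argv.
        is_interactive && echo "warning: password in URL is visible via ps; use ${url%%:*}://$user@... instead" >&2
        url=$(strip_url_password "$url")
    elif [ -n "$user" ] && is_interactive; then
        pass=$(ask_password "$user")
    fi
    if [ -z "$pass" ]; then
        wget "$@" "$url"
        return
    fi
    rc=$(mktemp) || return 1
    write_wgetrc "$user" "$pass" "$rc"
    WGETRC=$rc wget "$@" "$url"
    status=$?
    rm -f "$rc"
    return $status
}
```

For a standing credential the simpler route is a ~/.netrc owned by you with
mode 0600, which wget also reads; the wrapper above is for the one-off
interactive case. (Later wget releases added an --ask-password option that
does the prompt natively.)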

