[users at bb.net] Using SSH keys with GitPoller and Git step?

Drago Trusk drago.trusk at gmail.com
Tue Mar 7 12:01:49 UTC 2017


Hi Pierre,

Oops, sorry, I'm not using .gitconfig for username/password but rather .netrc
(_netrc for Windows). Haven't had my coffee yet.

My use case is that I have to interact (in a way) with a third party
repository, but access for SSH was not granted so I received only HTTP(S)
access.
This is why my .netrc has
(~/.netrc): machine <host> login <sensitive_user> password <sensitive_password>

In such situations a simple approach would be to have a list of parameters
that all steps can receive so that they are stripped from any
output/logging. I'll try to create a PoC when I come back home.

Bye,
Drago

On Tue, Mar 7, 2017 at 10:40 AM, Pierre Tardy <tardyp at gmail.com> wrote:

> Hi Drago
>
> On Tue, Mar 7, 2017 at 7:32 AM Drago Trusk <drago.trusk at gmail.com> wrote:
>
>> Hi Pierre,
>>
>> it is understandable that people should use SSH keys, but if third party
>> exposes non-SSH access then this becomes a problem.
>>
> Could you be more specific on this? I'd like to understand the exact use
> case in order to see how we can support it the best.
> Since we are currently designing the secret manager
> <https://github.com/buildbot/buildbot/pull/2660/files>, and we need to
> understand the use cases in detail in order to implement it best.
>
>> Obfuscation of command (e.g. password) is nice, but if for whatever reason
>> this command fails and writes sensitive information into stderr/stdout it
>> will still be visible. Of course if worker is on Linux that can be piped
>> and replaced (or through code itself).
>>
> Again, I am not sure what you suggest as a solution for that?
>
>
>> Since I'm provisioning my workers with SSH keys anyway I have sensitive
>> information in gitconfig, but I just wanted to point out that use cases can
>> happen in situations when someone doesn't have another choice.
>>
>
> I would be interested to see what kind of gitconfig do you have, could
> you please publish it (obviously with the sensitive information redacted)?
>
> Regards,
> Pierre
>
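
The approach proposed in the message above (a list of sensitive values stripped from all step output) is sketched below as an added example; it is not code from this thread or from Buildbot. The names `SecretRedactor` and `redact_stream` and the sample git error are constructed for illustration, and the sketch assumes output arrives in arbitrary chunks, so a secret may be split across two of them.

```python
class SecretRedactor:
    """Mask known secret values in a stream of output chunks (hypothetical helper)."""

    def __init__(self, secrets, mask="<redacted>"):
        # Longest first, so a secret that contains another one is masked whole.
        self.secrets = sorted({s for s in secrets if s}, key=len, reverse=True)
        self.mask = mask
        self.pending = ""  # tail held back because it may be the start of a secret

    def _mask(self, text):
        for secret in self.secrets:
            text = text.replace(secret, self.mask)
        return text

    def _holdback(self, text):
        # Length of the longest suffix of text that is a proper prefix of a secret.
        best = 0
        for secret in self.secrets:
            for n in range(min(len(secret) - 1, len(text)), best, -1):
                if text.endswith(secret[:n]):
                    best = n
                    break
        return best

    def feed(self, chunk):
        """Return the part of the stream that is safe to log right now."""
        text = self._mask(self.pending + chunk)
        cut = len(text) - self._holdback(text)
        self.pending = text[cut:]
        return text[:cut]

    def flush(self):
        """Emit whatever was held back once the stream has ended."""
        out, self.pending = self.pending, ""
        return out


def redact_stream(chunks, secrets):
    redactor = SecretRedactor(secrets)
    return "".join(redactor.feed(c) for c in chunks) + redactor.flush()


# Constructed sample: a git error that echoes the credentials embedded in the
# URL, delivered in two chunks that split the password in the middle.
SAMPLE_CHUNKS = [
    "fatal: Authentication failed for 'https://builduser:s3c",
    "r3t-pass@git.example.invalid/repo.git'\n",
]
SAMPLE_SECRETS = ["builduser", "s3cr3t-pass"]

if __name__ == "__main__":
    print(redact_stream(SAMPLE_CHUNKS, SAMPLE_SECRETS), end="")
```

Matching on literal values misses transformed forms of a secret (URL-encoded, base64), so those variants have to be added to the list as well.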