[Yum-devel] Re: basic auth support enable (was: yum to pass http data to repository)

Scott Russell lnxgeek at us.ibm.com
Mon Nov 21 17:17:16 UTC 2005


I understand that basic HTTP auth is going to be plaintext or plaintext 
over SSL. I don't expect this to be foolproof, just more secure.

Placing the userid + passwd into the URL in the config file works of 
course. One situation we encounter on our devel boxes here would be 
where individual accounts have access to root via sudo but each account 
maintains its own userid and password for both the local system and the 
remote RPM repository. Obviously file permissions won't help in this 
situation, and if for no other reason than keeping an audit trail 
we don't want users sharing accounts. (Discussing IBM Internal security 
policies is way off topic but I will agree that several of them just 
don't make much sense.)

Michael Stenner wrote:
> On Fri, Nov 18, 2005 at 09:49:22PM -0500, Scott Russell wrote:
>> Gotta chime in here and say that I would love to see userid and password 
>> config options for yum repos. That said, the above while it works is 
>> less than ideal. The idea of storing a password in the yum config file 
>> isn't the best practice.
> 
> Where would you prefer to store it?  If you want to NOT store it, then
> I suggest you use the yum environment variables, write a short wrapper
> that prompts for the password, sets the variable and runs yum.  I
> don't think it makes sense to build that functionality into yum
> because people will often have multiple authed repos and designing a
> password system that handles that well would be really ugly.

Ideally I would like to see password prompts from yum and for it to work 
either on a global level or on a per repo level as required. I've done a 
wrapper script for up2date and can modify it for yum; however, I look at 
the wrapper script as a hack, whereas having the ability to cleanly deal 
with password protected http and ftp repositories inside of yum would be 
a better solution.

I could be convinced otherwise.

-- 
Scott Russell <lnxgeek at us.ibm.com>
IBM Linux Technology Center System Admin
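
The wrapper approach suggested in the quoted reply (prompt, set the yum environment variables, run yum), as an added example that is not code from this thread or from the yum project. The repo stanza, the host `repo.example.com`, the install name `yum-auth` and the function names are assumptions; the percent-encoding step is added so that characters such as `@` or `:` in a password survive being placed in the URL.

```shell
#!/bin/sh
# Added example. Assumed repo stanza (host and path are placeholders):
#   [internal]
#   baseurl=https://$YUM0:$YUM1@repo.example.com/rpms/
# yum replaces $YUM0..$YUM9 in its config with the environment variables
# of the same name, so the password never has to be stored in the file.

# Percent-encode every byte outside the RFC 3986 "unreserved" set, so a
# '@', ':' or '/' in the credentials cannot change how the URL is parsed.
urlencode() {
    for hex in $(printf '%s' "$1" | od -An -v -tx1); do
        case $hex in
            3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]|2d|2e|5f|7e)
                printf "\\$(printf '%03o' "0x$hex")" ;;      # unreserved: emit as-is
            *)  printf '%%%s' "$hex" | tr 'a-f' 'A-F' ;;      # everything else: %XX
        esac
    done
}

# Prompt for credentials and pass them to yum through its environment only.
yum_with_auth() {
    printf 'Repository user: ' >&2
    IFS= read -r repo_user
    printf 'Repository password: ' >&2
    if [ -t 0 ]; then
        trap 'stty echo; exit 130' INT TERM   # never leave the terminal with echo off
        stty -echo
    fi
    IFS= read -r repo_pass
    if [ -t 0 ]; then
        stty echo
        trap - INT TERM
        printf '\n' >&2
    fi
    enc_user=$(urlencode "$repo_user")
    enc_pass=$(urlencode "$repo_pass")
    unset repo_user repo_pass
    # Values go into the environment of the yum call, not onto its command
    # line and not into any file.
    YUM0=$enc_user YUM1=$enc_pass yum "$@"
}

# Hypothetical install name; the file does nothing when merely sourced.
case ${0##*/} in
    yum-auth) yum_with_auth "$@" ;;
esac
```

Run the wrapper itself under sudo (for example `sudo yum-auth update`) so each admin is prompted for their own repository credentials; setting the variables first and then calling `sudo yum` loses them when sudo resets the environment. The credentials remain readable in the yum process environment by root for the life of that process.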


