Allow specifying HTTP basic auth credentials from a file #872

Open

**Is your feature request related to a problem? Please describe.**

Arguments to applications are by default readable to all users on Linux. Try e.g.:

This means that when using the HTTP basic auth mechanism, unprivileged users may be able to abuse `ttyd` to gain another user's permissions. While HTTP basic auth isn't very secure to begin with, it can otherwise be used somewhat safely in a controlled network.

**Describe the solution you'd like**

Ideally, a new arg called `--credential-file`, that would be used to read credentials from a file instead; this would allow setting access permissions on the file instead.

**Describe alternatives you've considered**

Taking credentials from `stdin`, or generally a file descriptor, would also be a nice way to implement better security here. Alternatively, maybe the option of HTTP basic auth should be removed altogether - it's a notoriously easy trap to fall for, since it almost never offers any security without TLS anyway, and when TLS is active client certificates are a significantly better alternative.

**Additional context**

NixOS provides a module downstream for `ttyd`, which has some nice configuration semantics for setting up a "passwordFile", but is a bit misleading. This is part of a larger initiative to provide better ways to support credential passing.

Comments

Argh, sorry I missed that issue, I swear I searched around before raising this :| I'll keep it open for now, just in case this gets some traction at least: