Skip to content

Encrypt crates.io API token under a password (optionally) #3749

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
tarcieri opened this issue Feb 21, 2017 · 4 comments
Open

Encrypt crates.io API token under a password (optionally) #3749

tarcieri opened this issue Feb 21, 2017 · 4 comments
Labels
A-configuration Area: cargo config files and env vars A-interacts-with-crates.io Area: interaction with registries A-registry-authentication Area: registry authentication and authorization (authn authz) C-feature-request Category: proposal for a feature. Before PR, ping rust-lang/cargo if this is not `Feature accepted` S-needs-design Status: Needs someone to work further on the design for the feature or fix. NOT YET accepted.

Comments

@tarcieri
Copy link

tarcieri commented Feb 21, 2017
edited
Loading

Originally from: rust-lang/crates.io#79

Right now crates.io API tokens are stored in the (presently chmod 644 i.e. world readable) ~/.cargo/config file under the [registry.token] section.

Storing credentials in plaintext, even if the file permissions were improved, still makes them vulnerable to local file disclosure (LFD) attacks. These attacks are exceedingly common, especially in environments where developers are running a number of services on their laptops and have not properly configured firewalls and/or service-specific security settings.

Encrypting credentials under a passphrase can help mitigate these attacks. SSH provides precedent for encrypting private keys under a passphrase.

Since cargo already depends on rust-openssl, I would suggest sourcing cryptographic primitives from there. AES-GCM with a password derived via PBKDF2 or as of OpenSSL 1.1.0, scrypt via the EVP_PBE_scrypt() API, which does not yet appear to be supported by rust-openssl (issue opened) should be sufficient to harden cargo API token storage against LFD attacks.
@tarcieri tarcieri mentioned this issue Feb 21, 2017
Closed
@alexcrichton
Copy link
Member

👍

I'd prefer to avoid openssl for this (we don't use it on Windows), but I'm sure ring would be up to the task!

@tarcieri
Copy link
Author

tarcieri commented Feb 22, 2017
edited
Loading

ring provides AES-GCM AEAD along with PBKDF2 at least (and I have a separate crate for scrypt) so... yes (also I'm already using ring for this purpose in other projects)

@carols10cents carols10cents added A-interacts-with-crates.io Area: interaction with registries C-feature-request Category: proposal for a feature. Before PR, ping rust-lang/cargo if this is not `Feature accepted` labels Oct 2, 2017
@ehuss ehuss added A-configuration Area: cargo config files and env vars A-registry-authentication Area: registry authentication and authorization (authn authz) labels Dec 11, 2022
@epage
Copy link
Contributor

epage commented Oct 11, 2023

With #12649 (will be released in 1.74), we now support credentials being supported in wincred, libsecret, and macos-keychain. However, I don't think we've done anything to make these the default when you cargo login. Is that right @arlosi ? Is this something can improve in the future, whether in cargo login and/or in documentation?

@epage epage added the S-needs-design Status: Needs someone to work further on the design for the feature or fix. NOT YET accepted. label Oct 11, 2023
@arlosi
Copy link
Contributor

arlosi commented Oct 11, 2023

We haven't made it the default. However, setting up a credential provider is required when using a private registry, which will also cause it to be used for crates.io tokens.

The documentation is here: https://doc.rust-lang.org/nightly/cargo/reference/registry-authentication.html

It may be worth adding a warning when doing cargo login if a credential provider hasn't been set up that links to the above docs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
A-configuration Area: cargo config files and env vars A-interacts-with-crates.io Area: interaction with registries A-registry-authentication Area: registry authentication and authorization (authn authz) C-feature-request Category: proposal for a feature. Before PR, ping rust-lang/cargo if this is not `Feature accepted` S-needs-design Status: Needs someone to work further on the design for the feature or fix. NOT YET accepted.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@tarcieri @ehuss @epage @alexcrichton @carols10cents @arlosi