Bug#756022: ITP: apt-transport-s3 -- APT transport for privately held AWS S3 repositories
* David Kalnischkies <firstname.lastname@example.org>, 2014-07-26, 15:25:
> You don't need to write your credentials in a sources.list anymore
> (which should be world-readable) if your apt is recent enough (and with
> recent I mean at least oldstable). You can populate a netrc-like file
> at /etc/apt/auth.conf with them (create it if you must and set for it
> the permissions to your liking!).
netrc was designed back when all the protocols were equally resistant to
password sniffing (that is, not at all). But these days people most
likely don't want to send their password in clear text, and the
netrc-like password file doesn't really help with that.
Consider the following /etc/apt/sources.list:

  deb http://ftp.pl.debian.org/debian/ unstable main
  deb https://topsecretdebs.jwilk.net/ experimental main

And the following /etc/apt/auth.conf:

  login jwilk password moo37

On the first glance, it looks all righty from the security perspective.
But all a man-in-the-middle attacker has to do to steal the password
is to respond to a http://ftp.pl.debian.org/ request with a redirect to
http://secretdebs.jwilk.net/, tricking APT into sending the credentials
over an unencrypted channel.
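To make the failure mode concrete, here is an added Python model (written for this note, not apt's code and not from the thread) of a client that picks credentials by host name alone versus one that only releases them over https; the auth.conf line, the redirect map and the URLs are constructed to mirror the scenario above, and a machine-less entry is treated as a netrc "default" wildcard.

```python
from urllib.parse import urlsplit

# Constructed auth.conf modelled on the mail (with an explicit machine line).
AUTH_CONF = "machine topsecretdebs.jwilk.net login jwilk password moo37\n"

# Constructed redirect map: the MITM answers the mirror request with a
# redirect to a plain-http URL on the host that has credentials.
START = "http://ftp.pl.debian.org/debian/dists/unstable/InRelease"
TARGET = "http://topsecretdebs.jwilk.net/dists/unstable/InRelease"
REDIRECTS = {START: TARGET}


def parse_auth_conf(text):
    """netrc-style tokens -> {machine: {"login": .., "password": ..}};
    entries without a machine (or after 'default') are keyed as None."""
    entries, current, tokens, i = {}, None, text.split(), 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "machine":
            current = tokens[i + 1].lower()
            i += 2
        elif tok == "default":
            current = None
            i += 1
        elif tok in ("login", "password"):
            entries.setdefault(current, {})[tok] = tokens[i + 1]
            i += 2
        else:
            i += 1  # ignore unknown tokens (e.g. 'account')
    return entries


def credentials_for(entries, url, https_only):
    """Host-keyed lookup (https_only=False) leaks on any redirect to http;
    the hardened variant refuses to hand out secrets on non-https URLs."""
    parts = urlsplit(url)
    if https_only and parts.scheme != "https":
        return None
    return entries.get((parts.hostname or "").lower()) or entries.get(None)


def follow(url, redirects, entries, https_only):
    """Walk the redirect chain, recording what the client would send where."""
    sent, seen = [], set()
    while url and url not in seen:
        seen.add(url)
        sent.append((url, credentials_for(entries, url, https_only)))
        url = redirects.get(url)
    return sent


def plaintext_leaks(sent):
    """Every (url, credentials) pair that went out over cleartext http."""
    return [(u, c) for u, c in sent if c and urlsplit(u).scheme == "http"]
```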