
Re: Bug#756022: ITP: apt-transport-s3 -- APT transport for privately held AWS S3 repositories



* David Kalnischkies <david@kalnischkies.de>, 2014-07-26, 15:25:
> You don't need to write your credentials in a sources.list anymore (which should be world-readable) if your apt is recent enough (and with recent I mean at least oldstable). You can populate a netrc-like file at /etc/apt/auth.conf with them (create it if you must and set for it the permissions to your liking!).

netrc was designed back when all the protocols were equally resistant to password sniffing (that is, not at all). But these days people most likely don't want to send their password in clear text, and the netrc-like password file doesn't really help with that.

Consider the following /etc/apt/sources.list:

deb http://ftp.pl.debian.org/debian/ unstable main
deb https://topsecretdebs.jwilk.net/ experimental main

And the following /etc/apt/auth.conf:

machine topsecretdebs.jwilk.net
login jwilk password moo37

On the first glance, it looks all righty from the security perspective.

But all a man-in-the-middle attacker has to do to steal the password is to respond to a http://ftp.pl.debian.org/ request with a redirect to http://secretdebs.jwilk.net/, tricking APT into sending the credentials over an unencrypted channel.

--
Jakub Wilk
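As an added illustration of the lookup behaviour described in this message (not code from the thread, from APT, or from apt-transport-s3), the following Python models a netrc-style credential lookup keyed only by hostname next to a scheme-aware variant that withholds credentials on plain http. The auth.conf content is the example from the message; the request URLs are assumed.

```python
from urllib.parse import urlsplit

# Constructed auth.conf content, copied from the example in the message.
AUTH_CONF = """\
machine topsecretdebs.jwilk.net
login jwilk password moo37
"""


def parse_auth_conf(text):
    """Parse netrc-style 'machine X login Y password Z' tokens.

    Returns {machine: {"login": ..., "password": ...}}. Tokens may be
    spread over several lines, as in the message's example.
    """
    tokens = text.split()
    entries, current, i = {}, None, 0
    while i < len(tokens):
        key = tokens[i]
        if key == "machine" and i + 1 < len(tokens):
            current = tokens[i + 1]
            entries[current] = {}
            i += 2
        elif key in ("login", "password") and current and i + 1 < len(tokens):
            entries[current][key] = tokens[i + 1]
            i += 2
        else:
            i += 1  # unknown or dangling token: skip it
    return entries


def credentials_for(url, entries, https_only):
    """Return (login, password) a netrc-style lookup would attach to url, or None.

    https_only=False matches on hostname alone, which is what the message
    describes: a redirect to http://<machine>/ still picks up the entry.
    https_only=True withholds credentials unless the scheme is https.
    """
    parts = urlsplit(url)
    entry = entries.get(parts.hostname)
    if entry is None:
        return None
    if https_only and parts.scheme != "https":
        return None
    return (entry.get("login"), entry.get("password"))


def leaks_cleartext(url, entries):
    """True if hostname-only matching would send credentials over plain http."""
    return urlsplit(url).scheme == "http" and credentials_for(url, entries, False) is not None
```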