password written to the terminal when an error occurs

[dustymabe]

We need to figure out how to pass a password without having to echo and pipe it in as stdin so that the error message a user gets when a failure occurs doesn't have their password in it. Sometimes users don't realize it and then they copy and paste the output to others.

The output looks like this:

==> default: Mounting folder via SSHFS: C:/Users/IEUser/tmp => /mount/windows
Mounting SSHFS shared folders failed. This is most often caused by either
an SSH Daemon not running on the host or invalid credentials being provided.
Please make sure an SSH daemon is running on the host and proper credentials
were provided to be able to authenticate via SSH.

The command and output are:

echo 'Passw0rd!' | sshfs -p 22 -o StrictHostKeyChecking=no -o allow_other -o noauto_cache -o password_stdin IEUser@10.0.2.2:'C:/Users/IEUser/tmp' /mount/windows

Stdout from the command:
Stderr from the command:

read: Connection reset by peer

[codylane]

@dustymabe - I'm wondering if we could use sshpass for this?

[dustymabe]

It would add another install time requirement/dependency which wouldn't be ideal.

[codylane]

Ok, no problem, I understand.

How bout an env var then or perhaps a file that is locked to perms owner:group 0600? This way we could slurp up the file if detected which contains the secrets. Just a thought.

[dustymabe]

Maybe an env var would be best! I'd prefer to try to avoid writing files with passwords in them because we need to be careful to make sure they get cleaned up appropriately and also if they were ever written to disk they could theoretically be recovered even if deleted.

[codylane]

Agreed, there is also a an additional alternative which would be 'getpass' I'm not sure what the equivalent is in ruby but I also feel like it is generally part of standard APIs with most programming langs. We could first try ssh key and if that fails in the exception try to use getpass to have the user enter their password in an interactive prompt or if the user defines the ENV var in their Vagrantfile or ENV in their shell we wouldn't have an interactive prompt.

Env vars have their own security concerns as well but I don't really treat Vagrant as production in a true sense. I use to test my production code before it goes to production but production will use something different that is far more secure.

[codylane]

Agreed, there is also a an additional alternative which would be 'getpass' I'm not sure what the equivalent is in ruby but I also feel like it is generally part of standard APIs with most programming langs. We could first try ssh key and if that fails in the exception try to use getpass to have the user enter their password in an interactive prompt or if the user defines the ENV var in their Vagrantfile or ENV in their shell we wouldn't have an interactive prompt.

Env vars have their own security concerns as well but I don't really treat Vagrant as production in a true sense. I use to test my production code before it goes to production but production will use something different that is far more secure.

In reference to my previous message, io/console provides the getpass method and is part of the of ruby stdlib. I'd be happy to put a PR for this as well and some tests. Should be fairly straight forward.

[dustymabe]

one thing to watch out for is that the reason this is tricky is because it's happening inside the VM. i.e., this is the command we're running on the remote:

echo 'Passw0rd!' | sshfs -p 22 -o StrictHostKeyChecking=no -o allow_other -o noauto_cache -o password_stdin IEUser@10.0.2.2:'C:/Users/IEUser/tmp' /mount/windows

so we have to find a way to pass that information. without showing the password in the log output (this bug)

[codylane]

Gotcha, excellent info. I'll see what we can do and I agree that this needs some careful implementation and I'll see what I can come up with. I enjoy this sort of challenge, but I'm not arrogant enough to say this is an easy fix. ;)