This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Manhole's server username / password / SSH keys should not be hard-coded #3850

Open
hawkowl opened this issue Sep 12, 2018 · 1 comment
Labels
O-Uncommon Most users are unlikely to come across this or unexpected workflow S-Minor Blocks non-critical functionality, workarounds exist. Security T-Defect Bugs, crashes, hangs, security vulnerabilities, or other reported issues.

Comments

@hawkowl
Contributor

hawkowl commented Sep 12, 2018

Even though it's not a big deal, hhhgngh hardcoded server keys are just bad

#3841

@neilisfragile neilisfragile added the z-p2 (Deprecated Label) label Oct 5, 2018
@DMRobertson DMRobertson added P3 (OBSOLETE: use S- labels.) Approved backlog: not yet scheduled, will accept patches S-Minor Blocks non-critical functionality, workarounds exist. T-Defect Bugs, crashes, hangs, security vulnerabilities, or other reported issues. and removed z-p2 (Deprecated Label) labels Jan 27, 2022
@DMRobertson DMRobertson added O-Uncommon Most users are unlikely to come across this or unexpected workflow and removed P3 (OBSOLETE: use S- labels.) Approved backlog: not yet scheduled, will accept patches labels Oct 19, 2022
@clokep clokep changed the title Manhole's server SSH keys should be generated by the server Manhole's server username / password / SSH keys should not be hard-coded Dec 19, 2022
@clokep
Member

clokep commented Dec 19, 2022

I'm going to tweak the scope of this issue to also include the username / password. I'm not really sure anything needs to be auto-generated here -- we should start by removing the default hard-coded values and document how to generate an SSH key.

The steps to do this would be:

  1. Deprecate the default user/password/SSH key:
    1. Update the documentation with this info + how to generate an SSH key.
    2. Write upgrade notes discussing this change.
    3. (Probably?) Log a warning if a user is not providing a username / password.
  2. After a few releases (>2) stop providing a default username / password / SSH key (and error on start-up?) if the manhole is configured without them.
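
A sketch of the two-phase check the steps above describe (warn during the deprecation window, then refuse to start), added here as an example and not taken from the issue or from the project's code. The setting names (`manhole`, `manhole_settings`, `username`, `password`, `ssh_priv_key_path`, `ssh_pub_key_path`), the `enforce` switch and the sample configs are assumptions.

```python
import logging
from typing import Any, List, Mapping

logger = logging.getLogger("manhole_config_check")

# Assumed setting names for this sketch; they do not come from the issue.
REQUIRED = ("username", "password", "ssh_priv_key_path", "ssh_pub_key_path")


class ManholeConfigError(Exception):
    """Raised once defaults are no longer provided and a setting is missing."""


def missing_manhole_settings(config: Mapping[str, Any]) -> List[str]:
    """Return the credential settings the operator has not set explicitly."""
    if config.get("manhole") is None:
        return []  # manhole not enabled, nothing to check
    settings = config.get("manhole_settings") or {}
    # Empty or whitespace-only values count as "not provided".
    return [k for k in REQUIRED if not str(settings.get(k) or "").strip()]


def check_manhole_config(config: Mapping[str, Any], enforce: bool = False) -> List[str]:
    """Phase 1 (enforce=False): log a deprecation warning and carry on.
    Phase 2 (enforce=True): raise so the server errors on start-up."""
    missing = missing_manhole_settings(config)
    if not missing:
        return missing
    msg = "manhole is enabled but not explicitly configured: " + ", ".join(missing)
    if enforce:
        raise ManholeConfigError(msg + "; refusing to start")
    logger.warning("%s; built-in defaults are deprecated", msg)
    return missing


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed sample config: manhole enabled, only a username supplied.
    sample = {"manhole": 9000, "manhole_settings": {"username": "ops"}}
    print(check_manhole_config(sample))  # warns, lists the three missing settings
    try:
        check_manhole_config(sample, enforce=True)
    except ManholeConfigError as exc:
        print("start-up blocked:", exc)
```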
