[SOLVED] _netrc/.netrc alternative to cURL

_netrc/.netrc alternative to cURL

I've been looking at Git and cURL and I found some references about .netrc, that may help on HTTP authentication. The problem is: .netrc is dumb, because it stores passwords in plain text format, which is a big security issue for the solution I'm developing.

Is there an alternative to the .netrc approach? Is it possible to develop an "authentication backend" to cURL?

Solution

Update April 2013, git 1.8.3:

A new read-only credential helper (in contrib/) to interact with the .netrc/.authinfo files has been added.

That script would allow you to use gpg-encrypted netrc files, avoiding the issue of having your credentials stored in a plain text file.

To enable this credential helper:

git config credential.helper '$shortname -f AUTHFILE1 -f AUTHFILE2'

(Note that Git will prepend "git-credential-" to the helper name and look for it in the path.)

**See a full example at "Is there a way to skip password typing when using https:// github**"

Original answer (March 2011)

The only alternative (except not using it and going through ssh) would be to:

encrypt that file (for instance, on Windows, with the utility 'crypt')
decrypt it just before the curl call
then encrypt it again right after the curl call

Note that on Unix, that file is normally in mode 600, only visible by you.
On Windows (_netrc), that file should be in your HOMEDIR, which shouldn't be accessible (through Windows ACL) to any other users.
But I still don't like a password in plain text...

This thread, for example, goes through the same process (on Unix for gpg, but it still illustrates the solution nicely):

Below I have included a sample script implementing the usage of 'gpg', which can be used to encrypt the contents of a file. It's in shell script, however I'm sure you can adapt the concept to your perl script.

I think for your needs the basic idea is:

create a plain-text file with your password (and other info) 2. encrypt it using gpg and store the encrypted file; dispose of the plain-text file 3. Within the perl script, decrypt the encrypted file into a plain-text file 4. read contents of plain-text file during runtime of your script 5. delete plain-text file as soon as possible.

Here's just an example of the workings of gpg:

#!/bin/sh
echo -n "Enter your password: "
read pass

FILE=~/mypassword
echo $pass > $FILE
gpg -c $FILE
rm -f $FILE

gpg $FILE.gpg
MYPASSWORD=`cat $FILE`
rm -f $FILE

echo $MYPASSWORD