Re: [platform-dev] cvs extssh password

["John Arthorne" <John_Arthorne@xxxxxxxxxx>]

I suppose you may be concerned if you don't trust the people who access your local workstation disks.  Passwords are encrypted in a keyring file that is stored with workspace metadata.  The encryption is quite strong, but is seeded with a password that the user must supply on the Eclipse command line.  If you have security concerns, you should supply a password to use as the encryption key when Eclipse is started (e.g., eclipse -password foo).  Alternatively (or in addition), you can specify the location of the keyring file on the command line as well (e.g., eclipse -keyring c:\temp\keyring or some such).  This allows you to put the keyring file in a trusted location.

We are aware this story is a bit weak (mainly the fact that it relies on unintuitive command line arguments), and there is a plan item to improve this situation for the next release.  See, for example, the following bug report:

https://bugs.eclipse.org/bugs/show_bug.cgi?id=22220
--

"Eric J Kaplan" <eric.kaplan@xxxxxxxxxxx> Sent by: platform-dev-admin@xxxxxxxxxxx 05/14/2003 05:33 PM Please respond to platform-dev

To:        <platform-dev@xxxxxxxxxxx>         cc:                 Subject:        [platform-dev] cvs extssh password

We noticed that when you connect to a cvs repository using extssh, you supply a password.  We assume that password is persisted in the eclipse metadata somewhere.  Our concern is that we now have a password to our fileserver sitting on disk somewhere, either unencrypted or in some readily decryptable form.  Is this true?  Should we be concerned?

 

Regards

 

Eric J. Kaplan

Armanta, Inc.

350 Mt. Kemble Ave.

Morristown, NJ 07960