doug.hellmann at dreamhost
Jun 25, 2012, 3:28 PM
Post #2 of 5
On Mon, Jun 25, 2012 at 6:19 PM, Ken Thomas <krt [at] yahoo-inc> wrote:
> Greetings all,
> Our security folks have an issue with putting passwords on the command
> line or in the environment. I wrote up a blueprint that gives the details
> on their objections as well as a proposed short-term fix for keystone (
> We'd like to see this same change get into UnifiedCLI as a longer term fix.
> The change is minor. If no password was found on the command line or in
> the env, just before the "expecting password" error is raised, we make an
> attempt to prompt the user for it. If we get something, great! Our
> security folks are happy and we keep processing. If we don't get the
> password for any number of reasons (keystone wasn't being run from a tty,
> the user hit Ctrl-C or Ctrl-D when prompted), then we raise the error just
> as before.
> I've already submitted the keystone changes for review (
> and I'd be happy to make the same change to UnifiedCLI as well.
Thanks, Ken! That sounds like a good change to make. If you add me as a
reviewer on the patch, I'll make sure to look at the changes.