Details
Type: Task
Status: Closed
Priority: Major
Resolution: Fixed
Description
Credential Manager is the standard way to store secrets, e.g. passwords, on Windows. It is much more secure than storing that kind of data in a config file; a password can be stored for the current Windows user, per user:host:port combination.
Windows uses this password manager itself, e.g. for the terminal services client mstsc, but third-party software such as the git client also makes use of it. It is a very handy way to store once and forget, and the passwords stored there can also be looked up and changed in Credential Manager itself.
Note: if a password does not work, e.g. because it was changed, this needs to be caught in the client, the stored password must be removed, and maybe the user should be notified.
A setting for whether to use Credential Manager could be stored in my.ini.
The implementation should allow easy integration of platforms other than Windows; e.g. macOS has a keychain API which could be used for the same purpose.
Definitions
Interactive login happens when the client is passed the -P option, which results in an "Enter password:" prompt.
Implementation details
- The credential manager is not used at all if the parameter credential_manager=OFF (the default). The behavior described below only takes effect if credential_manager=ON.
- Reading from the credential manager:
the password is read from the credential manager if either no --password is supplied on the command line, or interactive login is requested with -P. If credentials are read, the interactive prompt ("Enter password:") is not shown.
- Removing an entry from the credential manager:
If the stored password turns out to be wrong (e.g. the password was updated) and the login attempt fails, the stored password is removed from the credential manager. If the client was started with interactive login, a second login attempt is made after showing the prompt.
- Adding an entry to the credential manager:
If interactive login succeeds and the password was not yet stored, the password is stored.
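The read, remove and add rules above, as an added illustration that is not code from this issue or from the project it belongs to: a Python model of one client login against a pluggable credential store. The user:host:port key layout, the `authenticate` and `prompt` callbacks and the in-memory dict standing in for Credential Manager are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Client:
    user: str
    host: str
    port: int
    password: Optional[str] = None     # --password given on the command line
    interactive: bool = False          # -P: "Enter password:" prompt requested
    credential_manager: bool = False   # my.ini setting, OFF by default

def cred_key(c: Client) -> str:
    return f"{c.user}:{c.host}:{c.port}"   # one entry per user:host:port (assumed layout)

def login(c: Client, store: Dict[str, str],
          authenticate: Callable[[str, str], bool],
          prompt: Callable[[], str]) -> Tuple[bool, List[str]]:
    # Returns (login succeeded, list of store/prompt events in order)
    events: List[str] = []
    key = cred_key(c)
    password, from_store = c.password, False
    # Reading: only with credential_manager=ON and either no --password or -P
    if c.credential_manager and (password is None or c.interactive):
        if key in store:
            password, from_store = store[key], True
            events.append("read")
    if password is None and c.interactive:      # nothing stored: show the prompt
        password = prompt()
        events.append("prompt")
    if authenticate(c.user, password or ""):
        # Adding: interactive success with no entry stored yet
        if c.credential_manager and c.interactive and not from_store:
            store[key] = password
            events.append("store")
        return True, events
    if not from_store:
        return False, events
    # Removing: the stored password no longer works
    del store[key]
    events.append("remove")
    if not c.interactive:
        return False, events
    password = prompt()                         # second attempt after the prompt
    events.append("prompt")
    if authenticate(c.user, password):
        store[key] = password                   # replaces the removed entry
        events.append("store")
        return True, events
    return False, events
```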