From 93f33052de84e9aeaf19c92291d043dad2665bbd Mon Sep 17 00:00:00 2001 From: Julian Andres Klode Date: Mon, 2 Dec 2019 11:46:49 +0100 Subject: netrc: Restrict auth.conf entries to https by default This avoids downgrade attacks where an attacker could inject Location: http://private.example/ and then (having access to raw data to private.example, for example, by opening a port there, or sniffing network traffic) read the credentials for the private repository. Closes: #945911 --- doc/apt_auth.conf.5.xml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) (limited to 'doc/apt_auth.conf.5.xml') diff --git a/doc/apt_auth.conf.5.xml b/doc/apt_auth.conf.5.xml index e7961ef81..99394be00 100644 --- a/doc/apt_auth.conf.5.xml +++ b/doc/apt_auth.conf.5.xml @@ -50,7 +50,7 @@ Unknown tokens will be ignored. Tokens may be separated by spaces, tabs or newli -machine hostname[:port][/path] +machine [protocol://]hostname[:port][/path] Entries are looked up by searching for the machine token matching the hostname of the URI apt needs login information for. Extending the netrc-format @@ -60,7 +60,8 @@ different login information reside on the same server. A machine token with a pa matches if the path in the URI starts with the path given in the token. Once a match is made, the subsequent tokens are processed, stopping when the end of file is reached or another machine -token is encountered. +token is encountered. +If protocol is not specified, the entry only matches https and tor+https. 
@@ -80,9 +81,9 @@ token is encountered. Example Supplying login information for a user named apt with the password debian for the &sources-list; entry -deb http://example.org/debian &debian-stable-codename; main +deb https://example.org/debian &debian-stable-codename; main could be done in the entry directly: -deb http://apt:debian@example.org/debian &debian-stable-codename; main +deb https://apt:debian@example.org/debian &debian-stable-codename; main Alternatively an entry like the following in the auth.conf file could be used: machine example.org login apt @@ -95,7 +96,7 @@ machine example.org/debian login apt password debian machine example.org/debian/ login apt password debian On the other hand neither of the following lines apply: -machine example.org:80 login apt password debian +machine example.org:443 login apt password debian machine example.org/deb/ login apt password debian machine example.org/ubuntu login apt password debian machine example.orga login apt password debian @@ -111,6 +112,9 @@ also the implementation slightly. For maximum backward compatibility you should avoid multiple machine tokens with the same hostname, but if you need multiple they should all have a path specified in the machine token. +Login information in auth.conf are more flexible than those in sources.list. For +example, login information can be specified for parts of a repository only, or if the +sources.list entry redirects elsewhere, login information for the redirect destination can be supplied. -- cgit v1.2.3-70-g09d2
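Review bot: the new `[protocol://]` part of the machine token in the -50 hunk is introduced without saying which values are recognised, and the following sentence still reads "matching the hostname of the URI" although matching now also involves the protocol. Suggest extending it to "matching the protocol (if given) and hostname of the URI" and adding one sentence that an entry must carry an explicit `http://` prefix before it is applied to a plain-HTTP URI, since the -60 hunk makes https and tor+https the only defaults.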
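Review bot: the sentence "If protocol is not specified, the entry only matches https and tor+https." in the -60 hunk states the new default but not the reason, so a user whose http-only mirror stops authenticating has no hint in the man page. Suggest carrying the rationale from the commit message into the text (credentials are no longer sent to an http destination reached through a redirect unless the entry names http explicitly), and marking `protocol` with the same tag the surrounding paragraph uses for the other tokens. This is also a behaviour change for existing protocol-less entries used against http repositories; the backward-compatibility paragraph in the -111 hunk only covers multiple machine tokens and does not mention it.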
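Review bot: the example entries in the -80 hunk (`machine example.org login apt` and the variants below it) carry no protocol, which is consistent with the new default only because the example &sources-list; lines were switched from `http://` to `https://` in the same hunk. A short remark that these same auth.conf entries would no longer apply to the previous `deb http://example.org/debian` line would make the default concrete for readers upgrading from the old page.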
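Review bot: in the -95 hunk `machine example.org:443 login apt password debian` replaces the `:80` line in the list of entries that do not apply. Since 443 is the default port of the https URI used in the example, a reader may expect it to match; the existing `:80` example relied on the same rule. Consider stating explicitly that a port in the machine token only matches a URI that contains that port literally, which is why the `:443` line does not apply.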
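Review bot: "Login information in auth.conf are more flexible" in the -111 hunk should read "is more flexible" (singular subject). More importantly, the last clause of the added paragraph, that login information for a redirect destination can be supplied, describes exactly the redirect situation this commit hardens against; suggest adding that such an entry is only used when the redirect target is https or tor+https, unless the entry names the protocol explicitly, so the paragraph does not read as an invitation to add protocol-less entries for http redirect targets.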