nuget source password encryption story

[yishaigalatzer]

Rob adding text on 2/10/2017: nuget.exe | dotnet.exe can now use encrypted passwords in nuget.config files -- when running on windows ONLY. Ideally, we'd support dotnet.exe on other platforms too, so they don't need to store passwords via cleartext.

This would need APIs from .NET Core. See the related https://github.com/dotnet/corefx/issues/6746

[yishaigalatzer]

CC @anurse @davidfowl

[emgarten]

Is this needed for xplat?

[yishaigalatzer]

Yes but not for rc, and debatable for rtm

[yishaigalatzer]

@emgarten when RC is out the door, please start a thread with Stephen Toub

[mountgellert]

Hi @rrelyea , is there any update on this or on https://github.com/dotnet/corefx/issues/6746 ?

[mountgellert]

@mrward , How does your change fix this? Still cannot seem to see a way to use encrypted credentials from a Linux machine.

[mrward]

@mountgellert - For some reason merging the latest code into my fork closed this issue when it should not have. Re-opening.

[psmulovics]

Any news on this item?

[guidobouman]

What's the roadmap on this? Is the NuGet or the dotnet project responsible for this implementation? I can't seem to find anything about this in https://github.com/dotnet/designs/issues/11

[psmulovics]

any news on this item?

[wvh-shanee]

Bump for update.

[koliyo]

Please make this a priority, if Microsoft is serious about true cross-platform .NET application development.

We need both MacOS and Linux support!

[dquist]

Another serious shortcoming here is that, even on Windows, there's no way to securely enter the password. It can only be provided as plain text through the -Password option, in which case it will likely be logged to the shell history.

Come on, this is like CLI authentication 101. There needs to be a way to enter secrets interactively.

See https://github.com/NuGet/Home/issues/8131

[Swoorup]

• Upgrades everything to use dotnet core instead of mono.
• Everything works fine locally.
• Hopes on to build machine, which repulls packages.
• Notices this damn bug.
• Cleans packages locally, notices this damn bug.

[MaxHorstmann]

Please make this a priority, if Microsoft is serious about true cross-platform .NET application development.

We need both MacOS and Linux support!

Friendly +1. We're evaluating GitHub Actions / Packages for our build pipeline. A bit simplified, here's the workflow we have in mind:

name: build

on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]

jobs:
  build:

    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v2
    - name: Setup .NET Core
      uses: actions/setup-dotnet@v1
      with:
        dotnet-version: 3.1.300
    - name: Add package source
      run:  dotnet nuget add source https://nuget.pkg.github.com/ourteam/index.json -n GPR --store-password-in-clear-text -u SomeUser -p ${{ secrets.GITHUB_TOKEN }}
    - name: Install dependencies
      run: dotnet restore
    - name: Build
      run: dotnet build --configuration Release --no-restore

So basically, the GitHub Packages NuGet source is injected at build time using the GITHUB_TOKEN. With the entire build running on a Linux image, we're forced to use --store-password-in-clear-text - otherwise, the "Add package source" step fails with the "Encryption is not supported on non-Windows platforms" error.

While GH Actions thankfully doesn't log the cleartext token (shows up as -p ***), it's worrying that it is stored somewhere inside an ephemeral build container (in nuget.config or elsewhere) for a certain period of time. In particular given the wide range of permissions for the GITHUB_TOKEN. Supporting password encryption on non-Windows platforms would alleviate that concern.

[rrelyea]

Had meeting with .net core team today to talk about options for xplat encryption. Unfortunately, this issue is tracking a solution that would only be able to provide "obfusacted passwords" -- see number 5 in list below.

List of best to lowest security options:

Authentication Options for NuGet clients

• 1 - AVAILABLE SOON: Use Client Certs to secure client<->server communication (coming in NuGet 5.7 - available in preview 3 and later) - requires a nuget server that could use client cert as user auth...(not sure if that exists yet) hardware security module to store client key

• 2 - POTENTIAL FEATURE WORK: nuget could use a technique like Azure storage...never send credential -- use credential to sign request...then send to server...server verifies signature. credential never goes across wire...which means process doesn't need access to that signature...so it is more secure.

• 3 - AVAILABLE ON WINDOWS: encrypted passwords in a user/machine nuget.config doc page

• 4 - POSSIBLE TODAY: use a hardware security module to store password (however, if app can read password, so can root, and manager of HSM)

• 4 - POTENTIAL FEATURE WORK: NuGet uses Azure Key Vault (or similar) for CI scenarios

• 5 - POTENTIAL FEATURE WORK: obfuscated passwords, trying to be like Windows' encrypted password stored in nuget.config on...however, root will always have access...even if we implemented that. (hard drive stolen...put in another computer, root wins!)

• 6 - AVAILABLE TODAY: clear text password in envvar. Nuget.config references env var. doc page

• 7 - AVAILABLE TODAY: clear text password in nuget.config doc page

• ? - credential providers...need to understand where they rank and add to list above.

Communication Options between client and server

1) Client Certs and https 2) https 3) http

[tmds]

root will always have access

This is by design. root is not like a Windows administrator. It is at the same level as the kernel. You can never lock out root.

hard drive stolen

Disk encryption can be used. (On top of restricting physical access, so disks don't get stolen.)

obfuscated passwords

Probably the 'key' stored to reverse the obfuscation will be stored with the user permissions. That's fine. I want to point it out explicitly.

env var for password in nuget.config or other clever ways

This seems an interesting option for builds in containers.

[dquist]

Point of clarification regarding the encrypted passwords in nuget.config, there's currently no way to set the encrypted password value without entering it as a plaintext value as part of the command. This is not ideal since the plaintext value will most certainly be logged in terminal history.

[brphelps]

I think MSAL has an approach for this for token encryption that nuget should consider using as inspiration -- they try to find a local encryption library on Linux, and only when it isn't present do they fall back to something else.

[rrelyea]

@brphelps - would love a pointer to that approach. sounds promising. link? In all our discussions with net core team (do we call them .net team again?), they didn't think it was easy to solve in runtime.

[psmulovics]

@brphelps , you had my curiosity. But now you have my attention. This would solve so many problems (powershell scripts, nuget, etc) and is part of an ongoing discussion with @rrelyea , me and many others for at least 3 years now

[psmulovics]

wow, just checked notes, since 2015!

[psmulovics]

ok, so how does https://devblogs.microsoft.com/powershell/powershell-team-2021-investments/#secretmanagement-and-secretstore-1-0 change this picture?

[psmulovics]

Specifically https://www.powershellgallery.com/packages/microsoft.powershell.secretstore/0.9.1

[brphelps]

@psmulovics @rrelyea sorry it took me forever to respond here. I'm mostly looking at: https://github.com/AzureAD/microsoft-authentication-extensions-for-dotnet For reasons I'm a little unclear on I'm blocked from logging into that wiki that they link there, but I remember that it talks about their fallback process in detail. Maybe you guys can access it?

[psmulovics]

We can, the problem that if the application is not interactive (eg it has not X11 access) it cannot use a keychain (it would use the one from Gnome for example which depends on X11). As a result, it falls back to unencrypted plain text. The actual code is:

storageProperties = ConfigureSecureStorage(usePlaintextFileOnLinux: true);

[totollygeek]

Sooo 6 years later and encrypting passwords for sources is still not ready? Sweet. Because, who cares about security, right?

[stunney]

@msftgits time to get this working, today!

[stunney]

@mrward can you help light a fire under a Product Manager to get this resolved?

[BrianMcBrayer]

Agreed. This is a critical feature.

[JonDouglas]

Hi all,

This is the first time i've seen this issue so please bear with me.

As far as I'm aware, this issue is dependent on ProtectedData having cross-platform support. Currently the API has notes of:

https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.protecteddata?view=windowsdesktop-5.0#remarks

and

.NET Core and .NET 5+ only: Calls to the Protect method are supported on Windows operating systems only

The use of this class is in the following code:

https://github.com/nuget/NuGet.Client/blob/dev/src/NuGet.Core/NuGet.Configuration/Utility/EncryptionUtility.cs#L15-L39

This API has no plans to support cross-platform cases which means that we(NuGet) will need to use another approach for each platform as noted by the comment author. It is possible that we may be able to adopt a similar implementation that Mono has for these non-windows platforms.

In the meantime, please upvote the original comment on this issue with a 👍 so we can understand the need for this feature. Or even create a new issue specific to the scenario you're interested in since this issue captures many other authentication scenarios in addition.

Thank you.

[psmulovics]

There are multiple scenarios where you would need this - e.g. connecting to enterprise hosted package manager endpoints where you would need to store password or API key in your nuget.config and you would like to do it encrypted.

As a cascade effect, if the actual underlying protecteddata API would be solved for other scenarios (e.g. for Linux it could have a dependency on libcrypt, or the actual .NET package for a particular Linux distribution could have the distro specific implementation of the relevant crypto DLL), it would enable the use of some pwsh scripts that also fail on the lack of protecteddata support, etc. So fixing the underlying problem would have a positive cascade on a much wider set of the .NET ecosystem.

[aortiz-msft]

@dtivel - Would you please summarize our current state? Also, if we are blocked on a crypto API, we need to create an issue against the proper team to drive the conversation.

cc @JonDouglas

[tmds]

We had a discussion about this with Microsoft 2 years back.

Two points came up:

• The solution can not be as-secure as on Windows.
• Depending on what you are encrypting, there are different requirements, which means using algorithms, key lengths, ...

The first is something we need to accept. We can make it as secure as it is on Linux. That means the key for encrypting/decrypting is stored under the user folder and accessible only to that user. (My private ssh key is at ~/.ssh/id_rsa :wink:).

The second means framework won't provide ProtectedData because there is no generic solution. NuGet needs to take care of it itself.

This is some code @bartonjs wrote as part of the discussion. It may be usable as a base for NuGet's implementation.

cc @GrabYourPitchforks

[hamarb123]

I just started getting this warning:

<path to .csproj> : warning NU1803: You are running the 'restore' operation with an 'HTTP' source, 'http://<rest of link>'. Non-HTTPS access will be removed in a future version. Consider migrating to an 'HTTPS' source.

I'm currently using http on macOS (on localhost, which probably should never be blocked imo since it's not really insecure in the same way per-se) because it doesn't support encrypting the client-cert certificate for some reason. This should be able to be very secure on macOS using keychain, I have no idea why this isn't supported yet other than low priority (which is understandable), but I need to be able to keep using http for localhost until client-cert is implemented on macOS - will disallowing http be delayed until this is implemented on all platforms?

Is there a timeline for this? Will it be properly secure using keychain (if I'm not mistaken keychain will prompt every time access is requested until allow every time is pressed, and then it should allow for the dotnet executable to access its keychain data)?

[zivkan]

@hamarb123 this issue (source password encryption, for private/authenticated feeds) is not related to http/https. Please create a new issue for that.

[hamarb123]

I know it's not related directly. As I said (I think), I'm using a client-cert certificate that runs over https, I'm currently having to use the http version (which doesn't have client-cert or encryption) though because I don't want to store the client-cert certificate password unencrypted. I could probably set up a https proxy that doesn't require client-cert as well, but I don't want to accidentally expose it outside of the machine so I have intentionally used the http one on localhost instead of doing that. Ideally I'd like this feature to be implemented so I don't have to use the http one or find a different solution at all.

[tmds]

Fgcgdgdfggfhfn go look g me fkzgv

Op zo 24 jul. 2022 01:29 schreef Hamish Arblaster @.***

:

I just started getting this warning:

<path to .csproj> : warning NU1803: You are running the 'restore' operation with an 'HTTP' source, 'http://'. Non-HTTPS access will be removed in a future version. Consider migrating to an 'HTTPS' source.

I'm currently using http on macOS (on localhost, which probably should never be blocked imo since it's not really insecure in the same way per-se) because it doesn't support encrypting the client-cert certificate for some reason. This should be able to be very secure on macOS using keychain, I have no idea why this isn't supported yet other than low priority (which is understandable), but I need to be able to keep using http for localhost until client-cert is implemented on macOS - will disallowing http be delayed until this is implemented on all platforms?

Is there a timeline for this? Will it be properly secure using keychain (if I'm not mistaken keychain will prompt every time access is requested until allow every time is pressed, and then it should allow for the dotnet executable to access its keychain data)?

— Reply to this email directly, view it on GitHub https://github.com/NuGet/Home/issues/1851#issuecomment-1193205393, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAH2LEEGBTNPX5N2XNVD3Q3VVR57LANCNFSM4BW7LB2Q . You are receiving this because you are subscribed to this thread.Message ID: @.***>