search

cloudfoundry / cli

The official command line client for Cloud Foundry
https://docs.cloudfoundry.org/cf-cli
Apache License 2.0
1.75k stars 927 forks source link

Piping in username and password into the cf login does not work. #1115

Closed norman-abramovitz closed 5 years ago

norman-abramovitz commented 7 years ago

LOGIN

openssl aes-256-cbc -d -in zzz -pass env:OPENSSL_PASSWORD | cf login -a api.run.pivotal.io -s www-staging

What occurred

I can pipe in either username or the password (with the stty errors showing), but I cannot pipe in both values.

API endpoint: api.run.pivotal.io Email> Password> stty: stdin isn't a terminal

stty: stdin isn't a terminal Authenticating... Credentials were rejected, please try again.

Password> stty: stdin isn't a terminal

stty: stdin isn't a terminal Authenticating... Credentials were rejected, please try again.

Password> stty: stdin isn't a terminal

stty: stdin isn't a terminal Authenticating... Credentials were rejected, please try again.

API endpoint: https://api.run.pivotal.io (API version: 2.78.0) Not logged in. Use 'cf login' to log in. FAILED Unable to authenticate.

What you expected to occur

No stty error messages and a successful login.

CLI Version

cf version 6.26.0+9c9a261fd.2017-04-06

CC API Endpoint Version

api endpoint: https://api.local.pcfdev.io api version: 2.75.0

api endpoint: https://api.run.pivotal.io api version: 2.78.0

Platform & Shell Details

Mac OS X 10.12.4 iTerm2 3.0.14 Bash 3.2.57(1)-release

Any other relevant information

I am assuming you will be deprecating the cf auth command. Otherwise, this command could be extended to accept piped input.

Since it is possible to detect stdin versus a pipe, you could echo the username.

cf-gitbot commented 7 years ago

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/143363259

The labels on this github issue will be updated when the story is started.

dkoper commented 7 years ago

Hi @norman-abramovitz

I have no plans to deprecate cf auth any time soon. cf auth currently guarantees non-interactive use. Username is printed by most commands (see e.g. first line in cf apps), so I assume the reason for piping the username in is not for security reasons. So cf login -a api-endpoint -u username and piping of the password works for you? What is your use case?

Cheers, Dies Koper CF CLI PM

norman-abramovitz commented 7 years ago

It was for an imposed security policy that anything stored in the client's security vault (CyberArk) needs to be handled securely. The username and secret are stored in their vault. This was a simplified case since the actual case was a script that either a devops or a pipeline could be using.

geetgangwar commented 6 years ago

Hi, I am using CF cli version 6.33.0+a345ea34d.2017-11-20 on MAC OS, when I try to connect to pivotal api portal using cf login, I am always getting "Credentials were rejected, please try again." I have done this on both BASH and KSH prompt.

Please help me.

dkoper commented 6 years ago

@geetgangwar Are you using the cf login command in the same way as @norman-abramovitz does?

phiwoff commented 6 years ago

I am also experiencing this issue. What is odd however, is that I was not receiving this error roughly "last week" performing the exact same task via script. My apologies that I cannot be more exact/specific, but I haven't touched this bit of my code (bash script) in several days, upwards of a week. I am going to look into cf auth

@dkoper to possibly preempt the inquiry, I am not trying the same way. I have a Node app that is spawning a child process (bash script) which it passes arguments to, I set those arguments to vars in the child process, and log in:

cf l -a ${LOGIN_API} -u ${USERNAME} -p ${PASS} -o ${ORG} -s ${SPACE}

api endpoint: https://api.system.aws-usw02-pr.ice.predix.io

api version: 2.75.0

abbyachau commented 5 years ago

Hi @norman-abramovitz thanks for creating this issue. We are currently refactoring the cf login command and believe this issue might be fixed after the refactor. We hope to release a CLI with the refactoring work soon.

bwasmith commented 5 years ago

This behavior is handled correctly in the newly rewritten cf login command.

Specifically, running a command such as: 

$ echo -e "$CF_USERNAME\n$CF_PASSWORD" | cf login

should behave as expected.

Please expect this fix to be included in an upcoming release.

Divine1 commented 1 year ago

Hi @norman-abramovitz

I have no plans to deprecate cf auth any time soon. cf auth currently guarantees non-interactive use. Username is printed by most commands (see e.g. first line in cf apps), so I assume the reason for piping the username in is not for security reasons. So cf login -a api-endpoint -u username and piping of the password works for you? What is your use case?

Cheers, Dies Koper CF CLI PM

cf auth shows Failed

image

but the same credentials works fine in interactive mode