Closed ajlanghorn closed 8 years ago
pmazurek
commented
8 years ago Sure, if it makes sense, I'm open. However could you elaborate on that? Why does it reduce the attack surface? You still have to store the credentials somewhere (most likely its going to be ~/.bashrc for env vars). What type of attack do you mean? AFF is mostly used on local developer machines.
ajlanghorn
commented
8 years ago @pmazurek Ah, I meant more that they wouldn't be stored anywhere. Instead, they'd be generated when required (and then available on a per-shell basis), rather than stored on disk.
pmazurek
commented
8 years ago Interesting approach, how would you go about implementing it? I'm mostly interested in the on-the-go credentials generation, as I currently have no clue on how would that work.
Anyways as the main question has been answered, I think we can close this issue, and discuss further on the PR if its opened?
Would you accept a pull request to change the README to suggest the use of credentials set by environment variable over hard-coded credentials? Doing so reduces the attack surface somewhat.