Support loading password from file #24

Open
Sohalt opened this issue Sep 7, 2020 · 6 comments
Comments

@Sohalt

Sohalt commented Sep 7, 2020

It would be helpful to support loading the password from a separate file, because it would allow to keep secrets separate from configuration.

Specifically it would help with using mpdscribble as a NixOS module, because NixOS auto-generates a world readable configuration file, which, in the current setup, has to contain the password.

Something like:

[last.fm]
url = http://post.audioscrobbler.com/
username = foobar
password_file = /var/secret/mpdscribble_password
@goetzc

goetzc commented Sep 26, 2020

@Sohalt that is a good idea. Also being able to read the password from an environment variable would be nice to have.

FWIW, the password can also be in the form of a MD5 hash.

echo -n "my-password" | md5sum | cut -f 1 -d " "
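
The two proposals above (a `password_file` key and reading the secret from an environment variable) sketched as code, with the checks a practitioner would want before trusting either source. This is an added example and not mpdscribble's own code; the key names `password_file` and `password_env`, the `LastFmSecretConfig` struct, the permission policy and the resolution order are assumptions made for the example.

```cpp
// Added example, not mpdscribble code. Resolves the last.fm secret from a
// separate file (password_file) or an environment variable (password_env)
// instead of the world-readable configuration file. Config key names, the
// struct and the resolution order are assumptions for this example.
#include <cstdlib>
#include <fstream>
#include <stdexcept>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

struct LastFmSecretConfig {
    std::string password;       // inline secret (current behaviour, least preferred)
    std::string password_file;  // path to a file holding the secret
    std::string password_env;   // name of an environment variable holding the secret
};

// Remove the trailing newline an editor or `echo` leaves behind; it is not part of the secret.
static std::string chomp(std::string s) {
    while (!s.empty() && (s.back() == '\n' || s.back() == '\r'))
        s.pop_back();
    return s;
}

// A secret file must be a regular file with no group/other permission bits
// (0600 or 0400). Rejecting anything else catches the "world readable" mistake
// that the auto-generated config file itself suffers from.
bool file_is_private(const std::string &path) {
    struct stat st {};
    if (stat(path.c_str(), &st) != 0 || !S_ISREG(st.st_mode))
        return false;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

std::string read_password_file(const std::string &path) {
    if (!file_is_private(path))
        throw std::runtime_error("refusing " + path + ": not a private regular file");
    std::ifstream in(path);
    if (!in)
        throw std::runtime_error("cannot open " + path);
    std::string line;
    std::getline(in, line);  // first line only; stray trailing content is ignored
    line = chomp(line);
    if (line.empty())
        throw std::runtime_error("empty secret file " + path);
    return line;
}

// The config names the variable; the secret itself lives in the process
// environment (for instance injected by a root-only systemd EnvironmentFile=).
std::string read_password_env(const std::string &var) {
    const char *v = std::getenv(var.c_str());
    if (v == nullptr || *v == '\0')
        throw std::runtime_error("environment variable " + var + " is not set");
    return v;
}

// Resolution order (an assumption): file, then environment, then inline.
std::string resolve_password(const LastFmSecretConfig &c) {
    if (!c.password_file.empty()) return read_password_file(c.password_file);
    if (!c.password_env.empty())  return read_password_env(c.password_env);
    if (!c.password.empty())      return c.password;
    throw std::runtime_error("no password, password_file or password_env configured");
}

// Test fixture, constructed for this example: write `contents` to `path` with `mode`.
bool write_test_file(const std::string &path, const std::string &contents, mode_t mode) {
    unlink(path.c_str());
    {
        std::ofstream out(path);
        if (!out) return false;
        out << contents;
    }
    return chmod(path.c_str(), mode) == 0;
}

int main() {
    const std::string path = "/tmp/mpdscribble_password_example";
    write_test_file(path, "hunter2\n", 0600);
    LastFmSecretConfig cfg;
    cfg.password_file = path;
    std::string pw = resolve_password(cfg);   // "hunter2"
    write_test_file(path, "hunter2\n", 0644);  // now world readable
    bool refused = false;
    try {
        resolve_password(cfg);
    } catch (const std::runtime_error &) {
        refused = true;                        // rejected: not a private regular file
    }
    unlink(path.c_str());
    return (pw == "hunter2" && refused) ? 0 : 1;
}
```

The permission check is the part that matters for the NixOS case: a `password_file` option only helps if the daemon refuses to continue when the secret file is as readable as the config it was meant to replace, otherwise the misconfiguration goes unnoticed. Whatever is loaded this way is still the value last.fm accepts (the password or, equivalently, its MD5 digest), so the file deserves the same protection as the password itself.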

@Sohalt
Author

Sohalt commented Sep 26, 2020

An md5sum is not very cryptographically secure. But yes, in general using a secure cryptographic hash function would also work. But I'd prefer the separate file.

@BachoSeven

@Sohalt not sure if it was clear but hashes are already supported in the configuration file.

@MaxKellermann
Member

The whole discussion about hashed passwords misses the point.
Pointing out that MD5 is not considered secure these days also misses the point.
Using a secure hash would be pointless, because if the hash is secure, what use would it be for mpdscribble?
mpdscribble can only use the MD5 digest of a last.fm password, because the last.fm server doesn't want to know the password, but its (unsalted) MD5 digest. So if you know the MD5 digest, you control the last.fm account. If last.fm accepted a secure hash instead of MD5, this wouldn't improve anything - that secure hash would still allow you to control the last.fm account.

@Sohalt
Author

Sohalt commented Jan 14, 2022

True, I didn't think things through. Mpdscribble obviously needs to authenticate, so it needs a secret, which ideally should not be in the configuration file, to allow the configuration to be shared and readable, as e.g. in the case of NixOS.

@xmalbertox

Hi, just migrated to mpd (from mopidy), and over there most passwords can be queried from secret-tool and stored in the system's keyring; this approach adds a dependency in the form of secret.

Another possibility was raised in an old issue (#12), by getting the password from a user defined utility like Gnu pass or secret-tool or even gpg, this approach is quite flexible and it is used in some email utilities like mbsync.

The best approach will be dependent on how the configuration is parsed, but it would be a great addition since having the password in plain text is not very secure, regardless of being md5sum hashed or not.
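
The "user defined utility" approach from the comment above, sketched as code: the config names a helper command (`pass show lastfm`, `secret-tool lookup service lastfm`, a `gpg --decrypt` invocation) and the daemon takes the first line of its standard output as the secret, the way mbsync's PassCmd works. This is an added example and not mpdscribble's own code; the key name `password_cmd` and the exit-status and first-line conventions are assumptions made for the example.

```cpp
// Added example, not mpdscribble code: obtain the secret by running a
// user-configured helper (`password_cmd`, a hypothetical key modelled on
// mbsync's PassCmd), e.g. `pass show lastfm` or
// `secret-tool lookup service lastfm`. The first line of stdout is the secret.
#include <array>
#include <cstdio>
#include <optional>
#include <string>
#include <sys/wait.h>

// Returns the secret, or nullopt if the helper fails or prints nothing.
// The command runs through /bin/sh -c, so it is trusted exactly as much as
// the config file that names it (never build it from untrusted input).
std::optional<std::string> run_password_cmd(const std::string &cmd) {
    FILE *pipe = popen(cmd.c_str(), "r");
    if (pipe == nullptr)
        return std::nullopt;

    std::string out;
    std::array<char, 256> buf{};
    size_t n;
    while ((n = fread(buf.data(), 1, buf.size(), pipe)) > 0)
        out.append(buf.data(), n);

    int status = pclose(pipe);
    // A non-zero exit (locked keyring, missing entry, gpg-agent not running)
    // must not be mistaken for an empty or partial password.
    if (status == -1 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return std::nullopt;

    // Only the first line is the secret; drop the newline and anything after it
    // (pass, for instance, may store notes on the following lines).
    const auto nl = out.find('\n');
    if (nl != std::string::npos)
        out.erase(nl);
    if (!out.empty() && out.back() == '\r')
        out.pop_back();
    if (out.empty())
        return std::nullopt;
    return out;
}

int main() {
    // Constructed stand-ins for `pass show lastfm`, so the example runs offline.
    auto ok = run_password_cmd("printf 'hunter2\\n'");
    auto failed = run_password_cmd("echo partial-output; exit 1");
    return (ok && *ok == "hunter2" && !failed) ? 0 : 1;
}
```

Two practical points for a scrobbler daemon: the secret travels over the helper's stdout rather than its argument list, so it never shows up in `ps` or in the config; and helpers such as pass or secret-tool need an unlocked gpg-agent or keyring, which exists in a user session but not for a system service started at boot, where a root-only secret file is the workable choice.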
