diff options
author | Daniel Stenberg <daniel@haxx.se> | 2019-03-14 11:49:35 +0100 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2019-03-14 20:09:41 +0100 |
commit | 2af732f364e4734a5a5fd432c77a374e84e5d76c (patch) | |
tree | c0797ea5f9b5f8714aab36aee675536fa669492e /docs/cmdline-opts | |
parent | 05a131eb7740e95c7923b698f045bee6e87618ba (diff) |
curl.1: --user and --proxy-user are hidden from ps output
Suggested-by: Eric Curtin
Improved-by: Dan Fandrich
Ref: #3680
Closes #3683
Diffstat (limited to 'docs/cmdline-opts')
-rw-r--r-- | docs/cmdline-opts/proxy-user.d | 6 | ||||
-rw-r--r-- | docs/cmdline-opts/user.d | 6 |
2 files changed, 12 insertions, 0 deletions
diff --git a/docs/cmdline-opts/proxy-user.d b/docs/cmdline-opts/proxy-user.d index b1f6f6e03..152466daa 100644 --- a/docs/cmdline-opts/proxy-user.d +++ b/docs/cmdline-opts/proxy-user.d @@ -9,4 +9,10 @@ If you use a Windows SSPI-enabled curl binary and do either Negotiate or NTLM authentication then you can tell curl to select the user name and password from your environment by specifying a single colon with this option: "-U :". +On systems where it works, curl will hide the given option argument from +process listings. This is not enough to protect credentials from possibly +getting seen by other users on the same system as they will still be visible +for a brief moment before cleared. Such sensitive data should be retrieved +from a file instead or similar and never used in clear text in a command line. + If this option is used several times, the last one will be used. diff --git a/docs/cmdline-opts/user.d b/docs/cmdline-opts/user.d index 439def348..7001d28ab 100644 --- a/docs/cmdline-opts/user.d +++ b/docs/cmdline-opts/user.d @@ -12,6 +12,12 @@ The user name and passwords are split up on the first colon, which makes it impossible to use a colon in the user name with this option. The password can, still. +On systems where it works, curl will hide the given option argument from +process listings. This is not enough to protect credentials from possibly +getting seen by other users on the same system as they will still be visible +for a brief moment before cleared. Such sensitive data should be retrieved +from a file instead or similar and never used in clear text in a command line. + When using Kerberos V5 with a Windows based server you should include the Windows domain name in the user name, in order for the server to successfully obtain a Kerberos Ticket. If you don't then the initial authentication |