How does Heroku store its authentication for its command-line application?
I assume that when you first install the heroku gem and you're prompted to put in your username/password, it sends that username/password to its server to validate.
How then does heroku (or any other command-line apps for that matter) store that validated token on the file system securely and then transmit it together when it runs other commands like 'heroku create' for validation?
I'm using heroku as an example here because it is the only one that I could think of which does what I'd like to do at the moment.
Comments (4)
Heroku now spells out how they store their auth token for the Heroku CLI in pretty good detail here:
https://devcenter.heroku.com/articles/authentication
Relevant excerpts:
Heroku uses your login once to figure out who you are, then sends your public ssh key to their server so when you push to their git repo they know who you are (docs).
Other apps handle things differently. Some create a .<something> file in your home directory that contains an API token.
The heroku gem stores your credentials in ~/.heroku/credentials and the related code is in lib/heroku/auth.rb.
This depends on the implementation.
A common way of doing something like this is storing an auto-generated key-pair in a temporary file. The public key is passed to the server, and the private key is encrypted with a symmetric session key (that expires after a short duration, or upon logout).
The permissions field of this file is set to r-------- (read only by user.)
/tmp is generally used because many operating systems clean it up periodically. (Some even use an in-memory device.)
Implementations may differ, e.g., SSH keys are usually generated just once, not encrypted with a session key (but may expire), and are stored in ~/.ssh.
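The two practical points made in the answers above (a credentials file under the home directory, and a permissions field of r-------- so only the owning user can read it) combined into one small Ruby example. This is an added illustration, not the Heroku gem's own code; the TokenStore module name, the file layout and the sample token are assumptions, and the load-side check mirrors the owner/permission test ssh applies to private keys.

```ruby
require 'fileutils'
require 'tmpdir'

# Added example (not Heroku's lib/heroku/auth.rb): store a CLI token so that
# only the current user can read it, and refuse to use it if that ever changes.
module TokenStore
  PRIVATE_MODE = 0o400 # r-------- : owner read only, as described in the answer

  # Write the token atomically: create a temp file with a restrictive mode,
  # write, then rename into place so a half-written file is never readable.
  def self.save(path, token)
    FileUtils.mkdir_p(File.dirname(path), mode: 0o700)
    tmp = "#{path}.tmp#{Process.pid}"
    # O_EXCL: never reuse (or follow a symlink at) an existing temp name.
    # The 0o600 mode applies at creation, before any bytes are written.
    File.open(tmp, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
      f.write(token)
    end
    File.chmod(PRIVATE_MODE, tmp)
    File.rename(tmp, path)
    path
  end

  # Load the token only if the file is a regular file, owned by us, and not
  # readable or writable by group/others. Otherwise fail closed.
  def self.load(path)
    st = File.lstat(path)
    raise "#{path}: not a regular file" unless st.file?
    raise "#{path}: not owned by the current user" unless st.uid == Process.euid
    if (st.mode & 0o077) != 0
      raise "#{path}: permissions #{format('%04o', st.mode & 0o777)} too open"
    end
    File.read(path).strip
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a throwaway home-like directory and a fake token.
  Dir.mktmpdir do |home|
    path = File.join(home, '.heroku', 'credentials')
    TokenStore.save(path, "constructed-example-token\n")
    puts TokenStore.load(path)
  end
end
```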