
#65 Ability to enter password from within schemaSpy

Status: closed
Owner: John Currier
Labels: None
Priority: 5
Updated: 2010-09-29
Created: 2010-06-27
Creator: st0w
Private: No

The requirement to include a password as a command-line switch is a huge security risk.

Especially as SchemaSpy can take several minutes to run on a large database, this requirement allows any user on the system to execute a simple ps and immediately be provided with all of the login details to the database - including a password. As many users may be running with elevated privileges, in order to ensure they have the entire schema, this is a very serious potential exposure.

SchemaSpy should allow for the user to submit a command line and then subsequently prompt the user for the password. This same behavior can be seen in most every database administration tool.

Discussion

  • John Currier, 2010-06-28

    There's currently a -connprops option that can be used to point to a file of key=value pairs containing a password=mypassword entry. That file would obviously need to be protected. Note that the file you point to can be something like /dev/con (the console) that would be terminated by a Ctrl+D or F6 (depending on your OS). This approach, however, will show the password as you type it.

    Another approach (as suggested) would be to add a -pfp (prompt for password) switch. Java doesn't natively support masking of passwords typed from the command line, so some additional work would be required to make that happen.

  • John Currier, 2010-06-28

    • assigned_to: nobody --> johncurrier
  • John Currier, 2010-07-20

    A new -pfp (prompt for password) flag has been added in revision 579 (beta available at http://schemaspy.sourceforge.net/schemaSpy.jar). If running in a Java6 or later JVM it will take advantage of the Console classes for getting the password. If the Console classes aren't available a home-grown implementation is used.

    Let me know if you run into any issues with it.

    John
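    The prompt-for-password approach described in this comment, as an added example that is not SchemaSpy's own code: a Java 6+ `Console`-based prompt with a plain `System.in` fallback when no console is attached. The class and method names (`PasswordPrompt`, `promptForPassword`) are assumptions for the illustration.

```java
import java.io.Console;
import java.io.IOException;
import java.util.Arrays;

// Added example, not SchemaSpy's own code: obtain the database password by
// prompting instead of reading it from argv, where it is visible to every
// local user via ps for as long as the process runs.
public final class PasswordPrompt {

    // Returns a char[] rather than a String so the caller can zero it after use.
    public static char[] promptForPassword(String prompt) throws IOException {
        Console console = System.console(); // non-null only when attached to a TTY (Java 6+)
        if (console != null) {
            return console.readPassword("%s", prompt); // echo is disabled while typing
        }
        // Fallback when no Console is available (stdin redirected, IDE, some CI runners).
        // The typed characters are echoed, so say so before prompting.
        System.err.println("warning: no console attached, password will be echoed");
        System.out.print(prompt);
        System.out.flush();
        StringBuilder buf = new StringBuilder();
        int c;
        while ((c = System.in.read()) != -1 && c != '\n' && c != '\r') {
            buf.append((char) c);
        }
        char[] password = new char[buf.length()];
        buf.getChars(0, buf.length(), password, 0);
        for (int i = 0; i < buf.length(); i++) {
            buf.setCharAt(i, '\0'); // scrub the intermediate copy
        }
        return password;
    }

    public static void main(String[] args) throws IOException {
        // Only the user name is taken from the command line; the secret never is.
        String user = args.length > 0 ? args[0] : "schemaspy";
        char[] password = promptForPassword("Password for " + user + ": ");
        try {
            // Hand off to the JDBC driver here, e.g. via a java.util.Properties with a
            // "password" key (JDBC forces a String copy; keep its lifetime short).
            System.out.println("read " + password.length + " characters for " + user);
        } finally {
            Arrays.fill(password, '\0'); // do not leave the secret in the heap longer than needed
        }
    }
}
```

    Running `java PasswordPrompt dbuser` from a terminal masks the input; piping a password into stdin hits the echoed fallback, which is why the warning goes to stderr rather than stdout.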

  • John Currier, 2010-08-17

    Implemented in Release 5.0.0.

  • John Currier, 2010-08-17

    • status: open --> pending
  • This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 14 days (the time period specified by
    the administrator of this Tracker).

    • status: pending --> closed