    Inedo Community Forums

    Latest posts made by marcus_1459

    • RE: SECURITY VULNERABILITY: nuget cli requires anonymous access to feed

      Oh Google - now why hadn't I thought of that or indeed looked at the Microsoft web page a few days ago.

      Just so I'm perfectly clear - what is the exact command line to set the credentials in the format that ProGet prefers into the command line? (using dummy feedname)

      posted in Support
      marcus_1459
    • RE: SECURITY VULNERABILITY: nuget cli requires anonymous access to feed

      @atripp said in SECURITY VULNERABILITY: nuget cli requires anonymous access to feed:

      Once credentials are stored, then you won't be prompted again. That's also by design of nuget.

      Except they do prompt

      posted in Support
      marcus_1459
    • RE: SECURITY VULNERABILITY: nuget cli requires anonymous access to feed

      The problem is - if you also look at the previous posts,
      if you want a non-interactive session using nuget cli and you have stored your credentials previously, you still get prompted to enter them. People are saying the workaround for that is to enable anonymous - which creates a security risk.

      posted in Support
      marcus_1459
    • SECURITY VULNERABILITY: nuget cli requires anonymous access to feed

      This has been mentioned in a number of forum posts but I do not believe the ramifications of the workaround have been fully understood.
      https://forums.inedo.com/topic/622
      https://forums.inedo.com/topic/345/proget-nuget-push-always-asks-for-credentials
      https://forums.inedo.com/topic/526/push-nupkg-to-proget-failing-with-authentication-error
      And as I have just discovered, you get the same if you try to download from ProGet using nuget cli, in that you get prompted for credentials even though they have been previously supplied.

      The workaround is to provide anonymous access to the feed.

      For downloading, it is possible to limit the access to just view the feed, but even this is a huge security hole giving access to package information; however, if users are not aware to restrict, they could potentially leave an open path for non-approved download and potential data breach.

      From enabling statistics on package feeds, it looks like once authenticated it's then allowing the download via nuget using anonymous access; whether this is a design of nuget or of ProGet I don't know. But either way this anonymous loophole needs fixing, giving the ability to download nuget packages via the command line using authenticated accounts only.

      posted in Support
      marcus_1459
    • Nuget install prompting for credentials

      Hi,
      We have Inedo set up for AD integration.

      However, I also have a DevOps pipeline that is off the domain and I don't want to give it an AD account to connect.
      So I have created a built-in directory user to pull the packages down

      I've set the credentials locally
      with nuget sources add -Name "proget" -Source "https://xxxx/nuget/myfeed/" -username "uuuu" -password "pppp"
      and also nuget setapikey "uuuuu:ppppp" -Source "https://xxxx/nuget/myfeed/"

      However, on doing a nuget install, I'm still getting prompted for credentials.

      Any ideas?

      posted in Support
      marcus_1459