From a2f116733b0a1e959a3144667b615a68fbacec20 Mon Sep 17 00:00:00 2001 From: Tycho Andersen Date: Thu, 21 Sep 2017 08:32:06 -0600 Subject: [PATCH] document the pass backend and default behavior Also add a big warning about cleartext passwords. Signed-off-by: Tycho Andersen --- docs/reference/commandline/login.md | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/docs/reference/commandline/login.md b/docs/reference/commandline/login.md index 49ca5428ec..f1088c6987 100644 --- a/docs/reference/commandline/login.md +++ b/docs/reference/commandline/login.md @@ -63,8 +63,9 @@ $ cat ~/my_password.txt | docker login --username foo --password-stdin 2. user is added to the `docker` group. This will impact the security of your system; the `docker` group is `root` equivalent. See [Docker Daemon Attack Surface](https://docs.docker.com/security/security/#docker-daemon-attack-surface) for details. You can log into any public or private repository for which you have -credentials. When you log in, the command stores encoded credentials in -`$HOME/.docker/config.json` on Linux or `%USERPROFILE%/.docker/config.json` on Windows. +credentials. When you log in, the command stores credentials in +`$HOME/.docker/config.json` on Linux or `%USERPROFILE%/.docker/config.json` on +Windows, via the procedure described below. ### Credentials store @@ -82,6 +83,7 @@ you can download them from: - D-Bus Secret Service: https://github.com/docker/docker-credential-helpers/releases - Apple macOS keychain: https://github.com/docker/docker-credential-helpers/releases - Microsoft Windows Credential Manager: https://github.com/docker/docker-credential-helpers/releases +- [pass](https://www.passwordstore.org/): https://github.com/docker/docker-credential-helpers/releases You need to specify the credentials store in `$HOME/.docker/config.json` to tell the docker engine to use it. The value of the config property should be 
@@ -97,6 +99,15 @@ For example, to use `docker-credential-osxkeychain`: If you are currently logged in, run `docker logout` to remove the credentials from the file and run `docker login` again. +### Default behavior + +By default, Docker looks for the native binary on each of the platforms, i.e. +"osxkeychain" on macOS, "wincred" on windows, and "pass" on Linux. A special +case is that on Linux, Docker will fall back to the "secretservice" binary if +it cannot find the "pass" binary. If none of these binaries are present, it +stores the credentials (i.e. password) in base64 encoding in the config files +described above. + ### Credential helper protocol Credential helpers can be any program or script that follows a very simple protocol.
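Review bot: In the first login.md hunk (@@ -63,8 +63,9), the reworded sentence still says the command "stores credentials in `$HOME/.docker/config.json`" in every case, which conflicts with the sections below it: the new "Default behavior" text says the file receives the password only when no helper binary is present. Suggest stating the two cases explicitly, i.e. credentials go to the platform's credential store when one is found and to `config.json` only as the fallback. Also replace "via the procedure described below" with a link to the "Default behavior" heading, so the reader knows which section is meant.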
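Review bot: In the helper list hunk (@@ -82,6 +83,7), the new `pass` entry is the only one written as a Markdown link followed by a URL; the three existing entries are a plain name followed by the URL. Either keep the plain-name style for consistency or link the other backends the same way. Naming the helper binary in this entry would also help, since the following paragraph asks the user to put a value into `config.json` and the "Default behavior" section refers to the backend only as "pass".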
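Review bot: In the new "Default behavior" section (@@ -97,6 +99,15), the fallback sentence says the password is stored "in base64 encoding" without stating that base64 is an encoding and not encryption, so anyone who can read the file can recover the password. The commit message promises a big warning about cleartext passwords, but none appears in the added lines. Suggest adding an explicit note directly after that sentence saying the fallback is equivalent to cleartext storage and that installing a credential helper avoids it. Smaller points: "windows" should be "Windows", "config files" should match the single `config.json` named earlier, and the helper names would be clearer as full binary names in backticks, following the `docker-credential-osxkeychain` usage in the context line above.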