oath-toolkit-help

[OATH-Toolkit-help] oathtool should not require secret key on command li


From: Martin Radford
Subject: [OATH-Toolkit-help] oathtool should not require secret key on command line
Date: Thu, 26 Jan 2012 10:17:49 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I've just been looking at the toolkit, and so far everything is working
as expected.

However, as far as I can see, the only way to provide the secret key to
oathtool is to put it on the command line.

This strikes me as being unsafe -- on a multi-user system, the secret
key will show up in the output of the "ps" command, and hence could be
unintentionally exposed.

oathtool really needs to support a command-line option to allow the
secret to be read from a file (e.g. "-f secretkey.txt") or even from a
file descriptor (as gnupg does with its "--passphrase-fd" option).

Martin
- -- 
Martin Radford  (address@hidden)
Systems and Operations Team
IT Services
University of Bristol
PGP keyID:       5D2D92E9
PGP fingerprint: 137E 0277 9D78 7447 71D0 BB3D C20D BB9A 5D2D 92E9
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (MingW32)

iD8DBQFPIShOwg27ml0tkukRAqZzAKC866E9subD49T88e3TpLiro7uHZgCgpQJM
Mm+mb8NQpufiUAe2u/Nx3xA=
=8U1q
-----END PGP SIGNATURE-----
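The exposure described in the message above, as an added example that is not part of the original post and is not oathtool code: it starts a stand-in process twice, once with the secret in its argument list and once with the secret supplied on file descriptor 3 from a mode-0600 file, and prints the command line that `ps` would show in each case. It assumes Linux with `/proc`; `otp-consumer` is a hypothetical label and `DEMO_SECRET` is a constructed value.

```shell
#!/bin/sh
# Added demo (Linux, /proc): what other local users can read from a process's
# argv when a secret is passed as an argument versus through a file descriptor.
DEMO_SECRET=3132333435363738393031323334353637383930  # constructed, not a real key

# argv of a PID, as `ps` reads it from /proc/PID/cmdline (NUL-separated)
visible_argv() { tr '\0' ' ' < "/proc/$1/cmdline"; }

# Poll until the forked child has exec'd the stand-in consumer
wait_for_exec() {
    i=0
    while [ "$i" -lt 50 ]; do
        case "$(visible_argv "$1" 2>/dev/null)" in 'sh -c '*otp-consumer*) return 0 ;; esac
        sleep 0.1; i=$((i + 1))
    done
    return 1
}

# observe argv|fd: start a hypothetical consumer ("otp-consumer" is only a
# label in $0), print the argv an observer would see, then clean up.
observe() {
    keyfile=
    case "$1" in
    argv)
        sh -c 'key=$1; sleep 3; :' otp-consumer "$DEMO_SECRET" >/dev/null 2>&1 & ;;
    fd)
        keyfile=$(mktemp)                          # created with mode 0600
        printf '%s\n' "$DEMO_SECRET" > "$keyfile"  # shell builtin: no new process, no argv
        sh -c 'IFS= read -r key <&3; sleep 3; :' otp-consumer 3<"$keyfile" >/dev/null 2>&1 & ;;
    *) return 2 ;;
    esac
    pid=$!
    wait_for_exec "$pid" && visible_argv "$pid"
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    if [ -n "$keyfile" ]; then rm -f "$keyfile"; fi
    return 0
}

# Succeeds when the given ps-style line contains the secret
leaks_secret() { case "$1" in *"$DEMO_SECRET"*) return 0 ;; *) return 1 ;; esac; }

for mode in argv fd; do
    line=$(observe "$mode")
    if leaks_secret "$line"; then verdict="secret visible"; else verdict="secret not visible"; fi
    printf '%-4s %s: %s\n' "$mode" "$verdict" "$line"
done
```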



