oath-toolkit-help

[OATH-Toolkit-help] Key Security with oathtool(1)


From: Curt Sampson
Subject: [OATH-Toolkit-help] Key Security with oathtool(1)
Date: Thu, 24 Mar 2016 17:41:37 +0900
User-agent: Mutt/1.5.21 (2010-09-15)

oathtool takes secrets (e.g., TOTP keys) on the command line. While
this is not strictly a vulnerability in oathtool itself, it's very bad
practice for various reasons, including:

* The secret may be visible in the output of utilities such as ps(1).
* The secret will likely be stored in the command line history of users
  who have that enabled, and that may even be recorded to a file. (bash
  by default sets HISTFILE=~/.bash_history according to the manpage.)

oathtool should at the very least offer an option to take secrets on
stdin, and ideally it should discourage secrets on the command line.

OpenSSL offers a good interface for this, prompting for a pass phrase if
a terminal is available and offering various other options for providing it:

  https://openssl.org/docs/manmaster/apps/openssl.html#PASS-PHRASE-ARGUMENTS

cjs
-- 
Curt Sampson         <address@hidden>         +81 90 7737 2974

To iterate is human, to recurse divine.
    - L Peter Deutsch

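What the openssl-style interface the post points to looks like in practice, as an added example that is not part of oath-toolkit or the poster's message: the key is named by a source spec (pass:, env:, file:, fd:, stdin, prompt) instead of being placed in argv, so it never appears in ps(1) output or shell history, and the resolved key is fed to an RFC 4226/6238 HOTP/TOTP computation. The spec names, the hex-by-default/base32-with-b key handling, and the demo_sources helper (which builds its own temp file, environment variable and pipe) are this example's own choices, not oathtool's options.

```python
"""Added example: openssl(1)-style secret sources for a TOTP calculator.

The key is fetched from a source the user names (file:, env:, fd:, stdin,
prompt) rather than from argv, so it is not exposed via ps(1) or shell
history.  Illustrative code only; not part of oath-toolkit.
"""
import base64
import getpass
import hashlib
import hmac
import os
import struct
import sys
import tempfile
import time


def read_secret(spec):
    """Resolve a source spec to the secret text (first line for streams).

    pass:<secret>  inline; still leaks via ps/history, kept only for parity
    env:<VAR>      environment variable VAR
    file:<path>    first line of the file (use mode 0600)
    fd:<n>         first line from an already-open descriptor n
    stdin          first line of standard input
    prompt         interactive no-echo prompt on the controlling tty
    """
    kind, _, rest = spec.partition(":")
    if kind == "pass":
        return rest
    if kind == "env":
        val = os.environ.get(rest)
        if val is None:
            raise ValueError(f"environment variable {rest!r} is not set")
        return val
    if kind == "file":
        with open(os.path.expanduser(rest), "r", encoding="utf-8") as f:
            return f.readline().rstrip("\r\n")
    if kind == "fd":
        with os.fdopen(int(rest), "r", encoding="utf-8", closefd=False) as f:
            return f.readline().rstrip("\r\n")
    if spec == "stdin":
        return sys.stdin.readline().rstrip("\r\n")
    if spec == "prompt":
        return getpass.getpass("TOTP key: ")
    raise ValueError(f"unknown secret source {spec!r}")


def decode_key(secret, base32=False):
    """Hex unless base32 is requested (mirrors oathtool's default and -b)."""
    if base32:
        s = secret.strip().replace(" ", "").upper()
        s += "=" * (-len(s) % 8)  # restore any stripped padding
        return base64.b32decode(s)
    return bytes.fromhex(secret.strip())


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(key, now=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the current time step (30 s by default)."""
    if now is None:
        now = time.time()
    return hotp(key, int(now) // step, digits)


def demo_sources(hex_key="3132333435363738393031323334353637383930", now=59):
    """Fetch one constructed key via several non-argv sources and return the
    TOTP each yields at time `now`; every source is built here, not from argv."""
    results = {"pass": totp(decode_key(read_secret("pass:" + hex_key)), now)}
    os.environ["DEMO_TOTP_KEY"] = hex_key
    results["env"] = totp(decode_key(read_secret("env:DEMO_TOTP_KEY")), now)
    with tempfile.NamedTemporaryFile("w", delete=False) as f:
        f.write(hex_key + "\n")
        path = f.name
    try:
        os.chmod(path, 0o600)
        results["file"] = totp(decode_key(read_secret("file:" + path)), now)
    finally:
        os.unlink(path)
    r, w = os.pipe()  # stands in for a descriptor inherited from a parent
    os.write(w, (hex_key + "\n").encode())
    os.close(w)
    try:
        results["fd"] = totp(decode_key(read_secret(f"fd:{r}")), now)
    finally:
        os.close(r)
    return results


if __name__ == "__main__":
    # e.g.  python3 totp_source.py file:~/.totp-key      or      ... stdin -b
    spec = sys.argv[1] if len(sys.argv) > 1 else "prompt"
    print(totp(decode_key(read_secret(spec), base32="-b" in sys.argv[2:])))
```

The demo key is the RFC 4226/6238 test secret, so the values are checkable against the RFCs; in real use the file: source with a 0600 file or the prompt source is what you would reach for, and pass: exists only to show the unsafe form beside the safe ones.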