Re: [OATH-Toolkit-help] [sr #108846] oathtool should be able to read key from a file
From: Andrew McGlashan
Subject: Re: [OATH-Toolkit-help] [sr #108846] oathtool should be able to read key from a file
Date: Mon, 6 Jul 2015 18:52:53 +1000
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.0.1
Hi,
On 6/07/2015 4:22 PM, Craig Ringer wrote:
> Details:
>
> Requiring oathtool to read keys from the command line is quite insecure, as
> command line output may be exposed in history files, system logs, process
> listings, etc.
>
> It would be significantly preferable to read a ~/.oathtool (or --authfile
> cmdline path) file with key/value lists of aliases => keys, e.g.
>
> [oathtool]
> google => 0xDEADBEEF
> amazon => SOMEBASE64STRING
>
> etc, then accept these names instead of raw keys on the command line.
Have a look at my implementation.
User config file sample:
http://ix.io/jvA
(is stored as ~USERNAME/.oathtool.conf)
Python script:
http://ix.io/jvB
(store somewhere in user path, suggest /usr/local/bin)
Requires:
python-gnupg
Create the secret files as follows:
$ echo -en "secretstring" | \
gpg -e -a -o servicename.gpg -r YOURGPGKEY_OR_EMAIL
(NB: use space before echo so as to not enter history)
Or you could just create the gpg file with symmetric encryption...
Make sure that you don't include a trailing line feed for the secret!
Obviously using "-a" for ASCII armour is optional....
Enjoy.
> Bonus points for supporting symmetric encryption of the file using a master
> password/passphrase so it's encrypted at rest.
Got the bonus points, did this a good while ago, just updated some bits
today.
> I'm not using oathtool at this point, so no immediate patch will be pending.
> Just noting this issue for consideration.
Perhaps you can use it now ;-)
Cheers
AndrewM
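Added example, not Andrew's script or anything from oath-toolkit: a minimal Python sketch of the design proposed in this thread. It parses the hypothetical "[oathtool]" / "alias => key" config format from Craig's message, optionally decrypts a per-service gpg file the way Andrew describes (assumes the gpg CLI is installed), and computes the RFC 6238 TOTP code in-process so the secret never appears on a command line. The sample config is constructed; its keys are the RFC 6238 test secret "12345678901234567890" in hex and in base32.

```python
import base64
import hashlib
import hmac
import struct
import subprocess

# Constructed sample config in the "alias => key" form proposed in the thread.
# 0x-prefixed values are hex (oathtool's default); anything else is base32 (-b).
SAMPLE_CONFIG = """\
[oathtool]
google => 0x3132333435363738393031323334353637383930
amazon => GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
"""

def decode_key(raw):
    """Turn a config value into raw key bytes (hex if 0x-prefixed, else base32)."""
    if raw.lower().startswith("0x"):
        return bytes.fromhex(raw[2:])
    return base64.b32decode(raw.upper() + "=" * (-len(raw) % 8))

def parse_config(text):
    """Return {alias: key_bytes} for every line under the [oathtool] section."""
    keys, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = line == "[oathtool]"
            continue
        if in_section and "=>" in line:
            alias, raw = (s.strip() for s in line.split("=>", 1))
            keys[alias] = decode_key(raw)
    return keys

def secret_from_gpg(path):
    """Decrypt a per-service file made with 'gpg -e -o servicename.gpg' (assumes gpg in PATH)."""
    out = subprocess.run(["gpg", "--quiet", "--batch", "--decrypt", path],
                         check=True, capture_output=True).stdout
    return decode_key(out.decode().strip())  # strip guards against a trailing newline

def totp(key, now, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1), the same code 'oathtool --totp' would print."""
    mac = hmac.new(key, struct.pack(">Q", int(now // step)), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def code_for_alias(config_text, alias, now):
    """Resolve an alias to its key and compute the code; only the alias is ever typed."""
    return totp(parse_config(config_text)[alias], now)
```

Calling `code_for_alias(SAMPLE_CONFIG, "google", 59)` yields "287082", matching the RFC 6238 test vector for that time step.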