[OATH-Toolkit-help] oathtool should not require secret key on command li
From: Martin Radford
Subject: [OATH-Toolkit-help] oathtool should not require secret key on command line
Date: Thu, 26 Jan 2012 10:17:49 -0000

Hi,

I've just been looking at the toolkit, and so far everything is working
as expected.

However, as far as I can see, the only way to provide the secret key to
oathtool is to put it on the command line.

This strikes me as being unsafe -- on a multi-user system, the secret
key will show up in the output of the "ps" command, and hence could be
unintentionally exposed.

oathtool really needs to support a command-line option to allow the
secret to be read from a file (e.g. "-f secretkey.txt") or even from a
file descriptor (as gnupg does with its "--passphrase-fd" option).

Martin
- --
Martin Radford (address@hidden)
Systems and Operations Team
IT Services
University of Bristol
PGP keyID: 5D2D92E9
PGP fingerprint: 137E 0277 9D78 7447 71D0 BB3D C20D BB9A 5D2D 92E9
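
The approach the message asks for, as an added example that is not part of the original post and is not OATH Toolkit code: a small HOTP generator (RFC 4226) that reads its secret from an inherited file descriptor, so the process's argument list holds only a descriptor number. The `--secret-fd` option name, the hex key encoding and the helper names are assumptions made for illustration; it relies on POSIX descriptor inheritance.

```python
# Added example, not oathtool code. "--secret-fd" is a hypothetical option name.
import argparse, hashlib, hmac, os, struct, subprocess, sys

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def read_secret_fd(fd: int) -> bytes:
    """Read a hex-encoded secret from an already-open descriptor until EOF."""
    with os.fdopen(fd, "rb") as f:
        return bytes.fromhex(f.read().decode("ascii").strip())

def main(argv=None) -> None:
    parser = argparse.ArgumentParser()
    parser.add_argument("--secret-fd", type=int, required=True)
    parser.add_argument("--counter", type=int, default=0)
    args = parser.parse_args(argv)
    # The secret never appears in sys.argv, so "ps" shows only the fd number.
    print(hotp(read_secret_fd(args.secret_fd), args.counter))

def run_child_with_pipe(hex_secret: str, counter: int):
    """Caller side: pass the secret over a pipe. Returns (otp, child argv)."""
    r, w = os.pipe()
    argv = [sys.executable, os.path.abspath(__file__),
            "--secret-fd", str(r), "--counter", str(counter)]
    # pass_fds keeps only the read end open in the child, under the same number.
    child = subprocess.Popen(argv, pass_fds=(r,), stdout=subprocess.PIPE)
    os.close(r)
    os.write(w, hex_secret.encode("ascii"))
    os.close(w)  # EOF lets the child finish reading
    out, _ = child.communicate()
    return out.decode().strip(), argv

if __name__ == "__main__":
    main()
```

From a shell the same script can be fed with a redirection such as `3< secretkey.txt` together with `--secret-fd 3`, with the key file readable only by its owner.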