[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[OATH-Toolkit-help] Bug#839278: oathtool: has no secure way to provide a

From: Michael Gold
Subject: [OATH-Toolkit-help] Bug#839278: oathtool: has no secure way to provide a key
Date: Fri, 30 Sep 2016 19:44:07 -0400
User-agent: NeoMutt/20160916 (1.7.0)

Package: oathtool
Version: 2.6.1-1

According to the man page, oathtool only accepts a key as a command-line
parameter.  This is generally insecure: command lines are visible to all
system users, unless procfs isn't available or has been mounted with the
non-default "hidepid" option.

There should be a secure way to provide the key, and the man page should
encourage its use.  It could be an environment variable or configuration
file.  Accepting a key on stdin would also be OK, as long as one doesn't
first pass it to an external utility like /bin/printf or /bin/echo using
command-line parameters.

- Michael

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: arm64, mips, i386

Kernel: Linux 4.7.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages oathtool depends on:
ii  libc6     2.24-3
ii  liboath0  2.6.1-1

oathtool recommends no packages.

oathtool suggests no packages.

-- no debconf information

Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]