Bug#839278: oathtool: has no secure way to provide a key
From: Ian Jackson
Subject: Bug#839278: oathtool: has no secure way to provide a key
Date: Thu, 1 Oct 2020 11:35:48 +0100
Hi. Thanks for the review.
David Woodhouse writes ("Re: Bug#839278: oathtool: has no secure way to provide a key"):
> If you're going to load keys from files, surely you want to use PSKC
> files?
That would be a possible further improvement, surely.
> And we need to be able to write back to them in the case of HOTP
> keys too, to increase the counter.
You seem to be saying that the pre-existing command line API is wrong
for HOTP - since it takes the key as an argument and has no way of
writing anything back. (I don't know HOTP so I will take your word
for it...)
My change works for TOTP, at least. Having the key in an encrypted
file, or a desktop keyring, or whatever, would be a good improvement,
but I don't think my patch stands in the way of that.
Indeed, right now, with my patch it is possible to put the TOTP key in
a PGP-encrypted file and pipe the key into oathtool. Before my patch
this is not safe because one has to pass the key exposed on oathtool's
command line.
Thanks,
Ian.
--
Ian Jackson <ijackson@chiark.greenend.org.uk> These opinions are my own.
Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.
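The exposure Ian describes above, shown as an added shell illustration that is not part of the bug thread: a key passed on the command line is readable by any local user through the process table, while a key piped in on stdin is not. A small `sh -c` command stands in for oathtool, since this message does not name the option the patch adds, and the key value is constructed.

```shell
# Added example, not from the bug thread.  Two stand-in consumers for a
# tool like oathtool: one receives the key as an argument, the other reads
# it from stdin.  Each keeps running long enough to be inspected.

# Start a consumer that receives the key as argv[1]; print its pid.
start_argv_consumer() {
    sh -c 'key=$1; sleep 3; exit 0' sh "$1" >/dev/null 2>&1 &
    pid=$!
    sleep 1            # give the child time to exec so its argv is in place
    echo "$pid"
}

# Start a consumer that reads the key from stdin instead; print its pid.
start_stdin_consumer() {
    printf '%s\n' "$1" | sh -c 'read -r key; sleep 3; exit 0' >/dev/null 2>&1 &
    pid=$!
    sleep 1
    echo "$pid"
}

# Return 0 if SECRET appears in the argument list of process PID, which is
# what any local user sees with ps(1).  Uses /proc where it is available.
secret_visible_in_cmdline() {
    pid="$1"; secret="$2"
    if [ -r "/proc/$pid/cmdline" ]; then
        tr '\0' ' ' < "/proc/$pid/cmdline" | grep -q -- "$secret"
    else
        ps -o args= -p "$pid" | grep -q -- "$secret"
    fi
}

stop_consumer() { kill "$1" 2>/dev/null || true; }

# Demo with a constructed, non-real key: the argv consumer leaks it, the
# stdin consumer does not.
demo() {
    secret="CONSTRUCTEDKEY2020"
    p=$(start_argv_consumer "$secret")
    if secret_visible_in_cmdline "$p" "$secret"; then echo "argv: key exposed"; fi
    stop_consumer "$p"
    p=$(start_stdin_consumer "$secret")
    if ! secret_visible_in_cmdline "$p" "$secret"; then echo "stdin: key hidden"; fi
    stop_consumer "$p"
}

demo
```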