Re: [Freeipa-devel] [PATCH 0017] Add OTP support to ipalib CLI

Thu, 12 Sep 2013 07:03:21 -0700 

On 09/12/2013 03:38 PM, Nathaniel McCallum wrote:

On Thu, 2013-09-12 at 13:48 +0200, Petr Viktorin wrote:

I'm sorry for the late reply, I got caught up in other work and forgot
about this thread.

On 09/05/2013 03:31 PM, Nathaniel McCallum wrote:

On Thu, 2013-09-05 at 12:19 +0200, Petr Viktorin wrote:

On 09/05/2013 06:38 AM, Nathaniel McCallum wrote:

On Thu, 2013-09-05 at 00:25 -0400, Nathaniel McCallum wrote:

This patch has a few problems that I'd like some help with. There are a
few notes here as well.

1. The handling of the 'key' option is insecure. It should probably be
treated like a password (hidden from logs, etc). However, in this case,
it is binary, so I'm not quite sure how to do that. Passing it as a
command line option may be nice for scripting, but is potentially a
security problem if it ends up in bash.history. It would also be nice if
the encoding were base32 instead of base64, since nearly all the OTP
tools use this encoding.


Not only in bash_history; anyone can see command line parameters of
running programs.
We'll need to modify the framework to support more another password
parameter type.
The base32 on input/output can be added to that new type.


To clarify, by scripting I meant calling this from a python script. In
this case, the argument wouldn't show up in the argv. Sorry my wording
wasn't clear here.

The primary case where this will apply is in otp-import (if we implement
it). We will parse the XML and call self.api.Command.otp_add() for each
token found, including the key.

So it would be good to have this option available in python but not the
shell.


In Python you can just use the base64 module to convert between base64
and base32. I don't think we need to go out of our way to make this easier.


We need to pass the key as an argument in python. The format of this
argument is irrelevant (base32/base64).

When *displaying* the key to the user as the result of the otp-add
operation, base32 should be used. Most soft-token products do input in
base32 since it is easier to type and read.
Ah, I see. Then you can make a new Output and put the base32-encoded data there (see e.g. `output_params` and `set_certificate_attrs` in the service plugin for an example). 

--
PetrĀ³

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to