URL:
<http://savannah.nongnu.org/support/?108846>
Summary: oathtool should be able to read key from a file
Project: OATH Toolkit
Submitted by: ringerc
Submitted on: Mon 06 Jul 2015 06:21:58 AM GMT
Category: None
Priority: 5 - Normal
Severity: 3 - Normal
Status: None
Privacy: Public
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Operating System: None
_______________________________________________________
Details:
Requiring oathtool to read keys from the command line is quite insecure, as
command line output may be exposed in history files, system logs, process
listings, etc.

It would be significantly preferable to read a ~/.oathtool (or --authfile
cmdline path) file with key/value lists of aliases => keys, e.g.

    [oathtool]
    google => 0xDEADBEEF
    amazon => SOMEBASE64STRING

etc, then accept these names instead of raw keys on the command line.

Bonus points for supporting symmetric encryption of the file using a master
password/passphrase so it's encrypted at rest.

I'm not using oathtool at this point, so no immediate patch will be pending.
Just noting this issue for consideration.
_______________________________________________________
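An added example, not oathtool code and not part of the original report: a Python loader for the alias file format proposed above, which refuses a key file that other users can access. The names load_authfile, decode_key and demo are hypothetical, the rule "0x prefix is hex, anything else is base64" and the owner/mode check are assumptions, and the base64 sample value is constructed.

```python
import base64, os, stat, tempfile

def decode_key(text):
    # Assumption: "0x" prefix means hex, anything else is base64 (per the two sample lines).
    if text[:2].lower() == "0x":
        return bytes.fromhex(text[2:])
    return base64.b64decode(text, validate=True)

def load_authfile(path):
    """Return {alias: key bytes} from an 'alias => key' file (hypothetical helper)."""
    # Open first and fstat the descriptor, so the file checked is the file read.
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    with os.fdopen(fd, "r", encoding="ascii") as fh:
        st = os.fstat(fh.fileno())
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid():
            raise PermissionError(f"{path}: must be a regular file owned by the caller")
        if st.st_mode & 0o077:
            raise PermissionError(f"{path}: accessible to group/other, expected mode 0600")
        keys, in_section = {}, False
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line:
                continue
            if line.startswith("["):
                in_section = line == "[oathtool]"
                continue
            alias, sep, value = (part.strip() for part in line.partition("=>"))
            if not in_section or not sep or not alias or not value:
                # Report position only; never echo the line, it may hold key material.
                raise ValueError(f"{path}:{lineno}: expected 'alias => key' under [oathtool]")
            keys[alias] = decode_key(value)
    return keys

def demo():
    # Constructed sample: first entry is the report's, the base64 value is made up.
    sample = "[oathtool]\ngoogle => 0xDEADBEEF\namazon => Y29uc3RydWN0ZWQ=\n"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "authfile")
        with open(path, "w", encoding="ascii") as fh:
            fh.write(sample)
        os.chmod(path, 0o600)
        keys = load_authfile(path)
        os.chmod(path, 0o644)  # simulate a key file left world-readable
        try:
            load_authfile(path)
            rejected = False
        except PermissionError:
            rejected = True
    return keys, rejected

if __name__ == "__main__":
    keys, rejected = demo()
    print(sorted(keys), "loose-mode file rejected:", rejected)
```

With a lookup like this, only the alias would need to appear on the command line, so shell history and process listings would show the alias rather than the key.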