oathtool takes secrets (e.g., TOTP keys) on the command line. While this is not strictly a vulnerability in oathtool itself, it's very bad practice for various reasons, including:

* The secret may be visible in the output of utilities such as ps(1).
* The secret will likely be stored in the command line history of users who have that enabled, and that may even be recorded to a file. (bash by default sets HISTFILE=~/.bash_history according to the manpage.)

oathtool should at the very least offer an option to take secrets on stdin, and ideally it should discourage secrets on the command line. OpenSSL offers a good interface for this, prompting for a pass phrase if a terminal is available and offering various other options for providing it: https://openssl.org/docs/manmaster/apps/openssl.html#PASS-PHRASE-ARGUMENTS

cjs
--
Curt Sampson <[email protected]> +81 90 7737 2974
To iterate is human, to recurse divine. - L Peter Deutsch
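As an added illustration of the interface the post asks for (example code, not part of the original message or of oathtool), this script resolves an OpenSSL-style pass-phrase argument (pass:, env:, file:, stdin, with a no-echo prompt when stdin is a terminal) and then computes a standard RFC 6238 TOTP from the base32 key. The function names read_secret, decode_key and totp are assumptions for this example.

```python
import base64
import getpass
import hashlib
import hmac
import os
import struct
import sys
import time

def read_secret(spec):
    """Resolve an OpenSSL-style pass-phrase argument to the secret text.
    Forms: pass:SECRET (the exposed form the post warns about, kept only
    for parity with openssl), env:VAR, file:PATH, stdin."""
    kind, _, value = spec.partition(":")
    if kind == "pass":
        return value
    if kind == "env":
        if value not in os.environ:
            raise ValueError(f"environment variable {value!r} is not set")
        return os.environ[value]
    if kind == "file":
        # First line only, so a trailing newline in the file is harmless.
        with open(value, encoding="utf-8") as fh:
            return fh.readline().rstrip("\r\n")
    if kind == "stdin":
        if sys.stdin.isatty():
            # Interactive: prompt with echo disabled, as openssl does.
            return getpass.getpass("TOTP secret: ")
        return sys.stdin.readline().rstrip("\r\n")
    raise ValueError(f"unsupported secret source {spec!r}")

def decode_key(text):
    """Base32 key as oathtool -b accepts it; pad and upper-case leniently."""
    text = text.strip().replace(" ", "").upper()
    text += "=" * (-len(text) % 8)
    return base64.b32decode(text)

def totp(key, now, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1 (oathtool's default mode)."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

if __name__ == "__main__":
    # e.g.  TOTP_SECRET=... python totp_stdin.py env:TOTP_SECRET
    #       python totp_stdin.py stdin   (prompts without echo on a tty)
    spec = sys.argv[1] if len(sys.argv) > 1 else "stdin"
    print(totp(decode_key(read_secret(spec)), time.time()))
```

With the env: or stdin forms the secret never appears in argv, so it is absent from ps(1) output and from the shell history file.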
