On 2015-03-27 16:54, Lennart Sorensen wrote:
> On Fri, Mar 27, 2015 at 03:37:03PM -0400, Tim Sattarov wrote:
>> You can just spit it to stdin of ktutil
>>
>> echo -e "add_entry -password -p [email protected] -k 1 -e aes128-cts-hmac-sha1-96\ntest\nwkt test_srv" | ktutil
>>
>> or if you don't want to keep passwords in shell history, put the commands in a file and then
> It also has the problem that it is in the command line arguments and
> hence visible in the process table to any user on the system.

Exactly because of that I suggested the variant below:

>> cat command_file | ktutil
>>
>> where command_file is
>> ---
>> add_entry -password -p [email protected] -k 1 -e aes128-cts-hmac-sha1-96
>> test
>> wkt test_srv
>> ---
> Of course that means it is written to disk, unless you use a file on a
> ramdisk, which is also considered bad by sufficiently paranoid people.
>
> A file on a ramdisk is an improvement at least.
Seriously? We want to avoid entering sensitive data manually, and yet
for security we need to enter it manually?
If that is so, you can provide the GPG password once for
- decryption of an encrypted *sensitive data file* kept on
- an encrypted ramdrive on
- a laptop in a safe bunker
- transferred over an SSH tunnel authenticated with a 521-bit ECDSA key
(decrypted locally, of course)
and run your batch off that file.
Happy Friday everyone :)
Tim
--- Talk Mailing List [email protected] http://gtalug.org/mailman/listinfo/talk
