[OATH-Toolkit-help] Bug#839278: oathtool: has no secure way to provide a
From: Michael Gold
Subject: [OATH-Toolkit-help] Bug#839278: oathtool: has no secure way to provide a key
Date: Fri, 30 Sep 2016 19:44:07 -0400
User-agent: NeoMutt/20160916 (1.7.0)
Package: oathtool
Version: 2.6.1-1
According to the man page, oathtool only accepts a key as a command-line
parameter. This is generally insecure: command lines are visible to all
system users, unless procfs isn't available or has been mounted with the
non-default "hidepid" option.
There should be a secure way to provide the key, and the man page should
encourage its use. It could be an environment variable or configuration
file. Accepting a key on stdin would also be OK, as long as one doesn't
first pass it to an external utility like /bin/printf or /bin/echo using
command-line parameters.
- Michael
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: arm64, mips, i386
Kernel: Linux 4.7.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages oathtool depends on:
ii libc6 2.24-3
ii liboath0 2.6.1-1
oathtool recommends no packages.
oathtool suggests no packages.
-- no debconf information
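
The stdin option proposed in the report, sketched as an added example (not part of the original message and not OATH Toolkit code): a small RFC 6238 TOTP generator that reads the key from standard input and refuses any command-line argument. The script name `totp_stdin.py`, the function names and the hex key encoding are assumptions made for this illustration.

```python
"""Added example: compute a TOTP code with the key read from stdin, never argv."""
import hashlib
import hmac
import struct
import sys
import time


def read_hex_key(stream):
    """Read one hex-encoded key line from a stream (e.g. sys.stdin)."""
    text = "".join(stream.readline().split())  # drop newline and spaces
    if not text:
        raise ValueError("no key supplied on input stream")
    try:
        return bytes.fromhex(text)
    except ValueError:
        # Do not echo the input back: it may be a mistyped secret.
        raise ValueError("key is not valid hex") from None


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1, dynamic truncation, decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key, now=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the number of elapsed time steps."""
    now = time.time() if now is None else now
    return hotp(key, int(now) // step, digits)


def main(argv):
    # Refuse a key in argv outright, so a habit of passing it there fails loudly.
    if len(argv) > 1:
        sys.exit("usage: totp_stdin.py < keyfile   (key is read from stdin only)")
    try:
        key = read_hex_key(sys.stdin)
    except ValueError as exc:
        sys.exit(f"error: {exc}")
    print(totp(key))


if __name__ == "__main__":
    main(sys.argv)
```

Feeding the key with a shell redirect from a file readable only by its owner keeps it out of every process's argument list, including that of a helper such as /bin/echo.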