OATH Toolkit - Support

sr #108846: oathtool should be able to read key from a file

Submitter:  Craig Ringer <ringerc>
Submitted:  Mon 06 Jul 2015 06:21:58 AM UTC
Category:  None
Priority:  5 - Normal
Severity:  3 - Normal
Status:  None
Privacy:  Public
Assigned to:  None
Open/Closed:  Open
Operating System:  None

Mon 06 Jul 2015 09:12:19 AM UTC, comment #1: 

Have a look at my implementation.

  User config file sample:

      http://ix.io/jvC

      (is stored as ~USERNAME/.oathtool.conf)

  Python script:

      http://ix.io/jvD

      (store somewhere in user path, suggest /usr/local/bin)

  Requires:
      python-gnupg


Create the secret files as follows:

  $  echo -en "secretstring" | \
         gpg -e -a -o servicename.gpg -r YOURGPGKEY_OR_EMAIL
  (NB: use space before echo so as to not enter history)

  Or you could just create the gpg file with symmetric encryption...

  Make sure that you don't include a trailing line feed for the secret!

  Obviously using "-a" for ASCII armour is optional....


Enjoy.


Andrew McGlashan <affinity>

Mon 06 Jul 2015 06:21:58 AM UTC, original submission:

Requiring oathtool to read keys from the command line is quite insecure, as command line output may be exposed in history files, system logs, process listings, etc.

It would be significantly preferable to read a ~/.oathtool (or --authfile cmdline path) file with key/value lists of aliases => keys, e.g.

[oathtool]
google => 0xDEADBEEF
amazon => SOMEBASE64STRING

etc, then accept these names instead of raw keys on the command line.

Bonus points for supporting symmetric encryption of the file using a master password/passphrase so it's encrypted at rest.

I'm not using oathtool at this point, so no immediate patch will be pending. Just noting this issue for consideration.

Craig Ringer <ringerc>
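As an added example (not the script linked in comment #1 and not OATH Toolkit code), a small Python resolver for the "[oathtool]" / "alias => key" file layout proposed in the submission. It assumes keys are written either as 0x-prefixed hex or as base32 (the encodings oathtool takes on its command line); the sample config, the strict line syntax and the owner/permission check on the file are assumptions of this example, not anything the tracker specifies.

```python
import base64
import os
import re
import stat

# Constructed sample in the shape proposed in the submission; dummy keys, not real secrets.
SAMPLE_CONFIG = """[oathtool]
google => 0xDEADBEEF
amazon => JBSWY3DPEHPK3PXP
"""
LINE_RE = re.compile(r"^(?P<alias>[A-Za-z0-9_.-]+)\s*=>\s*(?P<key>\S+)$")

def parse_config(text):
    """Map alias -> key string from the [oathtool] section; malformed or duplicate lines are errors."""
    aliases, in_section = {}, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line == "[oathtool]"
            continue
        if not in_section:
            continue
        m = LINE_RE.match(line)
        if m is None or m.group("alias") in aliases:
            raise ValueError("line %d: malformed line or duplicate alias" % lineno)
        aliases[m.group("alias")] = m.group("key")
    return aliases

def decode_key(key):
    """Raw key bytes: a 0x prefix means hex, anything else is base32 (oathtool -b)."""
    if key[:2].lower() == "0x":
        return bytes.fromhex(key[2:])
    return base64.b32decode(key, casefold=True)

def check_private(path):
    """Refuse a key file that other users could read, as ssh does for private keys."""
    st = os.stat(path)
    if st.st_uid != os.getuid():
        raise PermissionError("%s is not owned by the current user" % path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("%s must not be group/world accessible" % path)

def load_key(alias, path=os.path.expanduser("~/.oathtool.conf")):
    """Permission-check the config file, then return the key bytes for one alias."""
    check_private(path)
    with open(path) as fh:
        return decode_key(parse_config(fh.read())[alias])
```

A wrapper that then hands the decoded key to oathtool as an argument re-exposes it in process listings, which is exactly why the submission asks for the alias lookup to live inside oathtool itself.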
