
I believe it is worth mentioning here that reading secrets from command line arguments exposes the secrets in shell history (e.g., ~/.bash_history, ~/.zsh_history, etc.), thus writing the secrets in cleartext to the filesystem. If command line auditing is enabled on a system, any secrets in command line arguments would be exposed in such audit logs too.

Further, if multiple users are logged into the same system (perhaps an unlikely scenario for most people), then secrets in command line arguments would appear in the output of ps -ef too, thereby exposing the secrets to other users.

By the way, I have a similar script at https://github.com/susam/mintotp but it reads secrets from the standard input (as opposed to reading from command line arguments), one secret per line, and outputs TOTP values, one per line. Most of what this script does can be done with oathtool too and there is a section titled "Alternative: OATH Toolkit" in the README that documents this in detail.



Fun fact: you can teach your shell to ignore commands that begin with a space character. In bash, $HISTCONTROL needs to be ignorespace or ignoreboth; in zsh you must setopt HIST_IGNORE_SPACE.


> reading secrets from command line arguments exposes the secrets in shell history

Yes, and process arguments (such as from command line) can also be accessible in process list data that's accessible to other processes and users.

Even if the process only lives for an instant, or normally no other processes could access the data, good practice is to nevertheless keep secrets out of any process arguments.
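The pattern the first comment and this reply recommend, reading secrets from standard input rather than from the command line, as an added example that is not part of the thread and is not the mintotp project's own code. It is a small RFC 6238 TOTP generator that takes one base32 secret per line on stdin, so the secret never lands in sys.argv, shell history, or the process list. The function names (hotp, totp, totp_from_lines) and the 30-second step and 6-digit defaults are this example's own choices; the test secret is the RFC 4226/6238 vector, base32-encoded.

```python
import base64
import hashlib
import hmac
import struct
import sys
import time


def hotp(secret_b32, counter, digits=6, digest=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the big-endian 64-bit counter, dynamically truncated."""
    s = secret_b32.strip().upper()
    # Secrets are often shown without base32 padding; restore it before decoding.
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, now=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    if now is None:
        now = time.time()
    return hotp(secret_b32, int(now) // step, digits)


def totp_from_lines(lines, now=None):
    """Take one base32 secret per line (a file object or any iterable of strings),
    skip blank lines, and return the matching TOTP codes in order."""
    codes = []
    for line in lines:
        secret = line.strip()
        if secret:
            codes.append(totp(secret, now))
    return codes


if __name__ == "__main__":
    # Secrets arrive on stdin (e.g. piped from a password manager), never via argv,
    # so they stay out of ~/.bash_history, command-line audit logs, and ps output.
    for code in totp_from_lines(sys.stdin):
        print(code)
```

Usage: `printf '%s\n' "$SECRET" | python3 totp.py` keeps the secret out of the script's arguments; the remaining exposure is whoever can read the pipe's writer, which is the same boundary the comments describe.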


I should indeed have mentioned that. On the other hand, this is not a concern if you do not execute it outside your shell (e.g. in another script that reads TOTP secrets from elsewhere).



