In the current implementation (otp.bash#L360) of pass-otp, when generating pincodes, the implementation uses a command line argument to pass the $otp_secret to the external binary oathtool.
The problem with this approach is that, in a strictly managed environment, things like audit logging are usually enabled (e.g. enabled for the exec* syscall, which is quite common in enterprise server/thin-client environments), so the arguments used to invoke an external binary may be written to syslogd, which is possibly stored in unencrypted form on on-disk sectors and exposed to sudoers (privileged sysadmins). The manual of oathtool(1) also points this out:
oathtool [OPTIONS]... [KEY [OTP]]...
...KEY and OTP is the string '-' to read from standard input
'@file' to read from indicated filename, or a hex encoded value (not recommended on multi-user systems).
This also applies to some consumer-level single-user runtimes, like Termux on Android (things like logcat may get uploaded to the OS vendor. Note that Termux also has pass-otp packaged in its repository). There should be virtually no drawback to switching to the pipe approach instead.
Command line args are also visible via top; a program running under a different user could call the syscalls top uses to monitor other processes and watch for your key as a command line arg.
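The argv exposure described in the issue and the process-listing visibility noted in the comment above, as an added bash example that is not pass-otp's own code: the two oathtool invocations side by side, plus a small check a maintainer can run to confirm a secret no longer appears in a child process's argv. It assumes oathtool from oath-toolkit (recent enough to accept '-' for KEY, as the quoted man page describes) and a Linux /proc; the function names and the sample key value are chosen here.

```shell
#!/usr/bin/env bash
# Added example (not pass-otp's own code). Assumes `oathtool` from oath-toolkit,
# recent enough to accept '-' as KEY (as its man page states), and a Linux /proc.
set -eu

# Leaky form (what the issue describes): the base32 secret is an argv element of
# the oathtool process, so it is visible in /proc/<pid>/cmdline, ps/top output
# and any exec* audit record.
totp_via_argv() {
  oathtool --totp --base32 "$1"
}

# Pipe form: '-' makes oathtool read KEY from stdin. printf is a shell builtin,
# so no exec() ever carries the secret; argv now holds only options.
totp_via_stdin() {
  printf '%s\n' "$1" | oathtool --totp --base32 -
}

# Defender check: start a command in the background and report whether a given
# string appears in its argv as seen through /proc. Exit 0 = exposed, 1 = not.
argv_exposes() {
  needle=$1
  shift
  "$@" &
  pid=$!
  sleep 1                       # give the child time to exec()
  exposed=1
  if tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null | grep -qF -- "$needle"; then
    exposed=0
  fi
  kill "$pid" 2>/dev/null || true
  wait "$pid" 2>/dev/null || true
  return "$exposed"
}

# Demo with a constructed placeholder standing in for $otp_secret (not a real key).
demo() {
  fake_secret='GEZDGNBVGY3TQOJQ'
  # Secret handed over as an argument: it shows up in the child's cmdline.
  if argv_exposes "$fake_secret" sh -c 'sleep 30' x "$fake_secret"; then
    echo "argv form: secret visible in /proc/<pid>/cmdline"
  fi
  # Child that takes its key from stdin instead: nothing sensitive in argv.
  if ! argv_exposes "$fake_secret" sh -c 'read -r k; sleep 30'; then
    echo "stdin form: secret absent from /proc/<pid>/cmdline"
  fi
}
```

Call `demo` after sourcing the file to see both results; `totp_via_stdin "$otp_secret"` is the drop-in replacement for the argv form.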
pabs3 added a commit to pabs3/pass-otp that referenced this issue on May 12, 2023