Package: oathtool
Version: 2.6.1-1

According to the man page, oathtool only accepts a key as a command-line parameter. This is generally insecure: command lines are visible to all system users, unless procfs isn't available or has been mounted with the non-default "hidepid" option.
There should be a secure way to provide the key, and the man page should encourage its use. It could be an environment variable or configuration file. Accepting a key on stdin would also be OK, as long as one doesn't first pass it to an external utility like /bin/printf or /bin/echo using command-line parameters.

- Michael

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: arm64, mips, i386

Kernel: Linux 4.7.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages oathtool depends on:
ii  libc6     2.24-3
ii  liboath0  2.6.1-1

oathtool recommends no packages.

oathtool suggests no packages.

-- no debconf information
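The alternative the report asks for, shown as an added example that is not part of the bug report and not code from oath-toolkit: a minimal RFC 4226/6238 HOTP/TOTP generator that reads its key from an environment variable or from stdin, so the key never appears in argv (and therefore never in /proc/<pid>/cmdline or `ps` output). The variable names TOTP_KEY and TOTP_KEY_ENCODING and the hex/base32 key formats are assumptions of this example; the HOTP/TOTP arithmetic is the standard one from the RFCs, and the test vectors below are the RFC 4226/6238 reference values for the 20-byte ASCII key "12345678901234567890".

```python
"""Added example (not part of the oathtool bug report or of oath-toolkit):
HOTP/TOTP with the key taken from the environment or stdin, never from argv.
TOTP_KEY and TOTP_KEY_ENCODING are names assumed by this example."""
import base64
import hashlib
import hmac
import os
import struct
import sys
import time
from typing import Callable, Mapping


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, now: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter set to the number of elapsed time steps."""
    return hotp(key, now // step, digits, algo)


def decode_key(text: str, encoding: str) -> bytes:
    """Decode a key given as hex or base32; tolerates whitespace, lowercase and
    missing base32 padding, which authenticator apps and key files often omit."""
    text = "".join(text.split())
    if encoding == "hex":
        return bytes.fromhex(text)
    if encoding == "base32":
        text = text.upper()
        return base64.b32decode(text + "=" * (-len(text) % 8))
    raise ValueError(f"unsupported key encoding: {encoding}")


def load_key(env: Mapping[str, str], read_line: Callable[[], str]) -> bytes:
    """Key from the TOTP_KEY environment variable, else one line from read_line.

    Neither channel goes through argv.  An environment variable is still
    readable by the same user and by root via /proc/<pid>/environ, but not by
    other users; a key piped or redirected into stdin leaves no trace in the
    process table at all, provided the producer did not put it in argv either.
    """
    encoding = env.get("TOTP_KEY_ENCODING", "base32")
    text = env.get("TOTP_KEY")
    if text is None:
        text = read_line()
    if not text.strip():
        raise ValueError("no key supplied in TOTP_KEY or on stdin")
    return decode_key(text, encoding)


if __name__ == "__main__":
    # Usage (key file kept mode 0600):   python3 totp.py < ~/.config/totp.key
    # or export TOTP_KEY=... in the calling shell; never pass the key as an argument.
    print(totp(load_key(os.environ, sys.stdin.readline), int(time.time())))
```

Reading the key from a file redirected into stdin is the safest of the three channels: a shell redirection is performed by the shell itself, so no process ever carries the key in its argument list, which is exactly the pitfall the report warns about when the key is first handed to /bin/echo or /bin/printf.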