ykman otp calculate should allow providing the challenge on standard input #350
Steps to reproduce
ykman otp calculate --help
Expected result
There should be an option like
-s, --stdin: Read CHALLENGE from stdin, not as a parameter
Actual results and logs
ykman otp calculate has no such option.
Other info
While waiting for the YubiKey to respond to the challenge (which can be quite a long time if --touch is required on the slot), the challenge can be seen in the output of ps faux and other tools, because it is provided on the command line (e.g. ykman otp calculate 2 1a2b3c4d5e6f). Even if ykman is run as root, normal users can still see the challenge.

My use case is semi-automatic unlocking of an encrypted hard drive. One part of the drive passphrase is stored in a file that can be accessed only by root (generated by something like openssl rand -hex 16 > /root/.unlock-secret), the other part is the response of the YubiKey when you send it the contents of /root/.unlock-secret as a challenge.

While the machine is waiting for me to push the YubiKey’s button, every unprivileged user on the system can see the secret only root should know.
Let me know if you’d be interested in a pull request.
This issue is somewhat related to #335; maybe all operations that currently accept a secret or challenge on the command line should get a (standardized) option to read from stdin.
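
The exposure described in this issue, as an added example that is not part of the original report and is not ykman code: a stand-in child process receives the challenge once as an argument and once on stdin, and the parent checks what the child's readable command line shows while it waits. `CHILD`, `visible_command_line` and `challenge_exposed` are hypothetical names made up for this illustration.

```python
import subprocess
import sys
from pathlib import Path

# Constructed sample challenge (the value used in the issue's own example).
CHALLENGE = "1a2b3c4d5e6f"

# Hypothetical stand-in for a tool that waits for a YubiKey touch (not ykman).
# It takes the challenge from argv[1] if present, otherwise from the first
# line of stdin, then blocks until stdin is closed.
CHILD = (
    "import sys\n"
    "c = sys.argv[1] if len(sys.argv) > 1 else sys.stdin.readline().strip()\n"
    "print('waiting', flush=True)\n"
    "sys.stdin.read()\n"
)


def visible_command_line(pid: int) -> str:
    """Return the command line that local users can read for `pid`."""
    proc_file = Path(f"/proc/{pid}/cmdline")
    if proc_file.exists():  # Linux: NUL-separated argv, world-readable by default
        return proc_file.read_bytes().replace(b"\0", b" ").decode(errors="replace")
    # Other Unix systems: ask ps, the tool named in the issue.
    return subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                          capture_output=True, text=True, check=True).stdout


def challenge_exposed(via_stdin: bool) -> bool:
    """Start the stand-in and report whether CHALLENGE shows in its command line."""
    argv = [sys.executable, "-c", CHILD] + ([] if via_stdin else [CHALLENGE])
    with subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                          text=True) as child:
        if via_stdin:
            child.stdin.write(CHALLENGE + "\n")
            child.stdin.flush()
        child.stdout.readline()   # the child is now "waiting for touch"
        exposed = CHALLENGE in visible_command_line(child.pid)
        child.stdin.close()       # release the child so it exits
    return exposed


if __name__ == "__main__":
    print("challenge in argv  ->", challenge_exposed(via_stdin=False))
    print("challenge on stdin ->", challenge_exposed(via_stdin=True))
```

On Linux, mounting /proc with the hidepid option hides other users' command lines, but that is a system-wide setting and does not change how the tool receives the challenge.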