Add support obtaining the secret via a command #103
Comments
Have you tried command substitution? From the bash manual[1]:
In your case it would be something like:
Sure, that would work. However, built-in support would completely prevent the secret from appearing on the command line. And that is the goal here. While gsocket seems to redact the secret, so that it doesn't appear, for example, in
FTR and to illustrate the problem, I use the following bash script, placed under `~/bin/gs-shell`, to establish a gsocket remote shell connection with the credential extracted from pass.

```bash
#!/usr/bin/env bash
set -eu
# The secret has to go through a temporary file so that it can be handed to -k.
TMPFILE=$(mktemp --tmpdir="${TMPDIR:-/tmp}")
# Remove the temporary file when the script exits, whatever the reason.
trap 'rm -f "${TMPFILE}"' EXIT
pass show gsocket/root-shell/"${1}" > "${TMPFILE}"
# No exec here because we want the trap to clean up after us.
gs-netcat -q -k "${TMPFILE}" -i
```

As you can see, the problem is that the secret lies in the temporary directory even after it was obtained from gs-netcat. Generally speaking, the temporary directory and the secret within are accessible by every application of my user (and, of course, the root user and its applications). If I were able to pipe the password via stdin into gs-netcat, then the password would not be exposed longer than required, significantly reducing (or even closing) the window where it could be picked up by an unauthorized entity.
The `gs-netcat` tool currently supports obtaining the secret via a command line argument (`-s`) or retrieving it from a file (`-k`). My secrets are stored in `pass`. For example, `pass gsocket/foo` outputs the gsocket secret of the machine `foo` on stdout. It would be great if I could invoke `gs-netcat` so that it directly obtains the password from the stdout of a specified command. For example, using a new command line option `-K`:

```bash
$ gs-netcat -K "pass gsocket/foo" -i
```