[Freeipa-devel] [PATCH 0017] Add OTP support to ipalib CLI

Petr Viktorin pviktori at redhat.com
Thu Sep 12 14:01:24 UTC 2013


On 09/12/2013 03:38 PM, Nathaniel McCallum wrote:
> On Thu, 2013-09-12 at 13:48 +0200, Petr Viktorin wrote:
>> I'm sorry for the late reply, I got caught up in other work and forgot
>> about this thread.
>>
>> On 09/05/2013 03:31 PM, Nathaniel McCallum wrote:
>>> On Thu, 2013-09-05 at 12:19 +0200, Petr Viktorin wrote:
>>>> On 09/05/2013 06:38 AM, Nathaniel McCallum wrote:
>>>>> On Thu, 2013-09-05 at 00:25 -0400, Nathaniel McCallum wrote:
>>>>>> This patch has a few problems that I'd like some help with. There are a
>>>>>> few notes here as well.
>>>>>>
>>>>>> 1. The handling of the 'key' option is insecure. It should probably be
>>>>>> treated like a password (hidden from logs, etc). However, in this case,
>>>>>> it is binary, so I'm not quite sure how to do that. Passing it as a
>>>>>> command line option may be nice for scripting, but is potentially a
>>>>>> security problem if it ends up in bash.history. It would also be nice if
>>>>>> the encoding were base32 instead of base64, since nearly all the OTP
>>>>>> tools use this encoding.
>>>>
>>>> Not only in bash_history; anyone can see command line parameters of
>>>> running programs.
>>>> We'll need to modify the framework to support another password
>>>> parameter type.
>>>> The base32 on input/output can be added to that new type.
>>>
>>> To clarify, by scripting I meant calling this from a python script. In
>>> this case, the argument wouldn't show up in the argv. Sorry my wording
>>> wasn't clear here.
>>>
>>> The primary case where this will apply is in otp-import (if we implement
>>> it). We will parse the XML and call self.api.Command.otp_add() for each
>>> token found, including the key.
>>>
>>> So it would be good to have this option available in python but not the
>>> shell.
>>
>> In Python you can just use the base64 module to convert between base64
>> and base32. I don't think we need to go out of our way to make this easier.
>
> We need to pass the key as an argument in python. The format of this
> argument is irrelevant (base32/base64).
>
> When *displaying* the key to the user as the result of the otp-add
> operation, base32 should be used. Most soft-token products do input in
> base32 since it is easier to type and read.
>

Ah, I see. Then you can make a new Output and put the base32-encoded 
data there (see e.g. `output_params` and `set_certificate_attrs` in the 
service plugin for an example).

-- 
Petr³
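As an added illustration (not code from the patch or from anyone in the thread), the conversion Petr refers to, done with the standard library `base64` module: the key arrives base64-encoded, is shown to the user in base32 as soft tokens expect, and base32 typed back by a user is normalized (case, spacing, missing padding) before decoding. The sample key is the well-known RFC 4226 test secret, constructed here for the example.

```python
import base64


def key_to_base32(key_b64):
    """Convert a base64-encoded OTP key (the form the API call receives)
    to the base32 form shown to the user after otp-add.

    Padding is stripped because soft-token apps do not expect it.
    """
    raw = base64.b64decode(key_b64, validate=True)
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def base32_to_key(key_b32):
    """Decode a base32 key as a user would type it from a soft token:
    case-insensitive, with optional spaces or dashes between groups,
    and with or without '=' padding. Returns the raw key bytes.
    """
    cleaned = key_b32.replace(" ", "").replace("-", "").upper()
    # base32 input length must be a multiple of 8; restore padding
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def key_to_base64(raw_key):
    """Encode raw key bytes as base64 for passing to the API from Python."""
    return base64.b64encode(raw_key).decode("ascii")


if __name__ == "__main__":
    # Constructed sample: the RFC 4226 test secret "12345678901234567890"
    sample_b64 = key_to_base64(b"12345678901234567890")
    print(key_to_base32(sample_b64))
```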