Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Handle the atKeys passPhrase securely #733

Open
sitaram-kalluri opened this issue Dec 10, 2024 · 1 comment
Open

Handle the atKeys passPhrase securely #733

sitaram-kalluri opened this issue Dec 10, 2024 · 1 comment
Assignees
@gkc @cconstab @sitaram-kalluri @murali-shris @VJag
Labels
enhancement New feature or request

Comments

@sitaram-kalluri
Copy link
Member

sitaram-kalluri commented Dec 10, 2024
edited
Loading

Is your feature request related to a problem? Please describe.

Currently, the "at_activate" function in at_onboarding_cli accepts the passPhrase as an argument. This poses a security risk because the passPhrase becomes visible and is stored in the command history.

Describe the solution you'd like

To securely handle the passPhrase:

For interactive session:

  • Prompt the user to enter the passPhrase instead of passing it as an argument.
  • Mask the passPhrase input by displaying "*" characters, rather than the actual characters typed.
  • Request confirmation of the passPhrase to ensure accuracy before proceeding.

For headless

  • Set the passPhrase in the environment variables and pick the passPhrase from the environment variables.

Use TTY to determine if the application is running interactively or running in a headless mode.
@sitaram-kalluri sitaram-kalluri added the enhancement New feature or request label Dec 10, 2024
@sitaram-kalluri
Copy link
Member Author

Below are the approaches to read the passphrase from the command prompt:

  1. Read Silently:
    In this method, the input is read silently, and the characters entered are not displayed on the terminal.
#!/bin/bash

echo -n "Enter passphrase: "
read -s phrase
echo
echo -n "Confirm passphrase: "
read -s confirmPhrase
echo

if [[ $phrase == $confirmPhrase ]]; then
    echo "Passphrase matches"
else
    echo "Passphrases do not match"
fi

echo "Passphrase: $phrase | Confirmed passphrase: $confirmPhrase"

Output:

sitaram@sitaram-ThinkPad-E14:~$ ./silent_read.sh 
Enter passphrase :
Confirm passphrase :
Pass phrase match
passphrase : abcd | Confirm pass phrase: abcd
  1. Read Securely:
    In this approach, an asterisk * is displayed for each character entered instead of showing the actual characters. However, this approach has the limitation where the bash script does not recognize the newline character properly, meaning when the enter key is pressed, it counts as a character but does not terminate the input.
#!/bin/bash

echo -n "Enter passphrase: "
stty -echo
pass=""
# read -r to escape the backslash
# read -s to read silently, preventing characters from being displayed on the terminal
# -n1 reads one character at a time
while IFS= read -r -s -n1 char; do
    if [[ $char == '\n' || $char == $'\x0a' || $char == $'\x0d' || $char == $'\u000A' ]]; then
        break
    fi
    pass="$pass$char"
    echo -n "*"
done
stty echo
echo
echo "Entered passphrase: $pass"

Output

sitaram@sitaram-ThinkPad-E14:~$ ./secure_read.sh 
Enter passphrase: **************
sitaram@sitaram-ThinkPad-E14:~$  (Used Ctrl + C to force stop the execution).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@gkc gkc

@cconstab cconstab

@sitaram-kalluri sitaram-kalluri

@murali-shris murali-shris

@VJag VJag

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@gkc @cconstab @sitaram-kalluri @murali-shris @VJag