Add --password and/or --password-file options to -keygen/-rekeygen #314
Comments
After looking at the code, it looks like it might be possible to pipe the password in via stdin, rather than the password prompt requiring it to be typed. I am going to verify this before dropping the branch I started, but would it be better to have this functionality documented somewhere?
Hmm, right. Two years ago we added this to scrypt: and that change migrated to tarsnap via libcperciva. I think that we were waiting for the scrypt changes to be released and tested a bit more before "advertizing" this in tarsnap. Please leave this issue open, and I'll come back to it in a few weeks once I've cleared up my current tasklist.
Will do, thanks!
@mspacex Just re-reading this... can you clarify what you wanted to pass via stdin? A tarsnap keyfile passphrase, or the tarsnap account password?
It is normally very insecure to have passwords listed in cleartext on the command line, but when automating key generation from puppet/chef/etc, having to use expect and tricking stdin is definitely not preferable.
A compromise to having it available but not directly on the command line is to use --password-file in order to read the account password from a file rather than having it on the command line, though that is little better.
How do we keep a standard user from using it, while still making it available to puppet, etc?