
This would be better if the key did not show up in the process list.


I agree with you; however, I'm the only user on my laptop, so for the few milliseconds that oathtool is running it's not a problem for my use case.

$ time otp aws

otp aws 0.00s user 0.01s system 98% cpu 0.015 total

Even back in the '90s MySQL was able to hide the CLI-supplied password from the process list. It would be cool if oathtool was able to do the same.


> Even back in the '90s MySQL was able to hide the CLI-supplied password from the process list. It would be cool if oathtool was able to do the same.

This has always been a brittle and not easily portable approach.

And doesn't protect you from an attacker doing something much simpler: reading your .bash_history file.

Passing passwords as arguments has always been a bad idea.


This bug in oath-toolkit was reported a few years ago:

https://bugs.debian.org/839278

(Debian maintainer and upstream maintainer are the same person.)
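The exposure discussed in this thread, as an added example that is not part of any comment above and is not oath-toolkit code: on Linux, a key passed as a command-line argument is readable from `/proc/<pid>/cmdline` (what `ps` shows) for as long as the process runs, while a key delivered on standard input is not. The key value, the stand-in child process and the function names are constructed for illustration, and a Linux `/proc` filesystem is assumed.

```python
import subprocess
import sys

# Constructed sample base32 string, not a real TOTP secret.
SAMPLE_KEY = "JBSWY3DPEHPK3PXP"

# Stand-in for a tool such as oathtool (assumption): it blocks on stdin so the
# parent can inspect it while it is still alive, then exits.
CHILD_CODE = "import sys; sys.stdin.readline()"


def cmdline_of(pid):
    """Return the argv of a live process as the process list sees it."""
    with open(f"/proc/{pid}/cmdline", "rb") as fh:
        return [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]


def key_in_process_list(pass_via):
    """Start the child with the key passed via 'argv' or 'stdin' and report
    whether the key is readable from the process list while it runs."""
    argv = [sys.executable, "-c", CHILD_CODE]
    if pass_via == "argv":
        argv.append(SAMPLE_KEY)  # the pattern the thread objects to
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE)
    try:
        seen = cmdline_of(proc.pid)
    finally:
        # Deliver the key over the pipe (stdin mode) or just unblock the child.
        payload = SAMPLE_KEY if pass_via == "stdin" else ""
        proc.communicate(input=(payload + "\n").encode())
    return any(SAMPLE_KEY in arg for arg in seen)


if __name__ == "__main__":
    for mode in ("argv", "stdin"):
        visible = key_in_process_list(mode)
        print(f"{mode:5s} key visible in process list: {visible}")
```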



