Enhance usability allowing password from stdin when not in a tty
endorama opened this issue · 3 comments
Hello, first of all thank you for this project, its really helpful!
I would like to propose a change to increase integration possibilities of this tool with other security tools ( mainly a password manager ).
Currently due to the implementation of password read you face 2 choices:
- write the password when asked ( which ends with copy-paste if you have a complex password )
- use the keyring
The implementation is in aws_google_auth/__init__.py#L168:L178:
# There is no way (intentional) to pass in the password via the command
# line nor environment variables. This prevents password leakage.
if config.keyring:
keyring_password = keyring.get_password(
"aws-google-auth", config.username)
if keyring_password:
config.password = keyring_password
else:
config.password = getpass.getpass("Google Password: ")
else:
config.password = getpass.getpass("Google Password: ")Option 2 avoids copy-paste but lacks flexibility: if the password changes often, you still have no other choice than copy-paste.
Option 1 is tedious, as you have to copy-paste your password at each login. Plus working with multiple accounts makes this more tedious. More over the password is stored in the OS clipboard, which is prone to accidental paste in other places.
A general good strategy for managing passwords is a password manager. That could avoid usability issues in both option 1 and 2 ( password is always up to date and there could be no need to copy-paste ).
Unfortunately as aws-google-auth does not implement any non-tty input method, there is no way to directly pipe the output of the password manager in the getpass input. That would be really handy, and would increase security.
The objection that could be raised in letting user do this is that it allows passing the password from the command line. In my option however, there could be a way that respect your concerns for password leakage ( please note that copy-paste does not reduce that risk whatsoever ) while increasing usability.
The implementation I'm looking at is along the line of:
if sys.stdin.isatty():
password = getpass.getpass("Google Password: ")
else:
password = sys.stdin.readline()This would allow to keep the current behaviour while allowing direct pipe from another software in this tool:
$ password-manager show password | aws-google-auth
In my option it also has enough friction to discourage users from writing the password in the terminal ( like echo "password" | aws-google-auth ): writing echo ... | is way less handy than using the interactive method.
Thank you for considering this feature request.
That's a reasonable proposal, I think ... as you say it doesn't stop people from intentionally shooting themselves in the foot, but that's not our role anyhow.
If you'd like to craft a pull request, we'll give it a whirl.
That’s a good point that I had previously not considered. We don’t need to prevent people from shooting themselves in the foot.
That said, maybe a warning (non blocking) when a password is passed in via the CLI?
Merged fix a while ago.