peopledoc/vault-cli

Prompt user with hidden input so the secrets won't appear in the shell history

brunobord opened this issue · 2 comments

Rationale

Using vault-cli without caution results in the full display of the following command in the shell history:

vault set foo bar

The "bar" secret is absolutely visible in plain sight, which is... not very secure.

The only way to prevent this at the moment is to add a space at the beginning of the command line, but that looks like "poor man's protection". Disadvantages of this method:

  1. It only works if your shell has the following environment variable: HISTCONTROL=ignorespace.
  2. If you mess up your command, you have to retype it entirely.
  3. It doesn't prevent the "person looking over your shoulder" flaw, because the secret is displayed on the screen.

Solution

Using click.prompt() with the argument hide_input=True, it's possible to prompt the user for a value without showing the user input in the history. It's "clipboard" and history friendly enough.
The only thing it doesn't prevent is the usage of a keylogger. But then, vault-cli probably can't do anything for you about that.

PR is on its way, hopefully.

> The only way to prevent this at the moment is to add a space at the beginning of the command line, but that looks like "poor man's protection".

Well, you can also use stdin.

My opinion on this is that as long as humans manipulate secrets, they're not safe (not saying that they are safe otherwise, of course). This means any method meant for humans to enter secrets to the vault will never be as sure as if no human does.

With this in mind, we're talking about small-time remedies, stdin, prompt without echo, etc. It's a good idea, and everything helps, but what I'd be really passionate about is ways to make vault-cli more easily usable from scripts and other programs to remove the human from the equation (while not making it harder for them to maintain & debug, so avoiding strong coupling, these kinds of things)

That being said, I appreciate your contribution! And I really hope we can continue this discussion, or other discussions in this project. It's really helpful to have some new pairs of eyes on this code, and I'm personally grateful that you took some of your own free time to contribute to this ✨ 👍 ❤️

(TL;DR: Thanks! You rock 🎸 )
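The two remedies discussed in this thread (a hidden prompt for humans, stdin for scripts) fit together in one input routine. The following is an added example written for this page, not code from vault-cli or from #95; it uses the standard library's getpass instead of click so it runs without click installed (click.prompt(..., hide_input=True) is the equivalent call in a click command). The function name read_secret, its parameters, and the fake terminal object used when running it are assumptions made for the example.

```python
import getpass
import io
import sys
from typing import Callable, TextIO


def read_secret(
    stdin: TextIO = sys.stdin,
    prompt: str = "Secret value: ",
    hidden_prompt: Callable[[str], str] = getpass.getpass,
    confirm: bool = True,
) -> str:
    """Obtain a secret without it ever being part of the command line.

    The value is never taken from argv, so it cannot land in the shell
    history regardless of HISTCONTROL. Two sources are supported:

    - stdin is not a terminal (a pipe or a file, i.e. script usage):
      read the whole of stdin and strip one trailing newline, so that
      `printf '%s' "$v" | tool set foo` and `echo "$v" | tool set foo`
      yield the same value.
    - stdin is a terminal (interactive usage): prompt with echo disabled
      (getpass here; click's hide_input=True behaves the same) and ask
      for the value twice, because a typo in an invisible field would
      otherwise be stored silently.
    """
    if not stdin.isatty():
        data = stdin.read()
        # Strip exactly one line terminator; anything else is part of the secret.
        if data.endswith("\r\n"):
            data = data[:-2]
        elif data.endswith("\n"):
            data = data[:-1]
        if not data:
            raise ValueError("no secret supplied on stdin")
        return data

    while True:
        first = hidden_prompt(prompt)
        if not first:
            # Messages go to stderr so they never mix with any piped stdout.
            print("empty value, try again", file=sys.stderr)
            continue
        if not confirm:
            return first
        second = hidden_prompt("Repeat for confirmation: ")
        if first == second:
            return first
        print("values do not match, try again", file=sys.stderr)


if __name__ == "__main__":
    # Demo: `python3 read_secret.py` prompts; `printf '%s' x | python3 read_secret.py` reads the pipe.
    secret = read_secret()
    print(f"got {len(secret)} characters (value not shown)", file=sys.stderr)
```

With this in place, `vault set foo` followed by a hidden prompt covers the interactive case, and `printf '%s' "$SECRET" | vault set foo` covers the scripted one; in neither case does "bar" appear in argv, in the history file, or on screen. printf is used rather than echo in the usage above because some echo implementations interpret backslashes and options, which would alter a secret that starts with `-` or contains `\`.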

closed by #95