Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Using the flag --no-gui with a password protected YubiKey, the password is not masked in CLI #28

Closed
matiasraisanen opened this issue May 11, 2022 · 1 comment · Fixed by #30
Closed

Using the flag --no-gui with a password protected YubiKey, the password is not masked in CLI #28

matiasraisanen opened this issue May 11, 2022 · 1 comment · Fixed by #30
Labels
bug Something isn't working

Comments

@matiasraisanen
Copy link

Describe the bug
I run vegas-credentials with --no-gui and use a password protected yubikey
It then asks me to type in my 🔑 Yubikey: Input OATH password:, but typing the password is not masked in the CLI.

🔑 Yubikey: Input OATH password: 
my-super-secret-password

System (please complete the following information):

  • OS: Linux
  • OS Version: Zorin OS 15.3 x86_64
  • Tool Version: 0.13.5
  • Tool Installation Method: brew
  • Credential Process invoked via: aws

Expected behavior
Password is either not printed to CLI, or letters are masked with a * or similar

🔑 Yubikey: Input OATH password: 
***************
@matiasraisanen matiasraisanen added the bug Something isn't working label May 11, 2022
aripalo added a commit that referenced this issue May 12, 2022
@aripalo
fix: hide sensitive input
af886e5 
Fixes #28 by using Go's x/term package's ReadPassword
@aripalo aripalo mentioned this issue May 12, 2022
Merged
@aripalo
Copy link
Owner

aripalo commented May 12, 2022

Fixed in #30 and available since version 0.13.7.

The Yubikey OATH application password is hidden:
vegas-input-password

… but the OATH TOTP (MFA Token) input is still visible (if provided via CLI stdin):
vegas-input-token

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix: Hide sensitive input aripalo/vegas-credentials
2 participants
@aripalo @matiasraisanen