
On 2015-03-27 16:54, Lennart Sorensen wrote:
> On Fri, Mar 27, 2015 at 03:37:03PM -0400, Tim Sattarov wrote:
>> You can just spit it to stdin of ktutil
>>
>> echo -e "add_entry -password -p alice@BLEEP.COM -k 1 -e aes128-cts-hmac-sha1-96\ntest\nwkt test_srv" | ktutil
>>
>> or if you don't want to keep passwords in shell history, put commands to the file and then
>
> It also has the problem that it is in the command line arguments and hence
> visible in the process table to any user on the system.

Exactly because of that I suggested the variant below.

>> cat command_file | ktutil
>>
>> where command file is
>> ---
>> add_entry -password -p alice@BLEEP.COM -k 1 -e aes128-cts-hmac-sha1-96
>> test
>> wkt test_srv
>> ---
>
> Of course that means it is written to disk, unless you use a file on a
> ramdisk, which is also considered bad by sufficiently paranoid people.
>
> A file on a ramdisk is an improvement at least.

Seriously? We want to avoid entering sensitive data manually, and yet for security we need to enter it manually?

If it is so, you can once provide the GPG password for
- decryption of the encrypted *sensitive data file* kept on
- an encrypted ramdrive on
- a laptop in a safe bunker
- transferred over an SSH tunnel authenticated with a 521kbit ECDSA key (decrypted locally of course)

and run your batch off that file.

Happy Friday everyone :)

Tim
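As an added example (not code from the thread), a POSIX sh function that generates the same ktutil command script as the messages above but takes the password from stdin, so it is never an argv element of any process and never a file on disk; the function name, the argument check and the gpg usage line are this example's own assumptions, not something the thread proposes.

```shell
#!/bin/sh
# Generate an MIT ktutil command script for one principal and print it to
# stdout, to be piped into ktutil. The password is read from stdin (a pipe
# or a 0600 file), so it appears neither in the process table nor in shell
# history, and the script itself is never written to disk.
# Example code only; the function and its checks are not from the thread.
gen_ktutil_input() {
    principal=$1; kvno=$2; enctype=$3; keytab=$4
    [ $# -eq 4 ] || { echo "usage: gen_ktutil_input PRINC KVNO ENCTYPE KEYTAB" >&2; return 1; }

    # Refuse arguments with whitespace or other unexpected characters: a
    # newline inside one would inject extra commands into the ktutil script.
    for arg in "$principal" "$kvno" "$enctype" "$keytab"; do
        case $arg in
            ''|*[!A-Za-z0-9@._/-]*)
                echo "gen_ktutil_input: unsafe or empty argument: $arg" >&2
                return 1 ;;
        esac
    done

    # First line of stdin is the password; IFS= keeps leading/trailing blanks.
    IFS= read -r password || :
    [ -n "$password" ] || { echo "gen_ktutil_input: empty password on stdin" >&2; return 1; }

    # printf is a shell builtin, so the password is never an argv of a child.
    printf 'add_entry -password -p %s -k %s -e %s\n%s\nwkt %s\n' \
        "$principal" "$kvno" "$enctype" "$password" "$keytab"
}

# Usage (illustrative; the password source is an assumption):
#   gpg --decrypt alice.pw.gpg | \
#       gen_ktutil_input alice@BLEEP.COM 1 aes128-cts-hmac-sha1-96 test_srv | ktutil
```

The password still travels through two anonymous pipes, which only the same user or root can inspect via /proc; that is the same exposure the thread accepts for `cat command_file | ktutil`, minus the file.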