This repository has been archived by the owner on Oct 4, 2024. It is now read-only.

[Security issue] Seed phrase in shell history #939

Open
willemneal opened this issue Feb 18, 2022 · 2 comments

Comments

@willemneal
Contributor

willemneal commented Feb 18, 2022

Currently when generating a key from a seed phrase the phrase is part of the initial command.

 near generate-key bob.near --seedPhrase="..."

This is akin to typing out a password in plaintext and will remain in the shell's history. Also, currently keys are stored in plaintext, but assuming that that issue was addressed by encrypting them with a password, this would still be an issue.

    1. Solution

Using --seedPhrase instead uses stdin and treats the input like a password when logging in with SSH.

@abacabadabacaba
Collaborator

Secrets must never be passed in command line arguments. On Linux, any process can see command line arguments of any other process, even if this process belongs to a different user.
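
The approach discussed in the two comments above, as an added example (not near-cli code and not part of the thread): refuse a seed phrase supplied in argv and read it from stdin without echo instead. Only the `--seedPhrase` flag name comes from the issue; the function names and the rule that a bare `--seedPhrase` triggers the prompt are assumptions.

```javascript
// Added example, not near-cli code; only --seedPhrase is from the issue, other names are hypothetical.

// Flags that carry a secret value in argv, so the CLI can refuse them before doing any work.
function secretFlagsInArgv(argv, secretFlags = ['--seedPhrase']) {
  const found = [];
  argv.forEach((arg, i) => {
    for (const flag of secretFlags) {
      const inline = arg.startsWith(flag + '=') && arg.length > flag.length + 1;
      const spaced = arg === flag && i + 1 < argv.length && !argv[i + 1].startsWith('-');
      if (inline || spaced) found.push(flag);
    }
  });
  return found;
}

// Fold one chunk of keystrokes (or piped bytes) into the buffer; never echoes anything.
function feedSecret(buf, chunk) {
  for (const ch of chunk) {
    if (ch === '\r' || ch === '\n' || ch === '\u0004') return { buf, done: true, aborted: false };
    if (ch === '\u0003') return { buf: '', done: true, aborted: true }; // Ctrl-C
    if (ch === '\u007f' || ch === '\b') buf = buf.slice(0, -1); // backspace
    else buf += ch;
  }
  return { buf, done: false, aborted: false };
}

// Read one line from stdin; on a TTY, raw mode disables echo, as a password prompt does.
function readSecret(prompt, input = process.stdin, output = process.stderr) {
  return new Promise((resolve, reject) => {
    let buf = '';
    const tty = Boolean(input.isTTY);
    if (tty) { output.write(prompt); input.setRawMode(true); }
    input.setEncoding('utf8');
    const finish = (err) => {
      input.off('data', onData).off('end', onEnd).pause();
      if (tty) { input.setRawMode(false); output.write('\n'); }
      err ? reject(err) : resolve(buf);
    };
    const onData = (chunk) => {
      const r = feedSecret(buf, chunk);
      buf = r.buf;
      if (r.done) finish(r.aborted ? new Error('aborted') : undefined);
    };
    const onEnd = () => finish(); // piped input without a trailing newline
    input.on('data', onData).on('end', onEnd).resume();
  });
}
```

A CLI wired this way would exit with an error when `secretFlagsInArgv(process.argv.slice(2))` is non-empty, and call `readSecret('Seed phrase: ')` when the bare flag is present; piping the phrase on stdin covers scripted use.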

@willemneal
Contributor Author

Currently the documentation says to do this.

https://docs.near.org/docs/tools/near-cli#4a-near-generate-key---seedphraseyour-seed-phrase
