mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-07-02 03:52:49 -05:00
Add command-line passphrase-file options to command-line PuTTYgen.
Patch due to Colin Watson.

Putting the passphrase in a file avoids exposing it to 'ps' which can print out every process's command line, while at the same time not being as platform-specific as the approach of providing an fd number (since cmdgen.c is in principle a potential cross-platform PuTTYgen, not just a Unix one, which is why it's not in the 'unix' directory).

Of course it introduces its own risks if someone can read the file from your disk after you delete it; probably the best approach to avoiding this, if possible, is to point the option at a file on an in-memory tmpfs type file system. Or better still, use bash-style /dev/fd options such as

  puttygen --new-passphrase <(echo -n "my passphrase") [options]

Failing that, try a secure file-wipe utility, as the man page change mentions.

(And a use case not to be overlooked, of course, is the one where you actually want to generate an unprotected key - in which case, just pass /dev/null as the filename.)
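A wrapper for the file-based approach the commit message describes, as an added example that is not part of the commit or of PuTTY. The function names, the /dev/shm preference (commonly tmpfs on Linux) and the key file names in the usage comment are assumptions; if it falls back to $TMPDIR or /tmp on disk, the commit message's caveat about deleted files still applies.

```sh
#!/bin/sh
# Added example, not PuTTY code. Helper names are hypothetical.

# Prefer /dev/shm (assumed to be an in-memory tmpfs) over an on-disk temp dir.
pick_secret_dir() {
    if [ -d /dev/shm ] && [ -w /dev/shm ]; then
        echo /dev/shm
    else
        echo "${TMPDIR:-/tmp}"
    fi
}

# with_passphrase_file CMD [ARGS...]
# Reads the first line of stdin as the passphrase, writes it to a mode-0600
# file, runs "CMD ARGS... FILE", then deletes the file whatever CMD returned.
# The passphrase is only ever handled by shell builtins, so it never shows up
# in a process command line.
with_passphrase_file() {
    local dir file rc line
    dir=$(pick_secret_dir) || return 1
    # mktemp creates the file 0600 already; the umask is belt and braces.
    file=$(umask 077; mktemp "$dir/ppfile.XXXXXX") || return 1
    IFS= read -r line || true      # tolerate input with no trailing newline
    printf '%s\n' "$line" > "$file"
    line=
    rc=0
    "$@" "$file" || rc=$?          # capture failure so cleanup always runs
    rm -f -- "$file"
    return "$rc"
}

# Usage (constructed file names): the temp file path is appended last, so it
# becomes the argument of --new-passphrase.
#   with_passphrase_file puttygen mykey.ppk -o newkey.ppk --new-passphrase < secret-source
```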
@ -64,6 +64,13 @@ and \c{rsa1} (to generate SSH-1 keys).
|
||||
|
||||
\dd Suppress the progress display when generating a new key.
|
||||
|
||||
\dt \cw{\-\-old\-passphrase} \e{file}
|
||||
|
||||
\dd Specify a file name; the first line will be read from this file
|
||||
(removing any trailing newline) and used as the old passphrase.
|
||||
\s{CAUTION:} If the passphrase is important, the file should be stored
|
||||
on a temporary filesystem or else securely erased after use.
|
||||
|
||||
In the second phase, \c{puttygen} optionally alters properties of
|
||||
the key it has loaded or generated. The options to control this are:
|
||||
|
||||
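Review bot: The CAUTION in the \cw{\-\-old\-passphrase} entry covers where the file is stored and erasing it afterwards, but not who can read it while it exists. Suggest adding that the file should be readable only by the user running \c{puttygen}. The entry also leaves the empty-file case unstated, whereas the \cw{\-\-new\-passphrase} entry spells it out; one sentence on what an empty file means for the old passphrase would make the two consistent.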
@ -156,6 +163,14 @@ fingerprint. Otherwise, the \c{\-o} option is required.
|
||||
|
||||
\dd Synonym for \q{\cw{-O public}}.
|
||||
|
||||
\dt \cw{\-\-new\-passphrase} \e{file}
|
||||
|
||||
\dd Specify a file name; the first line will be read from this file
|
||||
(removing any trailing newline) and used as the new passphrase. If the
|
||||
file is empty then the saved key will be unencrypted. \s{CAUTION:} If
|
||||
the passphrase is important, the file should be stored on a temporary
|
||||
filesystem or else securely erased after use.
|
||||
|
||||
The following options do not run PuTTYgen as normal, but print
|
||||
informational messages and then quit:
|
||||
|
||||
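Review bot: "If the file is empty then the saved key will be unencrypted" in the \cw{\-\-new\-passphrase} entry allows a silent downgrade: a script that creates the file but fails to write the passphrase into it gets an unprotected key with nothing to signal the difference. Since the text says only the first line is read, suggest stating whether a file that starts with an empty line also counts as empty, and adding a sentence telling batch users to check the file is non-empty unless an unencrypted key is what they want.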
@ -210,8 +225,3 @@ To add the OpenSSH-format public half of a key to your authorised
|
||||
keys file:
|
||||
|
||||
\c puttygen -L mykey.ppk >> $HOME/.ssh/authorized_keys
|
||||
|
||||
\S{puttygen-manpage-bugs} BUGS
|
||||
|
||||
There's currently no way to supply passphrases in batch mode, or
|
||||
even just to specify that you don't want a passphrase at all.
|
||||
|
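Review bot: No example in the visible part of this hunk shows the new passphrase-file options, so with the BUGS text gone the man page stops saying batch use is impossible without showing how to do it. Suggest adding a \c line to the examples for \cw{\-\-new\-passphrase} in batch mode, including the no-passphrase case that the removed text called out.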