Re: [Gnumed-devel] Re: bootstrap*

[Karsten Hilbert]

> > I have to admit I don't know how to hide the passwords in the
> > command line. I assume you are worried about someone sniffing
> > the process environment ?
> No.  I'm worried about someone standing behind me ...
> I'm curious whether there is any password entry class in Python ...
There is one in wxPython which isn't used by bootstrap*, of
course. I am not aware of one for plain Python. However,
Hilmar volunteered to write one - which isn't really hard.

OTOH, one wouldn't be typing in at the command line but rather
run a shell script that stores the approprate options
including the passwords (or rather postinst will run this
script). Hence the passwords would not appear on-screen so
they can stand behind you all they want. (BTW, didn't you want
to go have coffee anyways ?).

What I don't know is how to hide passwords in the command line
*options*, i.e. someone looping "ps -axfwwww" on the machine
in question thusly sniffing

bootstrap* --pw-gm-dbowner=<a password>

> > I think on today's hardware it is impossible to reach both
> > goals at once: not storing passwords somehow somewhere AND no
> > user interaction at all. Give me a scenario and I'll give you
> > an attack mode. Or buy you a beer (which would still only mean
> > *I* can't figure out an attack).
> It is a non-technical attack if someone stands behind you and
> is watching your screen.
I fail to see the relevance to the above challenge ?

Karsten
-- 
GPG key ID E4071346 @ wwwkeys.pgp.net
E167 67FD A291 2BEA 73BD  4537 78B9 A9F9 E407 1346