vcert commands leak token on the command line
PROBLEM SUMMARY
Most of the commands (per doc https://github.com/Venafi/vcert/blob/master/README-CLI-TPP-SSH.md) read
vcert -t <auth token>
This is insecure as the auth token is given on the command line. A user logged in on the same machine can see the secret by running a ps command at the right time. The secret is saved to bash history; on my machines it is also saved in an audit log that can be later searched by sysadmins.
STEPS TO REPRODUCE
Run any vcert command, apart from getcred, which reads the password from stdin.
EXPECTED RESULTS No secret should be disclosed!
ACTUAL RESULTS
Secrets disclosed
ENVIRONMENT DETAILS
Venafi TPP
COMMENTS/WORKAROUNDS
Ideally it would read the secret from an environment variable or from a file.
Hi @freedge, thank you for reaching out.
This situation we have had in the past about handling credentials using the CLI generally was solved by setting credentials in environment variables to prevent them from being exposed, and most of the time customers had used them in ephemeral states. That said, this is definitely an enhancement we want to address in a future release.
Just to summarize before closing: instead of passing the token on the command line using the -t parameter, you can pre-assign the token value to the VCERT_TOKEN environment variable, or put the token value in a file prefixed by access_token = and specify that file using --config when you run vcert.
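The workaround in the closing comment, written out as an added shell example (not code from the vcert project): the token is taken from the VCERT_TOKEN environment variable, or read from stdin the way getcred does, and written into an owner-only config file in the access_token = form, so the vcert invocation itself only carries --config and never the secret. The file format and flags are taken from the comment above; the argv_leaks_token check is an assumption that approximates what a ps listing would expose by matching the token against the command-line string, and the token values are constructed for the example.

```shell
#!/bin/sh
# Added example, not vcert's own code. Assumes the "access_token = <value>"
# config-file format, the --config flag and the VCERT_TOKEN variable described
# in the issue discussion.
set -eu

# write_vcert_config FILE
# Takes the token from $VCERT_TOKEN, or reads one line from stdin when the
# variable is unset, and writes it to FILE with mode 600 so that only the
# owner can read it. Returns 1 when no token is available.
write_vcert_config() {
    cfg="$1"
    if [ -n "${VCERT_TOKEN:-}" ]; then
        token="$VCERT_TOKEN"
    else
        IFS= read -r token || return 1
    fi
    [ -n "$token" ] || return 1
    # create the file with owner-only permissions before the secret is written
    old_umask=$(umask)
    umask 077
    : > "$cfg"
    umask "$old_umask"
    chmod 600 "$cfg"
    printf 'access_token = %s\n' "$token" > "$cfg"
    # drop the secret from the shell's memory once it is on disk
    unset token
}

# argv_leaks_token ARGV_STRING TOKEN
# Returns 0 (true) when TOKEN appears in ARGV_STRING, i.e. when an invocation
# built that way would show the secret in a process listing (assumed check).
argv_leaks_token() {
    case "$1" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# config_file_mode FILE
# Prints the octal permission bits of FILE (GNU stat first, BSD stat fallback).
config_file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Example use (constructed token, no real vcert call is made here):
#   VCERT_TOKEN="constructed-token-123" write_vcert_config "$HOME/.vcert.ini"
#   vcert enroll --config "$HOME/.vcert.ini" --cn example.test
# The second line carries only the file path on the command line.
```

Run write_vcert_config once per session, then pass --config to every vcert command; the token is present on disk only in a file that other local users cannot read, and it never reaches bash history, a ps listing or a command-line audit log.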