[Request] Consider adding safer form of -login param #2545

Open
ghost opened this Issue · 6 comments

3 participants

@ghost

On Linux, the command-line args of all running processes are by default visible to all users, so using the -login param will definitely risk your username and password details being exposed to everyone on the OS.

I'd like to propose a new cmd param -auth which takes login credentials from a file containing username/password on 2 lines, à la the --auth-user-pass param in openvpn.

Why a file? Because users can encrypt and decrypt the file as needed, and the credentials won't appear in the steam command-line args.

@hobarrera

As a workaround, you can currently run:

steam -login hobarrera $(cat ~/priv/secrets/steam)

Assuming ~/priv/secrets/steam contains my steam password.

I do agree that reading the password from stdin would be a nice choice, but I hope this workaround helps in the meantime (and sorry for the noise!).

@ghost

That actually does not conceal the password, because the command substitution part will be expanded when you run the command, so the output of cat will be visible in the process args.

@hobarrera

You're quite right, my bad! We'll have to wait for an update on steam's side then.

@salamanderrake

The login read file method works better since the data will be read in steam and not in the terminal, but that will only work if the file is encrypted and is decrypted in steam, since if they know which file it is they can just cat it.

@hobarrera

> The login read file method works better since the data will be read in steam and not in the terminal, but that will only work if the file is encrypted and is decrypted in steam, since if they know which file it is they can just cat it.

I don't think decryption will ever be done inside steam. It makes little sense, since there are already plenty of ways that you can encrypt files yourself, and some steam-specific encryption would make this rather unfriendly to use. Also, most Linux distributions offer home encryption or full disk encryption.

Even if someone else knows which file it is, you should not have it world readable.

@flying-sheep

well, the advantage of a file is that you can set read permissions to only yourself. no encryption necessary if you trust the admins.

but stdin would be better of course. mdecrypt passwordfile.nc | steam -auth - (where - means “use stdin instead of file”)
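
The difference discussed in this thread, as an added demonstration that is not code from the issue or from Steam: a stand-in `sh` child receives a constructed password once through command substitution in argv and once on stdin, and its command line is then read back the way any local user's `ps` would see it. The `-auth -` argument is only the flag proposed above, the names and values are made up, and a Linux `/proc` (or a `ps` binary) is assumed.

```bash
#!/usr/bin/env bash
# Added demo with constructed values. The child is a stand-in `sh`, not steam,
# and "-auth -" is only the flag proposed in the thread (hypothetical).
SECRET='demo-pass-not-real'

# Succeeds if string $2 shows up in the command line of PID $1, which is what
# `ps` run by any local user reads (ps is used as a fallback without /proc).
cmdline_has() {
    { tr '\0' ' ' < "/proc/$1/cmdline" || ps -o args= -p "$1"; } 2>/dev/null |
        grep -qF -- "$2"
}

# Start the stand-in child in mode $1 (argv | stdin); exit status 0 means the
# secret is visible in the child's argv, 1 means it is not.
secret_visible() {
    local f pid rc=0
    f=$(mktemp) || return 2
    chmod 600 "$f"                      # owner-only, as the thread recommends
    printf '%s\n%s\n' demo-user "$SECRET" > "$f"
    case $1 in
        argv)   # same effect as `-login user $(cat file)`: the calling shell
                # expands the substitution before the child is executed
            sh -c 'sleep 2; :' stand-in -login demo-user "$(sed -n 2p "$f")" \
                >/dev/null 2>&1 & ;;
        stdin)  # credentials arrive on file descriptor 0, never in argv
            sh -c 'read -r u; read -r p; sleep 2; :' stand-in -auth - \
                <"$f" >/dev/null 2>&1 & ;;
        *) rm -f "$f"; return 2 ;;
    esac
    pid=$!
    sleep 0.5                           # give the child time to exec
    cmdline_has "$pid" "$SECRET" || rc=$?
    { kill "$pid"; wait "$pid"; } 2>/dev/null || true
    rm -f "$f"
    return "$rc"
}

for mode in argv stdin; do
    if secret_visible "$mode"; then
        echo "$mode: password visible in the process list"
    else
        echo "$mode: password not in the process list"
    fi
done
```

The file permissions do not change the argv result: the substitution is expanded by the invoking shell, so the password lands in the child's command line regardless of how the file is protected.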
