Re: [msmtp-users] Password parameters patch



Thanks for the quick update.

> > Besides, there is sadly no '--password' parameter available. This is
> > useful for using msmtp from an external program such as mutt, while
> > not saving the password in any clear file. So I added support for the
> > '--password' parameter.  Quite simple in fact, and seems to work
> > pretty well.
> 
> The problem with this option is that it shows up in process lists (via
> the ps utility, in /proc, and via several system calls), so it would
> be unsafe to use. I did not push this part of your patch.

Isn't it possible to see the result of the command passed to passwordeval
anyway?  The command result is retrieved from a pipe -- popen in
get_password_eval(...)  function -- so I guess it is possible to get the content
of the pipe, which is the clear password...  Perhaps I'm wrong here, tell me.

> With --passwordeval, it should be possible to use secure password
> storage (keyring or encrypted files or something else) and still give
> the password on the command line.

The problem here is that gpg will fail when called from mutt. I did not manage
to find any convenient solution for using msmtp from mutt while keeping the
password encrypted at the same time.  The only solution I've found at the
moment is to patch msmtp to support the --password parameter. Of course it is
not 100% safe, but like I said before, I don't know if --passwordeval is safer
anyway. But I guess the only security flaw would be on a machine with SSH
access.

Tell me if you have some detailed explanations about the possible flaws, and if
you have any smart solution for mutt. Thanks.

Cheers

Pierre
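
The process-list exposure discussed in this thread can be checked directly. The following is an added example, not code from the thread or from msmtp: it compares what /proc shows for a password passed as an argument with what it shows for a helper that hands the password over a pipe. It assumes Linux /proc; the Python child processes stand in for msmtp and for the passwordeval command, the temporary file stands in for an encrypted store, and the password is a constructed value. It covers only what appears in the process list, not other ways a process can be inspected.

```python
import subprocess
import sys
import tempfile

SECRET = "constructed-demo-password"  # constructed sample value, not a real credential

# Child bodies (hypothetical stand-ins). Both block until the parent closes
# stdin, so the process is still alive when its command line is inspected.
WAIT = "import sys; sys.stdin.read()"
HELPER = "import sys; print(open(sys.argv[1]).read(), flush=True); sys.stdin.read()"


def cmdline(pid):
    """Return a process's argv as ps reads it from /proc (Linux only)."""
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        return f.read().replace(b"\0", b" ").decode().strip()


def password_on_argv():
    """Stand-in for a '--password SECRET' invocation; returns the ps view."""
    with subprocess.Popen([sys.executable, "-c", WAIT, "--password", SECRET],
                          stdin=subprocess.PIPE) as child:
        return cmdline(child.pid)


def password_over_pipe():
    """Stand-in for passwordeval: the helper prints the secret on stdout.

    Returns (password read from the pipe, the helper's ps view)."""
    with tempfile.NamedTemporaryFile("w", suffix=".secret") as store:
        store.write(SECRET)  # stands in for an encrypted file or keyring
        store.flush()
        with subprocess.Popen([sys.executable, "-c", HELPER, store.name],
                              stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                              text=True) as child:
            password = child.stdout.readline().strip()
            return password, cmdline(child.pid)


if __name__ == "__main__":
    print("argv case, ps view:", password_on_argv())
    password, helper_view = password_over_pipe()
    print("pipe case, ps view:", helper_view)
    print("pipe case, password received:", password == SECRET)
```

In the pipe case the helper's command and its file argument are still visible in the process list; only the helper's output is absent from it.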