1

According to https://www.netmeister.org/blog/keychain-passwords.html

Secondly, we are necessarily leaking the newly generated password into the process table as the shell expands the backticks (more details here). Sadly, the security(1) utility has no other method of non-interactively accepting a password but on the command-line[1]. For this reason, it may be preferable to create the secret using the GUI application.

Is it possible to programmatically add passwords to the keychain without leaking them to the ps -ef output?

rogerdpack
  • 838

1 Answers1

2

I went ahead and wrote a small command line app to do it for you programmatically, here it is, finally pipe-able console password entry :)

Other options:

If you run security add-generic-password ... -w then it will prompt you for your password, you can type it in there, that doesn't leak anything.

There are a few hacks to feed the secure prompt, but just using it is OK too (or use the GUI).

In my case (attempting to feed kinit) it can integrate with the keychain, though still a manual initial entry, built-in.

rogerdpack
  • 838