
fix(password): don't print secret to a terminal on --password-get #9

Merged
jamiesun merged 1 commit into main from fix/password-get-no-tty-print on Jun 12, 2026

Conversation

@jamiesun

Contributor

Problem

--password-get=<key> printed the stored password in plaintext to stdout by default (\nPassword: <value>\n), leaving the secret in terminal scrollback / shoulder-surfing range. That print is largely unnecessary:

  • sshx already uses the keyring internally (auto-fills sudo over stdin) — humans rarely need the raw value.
  • --password-check already answers "does this key exist?" without revealing the value.
  • The decorated Password: <value> output wasn't even clean for scripting.

Fix

Make --password-get TTY-aware:

  • Interactive terminal → does not print the secret; confirms the key exists and shows how to pipe it.
  • Piped / redirected stdout → emits only the raw value (no decoration, no trailing newline) for clean capture: PW=$(sshx --password-get=key) or sshx --password-get=key | pbcopy. The plaintext warning goes to stderr so it never pollutes the value.

No new flag; backward-compatible for scripts (output is actually cleaner now). The not-found error path is unchanged.

Verification

  • gofmt/go vet clean; go test ./... passes; golangci-lint (v2) 0 issues.
  • Manual probe with a throwaway keyring entry:
    • piped capture → exactly the raw value (10 bytes, no trailing newline);
    • warning lands on stderr only;
    • pty (script) run → secret not printed, only "exists" + pipe guidance;
    • missing key → password not found, exit 255.

Docs

Updated usage help, skills/sshx/SKILL.md, README.md, README_CN.md, the list-passwords hint (now points at --password-check), and a CHANGELOG ### Security note.

--password-get dumped the stored password in plaintext to stdout by
default, leaving it in terminal scrollback. sshx already uses the keyring
internally and --password-check covers existence, so the only legitimate
need for the raw value is handing it to another program.

Make --password-get TTY-aware: on an interactive terminal it just confirms
the key exists and shows how to pipe it; when stdout is a pipe or file it
emits only the raw value (no decoration, no trailing newline) so it can be
captured cleanly, e.g. PW=$(sshx --password-get=key) or `... | pbcopy`. The
plaintext warning is written to stderr so it never pollutes the value.

Update usage text, SKILL.md, READMEs, and the list-passwords hint (now
points at --password-check), plus a CHANGELOG Security note.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
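The TTY-aware output policy described in the PR and commit message, as an added example that is not sshx's own code: the keyring is an injected lookup function, terminal detection uses the standard library, and the key, value and message wording are constructed for illustration.

```go
package main

import (
	"fmt"
	"os"
)

// getResult holds what one --password-get run writes to stdout and stderr
// plus its exit code, so the policy is testable without a real TTY or keyring.
type getResult struct {
	Stdout   string
	Stderr   string
	ExitCode int
}

// passwordGet applies the TTY-aware policy from the PR. The keyring is an
// injected lookup func (assumption: sshx queries the OS keyring here) and
// the caller decides stdoutIsTTY.
func passwordGet(key string, stdoutIsTTY bool, lookup func(string) (string, bool)) getResult {
	value, ok := lookup(key)
	if !ok {
		// Not-found path is unchanged by the fix: message on stderr, exit 255.
		return getResult{Stderr: "password not found\n", ExitCode: 255}
	}
	if stdoutIsTTY {
		// Interactive terminal: never echo the secret; confirm and show how to pipe it.
		return getResult{Stdout: fmt.Sprintf(
			"Password %q exists. Capture it with: PW=$(sshx --password-get=%s)\n", key, key)}
	}
	// Pipe or file: raw value only, no decoration or trailing newline, so
	// $(...) and `| pbcopy` get exactly the secret; the warning goes to stderr.
	return getResult{Stdout: value, Stderr: "warning: password written in plaintext to stdout\n"}
}

// stdoutIsTerminal reports whether stdout is a character device (a TTY),
// using only the standard library.
func stdoutIsTerminal() bool {
	fi, err := os.Stdout.Stat()
	return err == nil && fi.Mode()&os.ModeCharDevice != 0
}

func main() {
	// Constructed in-memory keyring standing in for the OS keyring.
	ring := map[string]string{"prod-db": "s3cr3tValu"}
	lookup := func(k string) (string, bool) { v, ok := ring[k]; return v, ok }
	r := passwordGet("prod-db", stdoutIsTerminal(), lookup)
	fmt.Fprint(os.Stdout, r.Stdout)
	fmt.Fprint(os.Stderr, r.Stderr)
	os.Exit(r.ExitCode)
}
```

Running it directly prints only the "exists" guidance, while `PW=$(go run .)` captures the 10-byte value with nothing appended.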
@jamiesun jamiesun merged commit 3b6c394 into main Jun 12, 2026
6 checks passed
@jamiesun jamiesun deleted the fix/password-get-no-tty-print branch June 12, 2026 16:45