RFR: 8354469: Keytool exposes the password in plain text when command is piped using | grep

Mikhail Yankelevich myankelevich at openjdk.org
Wed Apr 23 11:13:47 UTC 2025


On Tue, 22 Apr 2025 22:43:08 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> Add more description on password handling into the keytool man page. A link to the man page is now added to the keytool help screen.
> 
> When keytool output is redirected into a file or file, a warning is shown:
> 
> $ keytool -genkeypair | type
> 
> Warning: password will be echoed because output is redirected.
> Enter keystore password:  password
> Warning: password will be echoed because output is redirected.
> Re-enter new password:
> 
> 
> A new manual test is added.
> 
> Sorry we cannot suppress password echoing in this case at the moment because `System.console()` is not available.

test/jdk/sun/security/tools/keytool/EchoPassword.java line 1:

> 1: /*

Do you think using `PassFailJFrame` here might be a simpler solution?

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/24805#discussion_r2055819289

