eventure / hide.client.linux

Hide.me CLI VPN client for Linux
https://hide.me
GNU General Public License v2.0

Password option should not be displayed on command line usage #21

Open JonnyTech opened 1 year ago

JonnyTech commented 1 year ago

When running the program without any arguments, it displays the following text:

$ /opt/hide.me/hide.me

Usage:
  /opt/hide.me/hide.me [options...] <command> [host]

command:
  token - request an Access-Token (required for connect)
  connect - connect to a vpn server
  conf - generate a configuration file to be used with the -c option

host:
  fqdn, short name or an IP address of a hide.me server
  Required when the configuration file does not contain it

options:
  -4    Use IPv4 tunneling only
  -6    Use IPv6 tunneling only
  -P password
        hide.me password
  -R priority
        RPDB rule priority (default 10)
  -b filename
        resolv.conf backup filename (default "/etc/resolv.conf.backup.hide.me")
  -c filename
        Configuration filename
  -ca string
        CA certificate bundle (default "CA.pem")
  -d DNS servers
        comma separated list of DNS servers used for client requests (default "209.250.251.37:53,217.182.206.81:53")
  -dpd duration
        DPD timeout (default 1m0s)
  -i interface
        network interface name (default "vpn")
  -k    enable/disable leak protection a.k.a. kill-switch (default true)
  -l port
        listen port
  -m mark
        firewall mark for wireguard and hide.me client originated traffic
  -p port
        remote port (default 432)
  -r table
        routing table to use (default 55555)
  -s networks
        comma separated list of networks (CIDRs) for which to bypass the VPN
  -t string
        access token filename (default "accessToken.txt")
  -u username
        hide.me username

But password is not available as a command line option

options:
  -P password
        hide.me password

The only reference that I can find is https://github.com/eventure/hide.client.linux/blob/005c2540ffc27ee9e7b18734d00104f6656a2427/hide.me.go#L31

But I am not well versed enough in Go to be able to omit that from the command-line usage - maybe removing the backticks is sufficient but I cannot find documentation supporting it.

Anyway, this command-line usage display confused me so it should be removed in case it does so to others.

leberknecht commented 11 months ago

It's actually very bad practice to read the password from the command line. It should either come from an interactive prompt or be read from env.
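An added example, not code from the hide.client.linux project, combining both points of this thread: in Go's standard `flag` package the backticks in a usage string only name the value placeholder (removing them does not hide the flag), so hiding `-P` takes a custom usage printer, and the password itself can come from the environment or stdin instead of argv. The environment variable name `HIDEME_PASSWORD`, the helper names `usageWithout` and `resolvePassword`, and the two flag definitions (reconstructed from the usage text quoted above) are assumptions made for this example.

```go
package main

import (
	"bufio"
	"flag"
	"fmt"
	"io"
	"os"
	"strings"
)

// usageWithout renders flag help but omits the flag named hidden.
// flag.UnquoteUsage turns the back-quoted word into the placeholder name.
func usageWithout(fs *flag.FlagSet, hidden string) string {
	var b strings.Builder
	fs.VisitAll(func(f *flag.Flag) {
		if f.Name == hidden {
			return
		}
		name, usage := flag.UnquoteUsage(f)
		fmt.Fprintf(&b, "  -%s %s\n    \t%s\n", f.Name, name, usage)
	})
	return b.String()
}

// resolvePassword never looks at argv: it tries the environment variable
// HIDEME_PASSWORD (a name assumed for this example), then one line from r.
func resolvePassword(getenv func(string) string, r io.Reader) (string, error) {
	if p := getenv("HIDEME_PASSWORD"); p != "" {
		return p, nil
	}
	line, err := bufio.NewReader(r).ReadString('\n')
	if err != nil && err != io.EOF {
		return "", err
	}
	if p := strings.TrimRight(line, "\r\n"); p != "" {
		return p, nil
	}
	return "", fmt.Errorf("no password in HIDEME_PASSWORD or on stdin")
}

func main() {
	fs := flag.NewFlagSet("hide.me", flag.ContinueOnError)
	fs.String("u", "", "hide.me `username`") // assumed definition
	fs.String("P", "", "hide.me `password`") // assumed definition, kept but hidden
	fmt.Fprint(os.Stderr, "options:\n", usageWithout(fs, "P"))
	if _, err := resolvePassword(os.Getenv, os.Stdin); err != nil {
		fmt.Fprintln(os.Stderr, err)
	}
}
```

Reading from stdin with the standard library alone does not disable terminal echo; it suits piped input such as a secrets manager writing to the process.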