Date: Tue, 7 May 2013 12:44:25 -0400
From: Craig B Agricola <craig@theagricolas.org>
To: Adam Back <adam@cypherspace.org>
Message-ID: <20130507164425.GN24376@theagricolas.org>
Cc: Bitcoin-Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] minor bitcoin-qt gripes moving BTC off specific key

BTW, Adam, I suspect you might be using the console in the GUI, and that might be
under Windows for all I know, but I usually do it this way on the command line
under Linux:

    echo -n "Password: "; bitcoind walletpassphrase "$(stty -echo; read -r p; printf '%s' "$p"; stty echo)" 60; echo

This uses the JSON API to unlock the wallet (for 60 seconds; which is the "60"
at the end), and should work for either the GUI (if you start it with the
-server flag) or the headless bitcoind. It keeps the password that you type
off the console, and also keeps it out of the history file. The only issue
with it is that it will show up in the process tree as an argument of the
command for the period of time that the JSON API is being prepared and sent,
which should be fairly short. This might be a concern if you are on a
multi-user system (you probably shouldn't be doing this anyway), or
worry that spyware might be monitoring for passwords (though if you are
worried about spyware, you should already be concerned about keyloggers,
so...) I doubt this will work (without significant modifications) on
Windows without Cygwin, though.

-Craig

On Tue, May 07, 2013 at 02:16:41PM +0200, Adam Back wrote:
> Hi
>
> Three minor security/other issues:
>
> 1. please a way to unlock the wallet without displaying wallet password in
> console screen (console unlock wallet, to import priv key); or
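
The process-tree exposure described in the message above comes from passing the passphrase as a command-line argument. The following is an added example, not part of the original message or of Bitcoin's own code: it sends the same `walletpassphrase` call as a JSON-RPC request body from a single process, so the passphrase never appears in any argv. The URL (default mainnet RPC port on localhost), the use of the `rpcuser`/`rpcpassword` credentials, and the function names are assumptions.

```python
# Added example: unlock the wallet over JSON-RPC without putting the
# passphrase on a command line. Function names here are hypothetical.
import base64
import getpass
import json
import urllib.error
import urllib.request

RPC_URL = "http://127.0.0.1:8332/"  # assumption: default mainnet RPC port


def build_unlock_request(passphrase, timeout_s, rpc_user, rpc_password):
    """Build the HTTP request carrying a walletpassphrase JSON-RPC call."""
    # json.dumps escapes quotes, backslashes and spaces, so any passphrase
    # survives intact (unlike unquoted shell word splitting).
    body = json.dumps({
        "jsonrpc": "1.0",
        "id": "unlock",
        "method": "walletpassphrase",
        "params": [passphrase, timeout_s],
    }).encode("utf-8")
    token = base64.b64encode(f"{rpc_user}:{rpc_password}".encode()).decode()
    return urllib.request.Request(
        RPC_URL, data=body, method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": "Basic " + token})


def unlock_wallet(timeout_s=60):
    """Prompt without echo, send the request, raise on an RPC error."""
    rpc_user = input("RPC user: ")
    rpc_password = getpass.getpass("RPC password: ")
    passphrase = getpass.getpass("Wallet passphrase: ")
    req = build_unlock_request(passphrase, timeout_s, rpc_user, rpc_password)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            reply = json.load(resp)
    except urllib.error.HTTPError as exc:
        # RPC failures (e.g. wrong passphrase) arrive as an HTTP error
        # status; report the status and any body the server sent.
        detail = exc.read().decode("utf-8", "replace")
        raise RuntimeError(f"RPC failed ({exc.code}): {detail}") from exc
    if reply.get("error"):
        raise RuntimeError(reply["error"])
    return True


if __name__ == "__main__":
    unlock_wallet()
    print("Wallet unlocked for 60 seconds")
```

The request still travels in cleartext HTTP with Basic authentication, so this is meant for the loopback interface only.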