Read ID & SECRET from files #27

Closed
opened 2025-11-19 07:12:19 -06:00 by GiteaMirror · 4 comments

Originally created by @thalin on GitHub (May 22, 2025).

Originally assigned to: @oschwartz10612 on GitHub.

A standard security practice is to pass secret values in files so that they aren't exposed via /proc and/or ps. It would be great if you could specify --id-file and --secret-file to pass along these values as files instead of directly on the command line.

An additional bonus would be being able to set _FILE environment variables for these as well, to match the existing environment variables from which newt reads secrets now.

GiteaMirror added the enhancement label 2025-11-19 07:12:19 -06:00

@oschwartz10612 commented on GitHub (May 22, 2025):

The id and secret are actually saved in the files at the following locations, depending on your operating system, after you do an initial connection with the values. This should be documented better and we should also add a way to control the files so I will leave this open.

macOS: ~/Library/Application Support/newt-client
Windows: %APPDATA%\newt-client
Linux (and others): ~/.config/newt-client

@wolrah commented on GitHub (Jul 11, 2025):

I'd like to also see a standard system-wide location like /etc/ used instead of /root/.config/ when running as a service.


@vworldat commented on GitHub (Aug 16, 2025):

I'd also really prefer a NEWT_SECRET_FILE env option as recommended in the docker compose docs: https://docs.docker.com/compose/how-tos/use-secrets/


@oschwartz10612 commented on GitHub (Aug 23, 2025):

This is actually currently possible with the latest newt! It already
looks for a config file:

```
$ cat ~/.config/newt-client/config.json
{
   "id": "spmzu8rbpzj1qq6",
   "secret": "f6v61mjutw233245kkydbw3fjo227zl60a2tsf5psw9r25hgae3",
   "endpoint": "https://pangolin.fossorial.io",
   "tlsClientCert": ""
}
```

... and that file can be changed with the CONFIG_FILE env var found at
websocket/config.go. Need to document this better...
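
An added sketch of the `_FILE` convention requested in this thread (example code, not part of the thread or of newt): the value is read from the file named by `<NAME>_FILE`, falling back to `<NAME>`, and setting both is an error. The helper `resolveSecret`, the 4096-byte limit and the use of `NEWT_SECRET` in `main` are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// resolveSecret returns the value for name, reading it from the file named by
// name+"_FILE" when that is set. Hypothetical helper; not newt's own code.
func resolveSecret(name string) (string, error) {
	direct, hasDirect := os.LookupEnv(name)
	path, hasFile := os.LookupEnv(name + "_FILE")
	switch {
	case hasDirect && hasFile:
		return "", fmt.Errorf("%s and %s_FILE are both set; use one", name, name)
	case hasFile:
		info, err := os.Stat(path)
		if err != nil {
			return "", fmt.Errorf("%s_FILE: %w", name, err)
		}
		if !info.Mode().IsRegular() || info.Size() > 4096 {
			return "", fmt.Errorf("%s_FILE: %s must be a regular file of at most 4096 bytes", name, path)
		}
		raw, err := os.ReadFile(path)
		if err != nil {
			return "", fmt.Errorf("%s_FILE: %w", name, err)
		}
		// Editors and `echo` append a newline that is not part of the secret.
		value := strings.TrimRight(string(raw), "\r\n")
		if value == "" {
			return "", fmt.Errorf("%s_FILE: %s is empty", name, path)
		}
		return value, nil
	case hasDirect:
		return direct, nil
	}
	return "", errors.New(name + " is not set")
}

func main() {
	secret, err := resolveSecret("NEWT_SECRET") // variable name assumed
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Printf("loaded secret (%d bytes)\n", len(secret)) // never print the value itself
}
```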

Reference: github-starred/newt#27