From 582125ababbbbc451b26ef5d6625fca898b31788 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@riseup.net>
Date: Fri, 23 Feb 2018 13:58:16 +0100
Subject: [PATCH] avoid password in shell history

as suggested by @marmarek

https://github.com/QubesOS/qubes-doc/pull/582#pullrequestreview-98203644
---
 security/yubi-key.md | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/security/yubi-key.md b/security/yubi-key.md
index 1df57b4f..91d42f44 100644
--- a/security/yubi-key.md
+++ b/security/yubi-key.md
@@ -81,11 +81,15 @@ To use this mode you need to:
 6. Paste your hashed password (other than your standard Qubes password)  into
 `/etc/qubes/yk-keys/yk-login-pass-hashed.hex` in dom0.
 
-   You can calculate your hashed password using this command:
+   You can calculate your hashed password using the following two commands.
+   First run the following command to store your password in a temporary variable `password`.
+   (This way your password will not leak to the terminal commnand history file.)
 
-       echo -n "PASSWORD" | openssl dgst -sha1
-
-   (Replace `PASSWORD` with your actual password.)
+       read password
+       
+   Now run the following command to calculate your hashed password.
+       
+       echo -n "$password" | openssl dgst -sha1
 
 7. Edit `/etc/pam.d/login` in dom0. Add this line at the beginning: