[pass] totp enhancement
stephane croze
admin at lesderniersdelaclasse.pw
Thu Aug 6 13:27:42 CEST 2015
Hi,
Thanks for feedback!
You are right on the style: I replaced backticks with $().
I understand the pass style point of view. Minimum dependencies,
standard file name convention, only one functionality: it's certainly
the best way to ensure security and/or robustness.
But I've one argument to use my fork. It does not change the structure
of my password store. I could still access it without using "totp
enhancement" fork.
Thanks for the thread: I have been reading it. I did not understand
everything... I'm just an end-user. And like all the end-users, I search
usability. So, my idea was to have a single command to get both the
password and TOTP.
Thus, I'll try your script "subcommand_hooks". Yes, I like the idea.
It's more secure because:
* it must be signed to be executed.
* it allows adding functionality without modifying the core code.
A priori, do you think it's possible to obtain the same result as "totp
enhancement": just one command to get the two factors?
Thanks in advance :)
Stephane
On 05/08/2015 15:33, Lenz Weber wrote:
> Hi,
> this looks like a great idea!
>
> On the code itself: it looks fine to me, but I would replace the
> backticks with $(), as that style is used everywhere else in pass.
>
> But at the moment, I think there are some concerns that may keep it from
> getting integrated (but this is just guesswork, I'm not the maintainer)
> * it introduces a new dependency: oathtool
> * it introduces a new file name convention which impacts other commands
> * it moves a bit away from the "only one functionality" thing pass does
> otherwise.
>
> My thought on this is (and yes, I'm conquering your thread a bit with
> this, sorry):
> This might be a perfect example for a user-defined command hook.
> We have been discussing this idea a few days ago (take a look at the
> archive:
> http://lists.zx2c4.com/pipermail/password-store/2015-August/thread.html#1659
> ).
>
> The gist of it is: you create a script with contents like
>
> #!/bin/bash
> OTP_OPTS=( $PASSWORD_STORE_OTP_OPTS "--base32" "-w 3" "--totp" )
> OTP="oathtool"
> $OTP "${OTP_OPTS[@]}" $(cmd_show "$@" | head -n1)
>
> save it as '~/.password-store/.subcommand_hooks/otp', make it executable
> and sign it and it would be available as
> pass otp <password-name>
>
> If you like the idea and want to do some testing, I'm desperately
> waiting for feedback ;)
>
> Regards,
> Lenz
>
>
>
> On 05.08.2015 at 13:50, admin wrote:
>> Hello,
>> I apologize for my poor English and my bad code... But I tried to
>> add a functionality to allow password-store to generate a time OTP.
>> It's very useful for websites requesting a 2FA TOTP like Google or
>> GitHub. See my fork of the master GitHub password-store:
>> https://github.com/Gambiit/password-store
>> Thanks a lot for password-store, Best regards :)
>>
>>
>> _______________________________________________
>> Password-Store mailing list
>> Password-Store at lists.zx2c4.com
>> http://lists.zx2c4.com/mailman/listinfo/password-store
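What the quoted hook's `oathtool --base32 --totp -w 3` call computes, as an added example that is not part of the original thread or of pass: RFC 6238 TOTP done in-process in Python for the secret on an entry's first line, returned together with the password from a second entry. The entry texts, the function names and the two-entry layout are assumptions; the secret is the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample entries (what `pass show <name>` would print).
# The secret is the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_OTP_ENTRY = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq\nissuer: example\n"
SAMPLE_PASSWORD_ENTRY = "correct horse battery staple\nlogin: alice\n"

def first_line(entry_text):
    """Equivalent of `cmd_show ... | head -n1`."""
    return entry_text.splitlines()[0]

def decode_secret(secret_b32):
    """Base32 secret -> key bytes; tolerates spaces, lower case, missing '='."""
    s = "".join(secret_b32.split()).upper().rstrip("=")
    return base64.b32decode(s + "=" * (-len(s) % 8))

def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp_window(secret_b32, now=None, window=3, step=30):
    """Current code plus `window` following ones, as `--totp -w 3` prints."""
    counter = int(time.time() if now is None else now) // step
    key = decode_secret(secret_b32)
    return [hotp(key, counter + i) for i in range(window + 1)]

def password_and_totp(password_entry, otp_entry, now=None):
    """Both factors from one call; the secret never appears in a process argv."""
    code = totp_window(first_line(otp_entry), now, window=0)[0]
    return first_line(password_entry), code

if __name__ == "__main__":
    print(*password_and_totp(SAMPLE_PASSWORD_ENTRY, SAMPLE_OTP_ENTRY), sep="\n")
```

Passing `now=59` reproduces the published RFC test values, which makes the function easy to check against any other TOTP implementation.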