[pass] totp enhancement

Lenz Weber mail at lenzw.de
Fri Aug 7 00:06:40 CEST 2015


Hi Stephane,

you could do something like put the password in line 1 and the otp
secret in line two and then use a hook like this:


#!/bin/bash
# Print line 1 of the entry (the password) and a TOTP derived from line 2 (the base32 secret).
pw_contents=$(pass show "$@")

echo "password:"
# Quote the variable: an unquoted echo joins both lines into one and sed -n 2p finds nothing.
echo "$pw_contents" | sed -n 1p

# "-w" and "3" as separate array elements so oathtool receives them as two arguments.
OTP_OPTS=( $PASSWORD_STORE_OTP_OPTS "--base32" "-w" "3" "--totp" )
OTP="oathtool"
echo "otp:"
"$OTP" "${OTP_OPTS[@]}" "$(echo "$pw_contents" | sed -n 2p)"


I think that should suffice.

Greetings,
Lenz

PS: for all the hooking to work you will have to use one of my suggested
patches from the thread.

On 06.08.2015 at 13:27, stephane croze wrote:
> Hi,
> Thanks for feedback!
> 
> You are right on the style: I replaced backticks with $().
> 
> I understand the pass style point of view. Minimum dependencies,
> standard file name convention, only one functionality: it's certainly
> the best way to ensure security and/or robustness.
> 
> But I've one argument to use my fork. It does not change the structure
> of my password store. I could still access it without using "totp
> enhancement" fork.
> 
> Thanks for the thread: I have been reading it. I did not understand
> everything... I'm just an end-user. And like all the end-users, I search
> for usability. So, my idea was to have a single command to get both the
> password and TOTP.
> 
> Thus, I'll try your script "subcommand_hooks". Yes, I like the idea.
> It's more secure because:
> * it must be signed to be executed.
> * it allows adding functionality without modifying the core code.
> A priori, do you think it's possible to obtain the same result as "totp
> enhancement": just one command to get the two factors?
> 
> thanks in advance :)
> Stephane
> 
> 
> On 05/08/2015 15:33, Lenz Weber wrote:
>> Hi,
>> this looks like a great idea!
>>
>> On the code itself: it looks fine to me, but I would replace the
>> backticks with $(), as that style is used everywhere else in pass.
>>
>> But at the moment, I think there are some concerns that may keep it from
>> getting integrated (but this is just guesswork, I'm not the maintainer)
>>  * it introduces a new dependency: oathtool
>>  * it introduces a new file name convention which impacts other commands
>>  * it moves a bit away from the "only one functionality" thing pass does
>> otherwise.
>>
>> My thought on this is (and yes, I'm conquering your thread a bit with
>> this, sorry):
>> This might be a perfect example for a user-defined command hook.
>> We have been discussing this idea a few days ago (take a look at the
>> archive:
>> http://lists.zx2c4.com/pipermail/password-store/2015-August/thread.html#1659
>> ).
>>
>> The gist of it is: you create a script with contents like
>>
>>     #!/bin/bash
>>     # "-w" and "3" as separate elements so oathtool receives two arguments
>>     OTP_OPTS=( $PASSWORD_STORE_OTP_OPTS "--base32" "-w" "3" "--totp" )
>>     OTP="oathtool"
>>     "$OTP" "${OTP_OPTS[@]}" "$(cmd_show "$@" | head -n1)"
>>
>> save it as '~/.password-store/.subcommand_hooks/otp', make it executable
>> and sign it and it would be available as
>>     pass otp <password-name>
>>
>> If you like the idea and want to do some testing, I'm desperately
>> waiting for feedback ;)
>>
>> Regards,
>> Lenz
>>
>>
>>
>> On 05.08.2015 at 13:50, admin wrote:
>>> Hello,
>>> I apologize for my poor English and my bad code... But I tried to
>>> add a functionality to allow password-store to generate a time otp.
>>> It's very useful for websites requesting a 2FA totp like google or
>>> github. See my fork of the master github password-store:
>>> https://github.com/Gambiit/password-store
>>> Thanks a lot for password-store, Best regards :)
>>>
>>>
>>> _______________________________________________
>>> Password-Store mailing list
>>> Password-Store at lists.zx2c4.com
>>> http://lists.zx2c4.com/mailman/listinfo/password-store
>>
> 
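The hook Lenz proposes prints line 1 of the entry as the password and hands line 2 to oathtool. The following is an added example, not code from the thread and not part of pass or oathtool: it keeps the same two-line layout, shows the quoting that keeps the two lines apart, and computes the RFC 6238 TOTP itself (HMAC-SHA1 via openssl, 30-second step, 6 digits) so the script runs offline without pass or oathtool. The sample entry, the function names, and the use of openssl in place of oathtool are this example's own assumptions; the secret in the sample is the base32 form of the RFC 6238 test key.

```shell
#!/bin/bash
# Added example (not Lenz's hook, not pass code): a two-line entry with the
# password on line 1 and a base32 TOTP secret on line 2, handled with the
# quoting that keeps both lines intact, plus a local RFC 6238 TOTP so the
# script runs without pass or oathtool. Needs a POSIX shell, openssl, coreutils.

# Constructed sample entry, laid out as `pass show <name>` would print it.
# The secret is the base32 form of the RFC 6238 test key "12345678901234567890".
SAMPLE_ENTRY="correct horse battery staple
GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Decode an RFC 4648 base32 string to lowercase hex (no `base32 -d` needed).
base32_to_hex() {
    local alphabet="ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
    local in bits=0 nbits=0 hex="" ch idx
    in=$(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr -d '= ')   # upper-case, drop padding/spaces
    while [ -n "$in" ]; do
        ch=${in%"${in#?}"}; in=${in#?}                       # pop the first character
        idx=${alphabet%%"$ch"*}; idx=${#idx}                 # its index in the alphabet
        if [ "$idx" -eq 32 ]; then
            echo "invalid base32 character: $ch" >&2; return 1
        fi
        bits=$(( (bits << 5) | idx )); nbits=$(( nbits + 5 ))
        while [ "$nbits" -ge 8 ]; do                         # emit every complete byte
            nbits=$(( nbits - 8 ))
            hex=$hex$(printf '%02x' $(( (bits >> nbits) & 255 )))
        done
        bits=$(( bits & ((1 << nbits) - 1) ))
    done
    printf '%s\n' "$hex"
}

# HMAC-SHA1 of the 8-byte big-endian counter under a hex key; prints 40 hex chars.
hmac_sha1_counter() {
    local hexkey="$1" counter="$2" esc="" i=7
    while [ "$i" -ge 0 ]; do                                 # bytes as \0ooo escapes for printf %b
        esc="$esc\\0$(printf '%03o' $(( (counter >> (8 * i)) & 255 )))"
        i=$(( i - 1 ))
    done
    printf '%b' "$esc" | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$hexkey" | awk '{print $NF}'
}

# TOTP per RFC 6238: counter = unix_time / 30, dynamic truncation, 6 digits.
totp() {
    local hexkey="$1" now="${2:-$(date +%s)}" hmac offset code
    hmac=$(hmac_sha1_counter "$hexkey" $(( now / 30 )))
    [ "${#hmac}" -eq 40 ] || return 1                        # openssl missing or failed
    offset=$(( 0x$(printf '%s' "$hmac" | cut -c40) ))        # low nibble of the last byte
    code=$(printf '%s' "$hmac" | cut -c$(( offset * 2 + 1 ))-$(( offset * 2 + 8 )))
    printf '%06d\n' $(( (0x$code & 0x7fffffff) % 1000000 ))
}

# The two pieces a hook prints. Quoting "$1" preserves the line break between
# the lines; an unquoted echo would join them and `sed -n 2p` would print nothing.
password_from_entry() { printf '%s\n' "$1" | sed -n 1p; }
otp_from_entry() {
    local secret hexkey
    secret=$(printf '%s\n' "$1" | sed -n 2p)
    hexkey=$(base32_to_hex "$secret") || return 1
    totp "$hexkey" "$2"                                      # $2: optional fixed time for testing
}

echo "password:"; password_from_entry "$SAMPLE_ENTRY"
echo "otp:";      otp_from_entry "$SAMPLE_ENTRY"
```

The script prints only the derived six-digit code, never the secret from line 2, which is the property a hook like this should keep: the secret leaves the store only as a short-lived OTP. Passing a fixed time as the second argument of otp_from_entry reproduces the RFC 6238 reference values (time 59 gives 287082 for the sample secret), which is a cheap way to check a hook against the standard before trusting it with a real account.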