[pass] totp enhancement

stephane croze admin at lesderniersdelaclasse.pw
Sun Aug 9 01:42:47 CEST 2015


Hi Lenz,
Thanks for the patch

I used your idea: it works fine. However I prefer to use two files
rather than a single one with multiple lines. I published the branch
"hook" on GitHub.
I have some ideas for enhancement, I'm listening to all of yours :)
I have a project for the future: make a cheap USB key based on a
microcontroller like the ATmega328 and a special pass addon to read it.
I know: it already exists, e.g. WibuKey. But the thing is to make it
yourself so that everyone knows exactly what's in it. What do you think
about it?

regards,
Stephane.

On 07/08/2015 00:06, Lenz Weber wrote:
> Hi Stephane,
> 
> you could do something like put the password in line 1 and the otp
> secret in line two and then use a hook like this:
> 
> 
> #!/bin/bash
> # two-line entry: line 1 = password, line 2 = base32 TOTP secret
> pw_contents=$(pass show "$@")
> 
> echo "password:"
> # quote the variable so its newlines survive and sed sees separate lines
> echo "$pw_contents" | sed -n 1p
> 
> OTP_OPTS=( $PASSWORD_STORE_OTP_OPTS "--base32" "-w" "3" "--totp" )
> OTP="oathtool"
> echo "otp:"
> $OTP "${OTP_OPTS[@]}" "$(echo "$pw_contents" | sed -n 2p)"
> 
> 
> I think that should suffice.
> 
> Greetings,
> Lenz
> 
> PS: for all the hooking to work you will have to use one of my suggested
> patches from the thread.
> 
> On 06.08.2015 at 13:27, stephane croze wrote:
>> Hi,
>> Thanks for feedback!
>>
>> You are right on the style: I replaced backticks with $().
>>
>> I understand the pass style point of view. Minimum dependencies,
>> standard file name convention, only one functionality: it's certainly
>> the best way to ensure security and/or robustness.
>>
>> But I have one argument to use my fork. It does not change the structure
>> of my password store. I could still access it without using the "totp
>> enhancement" fork.
>>
>> Thanks for the thread: I have been reading it. I did not understand
>> everything... I'm just an end-user. And like all the end-users, I look for
>> usability. So, my idea was to have a single command to get both the
>> password and TOTP.
>>
>> Thus, I'll try your script "subcommand_hooks". Yes, I like the idea.
>> It's more secure because:
>> * it must be signed to be executed.
>> * it allows adding functionality without modifying the core code.
>> A priori, do you think it's possible to obtain the same result as "totp
>> enhancement": just one command to get the two factors?
>>
>> thanks in advance :)
>> Stephane
>>
>>
>> On 05/08/2015 15:33, Lenz Weber wrote:
>>> Hi,
>>> this looks like a great idea!
>>>
>>> On the code itself: it looks fine to me, but I would replace the
>>> backticks with $(), as that style is used everywhere else in pass.
>>>
>>> But at the moment, I think there are some concerns that may keep it from
>>> getting integrated (but this is just guesswork, I'm not the maintainer)
>>>  * it introduces a new dependency: oathtool
>>>  * it introduces a new file name convention which impacts other commands
>>>  * it moves a bit away from the "only one functionality" thing pass does
>>> otherwise.
>>>
>>> My thought on this is (and yes, I'm conquering your thread a bit with
>>> this, sorry):
>>> This might be a perfect example for a user-defined command hook.
>>> We have been discussing this idea a few days ago (take a look at the
>>> archive:
>>> http://lists.zx2c4.com/pipermail/password-store/2015-August/thread.html#1659
>>> ).
>>>
>>> The gist of it is: you create a script with contents like
>>>
>>>     #!/bin/bash
>>>     OTP_OPTS=( $PASSWORD_STORE_OTP_OPTS "--base32" "-w" "3" "--totp" )
>>>     OTP="oathtool"
>>>     # the entry's first line is the base32 TOTP secret
>>>     $OTP "${OTP_OPTS[@]}" "$(cmd_show "$@" | head -n1)"
>>>
>>> save it as '~/.password-store/.subcommand_hooks/otp', make it executable
>>> and sign it and it would be available as
>>>     pass otp <password-name>
>>>
>>> If you like the idea and want to do some testing, I'm desperately
>>> waiting for feedback ;)
>>>
>>> Regards,
>>> Lenz
>>>
>>>
>>>
>>> On 05.08.2015 at 13:50, admin wrote:
>>>> Hello,
>>>> I apologize for my poor English and my bad code... But I tried to
>>>> add a functionality to allow password-store to generate a time otp.
>>>> It's very useful for websites requesting a 2FA TOTP like Google or
>>>> GitHub. See my fork of the master GitHub password-store:
>>>> https://github.com/Gambiit/password-store
>>>> Thanks a lot for password-store, Best regards :)
>>>>
>>>>
>>>> _______________________________________________
>>>> Password-Store mailing list
>>>> Password-Store at lists.zx2c4.com
>>>> http://lists.zx2c4.com/mailman/listinfo/password-store
>>>
>>>
>>>
>>>
>>
> 

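The hook in the thread reads a two-line entry (password on line 1, base32 TOTP seed on line 2) and hands the seed to oathtool. As an added example that is not part of this thread or of pass, here is the same computation in Python (RFC 4226 HOTP / RFC 6238 TOTP, HMAC-SHA1, 30-second step), parsing a constructed entry instead of calling oathtool; `SAMPLE_ENTRY`, `split_entry`, `totp` and `show_with_otp` are this example's own names, and the seed is the RFC 6238 reference key in base32.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample of the two-line pass entry proposed in the thread:
# line 1 = the site password, line 2 = the base32 TOTP seed.
# The seed is the RFC 6238 reference key "12345678901234567890" in base32.
SAMPLE_ENTRY = "correct horse battery staple\nGEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ\n"


def split_entry(contents):
    """Return (password, base32_seed) from a two-line entry; like the hook's sed -n 1p / 2p."""
    lines = contents.splitlines()
    if len(lines) < 2 or not lines[1].strip():
        raise ValueError("entry needs a password on line 1 and a TOTP seed on line 2")
    return lines[0], lines[1].strip()


def hotp(seed_b32, counter, digits=6):
    """RFC 4226 HOTP with HMAC-SHA1 (oathtool's default algorithm)."""
    # base32 is case-insensitive; re-add any padding an authenticator QR may omit
    key = base64.b32decode(seed_b32.upper() + "=" * (-len(seed_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed_b32, at=None, step=30, digits=6, window=0):
    """RFC 6238 TOTP for the current time step plus `window` following steps."""
    if at is None:
        at = int(time.time())
    counter = int(at) // step
    return [hotp(seed_b32, counter + i, digits) for i in range(window + 1)]


def show_with_otp(contents, at=None):
    """Single-command view of both factors, as the thread asks for."""
    password, seed = split_entry(contents)
    return password, totp(seed, at)[0]


if __name__ == "__main__":
    pw, code = show_with_otp(SAMPLE_ENTRY, at=59)
    print("password:", pw)
    print("otp:", code)
```

Line 2 is the second factor's secret, so anyone who can `pass show` the entry obtains both factors at once; that is the trade-off behind preferring a separate file or a separate key for the seed.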
