[pass] totp enhancement

Lenz Weber mail at lenzw.de
Sun Aug 9 10:48:33 CEST 2015


Hm, personally I'm using an OpenPGP Smartcard as a second factor, and a
Yubikey neo which acts as an emulated card reader (the javacard applet
they are using as OpenPGP Card is Open Source).
Another idea would be using something like a usbarmory (google it, cool
stuff) with secure boot and an encrypted boot disk.


On your idea: I'm a software guy and have no idea about hardware ;)

But if you need more info on one of my solutions, drop me an email, I
guess that's out of the scope of this mailing list.

Regards,
Lenz

On 09.08.2015 at 01:42, stephane croze wrote:
> Hi Lenz,
> Thanks for the patch
> 
> I used your idea: it works fine. However I prefer to use two files
> rather than a single one with multiple lines. I published the branch
> "hook" on github.
> I have some ideas for enhancement, I'm listening to all of yours :)
> I have a project for the future: make a cheap USB key based on a
> microcontroller like the ATmega328 and a special pass addon to read it.
> I know: it already exists, eg wibukeys. But the thing is to make it
> yourself so that everyone knows exactly what's in it. What do you think
> about it?
> 
> regards,
> Stephane.
> 
> On 07/08/2015 00:06, Lenz Weber wrote:
>> Hi Stephane,
>>
>> you could do something like put the password in line 1 and the otp
>> secret in line two and then use a hook like this:
>>
>>
>> #!/bin/bash
>> # Entry layout: line 1 is the password, line 2 is the base32 TOTP secret.
>> pw_contents=$(pass show "$@")
>>
>> echo "password:"
>> # Quote the variable: an unquoted expansion collapses the newlines into
>> # spaces, so sed would see a single line (and print the secret with it).
>> printf '%s\n' "$pw_contents" | sed -n 1p
>>
>> # -w and its value as separate words, so the value is its own argument.
>> OTP_OPTS=( $PASSWORD_STORE_OTP_OPTS "--base32" "-w" "3" "--totp" )
>> OTP="oathtool"
>> echo "otp:"
>> "$OTP" "${OTP_OPTS[@]}" "$(printf '%s\n' "$pw_contents" | sed -n 2p)"
>>
>>
>> I think that should suffice.
>>
>> Greetings,
>> Lenz
>>
>> PS: for all the hooking to work you will have to use one of my suggested
>> patches from the thread.
>>
>> On 06.08.2015 at 13:27, stephane croze wrote:
>>> Hi,
>>> Thanks for feedback!
>>>
>>> You are right on the style: I replaced backticks with $().
>>>
>>> I understand the pass style point of view. Minimum dependencies,
>>> standard file name convention, only one functionality: it's certainly
>>> the best way to ensure security and/or robustness.
>>>
>>> But I have one argument to use my fork. It does not change the structure
>>> of my password store. I could still access it without using the "totp
>>> enhancement" fork.
>>>
>>> Thanks for the thread: I have been reading it. I did not understand
>>> everything... I'm just an end-user. And like all the end-users, I'm
>>> looking for usability. So, my idea was to have a single command to get
>>> both the password and TOTP.
>>>
>>> Thus, I'll try your script "subcommand_hooks". Yes, I like the idea.
>>> It's more secure because:
>>> * it must be signed to be executed.
>>> * it allows adding functionality without modifying the core code.
>>> A priori, do you think it's possible to obtain the same result as "totp
>>> enhancement": just one command to get the two factors?
>>>
>>> thanks in advance :)
>>> Stephane
>>>
>>>
>>> On 05/08/2015 15:33, Lenz Weber wrote:
>>>> Hi,
>>>> this looks like a great idea!
>>>>
>>>> On the code itself: it looks fine to me, but I would replace the
>>>> backticks with $(), as that style is used everywhere else in pass.
>>>>
>>>> But at the moment, I think there are some concerns that may keep it from
>>>> getting integrated (but this is just guesswork, I'm not the maintainer)
>>>>  * it introduces a new dependency: oathtool
>>>>  * it introduces a new file name convention which impacts other commands
>>>>  * it moves a bit away from the "only one functionality" thing pass does
>>>> otherwise.
>>>>
>>>> My thought on this is (and yes, I'm conquering your thread a bit with
>>>> this, sorry):
>>>> This might be a perfect example for a user-defined command hook.
>>>> We have been discussing this idea a few days ago (take a look at the
>>>> archive:
>>>> http://lists.zx2c4.com/pipermail/password-store/2015-August/thread.html#1659
>>>> ).
>>>>
>>>> The gist of it is: you create a script with contents like
>>>>
>>>>     #!/bin/bash
>>>>     # The first line of the entry holds the base32 TOTP secret.
>>>>     OTP_OPTS=( $PASSWORD_STORE_OTP_OPTS "--base32" "-w" "3" "--totp" )
>>>>     OTP="oathtool"
>>>>     # cmd_show is pass's own show function, available inside a hook.
>>>>     "$OTP" "${OTP_OPTS[@]}" "$(cmd_show "$@" | head -n1)"
>>>>
>>>> save it as '~/.password-store/.subcommand_hooks/otp', make it executable
>>>> and sign it and it would be available as
>>>>     pass otp <password-name>
>>>>
>>>> If you like the idea and want to do some testing, I'm desperately
>>>> waiting for feedback ;)
>>>>
>>>> Regards,
>>>> Lenz
>>>>
>>>>
>>>>
>>>> On 05.08.2015 at 13:50, admin wrote:
>>>>> Hello,
>>>>> I apologize for my poor English and my bad code... But I tried to
>>>>> add a functionality to allow password-store to generate a time otp.
>>>>> It's very useful for websites requesting a 2FA totp like google or
>>>>> github. See my fork of the master github password-store:
>>>>> https://github.com/Gambiit/password-store
>>>>> Thanks a lot for password-store, Best regards :)
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Password-Store mailing list
>>>>> Password-Store at lists.zx2c4.com
>>>>> http://lists.zx2c4.com/mailman/listinfo/password-store
>>>>
>>>>
>>>>
> 
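Added example, not code from this thread, from pass or from oathtool: a self-contained Python version of what the `oathtool --base32 --totp` step in the hooks above computes, reading the two-line entry layout the thread settles on (line 1 password, line 2 base32 secret). It also shows the window check that oathtool's `-w` performs when validating a code. The sample entry is constructed; its secret is the RFC 6238 test key "12345678901234567890" in base32, so the codes can be checked against the RFC's published vectors.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample of a pass entry in the two-line layout discussed in the
# thread: line 1 is the site password, line 2 is the base32 TOTP secret.
# The secret is the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_ENTRY = "correct horse battery staple\nGEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ\n"


def split_entry(contents):
    """Return (password, base32_secret) from a two-line pass entry.

    Splitting on newlines explicitly (rather than echoing an unquoted
    variable through sed) keeps the lines separate even when the
    password itself contains spaces.
    """
    lines = contents.splitlines()
    if len(lines) < 2:
        raise ValueError("entry needs a password line and a secret line")
    return lines[0], lines[1].strip()


def decode_base32(secret):
    """Decode a base32 secret, tolerating lowercase, spaces and missing padding."""
    cleaned = secret.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP for a base32 secret at unix time `at` (default: now)."""
    if at is None:
        at = time.time()
    return hotp(decode_base32(secret_b32), int(at) // step, digits)


def verify_totp(secret_b32, candidate, at=None, window=3, step=30):
    """Accept `candidate` if it matches any of the +/- `window` adjacent steps.

    This mirrors oathtool's "-w" when validating a code: a wider window
    tolerates clock drift between client and server, but it also multiplies
    the number of codes accepted at any instant, so keep it small.
    """
    if at is None:
        at = time.time()
    key = decode_base32(secret_b32)
    base = int(at) // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter < 0:  # no valid steps before the epoch
            continue
        if hmac.compare_digest(hotp(key, counter), candidate):
            return True
    return False


def show_with_otp(contents, at=None):
    """Mimic the hook's output: the password, then the current TOTP."""
    password, secret = split_entry(contents)
    return {"password": password, "otp": totp(secret, at)}


if __name__ == "__main__":
    # RFC 6238 Appendix B lists 94287082 (8 digits) at t=59 for SHA-1;
    # the 6-digit form is its last six digits, 287082.
    result = show_with_otp(SAMPLE_ENTRY, at=59)
    print("password:", result["password"])
    print("otp:", result["otp"])
```

Running the block with a live clock (`show_with_otp(SAMPLE_ENTRY)`) gives the same code an authenticator app would show for that secret; the `at` parameter exists only so the RFC vectors can be reproduced.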