gitea two factor auth hashes derived from zlib fail to parse.

pass-otp has been moved in the official community repository of archlinux, therefore it is not in the AUR any-more. You should update the README to this fit change.

It also means, Foxboron is the new arch maintainer of pass-otp.

I ended up updating the call to qrcode to be qrencode -t ANSI -o - "$otp_uri" "OTP key URI for $path" to display the QR code for importing elsewhere.

Hi,

It seems that for some reason, the 2FA TOTP at discordapp.com does not seem to work with pass-totp, using any of SHA-1, SHA-256, or SHA-512. It does work with other mobile authentication apps though (e.g. Authy or Google Authenticator), so I'm not sure if I'm missing something here.

Will provide more info as needed.

The cmd_otp_append function does not set a value for the local variable prompt, which is passed to otp_read_uri in order to display the target secret's path when prompting the user for the TOTP secret.

This results in:

$ pass otp append -s -i example.com -a [email protected] example.com/foo
Enter secret for :
Retype secret for :

Ref https://github.com/passff/passff/issues/200

pass otp ls [--update] [subfolder]
    List files in the password store containing OTP secrets. Optionally, update an
    external index of said files, using this index for future searches.

Motivation: Third-party pass frontends may find it difficult to integrate with this extension, because one must decrypt a passfile before determining if it contains an OTP secret. Said decryption takes around 1 second per file when using a GPG smartcard on my laptop, so 30-ish passfiles take around 30 seconds to run pass grep, so delegating to that built-in feature is not feasible for a performant UI.

A separate index is proposed, i.e. $PREFIX/.otp-index, on each line containing a relative pass to a password store entry containing an otpauth:// entry. This index is updated automatically upon pass otp insert. The index may be force-refreshed using the --update option to pass otp ls.

Future commands to manipulate password store entries should update the index appropriately; i.e. a pass otp rm command should remove its entry from the index.

Hi,

I just installed pass-otp in Ubuntu, got the message "pass-otp installed successfully", but when I run any pass otp command I have this:

Error: otp is not in the password store

As if it wasn't installed. Am I missing something?

Move to the OTP Key URI Format for key storage, respecting the default values in that specification.

This obviates #7 and #8.

Hello,

Thanks for putting the work into making this 👍

A quick note about your Makefile, I know that some Linuxes put stuff into /usr when they shouldn't, but to consult man hier...

/usr/local
    This is where programs which are local to the site typically go.

Using /usr is a bit of an endemic no-no, but if we all work together, we can make a difference!

Again, much appreciation for the time you've put into this.

Hi,

is there a possibility to show the time, when the next code will be created?

Thanks

the otpauth document clearly states: "The padding specified in RFC 3548 section 2.2 is not required and should be omitted." but, one ignorant user might include the padding, and be confused. the following would be tolerant of such aberrant behavior. (who, me?!!?!)
`*** otp.bash 2017-12-18 22:45:18.291831917 +0530
--- /usr/local/lib/password-store/extensions/otp.bash 2018-01-17 17:08:03.544472496 +0530

*** 41,47 ****
local p=${BASH_REMATCH[7]}
local IFS=&; local params=(${p[@]}); unset IFS

! pattern='^(.+)=(.+)$'
for param in "${params[@]}"; do
if [[ "$param" =~ $pattern ]]; then
case ${BASH_REMATCH[1]} in
--- 41,47 ----
local p=${BASH_REMATCH[7]}
local IFS=&; local params=(${p[@]}); unset IFS

! pattern='^([^=]+)=(.+)$'
for param in "${params[@]}"; do
if [[ "$param" =~ $pattern ]]; then
case ${BASH_REMATCH[1]} in
`

Hi,

Pass bash completion does not work when using the otp command in Ubuntu (with other non pass-otp commands it does work).

I am using pass v1.7 and pass-otp v1.0.0.

Thanks

Normall when I insert a password, it is added to a git commit. When using pass-otp to add an otp commit, it doesn't.

Just wondering if there's any way that fish shell completion could be implemented? It would really help a lot!

Hi, first time using pass-otp (migrating passwords to pass recently).
I have got the URI from a qrcode, manually added to google authenticator and at the same time to pass-otp.
Both generate codes, but just the one from google authenticator works. Tested pass-otp on linux and osx, several times (deleting, generating new qrcode/uri, adding).

Any thoughts on this? Is something related to timezone (-3 here, Brazil)?

Thanks for this extension ;)

Hi,

I really like your pass extension and want to package it for Debian.
There are some improvements in the code since the last release and I'd like to ship them to the Debian users. Would you mind releasing a new version which I could pick for Debian?

Thanks,

Philip

You need to write some tests to verify this extension on every future update. You can take a look at the tests written for Pass, they use Sharness and it's very easy to use.

Cheers!

the passdmenu is obviously very nice and useful.

It would be nice if either the upstream one supported this, or this project shipped with a dmenu script.

What are your thoughts?

Accepting the URI as an argument is a security risk, which is why pass insert doesn't allow it. If users want to be insecure, they can still do echo "$uri" | pass otp insert.

Just convert otp.bash to otp.bash.in with template variables to replace the which $foo subshells.

Could you please sign releases with your GPG key? This would make it possible to check if the content of the tarball is really what you released.

There is a documentation how to do that if you need guidance:

https://wiki.debian.org/Creating%20signed%20GitHub%20releases

Thanks,

Philip

I like the elegance of this extension, but it's been bothering me more and more lately that this breaks the 2FA assumption most sites use TOTP for. While your password store is unlocked, any malware can steal your password AND TOTP code at the same time.

A safer way would at least require a separate GPG key and put the OTP codes under separate pass files, or maybe an entirely separate pass store. But that breaks the workflow that pass-otp was designed for.

Right now pass-otp is helping me appear more secure to the Big Five than I actually am.

Just updated to 1.0.0 and noticed that I'm not using the old format, is there an upgrade path, or should I just manually do it.

Also, for what its worth, I think that having default settings, and just asking for a secret as opposed to the URI input (maybe as a flag?).

Cheers,

Hugh

It would be nice if pass files were yaml compliant.

Allowing otp uri's to be prefixed with otp: otpauth://* follows a standard convention and allows for parsing pass file contents as yaml.

Steam seems like using a 5 character length otp key other than 6 character length digits. KeeTrayTOTP (https://github.com/victor-rds/KeeTrayTOTP) has supported this format, and this may be a quite important feature for pass users as well.

Hi there! First off, I'd like to mention that I've been maintaining totp-cli for quite a while now, but I'd really like to just join efforts and avoid having too tools with such a large overlap. Plus, pass-otp is a lot more feature complete and is better integrated (eg: as an extension).

There's only one feature that I'm finding critical, and it's the input/file format. It looks like entries expect a otpauth:// URL, but pass-otp doesn't provide the tools to generate convert a key to this format. While this is quite machine friendly, it leaves user crafting URI manually, just to have a tool parse it (and that really doesn't make sense). I haven't seen any services that provide an otpauth:// either, but all do provide the raw key (I think battle.net is the strong exception here, but they provide neither).

Following on this, the file layout is really counter-intuitively formatted (and importantly, doesn't really follow pass's layout). I'm pretty sure that the old format is closer to more pass-like. totp-cli's format is also a bit close (though this one has a lot less features). It's basically "key in the first line, extra args in the following ones).

Would you have any objections in PRs to clean all this up? How do you feel about these details in general?

Sorry for the late notification (my PR for pass-otp got merged on 2018-03-16).
Installation is done with the usual/regular emerge app-admin/pass-otp so you might want to just say it’s available on gentoo.

Is it possible to either retrieve it for pasting or inject it into the password field on the page via the extension?

I'm a fool. Wrong project.

You should have received a copy of the GNU General Public License along with this program.

The licence text is not included in the repo.

pass-otp-insert help text

pass otp insert [--force,-f] [--echo,-e]
        [[--secret, -s] [--issuer,-i issuer] [--account,-a account]]
        [pass-name]
    Prompt for and insert a new OTP key.

    If 'secret' is specified, prompt for the OTP secret, assuming SHA1
    algorithm, 30-second period, and 6 OTP digits; one of 'issuer' or
    'account' is also required. Otherwise, prompt for a key URI; if
    'pass-name' is not supplied, use the URI label.

    Optionally, echo the input. Prompt before overwriting existing URI
    unless forced. This command accepts input from stdin.

Emphasis on the following: one of 'issuer' or 'account' is also required. That statement seems to be inaccurate - see the following:

$ pass otp insert --secret --account [email protected] test
Missing issuer or account

$ pass otp insert --secret -a [email protected] test
Missing issuer or account

I use a subfolder for all my otp secrets, it would be handy to have an env variable for what is the "root" of a pass-otp store, so that I can do pass-otp insert totp blah and it saves it as otp/blah.gpg instead of blah.otp

Can you enlighten me what is the use case for this plugin? Don't get me wrong, it's just curiosity as I tried to come up with a compelling user story and couldn't find one.

Thoughts on adding pymarkdownlint to make lint?

$ markdownlint README.md 
README.md:1: R1 Line exceeds max length (119>80)
README.md:51: R1 Line exceeds max length (107>80)
README.md:83: R1 Line exceeds max length (111>80)
README.md:84: R1 Line exceeds max length (111>80)
README.md:85: R1 Line exceeds max length (93>80)
README.md:86: R1 Line exceeds max length (85>80)
README.md:87: R1 Line exceeds max length (97>80)
README.md:88: R1 Line exceeds max length (105>80)
README.md:89: R1 Line exceeds max length (103>80)
README.md:90: R1 Line exceeds max length (91>80)
README.md:91: R1 Line exceeds max length (95>80)
README.md:92: R1 Line exceeds max length (101>80)
README.md:93: R1 Line exceeds max length (93>80)
README.md:94: R1 Line exceeds max length (95>80)
README.md:95: R1 Line exceeds max length (101>80)
README.md:96: R1 Line exceeds max length (97>80)
README.md:97: R1 Line exceeds max length (89>80)
README.md:98: R1 Line exceeds max length (93>80)
README.md:99: R1 Line exceeds max length (111>80)
README.md:100: R1 Line exceeds max length (111>80)
README.md:101: R1 Line exceeds max length (111>80)
README.md:141: R1 Line exceeds max length (85>80)
$ markdownlint CHANGELOG.md
CHANGELOG.md:10: R1 Line exceeds max length (97>80)
CHANGELOG.md:18: R1 Line exceeds max length (122>80)

It’s probably too late now as it’s published but the tarball tree is using pass-otp-version as a root directory instead of pass-otp-1.1.1 which is quite the standard and what you used before.

Considering that in most cases in which pass-otp would be used these days (2FA mainly), the OTP type is TOTP, couldn't this be made default rather than having the line otp_type: totp in every single pass file?

pass already has a Firefox addon. It would be great if we could integrate pass-otp to it.

Good evening,

I've been trying to use pass-otp for the Two Factor Authentication process of Protonmail, GitLab and GitHub. I was only able to use it for Protonmail. This is the result when trying to add the URI codes
provided by the two former:

# Here I try GitLab. At first with the URI as provided, with spaces, and then without any spaces.
paine@host:~$ pass otp insert git/gitlab/2fa
Enter otpauth:// URI for git/gitlab/2fa: 
Retype otpauth:// URI for git/gitlab/2fa: 
Cannot parse OTP key URI: vryn rqia 6idd qmf5 mwrb nyh4 24kn xebt
paine@host:~$ pass otp insert git/gitlab/2fa
Enter otpauth:// URI for git/gitlab/2fa: 
Retype otpauth:// URI for git/gitlab/2fa: 
Cannot parse OTP key URI: vrynrqia6iddqmf5mwrbnyh424knxebt

# Here I try to use "validate" in order to check the URI provided by GitHub.
paine@host:~$ pass otp validate 5n3b7gaeia3zgtku
Cannot parse OTP key URI: 5n3b7gaeia3zgtku
paine@host:~$ 

Was anyone here successful using pass-otp for these 2FA verifications? If so, what did I miss?

The URL generated by https://github.com/go-gitea/gitea causes pass-otp to fail as demonstrated below:

~ ❯❯❯ pass otp git.stengle.in
/usr/bin/oathtool: invalid argument, "SHA1", for option `--totp'

It generates something of the form otpauth://totp/git.stengle.in:ocelotsloth?algorithm=SHA1&digits=6&issuer=git.stengle.in&period=30&secret=****************.

Because the SHA1 is all caps, oathtool fails because it only accepts sha1, sha256, or sha512. Admittedly, this is an issue on oathtool's end, and I'll be reporting there, but simply normalizing the call to oathtool should fix the problem for now with pass-otp.

the program "which" is required for finding oathtool and is not a listed dependncy for this.
My arch linux build did not come with which installed by default and pass otp was failing saying it could not find oathtool due to this. I installed whiched, which fixed this issue.

Some services render the OTP secret with spaces, like ABCD DEFG GHIJ. I guess that's for readability, as if humans were actually typing them into their OTP apps, poor devils.

Anyway, if you paste such a secret straight into otp append, it'll work, but the URI in the file will be malformed because the spaces aren't urlencoded or elided. It's recoverable if you know what's going on, but it would be mysterious to anyone else.

I suggest urlencoding or eliding spaces, and then of course making sure that otp show is handling urlencoding properly.

Hello 👋

I had originally setup pass otp by inserting a new QR code via zbarimg (which works fine, e.g. pass otp -c foo/bar/otp copies a 2FA code to my clipboard).

I noticed in the README that there was a way to display the QR code that was originally used as part of the insert operation, but when I try to use it I get output from ImageMagik instead of the QR?

pass otp uri -q foo/bar/otp

Version: ImageMagick 7.0.9-7 Q16 x86_64 2019-12-01 https://imagemagick.org                                                                                              
Copyright: © 1999-2020 ImageMagick Studio LLC                                                                                                                           
License: https://imagemagick.org/script/license.php                                                                                                                     
Features: Cipher DPC HDRI Modules OpenMP(3.1)                                                                                                                           
Delegates (built-in): bzlib freetype heic jng jp2 jpeg lcms ltdl lzma openexr png tiff webp xml zlib                                                                    
Usage: display [options ...] file [ [options ...] file ...]                                                                                                             
                                                                                                                                                                        
Image Settings:                                                                                                                                                         

...

display: delegate library support not built-in '' (X11) @ error/display.c/DisplayImageCommand/1877.

Any ideas what I might be missing?

Thanks!

Make pass-name optional, since otpauth:// URIs contain a label intended to disambiguate tokens by issuer/accountname. Continue to support the pass-name argument.

It would be useful to store tokens as additional fields in existing pass files, and support modifying tokens without destroying existing pass data.

#9 would make this simple.

I recently installed pass 1.7.1 on Ubunutu 17.04 and then installed this plugin to support my 2fa tokens. However whenever i run the pass otp show foo/bar command, I get an empty line of output instead of the expected 2fa code. I have oathtool installed and the exit code of the pass otp show command is zero, so i have to assume that everything is being run correctly. I have the same setup on an OS X 10.12 machine that works fine.

Env:

• macOS Sierra with zsh
• I installed pass via "brew install pass"

When I "sudo make install PREFIX=/usr/local" (my pass installed via brew is here /usr/local/lib/password-store), I saw:

pass-otp git:(master) ✗ sudo make install PREFIX=/usr/local        
install: pass-otp.1 -> /usr/local/share/man/man1/pass-otp.1
install: otp.bash exists but is not a directory
make: *** [install] Error 71

After a small change like this, it succeed:

diff --git a/Makefile b/Makefile
index c3ad5b1..5654947 100644
--- a/Makefile
+++ b/Makefile
@@ -16,7 +16,7 @@ all:
 install:
        @install -v -d "$(DESTDIR)$(MANDIR)/man1" && install -m 0644 -v pass-$(PROG).1 "$(DESTDIR)$(MANDIR)/man1/pass-$(PROG).1"
        @install -v -d "$(DESTDIR)$(SYSTEM_EXTENSION_DIR)/"
-       @install -Dm0755 $(PROG).bash "$(DESTDIR)$(SYSTEM_EXTENSION_DIR)/$(PROG).bash"
+       @install -m0755 $(PROG).bash "$(DESTDIR)$(SYSTEM_EXTENSION_DIR)/$(PROG).bash"
        @echo
        @echo "pass-$(PROG) is installed succesfully"
        @echo
(END)

My versions are as follows:

$ brew info pass

pass: stable 1.7.3 (bottled), HEAD
Password manager
https://www.passwordstore.org/
/usr/local/Cellar/pass/1.7.3 (34 files, 147KB) *
  Poured from bottle on 2018-10-02 at 07:55:39
From: https://github.com/Homebrew/homebrew-core/blob/master/Formula/pass.rb
==> Dependencies
Required: gnu-getopt ✔, gnupg ✔, qrencode ✔, tree ✔
==> Options
--HEAD
	Install HEAD version
==> Caveats
Bash completion has been installed to:
  /usr/local/etc/bash_completion.d

zsh completions have been installed to:
  /usr/local/share/zsh/site-functions

fish completions have been installed to:
  /usr/local/share/fish/vendor_completions.d
Emacs Lisp files have been installed to:
  /usr/local/share/emacs/site-lisp/pass
==> Analytics
install: 2,150 (30 days), 6,295 (90 days), 31,640 (365 days)
install_on_request: 2,080 (30 days), 6,045 (90 days), 29,217 (365 days)
build_error: 0 (30 days)

$ brew info pass-otp

pass-otp: stable 1.2.0 (bottled)
The Pass extension for managing one-time-password (OTP) tokens
https://github.com/tadfisher/pass-otp#readme
/usr/local/Cellar/pass-otp/1.2.0 (8 files, 66.2KB) *
  Poured from bottle on 2019-03-01 at 22:33:44
From: https://github.com/Homebrew/homebrew-core/blob/master/Formula/pass-otp.rb
==> Dependencies
Required: oath-toolkit ✔, pass ✔
==> Caveats
Bash completion has been installed to:
  /usr/local/etc/bash_completion.d
==> Analytics
install: 85 (30 days), 206 (90 days), 236 (365 days)
install_on_request: 85 (30 days), 206 (90 days), 236 (365 days)
build_error: 0 (30 days)

I am on MacOS Mojave 10.14.3 running zsh 5.6.2.

I am unable to run any commands per the README.

$ pass otp example-name
Error: otp is not in the password store.

$ pass otp insert example-name
Error: otp is not in the password store.

Hi. I am using Mac. Instead of sudo make install, I installed pass-otp via make install PREFIX=/usr/local (without sudo).

This is not an issue. Just don't know where to put this comment about "readme". :-)

oathtool does not require me to specify a TOTP hash algorithm and will default to sha1. So if I don't specify otp_algorithm, it should use the default, rather than writing this error:

Missing otp_algorithm: line in …

Super useful little add-on to pass, thanks for this @tadfisher!

Has it crossed your mind to put a small migrator from Google Authenticator to pass-otp.

On a rooted Android handset it's as easy as dumping the corresponding sqlite3 database from the corresponding directory. Then this silly bit of sqlite/bash script did the trick for me in order to convert rows into pass-otp urls:

#!/bin/bash

sqlite_run="sqlite3 -batch $HOME/tmp/foo"

# After dumping the database from a rooted android phone using the following SO hints:
# https://android.stackexchange.com/questions/63252/how-do-i-back-up-google-authenticator#86861
#
#sqlite> .schema accounts
#CREATE TABLE accounts (_id INTEGER PRIMARY KEY, email TEXT NOT NULL, secret TEXT NOT NULL, counter INTEGER DEFAULT 0, type INTEGER, provider INTEGER DEFAULT 0, issuer TEXT DEFAULT NULL, original_name TEXT DEFAULT NULL);

# The idea is to extract and convert this:
#$ sqlite3 -batch ~/tmp/foo "select * from accounts;"
#2|Google:[email protected]|SECRET|0|0|0|Google|Google:[email protected]
#
# To this:
#otpauth://totp/[email protected]@Google?secret=SECRET&issuer=Google

for id in $($sqlite_run "select _id from accounts;"); do
    email=$($sqlite_run "select email from accounts where _id=$id")
    secret=$($sqlite_run "select secret from accounts where _id=$id")
    issuer=$($sqlite_run "select issuer from accounts where _id=$id")
    echo "otpauth://totp/${email}?secret=${secret}&issuer=${issuer}"
done

I tried to run the testing part and there is some that are failing, qrencode is present btw (even if qrcode is disabled in the USE flags).

• ebuild: https://hacktivis.me/git/overlay/file/app-admin/pass-otp/pass-otp-1.1.0.ebuild.html
• build.log
• system information (there is a lot of noise in there, specially in the middle…)
  • Pass version: 1.7.1