
Add option to otp-cache to create custom aliases #179

Open
trevor87 opened this issue Jun 3, 2021 · 4 comments

Comments

@trevor87

trevor87 commented Jun 3, 2021

First of all, thanks for your great work!

I wrote an extension to make aws-vault work with the latest nitrocli dev version using otp-cache. It automatically calls nitrocli otp-cache and uses the returned MFA token. Unfortunately, setup is currently quite complicated and not very stable.

The reason is this: aws-vault is only able to pass a string of the format arn:aws:iam::[account-id]:mfa/[your-iam-username] to nitrocli as an identifier for the needed OTP. At first I thought to simply change the slot name of a Nitrokey entry to this format (this is the current solution for YubiKeys), but then I learned that the identifier is too long (The provided slot name is too long (actual length: 39 bytes, maximum length: 15 bytes)).

To make it work I therefore manually added an entry into the file in ~/.cache/nitrocli-otp-cache.

e.g.

[[totp]]
name = "aws"
id = 0

[[totp]]
name = "arn:aws:iam::123456123456:mfa/testuser"
id = 0

This works, but is not a very stable solution, as it gets deleted when I update the entries in the cache.

Therefore my question: Do you think it would be possible/useful to have a feature for persistent aliases in nitrocli otp-cache?

e.g. instead of the above one could have:

[[totp]]
name = "aws"
alias = "arn:aws:iam::123456123456:mfa/testuser"
id = 0

Sorry for the long text!

@robinkrahl
Collaborator

Thank you for bringing this up!

Do you think it would be possible/useful to have a feature for persistent aliases in nitrocli otp-cache?

Yes, I think so. I try to use the FQDN of a service as slot name, but even that isn’t possible for some longer domains. It always bugged me that I have to abbreviate the slot names, but I didn’t think of this elegant solution.

I don’t like storing the aliases in the cache file. It is semantically wrong, and it makes the update process more complicated. For example, if the name for slot 0 changes from aws to aws-testuser – should we keep the alias?

My suggestion would be to have an aliases section in the configuration file (.config/nitrocli-opt-cache/config.toml) instead.

[aliases.0xdeadbeef]
"arn:aws:iam::123456123456:mfa/testuser" = "aws"
"some.long.name.example.org" = "s.l.n.example.o"

We could also have a default section for all devices, but I think that might do more harm than good.

One open question is what we should do if for an alias foo = "bar" both foo and bar are valid slot names. My first thought would be to return an error.

@robinkrahl
Collaborator

On second thought, there is another aspect to this question: I would like to see the alias in the output of nitrocli otp-cache list because I use that to open a dmenu that lets me choose the PWS slot. The term alias implies that I can have multiple aliases for the original name, and that the original name is valid too. So we would probably have to list only the original name, or the original name and all aliases.

I think it might be better to use a 1:1 relation between aliases and original names, clearly intended to provide a workaround for the short slot length (and not as a generic alias feature). In this case, we would only use the alias in the UI and would no longer accept the original name as a valid slot name. Maybe name override or name replacement would be a more appropriate term for this kind of feature, clearly indicating that the original name is replaced.

@d-e-s-o
Owner

d-e-s-o commented Jun 4, 2021

Good to see someone else use extensions :-)

I agree with Robin's sentiment that a 1:1 relationship would be nice. So basically, we'd have:

In .config/nitrocli-opt-cache/config.toml:

[override.aws]
name = "arn:aws:iam::123456123456:mfa/testuser"

In .cache/nitrocli-otp-cache/<serial>.toml:

[[totp]]
name = "aws"
id = 0

[[totp]]
name = "github.com"
id = 1

Results in:

$ nitrocli otp-cache list
alg     slot    name
totp    0       arn:aws:iam::123456123456:mfa/testuser
totp    1       github.com

@trevor87 does this sound reasonable to you? Will you take a stab at the implementation?

@trevor87
Author

trevor87 commented Jun 4, 2021

Thanks for your quick replies! I'm very happy to see that you support this idea!

In my opinion the override approach is a good solution for the issue of too short slot names described in #179 (comment).

Nevertheless, I think ideally we would have both overrides and aliases as they solve different problems:

In my situation I would still want to be able to use the get command on both slot-names, so e.g. nitrocli otp-cache get aws and nitrocli otp-cache get arn:aws:iam::123456123456:mfa/testuser. The reason for this being that it would be very tedious to type out the whole override name and it is only needed for technical interoperability with aws-vault. In a list view I would therefore also prefer aws to the long slot name.

Still, I think it would make sense to start with the override function and eventually add the alias approach later on.

Regarding the implementation: I currently have little time and have never used Rust before, but I will give it a shot and see how far I get.
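To make the two proposals in this thread concrete, here is an added example (not nitrocli's code, nor from any participant) that reads the per-device cache file and a config.toml `[override.<slot>]` section as sketched above, renders the `otp-cache list` table with the long name substituted, and resolves the argument of `otp-cache get` under either semantics: the "override" policy from Robin's second comment, where the short on-device name is no longer accepted, and the "alias" policy trevor87 prefers, where both names work. It also rejects the open case where the replacement name is itself another slot's real name. The `Policy` enum, function names and the hand-rolled TOML-subset parser are assumptions of this example; the file layouts and the 15-byte slot limit come from the thread.

```rust
use std::collections::BTreeMap;

/// Device-side limit quoted in the issue ("maximum length: 15 bytes").
pub const MAX_SLOT_NAME_BYTES: usize = 15;

/// One `[[totp]]` / `[[hotp]]` entry of the per-device cache file.
#[derive(Debug, Clone, PartialEq)]
pub struct Slot { pub alg: String, pub id: u64, pub name: String }

/// Which lookup semantics `otp-cache get` applies (assumed naming).
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Policy { Override, Alias }

#[derive(Debug, PartialEq)]
pub enum ResolveError { NotFound(String), Conflict(String) }

/// True if the name fits in an on-device slot; the AWS ARN does not.
pub fn fits_slot(name: &str) -> bool { name.len() <= MAX_SLOT_NAME_BYTES }

fn unquote(v: &str) -> String { v.trim().trim_matches('"').to_string() }

/// Hand-rolled parser for the small TOML subset in the cache file
/// (`[[alg]]` array tables with `name`/`id` keys); not nitrocli's parser.
pub fn parse_cache(text: &str) -> Vec<Slot> {
    let mut slots = Vec::new();
    let mut cur: Option<Slot> = None;
    for line in text.lines().map(str::trim) {
        if let Some(alg) = line.strip_prefix("[[").and_then(|l| l.strip_suffix("]]")) {
            slots.extend(cur.take());
            cur = Some(Slot { alg: alg.to_string(), id: 0, name: String::new() });
        } else if let (Some(s), Some((k, v))) = (cur.as_mut(), line.split_once('=')) {
            match k.trim() {
                "name" => s.name = unquote(v),
                "id" => s.id = v.trim().parse().unwrap_or(0),
                _ => {}
            }
        }
    }
    slots.extend(cur);
    slots
}

/// Parse `[override.<slot>]` sections of config.toml into a map from the
/// short on-device name to the long replacement name.
pub fn parse_overrides(text: &str) -> BTreeMap<String, String> {
    let mut map = BTreeMap::new();
    let mut cur: Option<String> = None;
    for line in text.lines().map(str::trim) {
        if let Some(key) = line.strip_prefix("[override.").and_then(|l| l.strip_suffix(']')) {
            cur = Some(key.to_string());
        } else if line.starts_with('[') {
            cur = None; // some unrelated section
        } else if let (Some(slot), Some((k, v))) = (&cur, line.split_once('=')) {
            if k.trim() == "name" { map.insert(slot.clone(), unquote(v)); }
        }
    }
    map
}

/// Reject overrides that point at no slot, and the `foo = "bar"` case where
/// the replacement name is itself another slot's real name.
pub fn validate(slots: &[Slot], ov: &BTreeMap<String, String>) -> Result<(), ResolveError> {
    for (short, long) in ov {
        if !slots.iter().any(|s| s.name == *short) {
            return Err(ResolveError::NotFound(short.clone()));
        }
        if slots.iter().any(|s| s.name == *long) {
            return Err(ResolveError::Conflict(long.clone()));
        }
    }
    Ok(())
}

/// Name shown by `otp-cache list`: the override replaces the slot name.
pub fn display_name<'a>(slot: &'a Slot, ov: &'a BTreeMap<String, String>) -> &'a str {
    ov.get(&slot.name).map(String::as_str).unwrap_or(&slot.name)
}

pub fn render_list(slots: &[Slot], ov: &BTreeMap<String, String>) -> String {
    let mut out = String::from("alg\tslot\tname\n");
    for s in slots {
        out.push_str(&format!("{}\t{}\t{}\n", s.alg, s.id, display_name(s, ov)));
    }
    out
}

/// Resolve the argument of `otp-cache get`. Under Override the short
/// on-device name is no longer accepted; under Alias both names work.
pub fn resolve<'a>(slots: &'a [Slot], ov: &BTreeMap<String, String>, query: &str, policy: Policy)
    -> Result<&'a Slot, ResolveError> {
    slots.iter().find(|s| {
        let long = ov.get(&s.name);
        match policy {
            Policy::Override => long.map_or(s.name == query, |l| l == query),
            Policy::Alias => s.name == query || long.map_or(false, |l| l == query),
        }
    }).ok_or_else(|| ResolveError::NotFound(query.to_string()))
}

fn main() {
    // Constructed inputs mirroring the two files proposed in the issue.
    let cache = "[[totp]]\nname = \"aws\"\nid = 0\n\n[[totp]]\nname = \"github.com\"\nid = 1\n";
    let cfg = "[override.aws]\nname = \"arn:aws:iam::123456123456:mfa/testuser\"\n";
    let (slots, ov) = (parse_cache(cache), parse_overrides(cfg));
    validate(&slots, &ov).expect("override config is consistent");
    print!("{}", render_list(&slots, &ov));
}
```

Running it prints the same three-line table d-e-s-o sketched. The `validate` step is what answers Robin's open question: with `foo = "bar"` where both are real slot names, the config is refused up front rather than silently shadowing one slot with another, so a later `get` can never hit an ambiguous match.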
