-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add option to otp-cache to create custom aliases #179
Comments
Thank you for bringing this up!
Yes, I think so. I try to use the FQDN of a service as slot name, but even that isn’t possible for some longer domains. It always bugged me that I have to abbreviate the slot names, but I didn’t think of this elegant solution. I don’t like storing the aliases in the cache file. It is semantically wrong, and it makes the update process more complicated. For example, if the name for slot 0 changes from My suggestion would be to have an [aliases.0xdeadbeef]
"arn:aws:iam::123456123456:mfa/testuser" = "aws"
"some.long.name.example.org" = "s.l.n.example.o" We could also have a One open question is what we should do if for an alias |
On second thought, there is another aspect to this question: I would like to see the alias in the output of I think it might be better to use a 1:1 relation between aliases and original names, clearly intended to provide a workaround for the short slot length (and not as a generic alias feature). In this case, we would only use the alias in the UI and would no longer accept the original name as a valid slot name. Maybe name override or name replacement would be a more appropriate term for this kind of feature, clearly indicating that the original name is replaced. |
Good to see someone else use extensions :-) I agree with Robin's sentiment that a 1:1 relationship would be nice. So basically, we'd have: In [override.aws]
name = "arn:aws:iam::123456123456:mfa/testuser" In [[totp]]
name = "aws"
id = 0
[[totp]]
name = "github.com"
id = 1 Results in: $ nitrocli otp-cache list
alg slot name
totp 0 arn:aws:iam::123456123456:mfa/testuser
totp 1 github.com @trevor87 does this sound reasonable to you? Will you take a stab at the implementation? |
Thanks for your quick replies! I'm very happy to see that you support this idea! In my opinion the override approach is a good solution for the issue of too short slot names described in #179 (comment). Nevertheless, I think ideally we would have both overrides and aliases as they solve different problems: In my situation I would still want to be able to use the get command on both slot-names, so e.g. Still, I think it would make sense to start with the override function and eventually add the alias approach later on. Regarding the implementation: I currently have little time and have never used rust before but I will give it a shot and see how far I get. |
First of all, thanks for your great work!
I wrote an extension to make aws-vault work with the latest nitrocli dev version using otp-cache. It automatically calls
nitrocli otp-cache
and uses the returned MFA-token. Unfortunately setup is currently quite complicated and not very stable.The reason is this: aws-vault is only able to pass a string of the format
arn:aws:iam::[account-id]:mfa/[your-iam-username]
to nitrocli as an identifier for the needed OTP. At first I thought to simply change the slot name of an nitrokey entry to this format (this is the current solution for yubikeys), but then I learned that the identifier is too long (The provided slot name is too long (actual length: 39 bytes, maximum length: 15 bytes)
).To make it work I therefore manually added an entry into the file in
~/.cache/nitrocli-otp-cache
.e.g.
This works, but is not a very stable solution, as it gets deleted when I update the entries in the cache.
Therefore my question: Do you think it would be possible/useful to have a feature for persistent aliases in nitrocli otp-cache?
e.g. instead of the above one could have:
Sorry for the long text!
The text was updated successfully, but these errors were encountered: