fe6671f
@@ -104,7 +104,7 @@
kinit -n @$domain -c FILE:$armorcache
F_PASSWORD=$(systemd-ask-password "FAS password:")
- F_OTP=$(systemd-ask-password "FAS OTP (leave blank if not configured):")
+ F_OTP=${FKINIT_OTP:-$(systemd-ask-password "FAS OTP (leave blank if not configured):")}
echo -n ${F_PASSWORD}${F_OTP} | kinit -T FILE:$armorcache $_arg_user@$domain >/dev/null
unset F_PASSWORD
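Review bot: `F_OTP` is never cleared after the `kinit` call, although `unset F_PASSWORD` on the following line clears the password; add `unset F_OTP` beside it. Also note that a value passed in `FKINIT_OTP` lives in the environment, which is inherited by every child process the script spawns and is readable by other processes of the same user (`/proc/<pid>/environ`), so reading the OTP from a file descriptor or stdin would contain it better than an environment variable does. The `--help` text should document `FKINIT_OTP` so users know the prompt can be bypassed this way.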
This allows me to run:
$ FKINIT_OTP=$(ykman oath accounts code accounts.fedoraproject.org --single) fkinit
I can even alias this:
$ alias fkinit='FKINIT_OTP=$(ykman oath accounts code accounts.fedoraproject.org --single) fkinit'
And the invocation then looks like this:
$ fkinit
Touch your YubiKey...
🔐 FAS password: (press TAB for no echo)
cc @sgallagh
I am slightly concerned about the potential for using $FKINIT_OTP to bypass the "second factor" almost entirely (by using the CLI for a password wallet like Bitwarden/1Password) to retrieve the OTP value.
That said, to be able to do that, they'd already have to have authenticated against the wallet with the master password of that wallet, so I guess we'd be switching from "something you know and something you have" to "two different things you know". Which is not great, but maybe an acceptable tradeoff.
Well, you can do that now as well. Except you need to copy it and paste it.
Yeah, there's nothing stopping anyone from reimplementing this to do it that way in any case, so I guess I don't really have a strong opposition to it.
I formerly used to call fkinit using a script that securely obtained my password and OTP from elsewhere and passed them concatenated to fkinit. Since that broke and I subsequently noticed (today), I've updated my script to basically do the same but call kinit directly. I'd love to be able to do so with fkinit again, or use environment variables for both as here for OTP.
I think OTP should be read from a file descriptor instead, not potentially shareable by other processes. I have filed issue #181 stating stdin cannot be used anymore.
It may make more sense to ask interactively just for the password from the terminal and give it some fd reference to read the secret from.
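The file-descriptor approach suggested above, as an added example that is not fkinit's own code: the password is still prompted interactively, while the OTP is read from a descriptor the caller opens. The variable name `FKINIT_OTP_FD` is hypothetical, chosen for this example only.

```shell
#!/bin/sh
# Added example, not part of fkinit. The caller opens a descriptor holding the
# OTP and names it in FKINIT_OTP_FD (a hypothetical variable, an assumption of
# this example). The OTP then never appears in argv or in the environment, so
# neither the process table nor /proc/<pid>/environ exposes it.

# Read one line from the numbered descriptor given as $1; fail on a bad number
# or an unopened descriptor.
read_otp_fd() {
    fd="$1"
    case "$fd" in
        ''|*[!0-9]*) return 1 ;;   # must be a plain descriptor number
    esac
    # the number is validated above, so eval only builds "<&N"
    eval "read -r otp <&$fd" || return 1
    printf '%s' "$otp"
}

# Use the descriptor when one was handed over, otherwise fall back to the
# interactive prompt exactly as fkinit does today.
get_otp() {
    if [ -n "${FKINIT_OTP_FD:-}" ]; then
        read_otp_fd "$FKINIT_OTP_FD"
    else
        systemd-ask-password "FAS OTP (leave blank if not configured):"
    fi
}

# In the kinit step both secrets travel through a pipe, never through argv:
#   { printf '%s%s' "$F_PASSWORD" "$(get_otp)"; } | kinit -T FILE:$armorcache "$user@$domain"
# Caller, feeding the YubiKey code on descriptor 3:
#   ykman oath accounts code accounts.fedoraproject.org --single | FKINIT_OTP_FD=3 fkinit 3<&0
```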
I just proposed https://pagure.io/fedora-packager/pull-request/182 to address the original request of this ticket and also to clean up a potential attack vector (examining the echo command in the process table).
I adopted your changes into my patch in #182 and also modified the HELP text to describe that $FKINIT_OTP could be used.
This was merged as part of #182 (and is now part of https://src.fedoraproject.org/rpms/fedora-packager/pull-request/11 because this upstream is actually dead).
Pull-Request has been closed by sgallagh