mcepl / gen-oath-safe Goto Github PK

...instead they print the QR code:

$ gen-oath-safe --help

INFO: Bad or no token type specified, using TOTP.
INFO: No secret provided, generating random secret.

...

Each executable in standard binary directories should have a man page.

Red Hat Enterprise Linux Server release 7.3 (Maipo)
gen-oath-safe-0.10.0-1.el7
generating a key gives a warning
File "", line 1
import sys; import base64; import binascii; print base64.b32encode(binascii.unhexlify(sys.stdin.read()))
the created key appears valid but causes force closes in freeotp.

surrounding the statement
import sys; import base64; import binascii; print (base64.b32encode(binascii.unhexlify(sys.stdin.read())))
allows the token to be created without errors but the created token is invalid.

gen-oath-safe uses python2 , which is obsolete (see https://www.python.org/doc/sunset-python-2/).
To work with python3 line 107 should to be replaced with

b32key="$(echo -n "$hexkey" | python3 -c "import sys; import base64; import binascii; print(base64.b32encode(binascii.unhexlify(sys.stdin.read())).decode(\"utf8\"))")"

Thanks for this nice snippet, but why do you have caca as a dependency? qrencode should be enough?

Try this:

for t in ANSI ANSI256 ASCII ASCIIi UTF8 ANSIUTF8;
do
    qrencode --type $t "gen-oath-safe"; 
    sleep 2; 
done;

Hi,

I have a french keyboard, and it turn out that this break usage out of the box of the yubikey, see https://qa.ubuntu.com/2012/11/24/yubikey-and-french-keyboard-layout-on-ubuntu/

So I found out of the option, but you have to use it when flashing the key, otherwise you erase the key.

What about setting it by default if the layout is french, and the firmware is sufficient new ( ie > 2.3 ).

PR #10 broke key lengths. Culprit is line 117:

hexkey="$(printf '%s' $hexkey | base32 | tr -dc '[:alpha:][digit]' | od -tx1 -An | tr -d '[:space:]' | head -c 30 | tr -d '\n')"

It generates a 30 char hex value which results in a 24 char base32 value. However, the hex key should have 40 chars, the resulting base32 key should have 32 chars. This also breaks provisioning of yubikeys, which require a 40 char hex value, resulting in error Invalid key string.

To correct the issue the line should be:

hexkey="$(printf '%s' "${hexkey}" | base32 | tr -dc '[:alpha:][digit]' | od -tx1 -An | tr -d '[:space:]' | head -c 40 | tr -d '\n')"

I'll prepare a pr that fixes this issue.

Since the user has to copy the command line to execute it on a yubikey, what about detecting if a yubikey is plugged currently ( one and only one ) and run the command instead of of asking to the user to do it ? This way, this prevent the issue of having the command with the seed in history, since the recommendation of using history -c can be a bit annoying.

( of course, we would need to ask the slot, and this could maybe also serve for #2 to detect if we can set the numeric-keypad option )