Comments (4)
Thanks for your quick replies! I'm very happy to see that you support this idea!
In my opinion the override approach is a good solution for the issue of too short slot names described in #179 (comment).
Nevertheless, I think ideally we would have both overrides and aliases as they solve different problems:
In my situation I would still want to be able to use the get command on both slot-names, so e.g. nitrocli otp-cache get aws and nitrocli otp-cache get arn:aws:iam::123456123456:mfa/testuser. The reason for this being that it would be very tedious to type out the whole override name and it is only needed for technical interoperability with aws-vault. In a list view I would therefore also prefer aws to the long slot name.
Still, I think it would make sense to start with the override function and eventually add the alias approach later on.
Regarding the implementation: I currently have little time and have never used Rust before, but I will give it a shot and see how far I get.
from nitrocli.
On second thought, there is another aspect to this question: I would like to see the alias in the output of nitrocli otp-cache list because I use that to open a dmenu that lets me choose the PWS slot. The term alias implies that I can have multiple aliases for the original name, and that the original name is valid too. So we would probably have to list only the original name, or the original name and all aliases.
I think it might be better to use a 1:1 relation between aliases and original names, clearly intended to provide a workaround for the short slot length (and not as a generic alias feature). In this case, we would only use the alias in the UI and would no longer accept the original name as a valid slot name. Maybe name override or name replacement would be a more appropriate term for this kind of feature, clearly indicating that the original name is replaced.
from nitrocli.
Thank you for bringing this up!
Do you think it would be possible/useful to have a feature for persistent aliases in nitrocli otp-cache?
Yes, I think so. I try to use the FQDN of a service as slot name, but even that isn’t possible for some longer domains. It always bugged me that I have to abbreviate the slot names, but I didn’t think of this elegant solution.
I don’t like storing the aliases in the cache file. It is semantically wrong, and it makes the update process more complicated. For example, if the name for slot 0 changes from aws to aws-testuser – should we keep the alias?
My suggestion would be to have an aliases section in the configuration file (.config/nitrocli-opt-cache/config.toml) instead.
[aliases.0xdeadbeef]
"arn:aws:iam::123456123456:mfa/testuser" = "aws"
"some.long.name.example.org" = "s.l.n.example.o"
We could also have a default section for all devices, but I think that might do more harm than good.
One open question is what we should do if for an alias foo = "bar" both foo and bar are valid slot names. My first thought would be to return an error.
from nitrocli.
Good to see someone else use extensions :-)
I agree with Robin's sentiment that a 1:1 relationship would be nice. So basically, we'd have:
In .config/nitrocli-opt-cache/config.toml:
[override.aws]
name = "arn:aws:iam::123456123456:mfa/testuser"
In .cache/nitrocli-otp-cache/<serial>.toml:
[[totp]]
name = "aws"
id = 0
[[totp]]
name = "github.com"
id = 1
Results in:
$ nitrocli otp-cache list
alg slot name
totp 0 arn:aws:iam::123456123456:mfa/testuser
totp 1 github.com
@trevor87 does this sound reasonable to you? Will you take a stab at the implementation?
from nitrocli.
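The 1:1 override scheme discussed in this thread, sketched as an added example (not code from nitrocli or from any commenter). `Slot`, `apply_overrides`, `resolve` and `sample_slots` are hypothetical names, the slot data is constructed from the values quoted above, and the choice to reject an override whose target is already a slot name follows the "return an error" suggestion in the thread.

```rust
use std::collections::{BTreeMap, HashSet};

// One entry of the per-device cache file (sample data below is constructed).
#[derive(Debug, Clone, PartialEq)]
pub struct Slot { pub alg: &'static str, pub id: u8, pub name: String }

// Replace device slot names with their configured override (1:1, short -> long).
// Hypothetical helper: it errors instead of guessing when a name would be ambiguous.
pub fn apply_overrides(slots: &[Slot], overrides: &BTreeMap<String, String>) -> Result<Vec<Slot>, String> {
    let on_device: HashSet<&str> = slots.iter().map(|s| s.name.as_str()).collect();
    let mut shown = Vec::with_capacity(slots.len());
    let mut used = HashSet::new();
    for slot in slots {
        let name = match overrides.get(&slot.name) {
            // Both sides of the override are real slot names: refuse.
            Some(new) if on_device.contains(new.as_str()) => {
                return Err(format!("override {} -> {}: both are slot names", slot.name, new));
            }
            Some(new) => new.clone(),
            None => slot.name.clone(),
        };
        // Two slots must never end up under the same displayed name.
        if !used.insert(name.clone()) {
            return Err(format!("duplicate slot name after overrides: {}", name));
        }
        shown.push(Slot { name, ..slot.clone() });
    }
    Ok(shown)
}

// Look up a slot by the name the UI shows; the original name is no longer accepted.
pub fn resolve<'a>(shown: &'a [Slot], name: &str) -> Option<&'a Slot> {
    shown.iter().find(|s| s.name == name)
}

pub fn sample_slots() -> Vec<Slot> {
    vec![
        Slot { alg: "totp", id: 0, name: "aws".into() },
        Slot { alg: "totp", id: 1, name: "github.com".into() },
    ]
}

fn main() {
    let mut ov = BTreeMap::new();
    ov.insert("aws".to_string(), "arn:aws:iam::123456123456:mfa/testuser".to_string());
    for s in apply_overrides(&sample_slots(), &ov).unwrap() {
        println!("{}\t{}\t{}", s.alg, s.id, s.name);
    }
}
```

Rejecting ambiguous overrides up front keeps a typed name from ever resolving to a different OTP slot than the one shown in the list.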