Comments (12)
...
Please not that the comment continues after the three dots, even if Github thinks that’s a signature. Also, as I cannot edit comments submitted by mail, I want to make clear that nitrokey-app only sets the time once a device is connected, not with every OTP generation.
Thanks for the explanation @robinkrahl ! No more questions at this point, your honor.
In conclusion, I think my previous suggestion is still valid. But we could use the
*_soft
function per default. If it fails, the user has to pass--ignore-time
to continue anyway or--reset-time
for a “hard” reset.
Sounds good to me!
Internal clock synchronization should be required only once per device's power cycle. It should keep the time then for further TOTP work. I do not know, how much its clock drifts with time, but never seen any issues during normal usage. Devices have no battery, hence the clock is reset on each boot.
Thanks for the clarification @szszszsz !
from nitrocli.
Sounds good! In retrospect I would really have liked to cut a release earlier. We are cramming a lot of features into this one, for no real reason. In my opinion it would have been much better to ship, say the pws
and volume
command introduction and that's it. The rest would come as smaller incremental updates. That would have allowed us to focus on testing (I expect it to be much harder to roll out proper testing now and to think about the corner cases that we would have more easily thought of during feature development) and less features would have meant an easier time getting the documentation up to date (although admittedly that is not a big deal).
But we have what we have (and lack of testing hardware certainly was a factor), so no pulling back now. So yes, given that this sounds like an impediment to the functioning of already merged functionality we should add support for clock synchronization. Will that require an additional dependency (if we decide go with reading the host time)?
from nitrocli.
from nitrocli.
To be honest, I just forgot about this issue because it was six months since I implemented the OTP support in
nitrokey
. After thinking about the issue some more, I think it would be best to add a--time
option to theotp get
command. Then we could always set the time before generating the OTP – either to the system time or to the given timestamp if--time
is set.
Sure, no worries. My remarks were more of a general nature than specific to this issue (so perhaps that wasn't the best place to articulate them). So the interface you propose is:
nitrocli otp get --time
would automatically sync the time to the host time, if it is out of sync.nitrocli otp get
would warn if out-of-sync.
Is that right? I think I may have to understand OTP a little more. What would be considered out-of-sync? Is that time window dependent?
Will that require an additional dependency (if we decide go with reading the host time)?
No. We can usestd::time::SystemTime
.
Ah, perfect!
All in all, this is only a minor change. I just wanted to file an issue so that we do not forget about it.
Absolutely.
from nitrocli.
from nitrocli.
Many thanks for the explanation!
There are two more things that I am confused about, I guess.
- From your description it appears that the Nitrokey (or any TOTP capable device) really needs to have a way to keep time. But the device has no battery (from what I know), so it cannot do anything of that sort if it is unplugged. Is that why you would want to set the time by default? Because it is very likely out of sync?
- Are there other services that use the time? If OTP is the sole user I think unconditionally syncing it is fine.
Possible problems with this solution are:
- We have one more command to send to the device (set time). But on the other hand, we should always check the time, so it does not make any difference.
We would also need to retrieve the currently set time window, wouldn't we? (though that may come along with the time; not that this is a problem, I just want to understand)
from nitrocli.
from nitrocli.
Please not that the comment continues after the three dots, even if Github thinks that’s a signature. Also, as I cannot edit comments submitted by mail, I want to make clear that nitrokey-app only sets the time once a device is connected, not with every OTP generation.
In conclusion, I think my previous suggestion is still valid. But we could use the *_soft
function per default. If it fails, the user has to pass --ignore-time
to continue anyway or --reset-time
for a “hard” reset.
from nitrocli.
Hi! Just wanted to add two words.
Internal clock synchronization should be required only once per device's power cycle. It should keep the time then for further TOTP work. I do not know, how much its clock drifts with time, but never seen any issues during normal usage. Devices have no battery, hence the clock is reset on each boot.
from nitrocli.
Do you mind taking this issue, @robinkrahl ? I guess you already may have started work on it
from nitrocli.
from nitrocli.
Merged. Thanks for bringing up this issue and resolving it @robinkrahl !
from nitrocli.
Related Issues (20)
- Compare strings instead of byte slices in tests HOT 2
- Access PWS slots by name HOT 8
- Improve otp subcommand HOT 1
- Validate PWS and OTP string length HOT 5
- Document scdaemon reset workaround in readme
- Publishing nitrocli-ext HOT 5
- Publishing the core extensions HOT 10
- Improve installation instructions HOT 6
- Split up commands module HOT 1
- Show retry count (< 3) in pinentry HOT 1
- "Wrong password, please reenter" after device reconnection HOT 22
- "Unexpected response: OK" if empty password is entred via pinentry HOT 1
- Add log messages to nitrocli HOT 12
- Add option to otp-cache to create custom aliases HOT 4
- pinentry-tty does not work HOT 13
- Change tests to not create python scripts during builds HOT 2
- Migrate to clap 3.0.0 HOT 2
- Move CI checks to Makefile HOT 4
- nitrocli (for NK2 Pro) not responsive while NK3 plugged in HOT 4
- Document extensions in readme HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from nitrocli.