Add option to otp-cache to create custom aliases #179
Comments
|
Thank you for bringing this up!
Yes, I think so. I try to use the FQDN of a service as slot name, but even that isn’t possible for some longer domains. It always bugged me that I have to abbreviate the slot names, but I didn’t think of this elegant solution. I don’t like storing the aliases in the cache file. It is semantically wrong, and it makes the update process more complicated. For example, if the name for slot 0 changes from My suggestion would be to have an [aliases.0xdeadbeef]
"arn:aws:iam::123456123456:mfa/testuser" = "aws"
"some.long.name.example.org" = "s.l.n.example.o"We could also have a One open question is what we should do if for an alias |
|
On second thought, there is another aspect to this question: I would like to see the alias in the output of I think it might be better to use a 1:1 relation between aliases and original names, clearly intended to provide a workaround for the short slot length (and not as a generic alias feature). In this case, we would only use the alias in the UI and would no longer accept the original name as a valid slot name. Maybe name override or name replacement would be a more appropriate term for this kind of feature, clearly indicating that the original name is replaced. |
|
Good to see someone else use extensions :-) I agree with Robin's sentiment that a 1:1 relationship would be nice. So basically, we'd have: In [override.aws]
name = "arn:aws:iam::123456123456:mfa/testuser"In [[totp]]
name = "aws"
id = 0
[[totp]]
name = "github.com"
id = 1Results in: $ nitrocli otp-cache list
alg slot name
totp 0 arn:aws:iam::123456123456:mfa/testuser
totp 1 github.com@trevor87 does this sound reasonable to you? Will you take a stab at the implementation? |
|
Thanks for your quick replies! I'm very happy to see that you support this idea! In my opinion the override approach is a good solution for the issue of too short slot names described in #179 (comment). Nevertheless, I think ideally we would have both overrides and aliases as they solve different problems: In my situation I would still want to be able to use the get command on both slot-names, so e.g. Still, I think it would make sense to start with the override function and eventually add the alias approach later on. Regarding the implementation: I currently have little time and have never used rust before but I will give it a shot and see how far I get. |
First of all, thanks for your great work!
I wrote an extension to make aws-vault work with the latest nitrocli dev version using otp-cache. It automatically calls
nitrocli otp-cacheand uses the returned MFA-token. Unfortunately setup is currently quite complicated and not very stable.The reason is this: aws-vault is only able to pass a string of the format
arn:aws:iam::[account-id]:mfa/[your-iam-username]to nitrocli as an identifier for the needed OTP. At first I thought to simply change the slot name of an nitrokey entry to this format (this is the current solution for yubikeys), but then I learned that the identifier is too long (The provided slot name is too long (actual length: 39 bytes, maximum length: 15 bytes)).To make it work I therefore manually added an entry into the file in
~/.cache/nitrocli-otp-cache.e.g.
This works, but is not a very stable solution, as it gets deleted when I update the entries in the cache.
Therefore my question: Do you think it would be possible/useful to have a feature for persistent aliases in nitrocli otp-cache?
e.g. instead of the above one could have:
Sorry for the long text!
The text was updated successfully, but these errors were encountered: