
Yubikey OTP Provisioner

Project description

yop

YubiKey OTP Provisioner, or yop for short, is a command line tool that allows provisioning OTP credentials, stored in pass, onto a YubiKey.

The tool solves the problem of keeping OTP credentials on multiple YubiKeys in sync.

If you are a YubiKey user, chances are you have more than one: definitely for redundancy, probably for convenience. If you use your YubiKeys for OTP, then you probably want to keep the OTP credentials on all of them in sync. One way of achieving that is keeping your credentials' data in pass and then provisioning it onto your YubiKeys. yop automates the process of keeping the credentials on your YubiKeys in sync with your pass store.

Installation

Install pipx, then

pipx install yop

Usage

Insert a YubiKey, then execute yop, pointing it to the pass directory with your OTP credentials:

yop ~/.otp-store

Inner workings and limitations

yop assumes that the pass store it sees is used exclusively for OTP credentials, i.e. it will not try to distinguish between an encrypted OTP credential and an encrypted password. If a value it encounters is not a valid OTP secret (a Base32 encoded string), parsing fails. If you use pass for OTP credentials, it is a good idea anyway to at least keep them in a separate store.

The store can have an arbitrary directory structure, but it must contain no more than 32 encrypted files (this is a limitation of the YubiKey OATH application, which can hold at most 32 credentials).

yop relies on the following assumptions about the encrypted file:

  • the file name (without the .gpg extension) is assumed to be the issuer
  • the first line is assumed to be the secret
  • if there is a line that starts with user: or username:, the part after the : is assumed to be the username; otherwise the second line is assumed to be the username

Examples:

  • firefox.com.gpg:

    FOOBARBAZQUX4217
    username: me@example.com
    
  • amazon.com.gpg:

    FOOBARBAZQUX4217
    user: someoneelse@example.com
    
  • github.com.gpg:

    FOOBARBAZQUX4217
    Ch00k
    

The sync operation is atomic: if a file cannot be parsed, the sync operation is aborted.

By default yop runs in dry-run mode. Supplying the --really option disables dry-run.

By default yop will write credentials that are found in pass but not on the YubiKey, but it will not delete credentials that are found on the YubiKey but not in pass. To force deletion, supply the --delete option.
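The file rules and the sync semantics above (issuer from the file name, secret on the first line, username from a user:/username: line or else the second line, at most 32 files, abort on the first unparseable file, additions by default and deletions only with --delete, dry-run unless --really) are illustrated by the following example. It is added here and is not yop's own code: it works on already-decrypted file contents passed in as a dict rather than calling gpg or pass, models a credential on the YubiKey as an (issuer, username) pair (an assumption; the page does not say how yop matches entries), and only computes the plan rather than writing to a key. The sample store and sample key contents are constructed for the example.

```python
import base64
import binascii
from dataclasses import dataclass

# Limit stated on the page: the YubiKey OATH application holds at most 32 credentials.
MAX_CREDENTIALS = 32


class ParseError(ValueError):
    """Raised for any file that does not follow the expected layout."""


@dataclass(frozen=True)
class Credential:
    issuer: str    # file name without the .gpg extension
    username: str  # "user:"/"username:" line, otherwise the second line
    secret: str    # first line, Base32 encoded


def parse_credential(filename: str, contents: str) -> Credential:
    """Apply the page's file rules to one decrypted pass entry."""
    if not filename.endswith(".gpg"):
        raise ParseError(f"{filename}: not a .gpg file")
    issuer = filename[: -len(".gpg")]
    lines = [line.strip() for line in contents.splitlines() if line.strip()]
    if not lines:
        raise ParseError(f"{filename}: empty file")
    # Secrets are often written without '=' padding; pad to a multiple of 8
    # so that only the alphabet (A-Z, 2-7) decides validity.
    secret = lines[0].replace(" ", "").upper()
    try:
        base64.b32decode(secret + "=" * (-len(secret) % 8))
    except (binascii.Error, ValueError) as exc:
        raise ParseError(f"{filename}: first line is not a valid Base32 secret") from exc
    username = None
    for line in lines[1:]:
        lowered = line.lower()
        for prefix in ("username:", "user:"):
            if lowered.startswith(prefix):
                username = line[len(prefix):].strip()
                break
        if username is not None:
            break
    if username is None:
        if len(lines) < 2:
            raise ParseError(f"{filename}: no username line")
        username = lines[1]
    return Credential(issuer, username, secret)


def load_store(files: dict[str, str]) -> list[Credential]:
    """Parse every file before touching the key: one bad file aborts the whole sync."""
    if len(files) > MAX_CREDENTIALS:
        raise ParseError(f"store has {len(files)} files; the OATH application holds at most {MAX_CREDENTIALS}")
    return [parse_credential(name, body) for name, body in sorted(files.items())]


@dataclass
class SyncPlan:
    to_add: list[Credential]
    to_delete: list[tuple[str, str]]
    dry_run: bool


def plan_sync(store: list[Credential], on_key: set[tuple[str, str]], *,
              really: bool = False, delete: bool = False) -> SyncPlan:
    """Mirror the --really / --delete semantics: add missing entries, delete only on request."""
    wanted = {(c.issuer, c.username): c for c in store}
    to_add = [c for key, c in sorted(wanted.items()) if key not in on_key]
    to_delete = sorted(on_key - wanted.keys()) if delete else []
    return SyncPlan(to_add=to_add, to_delete=to_delete, dry_run=not really)


# Constructed sample: decrypted contents of an OTP-only pass store.
SAMPLE_STORE = {
    "firefox.com.gpg": "JBSWY3DPEHPK3PXP\nusername: me@example.com\n",
    "amazon.com.gpg": "GEZDGNBVGY3TQOJQ\nuser: someoneelse@example.com\n",
    "github.com.gpg": "MFRGGZDFMZTWQ2LK\nCh00k\n",
}
# Constructed sample: (issuer, username) pairs already present on the YubiKey.
SAMPLE_KEY = {("amazon.com", "someoneelse@example.com"), ("old.example", "stale@example.com")}


if __name__ == "__main__":
    plan = plan_sync(load_store(SAMPLE_STORE), SAMPLE_KEY, really=False, delete=True)
    mode = "dry run" if plan.dry_run else "applying"
    for cred in plan.to_add:
        print(f"[{mode}] add    {cred.issuer} ({cred.username})")
    for issuer, username in plan.to_delete:
        print(f"[{mode}] delete {issuer} ({username})")
```

Parsing the whole store before computing the plan is what gives the abort-on-first-error behaviour; a deployment that parsed and wrote one file at a time could leave the key half-synced after a bad entry.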

See the output of yop --help for more details.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

yop-0.0.2.tar.gz (6.4 kB)

Uploaded Source

Built Distribution

yop-0.0.2-py3-none-any.whl (7.5 kB)

Uploaded Python 3

File details

Details for the file yop-0.0.2.tar.gz.

File metadata

  • Download URL: yop-0.0.2.tar.gz
  • Upload date:
  • Size: 6.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.8.2 CPython/3.12.2 Linux/6.5.0-1016-azure

File hashes

Hashes for yop-0.0.2.tar.gz
Algorithm Hash digest
SHA256 b77f78a7dd2e5e98474c590b818ebf34ba1722daf9a849122f259ab97882ead6
MD5 9625b84418bca27bc85f19bd780d4fb2
BLAKE2b-256 43a6e54d11b82734b6dcab2dab6bbc5e88bb2f11d9f2b9502e0c84124d6f7a0c


File details

Details for the file yop-0.0.2-py3-none-any.whl.

File metadata

  • Download URL: yop-0.0.2-py3-none-any.whl
  • Upload date:
  • Size: 7.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.8.2 CPython/3.12.2 Linux/6.5.0-1016-azure

File hashes

Hashes for yop-0.0.2-py3-none-any.whl
Algorithm Hash digest
SHA256 a4e8302a33dc2648e596901065d26edbcc3ee42ccf62547223633bf525d50cf8
MD5 752622de04874baacce9be3f6f625dc9
BLAKE2b-256 708195d5940ad62b2cb94936788302172dded2d626b137aaf67bbb3e7614e462

