CLI client for RFC 4226's HOTP and RFC 6238's TOTP.

Overview

One Time Password (OTP, TOTP/HOTP)

Python 3.10 Code style: black pdm-managed pre-commit


OTP serves as additional protection in case of password leaks.

onetimepass allows you to manage OTP codes and generate a master key. The master key allows the base to be decrypted and encrypted. Make sure to keep it in a safe place, otherwise it will not be possible to recover the data.

onetimepass supports as an optional dependency the integration with the system keychain (cross-platform) in which the application saves the master key.

Requirements

  • Python 3.10+
  • PDM 1.11+

Installation

$ pdm install

To include the optional keychain support:

$ pdm install -G keyring

Usage

Initialize database

At the very beginning, the database must be initialised, which additionally creates the master key. It will save it to the keychain if this has been installed.

By default, it will print the generated key to the STDOUT. You need this behavior if you don't use the optional keychain integration.

If you do, you can pass the -q, --quiet option to silence the output.

Keychain integration

The application will automatically detect if you have the keychain integration installed, however, if you want to force enable/disable it, you can by using respectively the -k, --keyring and -K, --no-keyring options.

Although, if you don't have the keychain integration installed, enabling it won't work:

Print the master key

It is possible to print the current master key stored in the keychain (if you need this for e.g. migrating the app to the different device).

This of course won't work if you don't use the keychain integration.

Adding new OTP alias

onetimepass identifies the added OTP codes via the user-specified aliases, which should be short, easy-to-remember names.

onetimepass allows you to add new alias in two ways, either by specifying all the parameters manually, using add hotp or add totp commands (depending on which type of the OTP you want to add), or by providing the de facto standard URI invented by the Google.

Adding via URI (command will aks interactively for the URI)

$ pdm run otp add uri AWS-root
Enter URI:
Repeat for confirmation:

Example URIs

Adding via totp/hotp subcommand (command will ask interactively for the secret):

$ pdm run otp add totp AWS-root
Enter secret:
Repeat for confirmation:
$ pdm run otp add hotp AWS-root
Enter secret:
Repeat for confirmation:

Removing OTP alias

$ pdm run otp rm <alias>
Are you sure? [y/N]:

To omit the interactive confirmation ( ⚠️ unsafe!), pas the --yes option.

Showing OTP code

Show single OTP identified by alias

$ pdm run otp show <alias>

You can force the app to wait until the new OTP code is valid, in case the current one will be invalid in a short period of time (so you won't have to rush with copy-pasting the code, or wait manually), using -w, --wait-for-next option.

$ pdm run otp show -w <seconds> <alias>

This will accept the seconds of tolerance (if the remaining time of the current code to be valid is less than seconds, the app will wait, otherwise it will show the current code).

You can easily automate it even more:

$ pdm run otp show -w 10 <alias> | cut -d' ' -f2 | pbcopy; alert

To extract the code when it's ready, then copy it to the system clipboard (pbcopy for macOS, xclip for Linux), and send the system notification to yourself when it's all finished (assuming you have the alert alias configured, available by default e.g. on Ubuntu Linux).

Show all codes

$ pdm run otp show-all

You can emulate the view known from the Google Authenticator (list of all the codes, refreshed dynamically) by wrapping the application in the external watcher (e.g. watch):

$ watch -c -p -n 1 pdm run otp show-all

Database import/export

In case you want to migrate the application to the different device, you can export the local database to the format of choice (currently only the json is supported) and then import it.

You can use this not only to transfer the application between the devices, but also to create backups: because onetimepass is a CLI-based tool, you can even implement the cronjob that will periodically run the export in the background ( ⚠️ just remember to encrypt the resulting file and store it somewhere safe).

Shell Completion

onetimepass can provide tab completion for commands, options, and choice values. Bash, Zsh, and Fish are supported

$ pdm run zsh
$ eval "$(_OTP_COMPLETE=zsh_source otp)"
$ pdm run bash
$ eval "$(_OTP_COMPLETE=bash_source otp)"

Rationale

As the onetimepass have multiple alternatives, you may ask why bother with reinventing the wheel instead of using any existing solution.
This section addresses that.

Existing alternatives

Google Authenticator

The main issue with this app is that it does not offer any way to backup the secrets, and synchronize them between the devices.

If you don't have the backup of the original QR codes, and you'll lose your mobile phone, you're screwed. Yes, services that provide the 2FA often offer the backup codes, but not every one of them, and this is not the optimal solution.

In theory, if you root the device, you can access the local database, but not everyone wants or can root their mobile phone, as this can e.g. void a device's warranty.

Besides, if you root the device, you can see the local database is stored in the plain text, which is a big security risk.

Authy

It does allow synchronizing secrets between the devices, but this happens through the provider servers. The application neither sent nor store your backup password, but it can still be non-optimal for some people to trust the external provider to handle such sensitive data.

Also, Authy does not support export or import of the secrets.

pass or gopass

pass is an extensible CLI-based password manager, and there is a pass-otp plugin to handle TOTP (although, HOTP is not supported).

One issue is that it uses GnuPG for encrypting the local database, which can be tedious to configure:

To be honest, a few first times I tried to configure it, I failed miserably. This should be much easier and faster. ~ Daniel Staśczak

The second issue is that, as mentioned above, pass is primarily the password manager. If one wants only the TOTP client, it's a little bit of an overkill to install the whole password manager for that.

The GUI clients in general

This is more of a personal preference, but if you use the GUI-based OTP client, especially on your mobile phone, there are some extra steps everytime you need to use it:

  1. You have to get your phone.
  2. You have to open the app.
  3. You have to type the code manually, if you need to enter the code on another device (e.g. to authorize on the desktop).

This is not very inconvenient, but I bet there were at least few times when you didn't had your phone with you while you had to authorize into the AWS account while working on something urgent, or get your phone out of the pocket every few hours, because the Keeper logged out you out of a sudden once again in a day.

If you're CLI power-user, using the CLI-based tool is just much quicker and convenient. And you can create some crazy pipelines (see the examples in the Usage section).

Security

While onetimepass does reinvent a wheel in general, one of the main goals of the project is to still be a secure solution, and do not reinvent the wheel in regard to the security. Because of this reason, for generating the master key and encrypting the local database, the high-level cryptographic library is used.

The main algorithm for the HOTP/TOTP is implemented based on the official RFC and the reference implementation.

There are some functionalities which can be a security hole if used in an irresponsible manner (e.g. export, key), but the same can be said about the sudo rm -rf --np-preserve-root /, right?

Nevertheless, if you see any security issue, please feel free to report it, we're more than happy to consider it.

Owner
Apptension
We are a fellow custom software development company for Startups, Investors and Agencies.
Apptension
A user-friendly python CLI for Fmask 4.3 software (GERS Lab, UCONN).

pyFmask What is pyFmask pyFmask is a user-friendly python CLI for Fmask 4.3 software (GERS Lab, UCONN; https://github.com/GERSL/Fmask). Fmask (Zhu et

1 Jan 05, 2022
CLI tool to fix linked references for dates.

Fix Logseq dates This is a CLI tool to fix the date references following a change in date format since the current version (0.4.4) of Logseq does not

Isaac Dadzie 5 May 18, 2022
Present - A terminal-based presentation tool with colors and effects.

present A terminal-based presentation tool with colors and effects. You can also play a codio (pre-recorded code block) on a slide. present is built o

Vinayak Mehta 4.2k Jan 03, 2023
CLI/library to control FNIRSI DC Power Supply (DC-6006L, etc)

dc6006l - CLI/library to control FNIRSI DC Power Supply (DC-6006L, etc) What is this? FNIRSI DC6006L is a programmable DC power supply that is quite c

Taisuke Yamada 7 Sep 25, 2022
Because sometimes you need to do it live

doitlive doitlive is a tool for live presentations in the terminal. It reads a file of shell commands and replays the commands in a fake terminal sess

Steven Loria 3.2k Jan 09, 2023
A lightweight Python module and command-line tool for generating NATO APP-6(D) compliant military symbols from both ID codes and natural language names

Python military symbols This is a lightweight Python module, including a command-line script, to generate NATO APP-6(D) compliant military symbol icon

Nick Royer 5 Dec 27, 2022
asciinema - Terminal session recorder 📹

asciinema - Terminal session recorder 📹

asciinema 11.1k Dec 27, 2022
Wordle-textual - Play Wordle from the CLI, using Textual

Wordle, playable from the CLI This project seeks to emulate Wordle in your shell

PhenoM4n4n 3 Mar 29, 2022
A CLI minesweeper application written in 60 LoC python

This is a CLI minesweeper application written in 60 LoC python. You can use d row,column to dig and f row,column to flag/unflag

1 Dec 21, 2021
Bear-Shell is a shell based in the terminal or command prompt.

Bear-Shell is a shell based in the terminal or command prompt. You can navigate files, run python files, create files via the BearUtils text editor, and a lot more coming up!

MichaelBear 6 Dec 25, 2021
CLI Web-CAT interface for people who use VIM.

CLI Web-CAT CLI Web-CAT interface. Installation git clone https://github.com/phuang1024/cliwebcat cd cliwebcat python setup.py bdist_wheel sdist cd di

Patrick 4 Apr 11, 2022
A Multipurpose bot with many Commands made using Pycord

This repo has all of the commands you will ever need in a discord bot. a Multipurpose discord bot

Pogrammar 42 Dec 18, 2022
tox-server is a command line tool which runs tox in a loop and calls it with commands from a remote CLI.

Tox Server tox-server is a command line tool which runs tox in a loop and calls it with commands from a remote CLI. It responds to commands via ZeroMQ

Alexander Rudy 3 Jan 10, 2022
slipit is a command line utility for creating archives with path traversal elements.

slipit is a command line utility for creating archives with path traversal elements. It is basically a successor of the famous evilarc utility with an extended feature set and improved base functiona

usd AG 35 Dec 23, 2022
A webmining CLI tool & library for python.

minet is a webmining command line tool & library for python (= 3.6) that can be used to collect and extract data from a large variety of web sources

médialab Sciences Po 165 Dec 17, 2022
Command line util for grep.app - Search across a half million git repos

grepgithub Command line util for grep.app - Search across a half million git repos Grepgithub uses grep.app API to search GitHub repositories, providi

Nenad Popovic 18 Dec 28, 2022
A powerful, colorful, beautiful command-line-interface for pypi.org

pypi-command-line pypi-command-line is a colorful, powerful, and beautiful command line interface for pypi.org that is actively maintained Detailed Do

Wasi Master 32 Jun 23, 2022
Command-line interface to PyPI Stats API to get download stats for Python packages

pypistats Python 3.6+ interface to PyPI Stats API to get aggregate download statistics on Python packages on the Python Package Index without having t

Hugo van Kemenade 140 Jan 03, 2023
Lets you view, edit and execute Jupyter Notebooks in the terminal.

Lets you view, edit and execute Jupyter Notebooks in the terminal.

David Brochart 684 Dec 28, 2022
A very simple python script to encode and decode PowerShell one-liners.

PowerShell Encoder A very simple python script to encode and decode PowerShell one-liners. I used Raikia's PowerShell encoder ALOT, but one day it wen

John Tear 5 Jul 29, 2022