[Toybox] Microsoft github is disabling my account on the 7th.

James Cloos cloos at jhcloos.com
Mon Sep 30 10:40:30 PDT 2024


RL> Is there a howto on this? (I can try searching from minneapolis if you haven't
RL> got one handy, I'm a bit scrunched packing out my hotel room in tokyo just now.)

no.  i called 'eix totp' to see what gentoo packaged with the name totp
(akin to apt search totp).  the ebuild for app-crypt/totp-cli-bin
recommended app-admin/keepassxc for a better option, but the gui version
failed to run with a qt version conflict i've yet to diagnose, so i just
used totp-cli.

RL> Devuan Bronchitis has keepassxc but not totp anything.

on ceres i see keepassxc-full, keepassxc-minimal and transitional
packages named keepassxc.  i have not investigated the differences.

RL> (The laptop with Devuan
RL> Dermatitis isn't set up at the moment.) Is that the same as
RL> https://github.com/WhyNotHugo/totp-cli (which says it's a pip install...)

the ebuild i used specifies https://github.com/yitsushi/totp-cli as the
homepage.  one is likely a fork of the other.

with totp-cli-bin it was a matter of running:

totp-cli-bin add
totp-cli-bin g github my_gh_id

and follow the prompts.  the 1st arg to g is the namespace i specified
when add prompted for it, and IIRC the second was also a string for
which add prompted.  the token string gh specified was also entered at
one of add's prompts.

>> keepassxc/stable

RL> It says it's a password manager, is that the same as totp-cli?

all i know for sure is that the totp-cli-bin ebuild writes this after
installing:

"For a more mature TOTP you can try app-admin/keepassxc, cli included"

RL> P.S. I have no idea how "enter a unix time from the command line and this will
RL> generate a code way in the future" is supposed to be more secure. Somebody with
RL> 15 seconds access to my laptop could generate one for 3am a week from now and
RL> log in at the specified time. Reading the setup, there's a shared key in
RL> plaintext extractable from the github config. That's JUST TWO PASSWORDS, they're
RL> merely obfuscating one of them slightly...

yes, just more makework.  what they ought to do if they actually cared
would be an api over ssh -- using ed25519 or future pq keys -- to do
anything rw, rather than screwing around with http nonsense.

but of course they won't.

-JimC
-- 
James Cloos <cloos at jhcloos.com>
            OpenPGP: https://jhcloos.com/0x997A9F17ED7DAEA6.asc


