emacs-devel

Re: New package for NonGNU ELPA : totp-auth


From: Morgan Willcock
Subject: Re: New package for NonGNU ELPA : totp-auth
Date: Thu, 08 Feb 2024 19:15:37 +0000
User-agent: Gnus/5.13 (Gnus v5.13)

Jean Louis <bugs@gnu.support> writes:

> * Richard Stallman <rms@gnu.org> [2024-02-07 06:17]:
>> [[[ To any NSA and FBI agents reading my email: please consider    ]]]
>> [[[ whether defending the US Constitution against all enemies,     ]]]
>> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
>> 
>> This is a useful feature, but should it be implemented as a part of
>> Emacs?  Is there / should there be a shell command for this?
>> 
>> Given a shell command for this, do we want it implemented in Emacs
>> too?
>
> I have implemented it this way below, and it works well now for a long time
> already. It uses the external shell command. I would rather use Emacs Lisp
> for it. It is required at many logins. I did not show more than 3 logins
> below, and they are also fake keys.
>
> (defvar oath-keys '(digitalocean "31CHLCURYJ5VRDHB"
>                     tether "J2AMLDF473VHD517"
>                     twilio "EB1JS6TJNL1TQCWSNEZJG6IQ4XZGSC4UMI276X3TEODG2VQRTE5A"))
>
> (defun call-process-to-string (program &optional infile display &rest args)
>   (with-temp-buffer
>     (apply #'call-process program infile t display args)
>     (buffer-string)))
>
> (defun oath ()
>   "Ask for service and kill OATH result to memory."
>   (interactive)
>   (let* ((key (rcd-choose (map-keys oath-keys) "OATH Service: "))
>          (result (call-process-to-string "oathtool" nil nil "-b" "--totp=sha1"
>                                          (plist-get oath-keys (intern key))))
>          (result (string-trim result)))
>     (message "%s" result)
>     (kill-new result)))

I imagine this is potentially leaking your keys by making them visible
in the system's process information.

Recent versions of oathtool can read the key from stdin, so any attempt
to create a wrapper should probably be using this feature.

-- 
Morgan Willcock
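
A wrapper that feeds the key to oathtool on standard input rather than on the command line, as an added example that is not part of the original message or of either poster's code. It assumes an oathtool on PATH that accepts "-" in the KEY position to read the key from stdin; the function name example-oath-totp is hypothetical.

```elisp
(require 'subr-x)  ; string-trim on older Emacs versions

(defun example-oath-totp (base32-key)
  "Return the current TOTP code for BASE32-KEY using oathtool.
The key is written to oathtool's standard input, so it never
appears in the argument vector that ps and /proc expose.
Hypothetical helper; assumes oathtool accepts \"-\" as KEY."
  (with-temp-buffer
    (let ((proc (make-process
                 :name "oathtool"
                 :buffer (current-buffer)
                 ;; "-" in the KEY position: read the key from stdin.
                 :command '("oathtool" "-b" "--totp=sha1" "-")
                 ;; A pipe keeps the key in memory; call-process-region
                 ;; would stage it in a temporary file first.
                 :connection-type 'pipe
                 :noquery t
                 ;; Suppress the default sentinel, which would insert a
                 ;; "Process oathtool finished" line into the buffer.
                 :sentinel #'ignore)))
      (process-send-string proc (concat base32-key "\n"))
      (process-send-eof proc)
      ;; Drain all output; returns nil once the process has exited.
      (while (accept-process-output proc))
      (unless (zerop (process-exit-status proc))
        (error "oathtool failed with status %d"
               (process-exit-status proc)))
      (string-trim (buffer-string)))))

;; Usage with a constructed sample key (not a real secret):
;; (kill-new (example-oath-totp "GEZDGNBVGY3TQOJQ"))
```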