1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
|
.TH PASS-OTP 1 "2023 September 21" "Password store OTP extension"
.SH NAME
pass-otp - A \fBpass\fP(1) extension for managing one-time-password (OTP) tokens.
.SH SYNOPSIS
.B pass otp
[
.I COMMAND
] [
.I OPTIONS
]... [
.I ARGS
]...
.SH DESCRIPTION
.B pass-otp
extends the
.BR pass (1)
utility with the
.B otp
command for adding OTP secrets, generating OTP codes, and displaying secret key
URIs using the standard \fIotpauth://\fP scheme.
If no COMMAND is specified, COMMAND defaults to \fBcode\fP.
.SH COMMANDS
.TP
\fBotp code\fP [ \fI--clip\fP, \fI-c\fP ] \fIpass-name\fP
Generate and print an OTP code from the secret key stored in \fIpass-name\fP
using \fBoathtool\fP(1). If \fI--clip\fP or \fI-c\fP is specified, do not print
the code but instead copy it to the clipboard using \fBxclip\fP(1)
and then restore the clipboard after 45 (or \fIPASSWORD_STORE_CLIP_TIME\fP)
seconds. This command is alternatively named \fBshow\fP.
.TP
\fBotp insert\fP [ \fI--force\fP, \fI-f\fP ] [ \fI--echo\fP, \fI-e\fP ] \
[ [ \fI--secret\fP, \fI-s\fP ] [ \fI--issuer\fP, \fI-i\fP \fIissuer\fP ] \
[ \fI--account\fP, \fI-a\fP \fIaccount\fP ] ] [ \fIpass-name\fP ]
Prompt for and insert a new OTP secret into the password store at
\fIpass-name\fP.
If \fI--secret\fP is specified, prompt for the \fIsecret\fP value, assuming SHA1
algorithm, 30-second period, and 6 OTP digits. One or both of \fIissuer\fP and
\fIaccount\fP must also be specified.
If \fI--secret\fP is not specified, prompt for a key URI; see the documentation at
.UR https://\:github.\:com/\:google/\:google-authenticator/\:wiki/\:Key-Uri-Format
.UE
for the key URI specification.
The secret is consumed from stdin; specify \fI--echo\fP or \fI-e\fP to echo input
when running this command interactively. If \fIpass-name\fP is not specified,
convert the \fIissuer:accountname\fP URI label to a path in the form of
\fIisser/accountname\fP. Prompt before overwriting an existing secret, unless
\fI--force\fP or \fI-f\fP is specified. This command is alternatively named
\fBadd\fP.
.TP
\fBotp append\fP [ \fI--force\fP, \fI-f\fP ] [ \fI--echo\fP, \fI-e\fP ] \
[ [ \fI--secret\fP, \fI-s\fP ] [ \fI--issuer\fP, \fI-i\fP \fIissuer\fP ] \
[ \fI--account\fP, \fI-a\fP \fIaccount\fP ] ] \fIpass-name\fP
Append an OTP secret to the password stored in \fIpass-name\fP, preserving any
existing lines.
If \fI--secret\fP is specified, prompt for the \fIsecret\fP value, assuming SHA1
algorithm, 30-second period, and 6 OTP digits. One or both of \fIissuer\fP and
\fIaccount\fP must also be specified.
If \fI--secret\fP is not specified, prompt for a key URI; see the documentation at
.UR https://\:github.\:com/\:google/\:google-authenticator/\:wiki/\:Key-Uri-Format
.UE
for the key URI specification.
The URI is consumed from stdin; specify \fI--echo\fP or \fI-e\fP to echo input
when running this command interactively. Prompt before overwriting an existing
secret, unless \fI--force\fP or \fI-f\fP is specified.
.TP
\fBotp uri\fP [ \fI--clip\fP, \fI-c\fP | \fI--qrcode\fP, \fI-q\fP ] \fIpass-name\fP
Print the key URI stored in \fIpass-name\fP to stdout. If \fI--clip\fP or
\fI-c\fP is specified, do not print the URI but instead copy it to the clipboard
using
.BR xclip (1)
and then restore the clipboard after 45 (or \fIPASSWORD_STORE_CLIP_TIME\fP)
seconds. If \fI--qrcode\fP or \fI-q\fP is specified, do not print the URI but
instead display a QR code using
.BR qrencode (1)
either to the terminal or graphically if supported.
.TP
\fBotp validate\fP \fIuri\fP
Test a URI string for validity according to the Key Uri Format. For more
information about this format, see the documentation at
.UR https://\:github.\:com/\:google/\:google-authenticator/\:wiki/\:Key-Uri-Format
.UE .
.SH OPTIONS
.TP
\fBhelp\fP, \fB\-h\fP, \fB\-\-help\fP
Show usage message.
.SH EXAMPLES
.TP
.B Insert new OTP seed
$ pass otp insert totp-secret
.br
For totp the secret will be in the format: otpauth://totp/totp-secret?secret=AAAAAAAAAAA&issuer=totp-secret
.TP
.B To use your webcam to scan a QR code
$ zbarcam -q --raw | pass otp insert totp-secret
.TP
.B To use your webcam to append to an existing passfile
$ zbarimg -q --raw google-qrcode.png | pass otp append google/example@gmail.com
.br
If you have a clipboard management console tool such as `wl-clipboard` for
Wayland installed, you can also select "Copy Image" in your favorite browser
and run
.br
$ wl-paste | zbarimg -q --raw - | pass otp append google/example@gmail.com
.TP
.B Generate a 2FA code using seed
$ pass otp totp-secret
.TP
.B Display a QR code for an OTP token:
$ pass otp uri -q totp-secret
.SH SEE ALSO
.BR pass (1),
.BR qrencode (1),
.BR zbarimg (1)
.SH AUTHORS
.B pass-otp
was written by
.MT tadfisher@gmail.com
Tad Fisher
.ME .
.SH COPYING
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
