Notices where this attachment appears
-
In the previous episode: Steam requires 2FA for some features, and only provides it through few valve's apps, also it'll only tell you about the phone one. However, it really just uses good old TOTP. People are ripping the secrets left and right and using third party apps. Here's a good CLI one I've found: https://github.com/dyc3/steamguard-cli
I'd like to get my codes from pass(1) as I do with everything else. I managed, but it's silly.
pass already has an excellent OTP extension, but when fed the otp URI extracted with the above tool it spews wrong codes. It's nothing wrong with the underlying implementation, steam just moves some numbers around for no reason and the extension won't entertain it at this time.
I moved to try and hack it somewhere onto the extension. A pass extension is just a file of bash. In this case, it wraps external oathtool(1) and merely provides handy pass commands for installing the secrets in the password store.
Right now it seems there's no way to have oathtool spew valid steam codes without hacking into it's code, and it's C so it's a pain to deploy such hack later.
It's probably possible to recode the code inside the bash script, but I'm not doing that.
By far the easiest way to do this is to replace oathtool in the bash script, perhaps conditionally just for steam secrets. It's well written so it's not unpleasant to do either.
For replacement, I thought I'd use perl, maybe inline the whole thing inside the pass extension. I looked at what tooling's there on cpan - lo and behold, Pass::OTP is a sensible lib with few lines dedicated just to handling cases of issuer=Steam. The whole thing comes to just this:
use Pass::OTP qw/otp/;
use Pass::OTP::URI qw/parse/;
print otp(parse('$otp_uri'));
Included files are the patch, and the whole thing if you'd rather take that. Dump the extension either in /usr/lib/password-store/extensions/ or your .password-store/.extensions/. In the latter case, you also need to set PASSWORD_STORE_ENABLE_EXTENSIONS=true in your env. Pass::OTP is seldom packaged in distros so probably grab it from cpan. If your run uber minimool install with no perldoc it'll also fail because bad programming. And I can't attest to hotp working as expected because I don't care.