ALL NPPS Members

["Ye, Shuwei" <yesw AT bnl.gov>]

Dear all,

Inspired by Bret's idea of generating OTPs in the command line, I've developed a tool to automate SSH and SCP access to CERN lxplus using OTP and Kerberos. Once set up, you can simply run ssh-lxplus to connect without the need to manually copy and paste your 2FA code, while seamlessly utilizing your existing Kerberos token for CERN.CH.

You can find the relevant scripts in the repository here: https://github.com/yesw2000/modern-linuxtools/tree/master/ssh-cern/

Setup for Mac: To install the OTP prerequisites and initialize 2FA, download and run the following script:

bash

$ wget https://raw.githubusercontent.com/yesw2000/modern-linuxtools/refs/heads/master/ssh-cern/Install-OTP_tools-Mac.sh $ bash Install-OTP_tools-Mac.sh

Usage: After setup, download the ssh-lxplus (for SSH connections) and scp-lxplus (for file transfers) scripts:

bash

$ wget https://raw.githubusercontent.com/yesw2000/modern-linuxtools/refs/heads/master/ssh-cern/ssh-lxplus $ chmod +x ssh-lxplus $ ./ssh-lxplus

Note: The scripts will ask for your CERN username on the first run and will automatically update themselves to save it for future use.

You can find more details in the documentation here: https://github.com/yesw2000/modern-linuxtools?tab=readme-ov-file#-cern-sshscp-with-automatic-2fa

Cheers,

--Shuwei

---

From: Viren, Brett
Sent: Thursday, February 5, 2026 12:24 PM
To: Ye, Shuwei
Cc: NPPS members
Subject: Re: [[Phys-npps-members-l] ] Browser-based OTP authenticator for all OS

"Ye, Shuwei" <yesw AT bnl.gov> writes:

> Zhaoyu asked about OTP alternatives to phone apps.

An alternative for anyone like me that lives in the command line:

  $ pass otp com/github/me/totp | xclip

  *paste*

Ingredients:

- https://www.passwordstore.org/
- https://github.com/tadfisher/pass-otp

-Brett.