
phys-npps-members-l - Re: [[Phys-npps-members-l] ] A tool of Automated SSH/SCP access to CERN lxplus with OTP and Kerberos

phys-npps-members-l AT lists.bnl.gov

Subject: ALL NPPS Members

  • From: "Ye, Shuwei" <yesw AT bnl.gov>
  • To: "Viren, Brett" <bviren AT bnl.gov>
  • Cc: NPPS members <phys-npps-members-l AT lists.bnl.gov>
  • Subject: Re: [[Phys-npps-members-l] ] A tool of Automated SSH/SCP access to CERN lxplus with OTP and Kerberos
  • Date: Tue, 3 Mar 2026 04:31:37 +0000

Hi Brett,

This is a great tool for securely managing API keys. Thanks!

--Shuwei



From: Viren, Brett
Sent: Monday, March 2, 2026 1:47 PM
To: Ye, Shuwei
Cc: NPPS members
Subject: Re: [[Phys-npps-members-l] ] A tool of Automated SSH/SCP access to CERN lxplus with OTP and Kerberos

Nice, Shuwei.

pass is pretty flexible in part because it does not dictate a format for
its encrypted records so we can build ideas on top of it.

I "wrote" (LLM-assisted) a little tool called "passdb" that turns pass
entries into something more rich.  It does dictate a format, which is
one people tend to already use.  In exchange it adds some templated
formatting and processing that lets it, for example, emit shell
environment variable settings that may include the "secret" or other
fields in the record.

The motivation for this tool was that I'm dealing with an ever growing
set of APIs for LLM usage that require a variety of ways to specify API
keys and I don't want to ever let API keys land in a repo.

Code and some examples are here:

  https://github.com/brettviren/passdb

Keep the hacks coming! :)

-Brett.

"Ye, Shuwei" <yesw AT bnl.gov> writes:

> Dear all,
> Inspired by Brett's idea of generating OTPs in the command line, I've developed a tool to automate SSH
> and SCP access to CERN lxplus using OTP and Kerberos. Once set up, you can simply run ssh-lxplus to
> connect without the need to manually copy and paste your 2FA code, while seamlessly utilizing your
> existing Kerberos token for CERN.CH.
> You can find the relevant scripts in the repository here:
> https://github.com/yesw2000/modern-linuxtools/tree/master/ssh-cern/
> Setup for Mac: To install the OTP prerequisites and initialize 2FA, download and run the following script:
>
>   $ wget https://raw.githubusercontent.com/yesw2000/modern-linuxtools/refs/heads/master/ssh-cern/Install-OTP_tools-Mac.sh
>   $ bash Install-OTP_tools-Mac.sh
>
> Usage: After setup, download the ssh-lxplus (for SSH connections) and scp-lxplus (for file transfers)
> scripts:
>
>   $ wget https://raw.githubusercontent.com/yesw2000/modern-linuxtools/refs/heads/master/ssh-cern/ssh-lxplus
>   $ chmod +x ssh-lxplus
>   $ ./ssh-lxplus
>
> Note: The scripts will ask for your CERN username on the first run and will automatically update themselves to
> save it for future use.
> You can find more details in the documentation here:
> https://github.com/yesw2000/modern-linuxtools?tab=readme-ov-file#-cern-sshscp-with-automatic-2fa
> Cheers,
> --Shuwei
>
> ---------------------------------------------------------------------------------------
> From: Viren, Brett
> Sent: Thursday, February 5, 2026 12:24 PM
> To: Ye, Shuwei
> Cc: NPPS members
> Subject: Re: [[Phys-npps-members-l] ] Browser-based OTP authenticator for all OS
>
> "Ye, Shuwei" <yesw AT bnl.gov> writes:
>
>> Zhaoyu asked about OTP alternatives to phone apps.
>
> An alternative for anyone like me that lives in the command line:
>
>   $ pass otp com/github/me/totp | xclip
>
>   *paste*
>
> Ingredients:
>
> - https://www.passwordstore.org/
> - https://github.com/tadfisher/pass-otp
>
> -Brett.
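
Brett's message above describes emitting shell environment variable settings from pass records. As an added example (not passdb's code, record format or template syntax, and not from either author), this Python code parses a decrypted record in the common layout of secret on the first line followed by `key: value` fields, which is an assumption, and renders shell-quoted `export` lines; the sample record, variable names and mapping are constructed.

```python
import re
import shlex
import subprocess

# Constructed sample record in the widely used pass layout: the secret on
# line 1, then "key: value" fields. The layout is an assumption here.
SAMPLE_RECORD = """sk-test-it's-not-real
url: https://api.example.invalid/v1
user: alice
"""

VAR_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")


def parse_record(text):
    """Split a decrypted record into (secret, fields)."""
    lines = text.splitlines()
    if not lines or not lines[0]:
        raise ValueError("record has no secret on its first line")
    fields = {}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip().lower()] = value.strip()
    return lines[0], fields


def export_lines(text, mapping):
    """Render `export NAME=value` lines; mapping is {VAR: field or "secret"}."""
    secret, fields = parse_record(text)
    out = []
    for var, source in mapping.items():
        if not VAR_NAME.match(var):
            raise ValueError(f"unsafe variable name: {var!r}")
        value = secret if source == "secret" else fields[source]
        # shlex.quote keeps quotes, spaces and $ in the value from being
        # interpreted when the line is passed to eval.
        out.append(f"export {var}={shlex.quote(value)}")
    return out


def show_entry(name):
    """Decrypt an entry with `pass show` (needs pass and a working gpg-agent)."""
    return subprocess.run(["pass", "show", name], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    mapping = {"EXAMPLE_API_KEY": "secret", "EXAMPLE_API_BASE": "url"}
    print("\n".join(export_lines(SAMPLE_RECORD, mapping)))
```

Evaluating the output in the current shell keeps the key in process environment only, so nothing secret is written to a file that could be committed.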


