How to get 2FA on the command line \ stacker news ~tech

Getting Time-based One-Time-Password for 2FA on the command line.

Abstract

This HOW-TO has been succesfully tested on Ubuntu 22.04.3 LTS so let's assume you have a similar setup.

There is no shortage of OTP 2FA apps availiable for your phone, such as Authy , FreeOTP or even the not so recommended Google Authenticator.

These apps take an initial secret code and create a TOTP anytime you need a 2FA code for login.

Some advantages of doing 2FA on the CLI are:

Easy to add, maintain, and backup with a simple key=val text file
Copy/Paste is easier than typing digits displayed on your phone
No issues with being locked out due to dead/lost/new phones

Installation

Make sure you're logged in as a regular user (not as root).

Install the two utility with:

sudo apt install oathtool gpg

We'll use a helper script as well as a file of initial secrets encrypted with GnuPG for better security.

sudo touch /usr/local/bin/totp

and, with your editor of choice, put the content below on the file and save it.

#!/bin/bash
# 
# Time-based One-time Password algorithm (TOTP) helper script
# Save shared secrets on disk protected with GnuPG encryption
# Easily generate OTPs for two-factor authorization (2FA)
#
# Setup:
# Install requirements with `sudo apt install oathtool gpg`
# Setup gpg as per https://keyring.debian.org/creating-key.html
#
# Adapt the 3 variables below:
# - KEYFILE: file that holds the name/key pairs
# - UID: GnuPG user ID to use for encryption
# - KEYID: GnuPG key ID to use for encryption
#
# Good to know:
# - get gpg keys with: gpg --list-keys --keyid-format short user

Make it executable with :

sudo chmod +x /usr/local/bin/totp

If all went well, we can get a 2FA code on command line with:

$ totp twitter
078321

That's all folks.

Now you have a Time-based One-Time-Password for 2FA on the command line. Enjoy !!

view all related items

266 sats \ 1 reply \ @nym 22 Nov 2023

Good writeup. Here are some security suggestions:

Improved File Permissions:
- Ensure that the key file ($KEYFILE) and the script itself have strict file permissions. This can be done using chmod to restrict access to only the necessary users, typically just the owner.
```
chmod 600 "$KEYFILE"
chmod 700 /path/to/your/script.sh
```
Input Validation:
- Add validation for the inputs, especially for the service name and key, to prevent injection attacks or accidental misconfiguration.
```
if [[ ! "$2" =~ ^[a-zA-Z0-9_]+$ ]]; then
    echo "Invalid service name"
    exit 1
fi
```

Error Handling and Logging:

Implement better error handling and logging to track script usage and errors. This can help in auditing and troubleshooting.

log_file="/var/log/totp_script.log"

log() {
    echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" >> "$log_file"
}

# Example usage within the script:
log "Generating TOTP for service $2"

Encrypted Backups:
- Create a mechanism for encrypted backups of the $KEYFILE. This can be a simple script that encrypts and copies the file to a secure location.
```
backup_file="$HOME/.totpkeys_backup_$(date '+%Y%m%d')"

cp "$KEYFILE" "$backup_file"
gpg --encrypt -r "$UID" "$backup_file"
```
Enhanced GnuPG Handling:
- Ensure that the GnuPG configuration is secure. This may include setting up a strong key passphrase, using a secure keyring, and keeping the GnuPG software up to date.
Avoid Hardcoded Information:
- Instead of hardcoding the GnuPG user ID and key ID, consider passing them as arguments or setting them as environment variables.
```
UID=${TOTP_UID:-"default_user
```
Restrict Script Execution:
- Restrict the script to be executable only by the intended users. This can be done by checking the user ID at the beginning of the script.
```
if [ "$(id -u)" -ne "expected_user_id" ]; then
    echo "This script can only be run by a specific user."
    exit 1
fi
```

Prompt for Confirmation on Sensitive Actions:

For operations like setting a new key, prompt for user confirmation to prevent accidental changes.

read -p "Are you sure you want to set a new key for $2? [y/N] " response
if [[ ! "$response" =~ ^[Yy]$ ]]; then
    echo "Operation canceled."
    exit 1
fi

Use Temporary Files for Sensitive Data:
- Instead of directly writing sensitive data to files, use temporary files with restricted permissions and ensure they are securely deleted after use.
```
tmpfile=$(mktemp /tmp/.totp.XXXXXX)
chmod 600 "$tmpfile"
# Use $tmpfile for intermediate steps
rm -f "$tmpfile"
```

18 sats \ 0 replies \ @italiansatoshi OP 22 Nov 2023

Thank you so much. I'll include each and everyone of your suggestions.