Ensure that the key file ($KEYFILE) and the script itself have strict file permissions. This can be done using chmod to restrict access to only the necessary users, typically just the owner.
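A start-up check that enforces this, as an added example (not part of the original script). The helper name check_private is hypothetical, and stat -c assumes GNU coreutils:

```shell
# Added example: refuse to continue if a sensitive file is accessible to
# anyone but its owner. check_private is a hypothetical helper name.
check_private() {
    path=$1

    # Reject symlinks and anything that is not a regular file.
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "$path: not a regular file" >&2
        return 1
    fi

    # %a = octal permission bits, %u = numeric owner UID (GNU stat).
    info=$(stat -c '%a %u' -- "$path") || return 1
    mode=${info% *}
    owner=${info#* }

    # The file must belong to the user running the script.
    if [ "$owner" != "$(id -u)" ]; then
        echo "$path: owned by UID $owner, not the current user" >&2
        return 1
    fi

    # The last two octal digits are the group and other bits; both must be 0.
    case $mode in
        *00|0) ;;
        *)
            echo "$path: mode $mode is too permissive (use chmod 600 or 700)" >&2
            return 1
            ;;
    esac
    return 0
}

# Usage near the top of the TOTP script, before $KEYFILE is read:
#   check_private "$KEYFILE" || exit 1
#   check_private "$0"       || exit 1
```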
Add validation for the inputs, especially for the service name and key, to prevent injection attacks or accidental misconfiguration.
    if [[ ! "$2" =~ ^[a-zA-Z0-9_]+$ ]]; then
        echo "Invalid service name"
        exit 1
    fi
Error Handling and Logging:
Implement better error handling and logging to track script usage and errors. This can help in auditing and troubleshooting.
    log_file="/var/log/totp_script.log"
    log() {
        echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" >> "$log_file"
    }
    # Example usage within the script:
    log "Generating TOTP for service $2"
Encrypted Backups:
Create a mechanism for encrypted backups of the $KEYFILE. This can be a simple script that encrypts and copies the file to a secure location.
Ensure that the GnuPG configuration is secure. This may include setting up a strong key passphrase, using a secure keyring, and keeping the GnuPG software up to date.
Avoid Hardcoded Information:
Instead of hardcoding the GnuPG user ID and key ID, consider passing them as arguments or setting them as environment variables.
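    # UID is a read-only variable in bash, so the value is stored under another name (GPG_UID, chosen here).
    GPG_UID=${TOTP_UID:-"default_user"}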
Restrict Script Execution:
Restrict the script to be executable only by the intended users. This can be done by checking the user ID at the beginning of the script.
    EXPECTED_UID="expected_user_id"   # placeholder: replace with the numeric UID allowed to run the script
    if [ "$(id -u)" != "$EXPECTED_UID" ]; then
        echo "This script can only be run by a specific user."
        exit 1
    fi
Prompt for Confirmation on Sensitive Actions:
For operations like setting a new key, prompt for user confirmation to prevent accidental changes.
    # -r stops read from interpreting backslashes in the answer
    read -r -p "Are you sure you want to set a new key for $2? [y/N] " response
    if [[ ! "$response" =~ ^[Yy]$ ]]; then
        echo "Operation canceled."
        exit 1
    fi
Use Temporary Files for Sensitive Data:
Instead of directly writing sensitive data to files, use temporary files with restricted permissions and ensure they are securely deleted after use.
    tmpfile=$(mktemp /tmp/.totp.XXXXXX) || exit 1
    chmod 600 "$tmpfile"
    # Remove the file on every exit path, including errors
    trap 'rm -f "$tmpfile"' EXIT
    # Use $tmpfile for intermediate steps
    rm -f "$tmpfile"