#1 2020-01-16 11:51:06

clusterF
Member
Registered: 2019-05-07
Posts: 539

2fa on the terminal

Successfully used this program today on archlinux to use with github. It negates the need to have a smartphone app or something like a usb key like yubico. Requires golang-go though.

https://github.com/rsc/2fa

2fa is a two-factor authentication agent.

Usage:

go get -u rsc.io/2fa

2fa -add [-7] [-8] [-hotp] name
2fa -list
2fa name

2fa -add name adds a new key to the 2fa keychain with the given name. It prints a prompt to standard error and reads a two-factor key from standard input. Two-factor keys are short case-insensitive strings of letters A-Z and digits 2-7.

By default the new key generates time-based (TOTP) authentication codes; the -hotp flag makes the new key generate counter-based (HOTP) codes instead.

By default the new key generates 6-digit codes; the -7 and -8 flags select 7- and 8-digit codes instead.

2fa -list lists the names of all the keys in the keychain.

2fa name prints a two-factor authentication code from the key with the given name. If -clip is specified, 2fa also copies the code to the system clipboard.

With no arguments, 2fa prints two-factor authentication codes from all known time-based keys.

The default time-based authentication codes are derived from a hash of the key and the current time, so it is important that the system clock have at least one-minute accuracy.

The keychain is stored unencrypted in the text file $HOME/.2fa.

Example

During GitHub 2FA setup, at the “Scan this barcode with your app” step, click the “enter this text code instead” link. A window pops up showing “your two-factor secret,” a short string of letters and digits.

Add it to 2fa under the name github, typing the secret at the prompt:

$ 2fa -add github
2fa key for github: nzxxiidbebvwk6jb
$

Then whenever GitHub prompts for a 2FA code, run 2fa to obtain one:

$ 2fa github
268346
$

Or to type less:

$ 2fa
268346    github
$


#2 2020-01-16 13:00:03

clusterF
Member
Registered: 2019-05-07
Posts: 539

Re: 2fa on the terminal

Make it more secure with the bashrc function below if you have gnupg set up. This way the ~/.2fa file is encrypted using gnupg.

First encrypt the .2fa file.

gpg --encrypt --recipient <pubkey> .2fa

2fa() {
    # decrypt the keychain to the path 2fa expects, run the real binary,
    # then remove the plaintext again (only run 2fa if decryption succeeded)
    gpg --quiet --decrypt ~/.2fa.gpg > ~/.2fa && /usr/bin/2fa "$@"
    rm -f ~/.2fa
    # note: keys added with "2fa -add" are lost here, because the plaintext
    # keychain is removed without re-encrypting it; re-encrypt manually after -add
}

Last edited by clusterF (2020-01-16 13:06:10)


#3 2020-01-16 18:39:39

twoion
ほやほや
Registered: 2015-08-10
Posts: 2,818

Re: 2fa on the terminal

Just don't forget that 2FA means two factors. If the computer is both factors, then it's 1.5FA at best.


Per aspera ad astra.


#4 2020-01-17 01:30:30

clusterF
Member
Registered: 2019-05-07
Posts: 539

Re: 2fa on the terminal

twoion wrote:

Just don't forget that 2FA means two factors. If the computer is both factors, then it's 1.5FA at best.

True, and there is a hacky workaround to that by symlinking the .2fa keyfile from a USB stick to $HOME, therefore creating somewhat of a yubico key.

ln -s /run/media/$USER/USB/.2fa $HOME


#5 2020-01-17 07:28:31

johnraff
nullglob
From: Nagoya, Japan
Registered: 2015-09-09
Posts: 6,936

Re: 2fa on the terminal

twoion wrote:

Just don't forget that 2FA means two factors. If the computer is both factors, then it's 1.5FA at best.

Some time ago I started playing with this, intending to switch my GitHub login to 2FA, not having a smartphone, which seemed to be almost essential. Now I do have one, so a bit of the pressure is off, but I actually got a login system to the point of seeming to work OK.

The necessary second factor, replacing the smartphone or yubikey, is any usb memory stick. Don't label it "highly secret and confidential", and since the secret key file inside will be gpg encrypted anyway it should be OK. (Do give its filesystem a LABEL though, so that the mount path is predictable.) The point is that the secret is stored in a physically separate device, and gpg encrypted to protect you from theft of the key. The only dangerous case is if the thief also has access to your computer...

This script uses secret-tool to retrieve the decryption password (for the key on the stick) from your login keyring, and passes it to oathtool to generate a TOTP. It can be added to a menu to automatically put the TOTP on the clipboard (cleared after 15s) ready to be pasted into some interface.

You need to create and encrypt the secret file on the key manually though. A bit of scripting could be done for that too, I guess.

It seemed to be working, but I never got round to extensive testing.

#!/bin/bash

##### BE SURE TO SET THIS CONFIG TO SOMETHING ELSE #####

# path to file on external disk holding secrets
secrets=/media/username/MUSIC/stuff.gpg

# name associated in above file with secret to retrieve
# use default_name if no name is passed on command line
default_name=2fa_tmp

# keys to look up secrets file's password in login keyring
pwattr=keyfile
pwval=2fa

##### CONFIG END #####

HELP="USAGE: $0 [name]
Run this script to get a TOTP one-time code.

If no name is passed '$default_name' will be used to look up the secret.
That secret will then be used to obtain a 1 time 6-digit pass code.

The encrypted secrets file should be of the form:
name1:secret1
name2:secret2
etc.
(spaces and tabs are permitted)

Encrypt the secrets file with
'gpg -c <filename>',
remove the original file,
and store the password in the login keyring with at least one pair of
attribute/value with
'secret-tool store --label <something> <attribute> <value>'
The same <attribute> and <value> will be used to retrieve the password.
Use a strong password in case someone else gets your usb stick.

Keep the encrypted secrets file on an external plugin device,
and set its path when mounted in 'secrets'.
(Set a LABEL attribute on the device so its mounted path is predictable.)
"

# name associated with secret to retrieve
name=${1:-${default_name}}

error_exit() {
    echo "$0 error: $1" >&2
    [[ -t 1 ]] || yad --window-icon=dialog-error --center --borders=20 --undecorated --fixed --on-top --button=OK:0 --image=dialog-error --text="TOTP: $1"
    exit 1
}

required_commands='oathtool secret-tool xsel notify-send yad'

missing_commands=
for i in $required_commands
do
    hash $i || missing_commands+=" $i"
done
[[ $missing_commands ]] && error_exit "This script requires the following commands: $missing_commands
Please install the packages containing the missing commands
and rerun the script."

case $1 in
--help|-h)
    echo "$HELP"
    exit
    ;;
esac

[[ -r $secrets ]] || error_exit "Cannot read $secrets. Is the stick plugged in and mounted?"

# get the totp code: keyring password -> gpg decrypt -> pick the named secret -> oathtool
# (--pinentry-mode loopback is required for gpg >= 2.1 to take the passphrase from --passphrase-fd)
code=$( secret-tool lookup "$pwattr" "$pwval" | \
gpg --decrypt --batch --pinentry-mode loopback --passphrase-fd 0 "$secrets" 2>/dev/null | \
sed -nr "s/^[[:blank:]]*$name[[:blank:]]*:[[:blank:]]*([^[:blank:]]+).*$/\1/p" | \
xargs oathtool --totp --base32 )

[[ ${#code} -eq 6 ]] || error_exit "got invalid totp code"

echo "$code" | xsel
( sleep 15; xsel -c; echo "selection cleared";) &
echo "TOTP code is in primary selection, ready to paste. It will clear in 15 sec."
notify-send --icon=dialog-info --expire-time=15000 "$code" "This TOTP code is in the primary selection, ready to paste with a middle-click. \nIt will clear in 15 sec."
wait

exit

Last edited by johnraff (2020-01-17 07:52:17)


...elevator in the Brain Hotel, broken down but just as well...
( a boring Japan blog (currently paused), idle Twitterings and GitStuff )

Introduction to the Bunsenlabs Lithium Desktop
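As an added example (not code from rsc/2fa, nor from johnraff's script), here is a Go program covering both the README's description of TOTP/HOTP codes and the script's secrets-file format: it reads a constructed "name:secret" file the way the sed expression does, decodes the base32 key the way 2fa does (case-insensitive, A-Z and 2-7), and computes RFC 4226 HOTP and RFC 6238 TOTP codes with 6, 7 or 8 digits. The secret values are constructed; the key from the README example is reused only as sample input.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"math"
	"strings"
	"time"
)

// lookupSecret reads the script's "name:secret" format, tolerating blanks around both parts.
func lookupSecret(contents, name string) (string, bool) {
	for _, line := range strings.Split(contents, "\n") {
		kv := strings.SplitN(line, ":", 2)
		if len(kv) == 2 && strings.TrimSpace(kv[0]) == name {
			if f := strings.Fields(kv[1]); len(f) > 0 {
				return f[0], true
			}
		}
	}
	return "", false
}

// decodeKey accepts a key as 2fa does: case-insensitive base32 (A-Z, 2-7),
// ignoring spaces and any '=' padding.
func decodeKey(secret string) ([]byte, error) {
	s := strings.TrimRight(strings.ToUpper(strings.ReplaceAll(secret, " ", "")), "=")
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// hotp is RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation,
// then the low 6, 7 or 8 decimal digits (2fa's default and its -7/-8 flags).
func hotp(key []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	v := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, v%uint32(math.Pow10(digits)))
}

// totp is RFC 6238: the counter is 30-second steps since the Unix epoch (hence the clock matters).
func totp(key []byte, t time.Time, digits int) string {
	return hotp(key, uint64(t.Unix())/30, digits)
}
```

Calling totp(key, time.Now(), 6) on the key looked up for "github" yields the same code 2fa prints for that key at that moment; the RFC test vectors (key "12345678901234567890") reproduce the published HOTP and TOTP values.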


#6 2020-01-17 14:20:05

clusterF
Member
Registered: 2019-05-07
Posts: 539

Re: 2fa on the terminal

Hi John, just trying your script now and getting this error. Not sure how the secret should be formatted?

.local/bin/j2fa.sh error: got invalid totp code

My gpg secret file looks like this; the numbers below are just an example of course.

github:10101010101010

Sorry, never mind, this needs to be done via gnome-keyring, something I'm not familiar with and don't have installed.

What I've done with the 2fa golang version is hold it on an encrypted USB drive now, and I can just softlink it to $HOME when and if I need to.

Last edited by clusterF (2020-01-17 14:28:15)


#7 2020-01-18 04:09:48

johnraff
nullglob
From: Nagoya, Japan
Registered: 2015-09-09
Posts: 6,936

Re: 2fa on the terminal

gnome-keyring comes with BL by default. Did you remove it?
But never mind, if you've got it working as you want.



#8 2020-01-18 07:13:56

clusterF
Member
Registered: 2019-05-07
Posts: 539

Re: 2fa on the terminal

johnraff wrote:

gnome-keyring comes with BL by default. Did you remove it?
But never mind, if you've got it working as you want.

Thanks for the info in that script, I might give it a go another time; I just keep bunsenlabs on a live USB stick with persistence for data rescue at the moment. I don't have a need for the gnome-keyring on my daily driver and other dual boots.
I've been interested in the go language for a little while, so this is more of a learning experience I thought I would share here. It seems to be working ok.
