@HendrikPetertje
Last active September 27, 2018 13:07
Setting up time-based authenticator in your terminal

Want to try Google auth without having the app on your phone, using your CLI instead? Sure!

making it easy

Begin by adding this fun alias to your ~/.bashrc. That way, executing this bit of fun will be easier. Use single quotes: with backticks the shell would run the script while defining the alias.

alias google_auth='sudo ~/.auth/google.sh'

Turn your auth-seed into something safer

Google will provide you with an authenticator seed key. This is the key used to calculate future time-keys. Google will show you a QR code by default; opt instead to see the key as text. Execute the command below in your console, replacing the code with the key you received. You can replace -aes256 with any cipher you want.

$> echo code-from-google-auth-setup | openssl enc -aes256 -a -nosalt

Once issued, it will ask you to provide a secret password. This is just extra security for later (let's not store your authenticator secret in cleartext). Make sure to open ~/.bash_history or ~/.zsh_history afterward and remove the history record of the above command!

Keep the screen that has the encrypted key on it somewhere. I encrypted the word "hello" using the password "yolo" and got this funny key:

ruX1e8WwbhfvmqhDAyevUA==

putting it all in place

Create a new file, for example ~/.auth/google.sh, and open it in your favorite code editor. Then give it content like the below (make sure to use the same cipher):

#!/bin/bash
# bash rather than sh: `read -s` is not part of POSIX sh
# Set key to decrypt, change this to the key you generated earlier
encrypted="ruX1e8WwbhfvmqhDAyevUA=="

# Prompt for decryption key (-s: no echo, -r: keep backslashes literal)
printf "decryption key:"
read -r -s password

# Decrypt encrypted key (same cipher and options as when encrypting)
decrypted=$(echo "$encrypted" | openssl enc -d -aes256 -a -nosalt -k "$password")

# Generate timecode
code=$(oathtool --totp -b -d 6 "$decrypted")
echo
echo "$code"
echo "$code" | pbcopy

# Unset decrypted key and password
decrypted=
password=

Before anything else, we need to make this file just a tad safer. Execute the following commands:

sudo chown root ~/.auth/google.sh
sudo chmod 700 ~/.auth/google.sh

Now the file is owned by root and can only be read, edited and executed by root (via sudo).

Testing it out

Close your terminal and open a new one. Then execute the following command:

$> google_auth

  1. You should first provide your system sudo password
  2. Then you provide the secret password you made in step 1
  3. Tadaa, you now have the time-key on your screen and on your clipboard!