
Use oathtool Linux command line for two step verification (2FA)


I don't want to use Google Authenticator or the Authy app that generates 2 step verification (2FA) codes on my iOS/Android phone. Is there any way I can produce 2FA codes from the Linux command line for popular sites such as Gmail, Twitter, Facebook, Amazon and more?

The mobile apps generate secure 2 step verification codes to protect your online accounts from hackers. You get an additional layer of security. Along with your password, you need to enter a 2FA code for each login. This page explains how to use oathtool OTPs (one-time passwords) on Linux to secure your Gmail and other online accounts. Instead of waiting for text messages, get verification codes for free from the oathtool Linux command.


How to install the oathtool Linux command line tool

oathtool is a command line tool for generating and validating OTPs, and gpg2 is an OpenPGP encryption and signing tool for encrypting the private keys used by oathtool. Type the commands as per your Linux distro to install the same.

Fedora Linux install oathtool

Open the terminal application and type the following dnf command:
$ sudo dnf install oathtool gnupg2

CentOS Linux/RHEL install oathtool

First enable the EPEL repo on RHEL or CentOS 7 and run the following yum command:
$ sudo yum install oathtool gnupg2

Debian/Ubuntu Linux install oathtool

Simply use the apt command or apt-get command to install the same:
$ sudo apt update
$ sudo apt upgrade
$ sudo apt install oathtool gnupg2

SUSE/OpenSUSE Linux install oathtool

Simply run the following zypper command:
$ sudo zypper ref
$ sudo zypper in oath-toolkit gpg2

Linux 2 step verification (2FA) using oathtool

The syntax to generate totp is as follows:
oathtool -b --totp 'private_key'
Typically the private_key is displayed only once, when you enable 2FA with online services such as Google/Gmail, Twitter, Facebook, Amazon, bank accounts and so on. You must keep the private_key secret and never share it with anyone. Here is a sample session that creates a code for my Twitter account.
$ oathtool -b --totp 'N3V3R G0nn4 G1v3 Y0u Up'
Sample outputs:

944092
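
What a command such as oathtool -b --totp computes, written out as an added example (not code from the original article or from oath-toolkit): RFC 6238 TOTP with HMAC-SHA1, a 30 second step and 6 digits. The names decode_secret, totp, seconds_left and SAMPLE are assumptions of this example, and the key is the public RFC 6238 test key, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_secret(secret: str) -> bytes:
    """Decode a base32 secret written as sites display it:
    grouped with spaces, lower case, '=' padding stripped."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped padding
    return base64.b32decode(cleaned)      # raises on characters outside A-Z2-7


def totp(secret: str, now=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP using HMAC-SHA1."""
    key = decode_secret(secret)
    if now is None:
        now = time.time()
    counter = int(now) // step            # whole time steps since the Unix epoch
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F               # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)  # keep leading zeros


def seconds_left(now=None, step: int = 30) -> int:
    """Seconds until the clock moves into the next time step."""
    if now is None:
        now = time.time()
    return step - int(now) % step


# Constructed sample: the RFC 6238 test key "12345678901234567890" in base32,
# grouped and lower-cased like the secrets shown during 2FA enrolment.
SAMPLE = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"

if __name__ == "__main__":
    print(totp(SAMPLE), f"(next code in {seconds_left()} seconds)")
```

Because the code depends only on the secret and the clock, a wrong system time produces codes the service rejects, and anyone who obtains the secret can generate the same codes.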

How to generate Two-Factor authentication code from your Linux CLI

Generate a new key pair for encryption if you don't have a gpg key, run:
$ gpg2 --full-gen-key
Next, create some directories and helper scripts:
$ mkdir ~/.2fa/
$ cd ~/.2fa/
You can list GPG keys including GnuPG user id and key id, run:
$ gpg --list-secret-keys --keyid-format LONG

Shell script helper script to encrypt the totp secret (keys)

Create a shell script named encrypt.key.sh:

#!/bin/bash
# Purpose: Encrypt the totp secret stored in $dir/$service/.key file
# Author: Vivek Gite https://www.cyberciti.biz/ under GPL v 2.x or above
# --------------------------------------------------------------------------
# Path to gpg2 binary
_gpg2="/usr/bin/gpg2"

## run: gpg --list-secret-keys --keyid-format LONG to get uid and kid ##
# GnuPG user id
uid="YOUR-EMAIL-ID"

# GnuPG key id
kid="YOUR-KEY"

# Directory that stores encrypted key for each service
dir="$HOME/.2fa"

# Now build CLI args
s="$1"
k="$dir/$s/.key"
kg="$k.gpg"

# failsafe stuff: each check prints its message and exits only when it fails
[ "$1" == "" ] && { echo "Usage: $0 service"; exit 1; }
[ ! -f "$k" ] && { echo "$0 - Error: $k file not found."; exit 2; }
[ -f "$kg" ] && { echo "$0 - Error: Encrypted file \"$kg\" exists."; exit 3; }

# Encrypt your service .key file, then remove the plain text copy
"$_gpg2" -u "$kid" -r "$uid" --encrypt "$k" && rm -i "$k"

Shell script helper script to decrypt the totp secret and generate 2FA code

Create a shell script named decrypt.key.sh:

#!/bin/bash
# Purpose: Display 2FA code on screen
# Author: Vivek Gite https://www.cyberciti.biz/ under GPL v 2.x or above
# --------------------------------------------------------------------------
# Path to gpg2 binary
_gpg2="/usr/bin/gpg2"
_oathtool="/usr/bin/oathtool"

## run: gpg --list-secret-keys --keyid-format LONG to get uid and kid ##
# GnuPG user id
uid="YOUR-EMAIL-ID"

# GnuPG key id
kid="YOUR-KEY"

# Directory
dir="$HOME/.2fa"

# Build CLI arg
s="$1"
k="$dir/$s/.key"
kg="$k.gpg"

# failsafe stuff: each check prints its message and exits only when it fails
[ "$1" == "" ] && { echo "Usage: $0 service"; exit 1; }
[ ! -f "$kg" ] && { echo "Error: Encrypted file $kg not found."; exit 2; }

# Get totp secret for given service
totp=$("$_gpg2" --quiet -u "$kid" -r "$uid" --decrypt "$kg")

# Generate 2FA totp code and display on screen
echo "Your code for $s is ..."
"$_oathtool" -b --totp "$totp"

# Make sure we don't have .key file in plain text format ever #
[ -f "$k" ] && echo "Warning - Plain text key file \"$k\" found."

2FA using oathtool in the Linux command line for Gmail account

Let us see a complete example for a Google/Gmail account. To enable 2FA, visit the following URL and log in:
https://www.google.com/landing/2step/
Go to 2-Step Verification > Get Started.
You will need to verify your mobile phone number. Once verified, scroll down and choose Authenticator app.
What kind of phone do you have? Choose iPhone or Android, as we are going to use our CLI app, and click Next.
Make sure you click on "CAN'T SCAN IT" to see the totp secret key and copy it.
Cd into the ~/.2fa/ directory and run the following commands:
cd ~/.2fa/
### Step 1. create service directory ###
### vivek@gmail.com also acts as the service name for encrypt.key.sh ###
mkdir vivek@gmail.com
### Step 2. Store totp secret key ###
echo -n 'hilp zs6i c5qu bx7z akiz q75e wk5z z66b' > ~/.2fa/vivek@gmail.com/.key
Encrypt the totp secret key file named ~/.2fa/vivek@gmail.com/.key with gpg and password protect it for security and privacy reasons using our encrypt.key.sh helper script:
### Step 3. Secure totp secret key for service named vivek@gmail.com ###
./encrypt.key.sh vivek@gmail.com
Finally click on the Next button.
It is time to create your first 6-digit code using the oathtool command. However, we automated this process using the decrypt.key.sh shell script, which decrypts the totp secret and generates the 6-digit 2FA code. Simply run:
./decrypt.key.sh vivek@gmail.com
You need to type the gpg passphrase to unlock the secret key for the service named vivek@gmail.com.
Finally you will see the 6-digit code on screen.
Within 30 seconds you need to type the 330197 code and click on the verify button.
And you are done.

How to add another service

The syntax is pretty simple:

1. Log in to an online service such as Twitter, Facebook or your bank account and look for the Authenticator 2FA app option. For example, let us set up Twitter account 2FA using the Linux command line app.
2. Copy the totp secret from the Twitter account.
3. Create a new service directory: mkdir ~/.2fa/twitter.com/
4. Make a new .key file: echo -n 'your-twitter-totp-secret-key' > ~/.2fa/twitter.com/.key
5. Generate a new PGP encrypted file for security and privacy reasons: ~/.2fa/encrypt.key.sh twitter.com
6. Decrypt the totp secret and generate the 6-digit 2FA code when you need to log in to Twitter: ~/.2fa/decrypt.key.sh twitter.com

You can repeat the above process for any service that displays the totp secret along with the QR code.
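
Once several services are enrolled, the plain text check at the end of decrypt.key.sh can be run across the whole ~/.2fa/ tree at once. The following is an added example, not part of the original article: audit_2fa and build_sample are hypothetical names, the sample tree is constructed, and the permission checks are an extra assumption of this example rather than something the article prescribes.

```python
import os
import stat
import tempfile


def audit_2fa(root):
    """Return (service, finding) tuples for a ~/.2fa-style directory."""
    findings = []
    if stat.S_IMODE(os.stat(root).st_mode) & 0o077:
        findings.append((".", "directory accessible by group/others"))
    for service in sorted(os.listdir(root)):
        sdir = os.path.join(root, service)
        if not os.path.isdir(sdir):
            continue  # encrypt.key.sh and decrypt.key.sh sit beside the service dirs
        plain = os.path.join(sdir, ".key")
        enc = plain + ".gpg"
        if os.path.isfile(plain):
            findings.append((service, "plain text .key present"))
        if not os.path.isfile(enc):
            findings.append((service, "no .key.gpg"))
        elif stat.S_IMODE(os.stat(enc).st_mode) & 0o077:
            findings.append((service, ".key.gpg accessible by group/others"))
    return findings


def build_sample(root):
    """Constructed sample tree: one clean service, one with a leftover .key."""
    os.chmod(root, 0o700)
    for name, files in (("twitter.com", [".key.gpg"]),
                        ("vivek@gmail.com", [".key", ".key.gpg"])):
        os.mkdir(os.path.join(root, name), 0o700)
        for fname in files:
            path = os.path.join(root, name, fname)
            with open(path, "w") as fh:
                fh.write("constructed placeholder, not a real secret\n")
            os.chmod(path, 0o600)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for service, finding in audit_2fa(tmp):
            print(f"{service}: {finding}")
```

To check a real setup, call audit_2fa(os.path.expanduser("~/.2fa")) instead of using the sample tree.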

Conclusion

The main advantage of the Linux command line is that you can easily back up your ~/.2fa/ directory and keys. Your totp secrets/keys are always encrypted and password protected by gpg2. Mobile apps such as Google Authenticator usually do not allow you to sync or copy secrets/keys for security reasons. So if you lose your phone or switch phones, you would not be able to log in to the account. This setup is simple and easy to back up/restore as long as you remember your gpg2 passphrase. I strongly recommend that you enable full disk encryption (FDE) too. Next time I will show you how to use GUI apps for the same purpose. See the oathtool man page for more information.

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.
