Pick Our Brain

Open Source Contributions + Knowledge Sharing = Better World

    Terminal Based Multi-Factor Authentication Token

    Overview

    More and more sites now offer Multi-Factor Authentication (MFA) using soft-token applications such as Google Authenticator or AWS Virtual MFA. Some websites that now support MFA are Google Apps, AWS, Dropbox, etc…

    Here we will go over setting up a token-generating app in a terminal. This saves me digging my phone out every time I log into something that has MFA enabled. With only a couple of MFA-enabled sites it isn’t too bad, but pass ten and you start looking for your phone pretty regularly.

    Dependencies and installation 

    To do this you will need to enable MFA on an account and to install the OATH Toolkit (http://www.nongnu.org/oath-toolkit/). You will likely also need a QR-code reader on your phone, such as QR Barcode Scanner, or a command-line utility like libdecodeqr-simpletest to decode the key from the QR code.

    Ubuntu

    $ sudo apt-get install oathtool
    ## Optional qrcode reader util
    $ sudo apt-get install libdecodeqr-examples

    OSX

    Installation may be supported by brew, fink, macports, or other things, but the following are instructions for installing from source on OS X Sarah Pal^H^H^H^H^HMavericks. (It is left to the reader to ensure the signature verifies and to substitute up-to-date version numbers where applicable):

    $ curl http://download.savannah.gnu.org/releases/oath-toolkit/oath-toolkit-2.4.1.tar.gz | tar zxf -
    $ cd oath-toolkit-2.4.1
    ## disable here or figure out how to install XMLSec
    $ ./configure --disable-pskc
    $ make -j5
    $ make check ## I got failures but it worked to generate tokens
    $ sudo make install
    $ oathtool -h

    Enable MFA Somewhere

    Now we’ll walk through enabling MFA in an AWS IAM Account.

    Enabling MFA in AWS

    Login to your console

    • Go to the IAM service (/iam/home once logged in)
    • Then click users
    • Select your user
    • Select the “Security Credentials” tab
    • Click “Manage MFA Device”
    • Select “A virtual MFA device”
    • Click continue
    • Read the warning and click continue

    At this point a QR code appears, with two fields in which to enter two consecutive authentication codes. We want to add it to our phone’s Virtual MFA token app and also add it to our aliases so we can generate codes in our terminal…

    Take a screenshot of the image; you can toss this once you’ve extracted the key. You can also use it to add more tablets and other devices later.

    • Use your phone app to add it to your Virtual MFA app by scanning the QR code; repeat if necessary
    • Use the QR Barcode Scanner to extract the key and save it as a text file.
    • Alternatively you can use the libdecodeqr-simpletest utility installed with libdecodeqr-examples which should look something like this:
    $ libdecodeqr-simpletest ~/AeroFS/totp-qr-code/cjp-aws-k-totp.png
    libdecodeqr version 0.9.3 ($Rev: 42 $)
    STATUS=2000
    otpauth://totp/me@myaws?secret=LALSKDJAOSFDADS3K5SADFHAKDSJNAKSDJN2OISD7USODIF33SOCVISOIVDVOID4
    • Note the secret in the output above; you will need it shortly
    • You can now enter two consecutive codes from your Virtual MFA token app on your phone
    • Click “Continue”
    • Click “Finish”


    Testing token generation on the command line

    We can run oathtool with the secret key we extracted from the QR Code above.

    $ oathtool --totp --base32 LALSKDJAOSFDADS3K5SADFHAKDSJNAKSDJN2OISD7USODIF33SOCVISOIVDVOID4

    NB: Sometimes the secret key is provided with spaces, like so: `sadq 3ine dsfs 4scw kmw2 ohac q4m4 h2vw`. In this case we’ll need to quote it, like this:

    $ oathtool --totp --base32 "sadq 3ine dsfs 4scw kmw2 ohac q4m4 h2vw"

    You may wish to compare the tokens generated here with those on your phone, or perhaps log out and log back in to test it. Your choice.
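    As an added illustration (not part of the original post), here is what `oathtool --totp --base32` computes under the hood: the RFC 6238 TOTP algorithm in Python, including the secret normalization that makes the spaced, lower-case form above work, a parser for the `otpauth://totp/...` URI that libdecodeqr-simpletest prints, and a drift-tolerant verifier of the kind the server side runs. The otpauth URI and label in the code are constructed; the secret is the RFC 6238 test key, not a real one.

```python
import base64
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse


def normalize_base32(secret: str) -> bytes:
    """Decode a base32 secret the way oathtool --base32 accepts it: embedded
    spaces and lower case are tolerated and missing '=' padding is restored."""
    cleaned = "".join(secret.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def parse_otpauth(uri: str) -> dict:
    """Pull label, secret and optional digits/period out of an otpauth URI
    such as otpauth://totp/me@myaws?secret=... (constructed example)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return {
        "label": parsed.path.lstrip("/"),
        "secret": normalize_base32(params["secret"]),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then reduce modulo 10^digits and zero-pad."""
    mac = hmac.new(key, struct.pack(">Q", counter), "sha1").digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: Optional[int] = None, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    now = int(time.time()) if at is None else at
    return hotp(key, now // period, digits)


def verify(key: bytes, code: str, at: int, window: int = 1, period: int = 30) -> bool:
    """Server-side check: accept the current step plus `window` steps either
    side to tolerate clock drift, comparing each candidate in constant time."""
    step = at // period
    return any(hmac.compare_digest(hotp(key, step + d), code)
               for d in range(-window, window + 1))
```

The RFC 6238 test key `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ` at Unix time 59 yields 287082, which is also what `oathtool --totp --base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ -N "1970-01-01 00:00:59 UTC"` prints, so you can cross-check the two.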

    Adding an alias for the command in ~/.bashrc

    NB: setting appropriate permissions and protecting the file with the aliases in it is an exercise left to the reader!!
     

    In $HOME/.bashrc add an entry like this:

    alias myawsotp='oathtool --totp --base32 LALSKDJAOSFDADS3K5SADFHAKDSJNAKSDJN2OISD7USODIF33SOCVISOIVDVOID4'

    If the secret contains spaces, then something like this:

    alias myawsotp='oathtool --totp --base32 "sadq 3ine dsfs 4scw kmw2 ohac q4m4 h2vw"'

    Source your .bashrc and you should be ready to go:

    $ source ~/.bashrc
    $ myawsotp
    109345

    Additional Notes

    Extracting from Google Authenticator or AWS Virtual MFA 

    I tried pulling my previous keys out of Google Authenticator and AWS Virtual MFA, but couldn’t get them out of Google Authenticator at all. I did manage to get them out of AWS Virtual MFA. See this page for 3 methods to try to get GA out.

    I did manage to get keys from AWS Virtual MFA by creating a backup then extracting the DB out from there like so:

    Install some utilities:

    $ sudo add-apt-repository ppa:nilarimogard/webupd8
    $ sudo apt-get update
    $ sudo apt-get install android-tools-adb android-tools-fastboot

    Create a backup:

    ## creates a backup called backup.ab
    $ adb backup -noapk -noshared -all -nosystem

    Then build the android-backup-extractor somewhere:

    $ git clone git@github.com:nelenkov/android-backup-extractor.git
    $ cd android-backup-extractor/lib
    $ curl http://downloads.bouncycastle.org/java/bcprov-jdk15on-148.jar -O
    $ cd ..
    $ sudo apt-get install ant
    $ ant
    $ sudo apt-get purge ant
    $ sudo apt-get autoremove

    Now we can use it to unpack the backup:

    $ java -jar ~/java/android-backup-extractor/abe.jar unpack backup.ab backup.tar  <password/code>
    $ sqlite3 dbs/com.google.android.apps.docs/f/fileinternal/<your_hash_here>/DB
    sqlite> .headers on
    sqlite> select * from accounts;

    And it will squirt out your entries, which you can then use as we did above.
