
I manage a server with two-factor authentication. I have to use the Google Authenticator iPhone app to get the 6-digit verification code to enter after entering the normal server password. The setup is described here: http://www.mnxsolutions.com/security/two-factor-ssh-with-google-authenticator.html

I would like a way to get the verification code using just my laptop and not from my iPhone. There must be a way to seed a command-line app that generates these verification codes and gives you the code for the current 30-second window.

Is there a program that can do this?

dan

8 Answers


Yes, oathtool can do this. You'll need to seed it with the shared secret from your server.

You can install it from the oath-toolkit package.

Example usage to generate same code as google authenticator and authy:

oathtool -b --totp 'N3V3R G0nn4 G1v3 Y0u Up'
Paul
EEAA
  • Is this compatible with the Google Authenticator PAM module? It seems like a different (though functionally equivalent) beast... – voretaq7 Jul 01 '13 at 16:31
  • 2
    Yep - with the `--totp` flag, it implements the same standards-compliant TOTP alg that Google Authenticator does. – EEAA Jul 01 '13 at 16:37
  • 2
    It's `oathtool`. In many cases you need both `--totp` and `-b` flag (base32 decoding) – Zouppen Feb 05 '16 at 13:51
  • 2
    FWIW, I wrote a shell wrapper for oathtool that is functionally equivalent to Authy on the CLI: https://github.com/poolpog/bash-otp – JDS Nov 02 '16 at 17:21
  • FWIW: I wrote a C-wrapper which uses `libpam-google-authenticator` to verify tokens. See https://github.com/hilbix/google-auth - in the README there is function `checktotp` shown. Just remove the `| fgrep -qx "$1";` to see the tokens. – Tino Jun 29 '17 at 10:29
  • Just to add, if you need the Centos RPM, it's `oathtool` – Ralph Bolton Nov 12 '21 at 12:20

There is also a go implementation on github at https://github.com/pcarrier/gauth

This one uses a config file ~/.config/gauth.csv to store the tokens in the following format:

me@gmail.com: abcd efg hijk lmno
aws-account: mygauthtoken

And the output is rather friendly too:

$ gauth
           prev   curr   next
AWS        315306 135387 483601
Airbnb     563728 339206 904549
Google     453564 477615 356846
Github     911264 548790 784099
[=======                      ]
Adam Terrey
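As an added illustration (not code from oathtool, gauth or any other tool mentioned on this page), this is the computation that `oathtool -b --totp`, Google Authenticator and gauth all perform: RFC 6238 TOTP over a base32 secret, including the prev/curr/next window that gauth prints. The secret in the demo is the RFC 6238 test key "12345678901234567890" in base32, not a real account.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def decode_base32_secret(secret: str) -> bytes:
    """Decode a Google Authenticator style base32 secret.

    Spaces and lowercase are tolerated and '=' padding is restored,
    which is the same tolerance oathtool -b and the phone apps offer."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    at = int(time.time()) if at is None else at
    return hotp(decode_base32_secret(secret), at // step, digits)


def totp_window(secret: str, at: Optional[int] = None, step: int = 30) -> dict:
    """Codes for the previous, current and next 30-second window, as gauth shows them."""
    at = int(time.time()) if at is None else at
    return {name: totp(secret, at + k * step, step)
            for name, k in (("prev", -1), ("curr", 0), ("next", 1))}


def seconds_left(at: Optional[int] = None, step: int = 30) -> int:
    """How long the current code stays valid (gauth draws this as a progress bar)."""
    at = int(time.time()) if at is None else at
    return step - at % step


if __name__ == "__main__":
    # Constructed demo secret: the RFC 6238 test key, base32-encoded and spaced like the apps show it.
    DEMO_SECRET = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"
    print(totp(DEMO_SECRET), "valid for", seconds_left(), "more seconds")
```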

There are many 3rd-party Authenticator implementations. Check out the list on the Wikipedia page. For instance, you may be able to use onetimepass (which is written in Python) for command-line usage.


As far as I'm aware Google only releases the Authenticator application for phones (iOS, Android).
(This poses a problem for paranoid folks like me, who don't really trust Google's history of discontinuing services with little notice, and would prefer a token generator we can see inside of.)

You could consider other alternatives, like a one-time password pad system.
Honestly, getting the verification code from your laptop kind of defeats the two-factor authentication aspect (anyone who captures the laptop now has the code generator - that's part of what Authenticator is supposed to protect against).

voretaq7
  • I agree with the sentiment that a separate device is fundamentally necessary for 2FA. However, could that secondary device be a *remote* server? – Jerry Jul 23 '17 at 14:19
  • 1
    Storing your TOTP secret on your laptop instead of your phone is still much, much better than no TOTP at all if you don't store your password on your laptop (e.g., in your browser's password agent). MITM attackers (such as key loggers) do not have access to the TOTP secret, just the time-based code, and so capture auth info good only for a minute or two. A stolen laptop has the TOTP secret, but not the password. (You'll need to use a weaker password to make it memorable, but that's ok with TOTP.) Making attackers both sniff the password _and_ steal the secret complicates their task. – cjs Apr 23 '18 at 03:56
  • One more note: TOTP as practised is technically not two-factor auth in the strictest sense, because both the password and the TOTP secret are "something you know." Either can be copied without the owner's knowledge of the loss of secrecy. – cjs Apr 23 '18 at 03:58

You could try http://soundly.me/oathplus

This is a tool I developed on top of the venerable oathtool, that lets you read QR codes, and stash OTP account info for later use. You can think of it as Google Authenticator for the command-line, since it can download and read QR codes, and consume otpauth:// URIs. (OSX only atm.)

jar
A Windows command-line gauth.exe is here: https://github.com/moshahmed/gauth/
It is a fork of https://github.com/pcarrier/gauth that compiles on Windows 7.

$ cd ~/.ssh
$ cat gauth.mfa
    test,ABC

# Encrypt gauth.mfa to gauth.ssl
$ openssl enc -aes-128-cbc -md sha256 -in gauth.mfa -out gauth.ssl
    password=xxx
# Decrypt gauth.ssl and edit gauth.mfa
$ openssl enc -aes-128-cbc -md sha256 -d -in gauth.ssl -out gauth.mfa
    password=xxx

# Get the 2fa code
$ go run gauth.go [tes] [$HOME/.ssh/gauth.ssl]
|   pass:xxx
|   2FA    Name
|   129079 test
# Print qrcode.txt on console as a scannable image
  $ pip install qrcode
  $ qr "otpauth://totp/Example:mosh@mosh.com?secret=XYZ&issuer=SOMEONE"
    [qrcode printed on Console]
# Convert text to png image, from https://github.com/miyako/console-qrencode
  $ waqrencode -t png -i mfa.txt -o mfa.png
# Convert qrcode.jpg image to string
  $ zbarimg qrcode.jpg
mosh

If you're using Python, there are packages available in pip with CLI frontends.


Here is a hacky one: https://github.com/bjurga/DeOtp

It's a stripped-down GoogleAuthenticator with a nice "Windows integration" idea. The git project is very new and obviously requires cosmetic improvements, but it works fine so far.

bjoster
Guest