Terminal Based Multi-Factor Authentication Token

Overview

More and more sites now offer Multi-Factor Authentication (MFA) using soft-token applications such as Google Authenticator or AWS Virtual MFA. Some websites that now support MFA are Google Apps, AWS, Dropbox, etc…

Here we will go over setting up a token-generating app in a terminal. This saves me digging my phone out every time I log into something that has MFA enabled. With only a couple of MFA-enabled sites it isn’t too bad, but past ten you start looking for your phone pretty regularly.

Dependencies and installation

To do this you will need an MFA-enabled account and to install http://www.nongnu.org/oath-toolkit/. You will likely also need a QR code reader on your phone such as QR Barcode Scanner, or a command line utility like libdecodeqr-simpletest, to decode the key from the QR code.

Ubuntu

$ sudo apt-get install oathtool
## Optional qrcode reader util
$ sudo apt-get install libdecodeqr-examples

OSX

Installation may be supported by brew, fink, macports, or other things, but following are instructions for installing from source on OS X Sarah Pal^H^H^H^H^HMavericks. (It is left to the reader to ensure the signature verifies and to substitute up to date version numbers where applicable):

$ curl http://download.savannah.gnu.org/releases/oath-toolkit/oath-toolkit-2.4.1.tar.gz | tar zxf -
$ cd oath-toolkit-2.4.1
## disable here or figure out how to install XMLSec
$ ./configure --disable-pskc
$ make -j5
$ make check ## I got failures but it worked to generate tokens
$ sudo make install
$ oathtool -h

Enable MFA Somewhere

Now we’ll walk through enabling MFA in an AWS IAM Account.

Enabling MFA in AWS

Login to your console

  • Go to the IAM service (/iam/home once logged in)
  • Then click users
  • Select your user
  • Select the “Security Credentials” tab
  • Click “Manage MFA Device”
  • Select “A virtual MFA device”
  • Click continue
  • Read the warning and click continue

At this point a QR code appears, with two fields in which to enter two consecutive codes. We want to add it to our phone’s MFA Virtual Token app and also to our aliases so we can generate codes in our terminal…

Take a screenshot of the image; you can toss it once you’ve extracted the key. You can also use it to add more tokens and other devices later.

  • Use your phone app to add it to your Virtual MFA app by scanning the QR code (repeat if necessary)
  • Use QR Barcode Scanner to extract the key and save it as a text file.
  • Alternatively you can use the libdecodeqr-simpletest utility installed with libdecodeqr-examples, which should look something like this:

$ libdecodeqr-simpletest ~/AeroFS/totp-qr-code/cjp-aws-k-totp.png
libdecodeqr version 0.9.3 ($Rev: 42 $)
STATUS=2000
otpauth://totp/me@myaws?secret=LALSKDJAOSFDADS3K5SADFHAKDSJNAKSDJN2OISD7USODIF33SOCVISOIVDVOID4

  • Note the secret in the output above; you will need it shortly
  • You can now enter two consecutive codes from your Virtual MFA Token app on your phone.
  • Click “Continue”
  • Click “Finish”

Testing token generation on the command line

We can run oathtool with the secret key we extracted from the QR Code above.

$ oathtool --totp --base32 LALSKDJAOSFDADS3K5SADFHAKDSJNAKSDJN2OISD7USODIF33SOCVISOIVDVOID4

NB: Sometimes the secret key is provided with spaces, like so: `sadq 3ine dsfs 4scw kmw2 ohac q4m4 h2vw`. In this case we’ll need to quote it, like this:

$ oathtool --totp --base32 "sadq 3ine dsfs 4scw kmw2 ohac q4m4 h2vw"

You may wish to compare the tokens generated here with those on your phone, or perhaps you’d like to log out and log back in to test it. Your choice.
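To see what oathtool is actually computing from that secret (and why the spaced form is just cosmetic), here is an added example, not code from the page or from oath-toolkit, that parses the otpauth:// URI printed by libdecodeqr-simpletest above, normalises the base32 key, and generates and verifies RFC 6238 TOTP codes. The verify() function with a skew window is the server-side view and is an assumption of this example, not something the page describes.

```python
"""Added example: TOTP as produced by `oathtool --totp --base32`.

RFC 6238 with HMAC-SHA1, a 30 second step and 6 digits, over a
base32 secret taken either from a pasted key or an otpauth:// URI.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def normalize_base32(secret: str) -> str:
    """Drop the spaces some sites put in the key, upper-case it, and
    restore the '=' padding that base64.b32decode requires."""
    s = "".join(secret.split()).upper()
    return s + "=" * (-len(s) % 8)


def parse_otpauth(uri: str) -> dict:
    """Pull the label and secret out of otpauth://totp/<label>?secret=..."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    return {"label": unquote(u.path.lstrip("/")), "secret": q["secret"][0]}


def totp(secret: str, now: int, step: int = 30, digits: int = 6) -> str:
    """HOTP over the current time step with RFC 4226 dynamic truncation."""
    key = base64.b32decode(normalize_base32(secret))
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret: str, code: str, now: int, window: int = 1) -> bool:
    """Server-side check accepting +/- `window` steps of clock skew,
    compared in constant time (assumed policy, not from the page)."""
    return any(hmac.compare_digest(totp(secret, now + d * 30), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    # The spaced key from the page, quoted exactly as oathtool needs it.
    print(totp("sadq 3ine dsfs 4scw kmw2 ohac q4m4 h2vw", int(time.time())))
```

The test values below are the RFC 6238 Appendix B vectors (ASCII secret "12345678901234567890" in base32), so the output can be checked against the RFC rather than a phone.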

Adding an alias for the command in ~/.bashrc

NB: setting appropriate permissions on, and otherwise protecting, the file that contains the aliases is an exercise left to the reader!!

In $HOME/.bashrc add an entry like this

alias myawsotp='oathtool --totp --base32 LALSKDJAOSFDADS3K5SADFHAKDSJNAKSDJN2OISD7USODIF33SOCVISOIVDVOID4'

In the case that there are spaces in the key, something like this:

alias myawsotp='oathtool --totp --base32 "sadq 3ine dsfs 4scw kmw2 ohac q4m4 h2vw"'

Source your .bashrc and you should be ready to go:

$ source ~/.bashrc
$ myawsotp
109345

Additional Notes

Extracting from Google Authenticator or AWS Virtual MFA

I tried pulling my previous keys out of Google Authenticator and AWS Virtual MFA, but couldn’t get them out of Google Authenticator at all. I did manage to get them out of AWS Virtual MFA. See this page for 3 methods to try to get GA out.

I did manage to get keys from AWS Virtual MFA by creating a backup then extracting the DB out from there like so:

Install some utilities:

$ sudo add-apt-repository ppa:nilarimogard/webupd8
$ sudo apt-get update
$ sudo apt-get install android-tools-adb android-tools-fastboot

Create a backup:

## creates a backup called backup.ab
$ adb backup -noapk -noshared -all -nosystem

Then build the android-backup-extractor somewhere:

$ git clone git@github.com:nelenkov/android-backup-extractor.git
$ cd android-backup-extractor/lib
$ curl http://downloads.bouncycastle.org/java/bcprov-jdk15on-148.jar -O
$ cd ..
$ sudo apt-get install ant
$ ant
$ sudo apt-get purge ant
$ sudo apt-get autoremove

Now we can use it to unpack the backup:

$ java -jar ~/java/android-backup-extractor/abe.jar unpack backup.ab backup.tar  <password/code>
$ sqlite3 dbs/com.google.android.apps.docs/f/fileinternal/<your_hash_here>/DB
sqlite> .headers
sqlite> select * from accounts;

And it will squirt out your entries which you can then use like we did above.