blog.headdesk.me

Use oathtool to generate 2FA code

Posted on 2020/08/30, updated 2022/04/20

In this example, I’ll be using oathtool on Ubuntu to generate 2FA (TOTP) codes, and use them as the second factor for an IAM user’s access to AWS.

Install oathtool

On the client machine, install oathtool

apt install oathtool

Enable MFA on AWS

On AWS, pick an IAM user and enable MFA, choosing a virtual MFA device.

Here, AWS can show the secret either as a QR code or as a string. Use the second option: click the “Show secret key” link. Note that this is a shared secret (the seed both AWS and your token derive codes from), not a private key: anyone who obtains it can generate valid codes, so treat it like a password.

Use oathtool to generate two consecutive MFA codes (-b because AWS shows the secret base32-encoded; AWS asks for two codes in a row to confirm the token is in sync):

oathtool -b --totp 'xxxxxxxxxxxxxxxxxxxxxxxx'
sleep 30
oathtool -b --totp 'xxxxxxxxxxxxxxxxxxxxxxxx'

Enter the two codes, in order, into the MFA code 1 and MFA code 2 textboxes, then click “Assign MFA”.

The next time the IAM user logs into AWS, it will prompt for an MFA code; generate a fresh one with the same command shown above, just as you would read it off a hardware or software token. Because TOTP is time-based, the client’s clock must be accurate (keep NTP running): a code is only valid for the 30-second step it was generated for, plus whatever small skew AWS tolerates.

Secure the secret

Now it is important to secure the secret. Otherwise why MFA? A token secret sitting in plain text next to the access keys collapses the two factors back into one. One option is to encrypt it with gpg and wrap the decrypt-and-generate commands in a script.

Another way is to put the oathtool command into a bash script and compile it into a binary with shc. This is obfuscation, not protection: the secret is still embedded in the binary and can be recovered by anyone able to run or inspect it, so it only keeps the key out of casual view. It is easy to do, though, and some protection beats none. First, create a simple script for oathtool:

#!/bin/bash
oathtool -b --totp 'xxxxxxxxx'

Then compile it with shc, remove the plain-text script, and run aws-oath to generate the MFA code:

shc -f aws-oath.sh -o aws-oath
rm -f aws-oath.sh
./aws-oath
420728
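The gpg wrapper mentioned above, combined with the two-code enrollment step from the MFA section, as one script. This is an added example, not code from the original post; the file location, the choice of symmetric gpg encryption, the subcommand names and the helper names are my assumptions.

```bash
#!/bin/bash
# aws-mfa: keep the AWS virtual-MFA secret gpg-encrypted at rest and
# generate TOTP codes from it with oathtool. Added example; file location,
# subcommand names and the symmetric-gpg choice are assumptions.
#
#   aws-mfa enroll   read the base32 secret from the terminal, store it
#                    encrypted, then print the two consecutive codes the
#                    AWS "Assign MFA" form asks for
#   aws-mfa code     print the current code (what you type at login)
set -eu

SECRET_FILE="${AWS_MFA_SECRET_FILE:-${HOME:-.}/.config/aws-mfa/secret.gpg}"
STEP=30   # AWS virtual MFA: 30-second step, 6 digits (oathtool's defaults)

# AWS shows the secret as base32: A-Z, 2-7 and optional '=' padding.
# Reject anything else before it is encrypted, so a stray space or a
# lowercase paste is caught now rather than at the first login.
check_base32_secret() {
  case "$1" in
    '') return 1 ;;
    *[!ABCDEFGHIJKLMNOPQRSTUVWXYZ234567=]*) return 1 ;;
  esac
  return 0
}

# Seconds left in the current TOTP step for Unix time $1 (1..30).
seconds_to_next_step() {
  echo $(( STEP - $1 % STEP ))
}

# -w 1 makes oathtool print the current OTP and the one for the next
# step: exactly the consecutive pair the enrollment form wants.
two_codes() {
  oathtool -b --totp -w 1 "$1"
}

# Symmetric gpg (passphrase; gpg-agent caches it) so no keyring setup is
# needed. umask 077 keeps the ciphertext file owner-only; the plaintext
# secret never touches disk.
encrypt_secret() {
  mkdir -p "$(dirname "$SECRET_FILE")"
  chmod 700 "$(dirname "$SECRET_FILE")"
  ( umask 077 && printf '%s' "$1" |
      gpg --quiet --symmetric --cipher-algo AES256 --output "$SECRET_FILE" )
}

# Decrypt into memory and hand the secret to oathtool. It is visible in
# oathtool's argv for an instant to other users of the host, the same
# exposure the shc binary has; on a shared machine that is the remaining
# weak spot.
code() {
  oathtool -b --totp "$(gpg --quiet --decrypt "$SECRET_FILE")"
}

enroll() {
  printf 'Paste the secret shown under "Show secret key": '
  read -r -s secret
  echo
  check_base32_secret "$secret" || { echo 'not a base32 secret' >&2; exit 1; }
  encrypt_secret "$secret"
  # If the current step is nearly over, wait for the next one so the
  # first code has not expired by the time both are typed in.
  left=$(seconds_to_next_step "$(date +%s)")
  [ "$left" -ge 10 ] || sleep "$left"
  echo 'Enter these two codes, in order, as MFA code 1 and MFA code 2:'
  two_codes "$secret"
}

case "${1:-}" in
  enroll) enroll ;;
  code)   code ;;
  *)      echo "usage: $0 enroll|code" >&2 ;;
esac
```

Run `aws-mfa enroll` once while the AWS form is open, then `aws-mfa code` at each login; gpg prompts for the passphrase (or serves it from the agent cache), so the secret is only ever decrypted into memory, which is what the shc approach cannot offer.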

©2022 blog.headdesk.me | Powered by SuperbThemes & WordPress