blog.headdesk.me

Use oathtool to generate 2FA code

Posted on 2020/08/30 (updated 2022/04/20)

In this example, I’ll use oathtool on Ubuntu to generate 2FA codes for MFA authentication against AWS.

Install oathtool

On the client machine, install oathtool:

apt install oathtool

Enable MFA on AWS

On AWS, pick an IAM user and enable MFA.

Here, AWS can show the private key (the TOTP secret key) either as a QR code or as a string. Choose the second option by clicking the “Show secret key” link.

Use oathtool to generate two MFA codes, 30 seconds apart:

oathtool -b --totp 'xxxxxxxxxxxxxxxxxxxxxxxx'
sleep 30
oathtool -b --totp 'xxxxxxxxxxxxxxxxxxxxxxxx'

Enter the 2 codes into the MFA code textbox, then click “Assign MFA”.

The next time the IAM user logs into AWS, it will be prompted for the MFA code. Generate a new one using the same command shown above, just like using any hardware or software token.

Secure the private key

Now it is important to secure the private key. Otherwise, why use MFA? One can use gpg and wrap the commands in a script.

Another way is to put the oathtool command into a bash script and compile it into a binary. It’s not secure, but it is easy to do. It’s better to have some security rather than none. First, create a simple script for oathtool:

#!/bin/bash
# Print the current TOTP code for the base32-encoded secret
oathtool -b --totp 'xxxxxxxxx'

Then compile it with shc. One can then run aws-oath to generate the MFA code.

shc -f aws-oath.sh -o aws-oath
rm -f aws-oath.sh
./aws-oath
420728
