oath-toolkit-help

Re: [OATH-Toolkit-help] /usr/local/bin/oathtool -- python script


From: Andrew McGlashan
Subject: Re: [OATH-Toolkit-help] /usr/local/bin/oathtool -- python script
Date: Tue, 18 Sep 2012 06:00:15 +1000
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20120907 Thunderbird/15.0.1

Hi Simon,

Bring on two factor auth ;)

On 17/09/2012 4:24 PM, Simon Josefsson wrote:
> Andrew McGlashan <address@hidden> writes:
> 
>> Hi Simon,
>>
>> Considering your blog post here:
>> http://www.advogato.org/person/jas/diary.html?start=31
>>
>> I thought you might be interested in the python script I created for
>> this task.
>>
>> http://ix.io/30h/py
>>
>> The script will look for the "service" files in the $HOME/.totp/
>> directory (for the user running the script).
>>
>> The .totp directory must be readable only by the user, ie have
>> permissions of 0700 ... each file in the directory will have the secret
>> used for the TOTP process (the secret does not need to be padded) as the
>> script will auto-pad as needed.
>>
>>
>> Use like this:
>>
>> oathtool --help
>> oathtool --service google
>> oathtool -s dropbox -v
> 
> Hi!  Nice indeed, would you mind posting your announcement to the
> address@hidden list?  I'd consider supporting the same
> interface, although I would prefer to put the secret under ~/.config and
> to use either a file naming convention or a file format that would
> support different algorithms (HOTP vs TOTP, TOTP with different
> parameters etc).  Maybe we could have some on-list discussion about it,
> I suspect others are interested in your work and hoping they might add
> something useful to the discussion.
> 
> Having an enrollment service would be nice, i.e., 'oathtool --register
> dropbox' that would take a secret and add it to the local store.
> 
> /Simon

I've got a much improved script [1] now, but it relies on having the
gnupg module set up for Python.

If you give an interval, it uses HOTP.  There is a single parameter file
that can set things -- command line options (if used) will override conf
file settings.

The secret can be stored in the conf file as plain text, or you can use a
reference to a gpg-encrypted secret file.


Here is a sample conf file:

$ cat /home/andrewm/.oathtool.conf
[google]
#secret = AAAABBBBCCCCDDDD
#digits = 8
secretfile = google.gpg

[dropbox]
#secret = AAAABBBBCCCCDDDDEEEEFFFFGG
secretfile = dropbox.gpg


You can now specify the number of digits, either in the conf file or as
a command line option too.

Haven't got anything for registering a service yet.



If people use the KeePass 2.x version, then they can also use a plugin [2]
for TOTP which allows a choice of 6 or 8 digits (7 is not there, but going
greater than 6 digits just adds numbers to the left whilst keeping the
first 6 unchanged).

KeePass also has a QR plugin [3], which is handy too when using the URI
[4] for a TOTP setup.


Cheers

[1] http://ix.io/30X/py
[2] http://keepass.info/plugins.html#keeotp
[3] http://keepass.info/plugins.html#qrcodegen

[4] otpauth://totp/address@hidden

-- 
Kind Regards
AndrewM

Andrew McGlashan
Broadband Solutions now including VoIP

Current Land Line No: 03 9012 2102
Mobile: 04 2574 1827 Fax: 03 9012 2178

National No: 1300 85 3804

Affinity Vision Australia Pty Ltd
http://affinityvision.com.au
http://securemywireless.com.au
http://adsl2choice.net.au

In Case of Emergency --  http://affinityvision.com.au/ice.html


