
From: David Woodhouse
Subject: [OATH-Toolkit-help] Simple HOTP client for command line and client applications
Date: Tue, 18 Feb 2014 15:03:48 +0000

Hi,

My employer has just started deploying HOTP authentication in some
cases, and I'm working with them to get this working sanely on Linux.

I'm trying to use oath-toolkit but I'm missing something.

I'm looking for a simple command-line tool which will load a HOTP key
from a file, generate the passcode, then increment the counter in the
file.

It looks like I might be able to script it horribly, using 'pskctool -i'
to read the file and then manually converting the base64 secret key to
something I can feed to oathtool, then probably using xmlstarlet to
increment the counter in the file because AFAICT pskctool doesn't do
that.

But I can't help feeling that this is the *common* case and it ought to
exist already, so I must be missing something...

I'm also looking for a simple library function I can use to do exactly
the same thing — just a simple function to load a TOTP or HOTP key from
a file and use it, incrementing the counter if appropriate.

I maintain the OpenConnect VPN client, which currently has support for
TOTP with a secret key manually passed on the command line, but it's
very inflexible — it supports only TOTP keys with all the default
parameters (6 digits, default start and step times). All this stuff is
*in* the PSKC file.

Please tell me there's a better way than this...

#!/bin/bash

FILE="$1"

if [ ! -r "$FILE" ]; then
    echo Cannot read Key file "$FILE"
    exit 1
fi

# We actually have to parse the output; the return code doesn't help :(
FILEOK=$(pskctool -e "$FILE")
if [ "$FILEOK" != "OK" ]; then
    echo Failed to validate key file "$FILE"
    exit 1
fi

if pskctool -i "$FILE" | grep -q "KeyPackage 1:"; then
    echo There can only be one key in the file
    exit 1
fi

# Ah, screw it. Parsing the output of 'pskctool -i' is harder than parsing
# the XML in the first place.
# "_:" is xmlstarlet's prefix for the document's default namespace.
# The base64 secret is turned into the hex string oathtool expects; od -w40
# keeps up to 40 key bytes on a single line, sed strips the spaces.
KEY=$(xmlstarlet sel -t -v \
    /_:KeyContainer/_:KeyPackage/_:Key/_:Data/_:Secret/_:PlainValue "$FILE" \
    | base64 -di | od -A none -t x1 -w40 | sed 's/ //g')
COUNTER=$(xmlstarlet sel -t -v \
    /_:KeyContainer/_:KeyPackage/_:Key/_:Data/_:Counter/_:PlainValue "$FILE")

# XXX Check for TOTP/HOTP mode, output format, etc.
oathtool -c "$COUNTER" "$KEY"

# Write the incremented counter back in place (-L) so the next run does not
# reuse the same moving factor. Note that this happens after the code has been
# printed; if the script dies in between, the counter is reused.
COUNTER=$((COUNTER + 1))
xmlstarlet ed -L -u \
    /_:KeyContainer/_:KeyPackage/_:Key/_:Data/_:Counter/_:PlainValue \
    -v "$COUNTER" "$FILE"


-- 
dwmw2


