Script for oathtool for 2 factor auth and KDE menu list/short cut
191 views
Skip to first unread message
Tim W
Jan 11, 2016, 11:09:29 PM1/11/16
to qubes-users
I thought this might be of some help for those newer to Qubes and possibly Linux. Its easy to update/edit and quick to use as needed. Takes all of about 5 mins to setup, 10 min if you have to create the VMs etc at the most.
As we already have a good how to in the Docs on how to setup a mulitfactor authentication app vm based on a Fedora minimal template I will not go into that. But I went a slightly different route for creating a script. Where the how to creates a individual script for each account or site I made one script for all. The base script can be used for all sorts of forms by changing the default names. Thus is can be used for one account under each key for a site-domain or multiples by adding another line and key. But it gives a nice terminal based menu and output.
Beyond that I also created a KDE menu link and desktop shortcut that can allow you to open it directly. I have seen a few posts where people had issues with the qubes syntax and how to get terminal programs to open properly so I thought I would combine all of this into on post.
This "how to" already assumes you have created a minimal template cloned it MFA template installed oathtool package and possibly helpful packages such as sudo etc.. and created mfa appvm based off that template with no network access. All instructions can be found here: Multifactor Authentication
We are starting with mfa-appvm that has oathtool and sudo packages and no network access allowed.
As the minimal templates and the vm based on them have few tools I chose to create the script and .desktop files in a different appvm and then copy them over. For those new to Qubes I describe how to use the inter-vm copy tool.
The VMs I will be using are mfa-vm ( mfa=multifactor authentication) and vault-vm ( as it has the same no network setting and security profile). You replace these names with whatever vms you choose to use/name.
Overview of tasks:
First we will create some directories in the mfa-vm to keep things organized. Then we will create two files script and desktop in the vault-vm and transfer them to the mfa-vm. We will then copy them to the appropriate directories we created. We will change their permissions to make them executable. Lastly we will add a new menu item in KDE app menu under mfa-vm and add a desktop shortcut from it.
1: Open terminal in mfa-vm
2: create two folders in the /home/user
$ mkdir /home/user/scripts
$ mkdir /home/user/desktop
3: In vault-vm open your choice of text editor ( gedit, cat, nano, etc), Create the bash shell script "authenticator.sh" and then .desktop file authenticator.desktop. Copy the text below for each:
Bash shell script: authenticator.sh :
Save script as: authenticator.sh.
--------------------------------------------------
Application desktop file: authenticator.desktop
# Blue = path to where the authenticator script is located
[Desktop Entry]
Version=1.0
Exec=/home/user/scripts/authenticator.sh
Name=Two Factor Authenticator
GenericName=Two Factor Authenticator
Comment=Oathtool Authenticator Script
Encoding=UTF-8
Terminal=true
Type=Application
Categories=Application;Security
Save as: authenticator.desktop
3: After saving, if you chose to create it in a differnt vm (I used my "vault" vm as it has the same basic trust level) open file manager and goto directory of saved files. Right click highlighting both files (authenticator.sh and authenticator.desktop) choose "Copy to Other AppVM" and type the name of the domain you are using for the oathtool vm. In my case "mfa".
4: Copy transferred files to their appropriate directories. Files transfered via inter-vm tool can be found in /home/user/QubesIncoming/(name of VM tranfered from) in this example it is "vault" /home/user/QubesIncoming/vault/
$ cp /home/user/QubesIncoming/vault/authenticator.sh /home/user/scripts/
$ cp /home/user/QubesIncoming/vault/authenticator.desktop /home/user/desktop/
5: Next we need to change the permissions to make them executable:
$ chmod +x /home/user/scripts/authenticator.sh
$ chmod +x /home/user/desktop/authenticator.desktop
6: Test: You can change to the scripts directory and run the script:
$ cd /home/user/scripts
$ ./authenticator.sh
7: Make the KDE App Menu item by right clicking the KDE App menu icon. Choose "edit applications"
8: In the left pane choose "Domain: mfa"
9: choose "New Item" from top tool bar
10: In right pane fill in fields you can choose the names and comments etc all but the "Command:" path is up to use.
Here is what I chose:
Name: Two Factor Authenticator
Description: Oathtool Authenticator Script
Comment: Two factor authenticator for online login credentials confirmation
Command: qvm-run -q --tray -a mfa --'qubes-desktop-run /home/user/desktop/authenticator.desktop'
Next: you can click on the blank Icon square to the upper right and choose an icon from the icon window.
Next: choose the "save" button and close the KDE menu tool.
Click on KDE app menu (start button for MS windows users) and goto "Domain: mfa" and right click "Two Factor Auth.." and choose add to "desktop" or "panel" etc where ever you want a shortcut.
Now you can start the script by the desktop short cut, app menu list icon, in the terminal with ./authenticator.sh
As we already have a good how to in the Docs on how to setup a mulitfactor authentication app vm based on a Fedora minimal template I will not go into that. But I went a slightly different route for creating a script. Where the how to creates a individual script for each account or site I made one script for all. The base script can be used for all sorts of forms by changing the default names. Thus is can be used for one account under each key for a site-domain or multiples by adding another line and key. But it gives a nice terminal based menu and output.
Beyond that I also created a KDE menu link and desktop shortcut that can allow you to open it directly. I have seen a few posts where people had issues with the qubes syntax and how to get terminal programs to open properly so I thought I would combine all of this into on post.
This "how to" already assumes you have created a minimal template cloned it MFA template installed oathtool package and possibly helpful packages such as sudo etc.. and created mfa appvm based off that template with no network access. All instructions can be found here: Multifactor Authentication
We are starting with mfa-appvm that has oathtool and sudo packages and no network access allowed.
As the minimal templates and the vm based on them have few tools I chose to create the script and .desktop files in a different appvm and then copy them over. For those new to Qubes I describe how to use the inter-vm copy tool.
The VMs I will be using are mfa-vm ( mfa=multifactor authentication) and vault-vm ( as it has the same no network setting and security profile). You replace these names with whatever vms you choose to use/name.
Overview of tasks:
First we will create some directories in the mfa-vm to keep things organized. Then we will create two files script and desktop in the vault-vm and transfer them to the mfa-vm. We will then copy them to the appropriate directories we created. We will change their permissions to make them executable. Lastly we will add a new menu item in KDE app menu under mfa-vm and add a desktop shortcut from it.
1: Open terminal in mfa-vm
2: create two folders in the /home/user
$ mkdir /home/user/scripts
$ mkdir /home/user/desktop
3: In vault-vm open your choice of text editor ( gedit, cat, nano, etc), Create the bash shell script "authenticator.sh" and then .desktop file authenticator.desktop. Copy the text below for each:
Bash shell script: authenticator.sh :
#!/bin/bash
# This script is for oathtool authentication codes for online accounts that allow two factor authentication.
# Blue = The account names
# Red = Master Key from the account (spaces do not matter between the digits)
# Green = The authentication code output size (Some domain req outputs can be other than 6)
# You can add new lines copying the same formate if you need for more accounts
OPTIONS="Google ProtonMail GitHub Name01 Name02 Name03 Name04 Name05 Quit" select opt in $OPTIONS; do if [ "$opt" = "Google" ]; then oathtool --base32 --totp "xd2n mx5t ekg6 h6bi u74d 745k n4m7 zy3x" -d 6 elif [ "$opt" = "ProtonMail" ]; then oathtool --base32 --totp "Enter Master Key Here" -d 6 elif [ "$opt" = "GitHub" ]; then oathtool --base32 --totp "Enter Master Key Here" -d 6 elif [ "$opt" = "Name01" ]; then oathtool --base32 --totp "Enter Master Key Here" -d 6 elif [ "$opt" = "Name02" ]; then oathtool --base32 --totp "Enter Master Key Here" -d 6 elif [ "$opt" = "Name03" ]; then oathtool --base32 --totp "Enter Master Key Here" -d 6
elif [ "$opt" = "Name04" ]; then oathtool --base32 --totp "Enter Master Key Here" -d 6
elif [ "$opt" = "Name05" ]; then oathtool --base32 --totp "Enter Master Key Here" -d 6
elif [ "$opt" = "Quit" ]; then exit else clear echo "Choose an available option." fi done
Save script as: authenticator.sh.
--------------------------------------------------
Application desktop file: authenticator.desktop
# Blue = path to where the authenticator script is located
[Desktop Entry]
Version=1.0
Exec=/home/user/scripts/authenticator.sh
Name=Two Factor Authenticator
GenericName=Two Factor Authenticator
Comment=Oathtool Authenticator Script
Encoding=UTF-8
Terminal=true
Type=Application
Categories=Application;Security
Save as: authenticator.desktop
3: After saving, if you chose to create it in a differnt vm (I used my "vault" vm as it has the same basic trust level) open file manager and goto directory of saved files. Right click highlighting both files (authenticator.sh and authenticator.desktop) choose "Copy to Other AppVM" and type the name of the domain you are using for the oathtool vm. In my case "mfa".
4: Copy transferred files to their appropriate directories. Files transfered via inter-vm tool can be found in /home/user/QubesIncoming/(name of VM tranfered from) in this example it is "vault" /home/user/QubesIncoming/vault/
$ cp /home/user/QubesIncoming/vault/authenticator.sh /home/user/scripts/
$ cp /home/user/QubesIncoming/vault/authenticator.desktop /home/user/desktop/
5: Next we need to change the permissions to make them executable:
$ chmod +x /home/user/scripts/authenticator.sh
$ chmod +x /home/user/desktop/authenticator.desktop
6: Test: You can change to the scripts directory and run the script:
$ cd /home/user/scripts
$ ./authenticator.sh
7: Make the KDE App Menu item by right clicking the KDE App menu icon. Choose "edit applications"
8: In the left pane choose "Domain: mfa"
9: choose "New Item" from top tool bar
10: In right pane fill in fields you can choose the names and comments etc all but the "Command:" path is up to use.
Here is what I chose:
Name: Two Factor Authenticator
Description: Oathtool Authenticator Script
Comment: Two factor authenticator for online login credentials confirmation
Command: qvm-run -q --tray -a mfa --'qubes-desktop-run /home/user/desktop/authenticator.desktop'
Next: you can click on the blank Icon square to the upper right and choose an icon from the icon window.
Next: choose the "save" button and close the KDE menu tool.
Click on KDE app menu (start button for MS windows users) and goto "Domain: mfa" and right click "Two Factor Auth.." and choose add to "desktop" or "panel" etc where ever you want a shortcut.
Now you can start the script by the desktop short cut, app menu list icon, in the terminal with ./authenticator.sh
cubit
Jan 12, 2016, 7:15:19 AM1/12/16
to Tim W, qubes-users
OPTIONS="Google ProtonMail GitHub Name01 Name02 Name03 Name04 Name05 Quit
" select opt in $OPTIONS; doGoogle" ]; then oathtool --base32 --totp "xd2n mx5t ekg6 h6bi u74d 745k n4m7 zy3x" -d 6
Should this master key have been in here?
Tim W
Jan 12, 2016, 3:27:37 PM1/12/16
to qubes-users, timw...@gmail.com, cu...@tutanota.com
I pulled it from a online example of a key. But thank you , seriously, for looking out for me making one of "those" kind of mistakes and printing my real key. I have seen that happen on github before. private instead of public keys pasted
Cheers,
Tim
Reply all
Reply to author
Forward
0 new messages