Use oathtool to generate 2FA code

Posted under security by xpk

In this example I'll use oathtool on Ubuntu to generate TOTP 2FA codes, and use them for MFA authentication to AWS.

Install oathtool

On the client machine, install oathtool:

apt install oathtool

Enable MFA on AWS

On AWS, pick an IAM user and enable MFA.

AWS can show the shared secret either as a QR code or as a string. Use the second option: click the “Show secret key” link.

Use oathtool to generate two consecutive MFA codes (AWS asks for two codes from consecutive 30-second windows):

# -b: the secret is base32-encoded (as AWS displays it); --totp: time-based code
oathtool -b --totp 'xxxxxxxxxxxxxxxxxxxxxxxx'
sleep 30
oathtool -b --totp 'xxxxxxxxxxxxxxxxxxxxxxxx'

Enter the two codes into the MFA code text boxes, then click “Assign MFA”.

The next time the IAM user logs into AWS, it will prompt for the MFA code. Generate a new one with the same command shown above, just as you would with any hardware or software token.
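What `oathtool -b --totp` computes, as an added example that is not part of the original post: a small Python implementation of TOTP (RFC 6238) over a base32 secret. It also produces the two consecutive codes AWS asks for without sleeping 30 seconds, and shows the server-side check with a drift window and constant-time comparison. The secret used here is the RFC 6238 test key, a constructed stand-in for the one AWS shows.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret ("12345678901234567890" in base32); a constructed
# stand-in for the key AWS shows under "Show secret key".
TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32(secret: str) -> bytes:
    # Normalise like `oathtool -b`: drop whitespace, upper-case, restore padding
    s = "".join(secret.split()).upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: str, at_time=None, step: int = 30, digits: int = 6) -> str:
    # RFC 6238: the HOTP counter is the number of `step`-second windows elapsed
    t = int(time.time() if at_time is None else at_time)
    return hotp(decode_base32(secret), t // step, digits)


def two_consecutive_codes(secret: str, at_time=None, step: int = 30):
    # AWS's "Assign MFA" dialog wants two codes from consecutive windows; compute
    # this window and the next instead of sleeping 30 seconds between calls.
    t = int(time.time() if at_time is None else at_time)
    return totp(secret, t, step), totp(secret, t + step, step)


def verify(secret: str, code: str, at_time=None, step: int = 30, window: int = 1) -> bool:
    # Server-side check: accept +/- `window` steps of clock drift and compare in
    # constant time so a wrong guess does not leak how many digits matched.
    t = int(time.time() if at_time is None else at_time)
    return any(hmac.compare_digest(totp(secret, t + k * step, step), code)
               for k in range(-window, window + 1))


if __name__ == "__main__":
    print("current code:", totp(TEST_SECRET))
    print("two consecutive codes:", two_consecutive_codes(TEST_SECRET))
```

With a real AWS secret in place of TEST_SECRET, `two_consecutive_codes` gives the pair to paste into the “Assign MFA” dialog.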

Secure the private key

Now it is important to secure the secret key; otherwise the second factor adds nothing, since anyone who can read the key can generate valid codes. One option is to encrypt it with gpg and wrap the decryption and oathtool commands in a script.

Another way is to put the oathtool command into a bash script and compile it into a binary with shc. This is not really secure (the script, and with it the secret, can still be recovered from the binary), but it is easy to do, and some protection is better than none. First, create a simple script for oathtool:

#!/bin/bash
oathtool -b --totp 'xxxxxxxxx'

Then compile it with shc and remove the plaintext script. One can then run aws-oath to generate the MFA code.

# aws-oath.sh is the script above (the filename is assumed; the post does not name it)
shc -f aws-oath.sh -o aws-oath
# remove the plaintext script and the intermediate C source shc writes next to it
rm -f aws-oath.sh aws-oath.sh.x.c
