Two-Factor Authentication Client for CPI

I added a repo for this for those that want that.

Disclaimer: I’m not responsible for you getting locked out of your accounts. This is probably a bad idea.
I was looking for a way to set up two-factor authentication on a portable Linux device, and since this doesn’t have a touch screen like my PocketCHIP did, it required a different setup. I don’t like smartphones, and text message 2fa is a worse idea than no 2fa.
So I wrote a solution in shell scripts.
Install the prerequisites. We’re using oathtool to generate time-based one time passwords, ImageMagick to convert the output text to images, and feh to display the images.

sudo apt install feh imagemagick oathtool

Edit the ImageMagick policy file - yes, an image conversion tool has a security policy. This was a fun one to figure out. Welcome to Linux, I guess!

sudo $EDITOR /etc/ImageMagick-6/policy.xml

Remove the line at the end that has the “@*” in it. That line is the policy that stops ImageMagick from reading arbitrary files through the @file syntax, so only relax it on a device that never processes images from untrusted sources. Add the following line:

<policy domain="coder" rights="read|write" pattern="*"  />

This line can be added as a substitute for the pattern="*" line above. It’s less severe (it only allows the LABEL coder, which is the one the scripts below use) but may cause problems in the future if you decide to tweak the scripts. I’ve not tested with only this one.

<policy domain="coder" rights="read|write" pattern="LABEL"  />

Make the directory structure for the files in the launcher:

mkdir ~/.oath
mkdir ~/.apps/Menu/22_Authenticator

You need two files in the Authenticator menu folder: action.json and action.config. They’re both really similar.
action.json:

{
"ROM":"/home/cpi/.oath",
"EXT":["sh"],
"LAUNCHER":"bash",
"TITLE":"Authenticators"
}

action.config:

ROM=/home/cpi/.oath
EXT=sh
LAUNCHER=bash
TITLE=Authenticators

Next, the actual bash scripts. Put these in ~/.oath/. The authenticator menu item will look for them.

#!/bin/bash
# One script per account; the launcher runs it with bash.
TMPDIR="$HOME/.tmp"
mkdir -p "$TMPDIR"
OUTFILE="$TMPDIR/account.txt"
OUTIMAGE="$TMPDIR/account.gif"
echo "Description" > "$OUTFILE"
# -b: the secret is base32; -d6: six-digit codes; -w 3: also print the codes for the next time steps
OUTPUT="$(oathtool --totp -b -d6 -w 3 SECRET_CODE)"
echo $OUTPUT >> "$OUTFILE"   # unquoted on purpose: joins the window's codes onto one line
# Render the text file as an image; label:@file is what the policy change above permits
convert -background lightgray -fill black -size 320x240 -pointsize 18 -gravity center "label:@$OUTFILE" "$OUTIMAGE"
feh "$OUTIMAGE" &
FEH_PID=$!
sleep 10s
# Close only the viewer this script started, not every feh on the system
kill "$FEH_PID"
rm -f "$OUTIMAGE" "$OUTFILE"

SECRET_CODE is the text code you get in place of the QR code when setting up 2fa on really any modern website. They usually have an option that says something like “Can’t scan QR code? Enter this code instead.”
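To show what oathtool actually computes from that text code, here is an added example (not part of the original post, and not oathtool's own code) that implements RFC 6238 TOTP from a base32 secret, prints a window of codes the way the script above asks oathtool to, and includes the server-side check a site performs. It uses the published RFC 6238 test key, not a real account secret, and assumes that oathtool's -w 3 means the current code plus the next three.

```python
import base64
import hashlib
import hmac
import struct
import time

# Published RFC 6238 test key (ASCII "12345678901234567890"), base32-encoded.
# Use it only to check the implementation; it is not a real account secret.
RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_secret(secret_b32):
    """Decode a base32 secret as shown by a website's 'enter this code' option.
    Sites often display it lower-case, with spaces and without '=' padding
    (oathtool -b tolerates the same), so normalise before decoding."""
    cleaned = secret_b32.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32, unix_time=None, digits=6, step=30):
    """RFC 6238 TOTP: HOTP with the counter set to floor(time / step)."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(decode_base32_secret(secret_b32), int(unix_time) // step, digits)


def totp_window(secret_b32, window=3, unix_time=None, digits=6, step=30):
    """Codes for the current time step and the next `window` steps: the list
    the script asks oathtool for with '-w 3' (assumed to mean current plus 3)."""
    if unix_time is None:
        unix_time = time.time()
    counter = int(unix_time) // step
    key = decode_base32_secret(secret_b32)
    return [hotp(key, counter + i, digits) for i in range(window + 1)]


def verify_totp(secret_b32, candidate, unix_time=None, skew=1, digits=6, step=30):
    """What the website does with the code you type: accept a code from up to
    `skew` steps either side of now, comparing in constant time so the
    comparison itself leaks nothing about the expected value."""
    if unix_time is None:
        unix_time = time.time()
    counter = int(unix_time) // step
    key = decode_base32_secret(secret_b32)
    return any(hmac.compare_digest(hotp(key, counter + d, digits), candidate)
               for d in range(-skew, skew + 1))


if __name__ == "__main__":
    # RFC 6238 Appendix B: at T=59 the SHA-1 test key gives 94287082 (8 digits)
    print(totp(RFC6238_TEST_SECRET, 59))            # 287082
    print(totp_window(RFC6238_TEST_SECRET, 3, 59))  # four codes, first is 287082
```

The only secret material is the base32 string; anyone who can read the script can generate every future code, which is why the post's closing note about encrypting these files matters.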
I’ve named each script something like “Google_account.sh” or “Github.sh” for each account.
That’s it. I can, in the future, make a script that will just set this all up, but I’m so excited I figured this out that I wanted to share.

Again, this is probably a bad idea. I just did it as a proof of concept, and because I hate the idea of storing these secrets on a smartphone. These should probably be at least gpg encrypted, in some way, and stored on an encrypted hard drive.