2FA/Multiple

From Doc-Wiki
Version of 25 April 2019, 07:46 by imported>Ubadm (→ Links)

Multiple Identities on Linux

Once you are used to the second-factor concept described in Shell#2FA, you may wish to use it with other services too. At this point you have to decide whether you:

  • have one single identity shared by several providers
  • have several identities, i.e. a different one for each service

Of course the latter is recommended. To store these secret files I chose a separate directory in my $HOME: .my-secrets. Call it whatever you want.

Remove all ACL entries on that directory except the required ones:

~$ fs sa -dir .my-secrets -acl web-home none
~$ fs sa -dir .my-secrets -acl ifi-login none
~$ fs sa -dir .my-secrets -acl spamassassin none
~$ fs sa -dir .my-secrets -acl mta none

At the end it should look like:

~$ fs la .my-secrets/
Access list for .my-secrets/ is
Normal rights:
 system:administrators rlidwka
 username rlidwka
 username.system rl
 username@student.uni-goettingen.de rlidwka
 username@top.gwdg.de rlidwka

Copy (do not move) the already set up file for your university userid and give it a "better" name:

~$ cp  .ifi-login/.google_authenticator  .my-secrets/uni-userid

Create other identities by running google-authenticator. It seems this always creates the output file as $HOME/.google_authenticator, so we need to copy (or move) the newly created file into our folder:

~$ google-authenticator
...
~$ cp  .google_authenticator  .my-secrets/user-at-other-provider

Repeat this step as often as you want :-)

To use one of those identities run

~$ oathtool  --totp -b $(head -n 1 ~/.my-secrets/user-at-other-provider)
111187

You might use a separate terminal window and run this one-liner:

~$ while true; do clear; date; for I in $(ls -A ~/.my-secrets/); do printf "%-24s" $I; oathtool --totp -b $(head -n 1 ~/.my-secrets/$I); done; sleep 2; done

This creates an automatically refreshed output like this:

Di 21. Jun 09:02:10 CEST 2016
uni-userid              690091
user-at-other-provider  965901

You can put this uncomfortably long line into your ~/.bash_aliases as a function:

~$ cat .bash_aliases
#
# Show all time-based OTPs defined in ~/.my-secrets/*
#
function mytotp ()
{
	while :
	do
		clear
		date
		for I in $(ls -A ~/.my-secrets/)
		do
			printf "%-24s" $I; oathtool --totp -b $(head -n 1 ~/.my-secrets/$I)
		done
		sleep 2
	done
}

This file is automatically evaluated ("sourced") during login. To activate it without logging out and back in, source it by hand:

~$ . .bash_aliases
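To make clear what oathtool actually computes from the first line of those files, and why the ACL step matters (whoever can read the seed can produce the same codes), here is an added Python example that is not part of the wiki page: it reads a secret file in the google-authenticator layout, computes the RFC 6238 TOTP (HMAC-SHA1, 30 s, 6 digits, the oathtool --totp defaults), lists all codes like the mytotp function does, and flags files readable by anyone but the owner. The seed, file layout and function names are constructed for the example.

```python
# Added example, not code from the wiki page: what `oathtool --totp -b $(head -n 1 FILE)`
# computes for a google-authenticator style secret file, plus a permission check
# that the ACL step above is meant to guarantee.
import base64, hashlib, hmac, os, stat, struct, time

# Constructed sample seed: the RFC 6238 reference key "12345678901234567890" in base32.
DEMO_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(seed_b32, now=None, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, 30 s steps, 6 digits: oathtool's --totp defaults."""
    seed = seed_b32.strip().upper()
    seed += "=" * (-len(seed) % 8)            # google-authenticator omits base32 padding
    key = base64.b32decode(seed)
    counter = int((time.time() if now is None else now) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                    # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def read_seed(path):
    """The first line of a .google_authenticator file is the base32 seed; the
    remaining lines are option lines (" RATE_LIMIT ...) and scratch codes."""
    with open(path) as f:
        return f.readline().strip()

def unsafe_mode(path):
    """True when group or others have any access: the seed IS the second factor."""
    return bool(os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO))

def all_codes(secrets_dir, now=None):
    """Same listing as the mytotp shell function: (name, code) per secret file."""
    codes = []
    for name in sorted(os.listdir(secrets_dir)):
        path = os.path.join(secrets_dir, name)
        if os.path.isfile(path):
            codes.append((name, totp(read_seed(path), now)))
    return codes

def write_demo_secret(path):
    """Write a constructed file in google-authenticator layout, owner-only mode."""
    with open(path, "w") as f:
        f.write(DEMO_SEED + '\n" RATE_LIMIT 3 30\n" WINDOW_SIZE 17\n" TOTP_AUTH\n')
    os.chmod(path, 0o600)

if __name__ == "__main__":
    print(totp(DEMO_SEED, now=59))             # 287082: RFC 6238 SHA-1 vector, 6 digits
```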
