Category: Security

Making your life easier with oathtool

oathtool is a CLI application that generates one-time passwords from a provided secret.
However, generating the OTP is a bit tricky, because the secret has to be passed as an argument, and you do not really want the secret to end up in your .bash_history / .zsh_history.

To solve this problem I store the secrets in a folder inside my home directory (e.g. ~/.oath-secrets/), encrypted with gpg.
So if your secret is “1234567890”, store it in a file called “my-secret” inside this directory and encrypt it with gpg like this:

# pwd should be ~/.oath-secrets/
gpg -e -r mygpgkeyid my-secret
shred -uz my-secret

This should create a file called “my-secret.gpg” and delete the original unencrypted file.

Paste the following function into your .zshrc or .bashrc file:

t () {
        local GREEN="\033[1;32m"
        local NOCOLOR="\033[0m"
        local secret
        # Decrypt the base32 secret; stop here if gpg fails (no empty key, no bogus token)
        secret=$(gpg -d ~/.oath-secrets/"${1}".gpg) || return 1
        # Generate the TOTP and copy it to the primary (middle-click) selection.
        # Note: the key is still an oathtool argument, so it is briefly visible in the process list.
        oathtool --totp -b "${secret}" | xclip && printf "\n${GREEN}[ + ]${NOCOLOR} Clipped!\n"
        echo "[ ? ] You have 10 seconds."
        sleep 10
        # printf instead of echo so the escape sequences work in both bash and zsh
        xclip -i /dev/null && printf "${GREEN}[ + ]${NOCOLOR} Clipboard deleted.\n\n"
}

Start a new terminal (or source your .zshrc or .bashrc file) and get your OTP token by running “t my-secret”:

$ t my-secret
gpg: encrypted with 4096-bit RSA key, ID XXXXXXXXXXXXXXX, created 1970-01-01 "Max Mustermann max@mustermann.com"
[ + ] Clipped!
[ ? ] You have 10 seconds.
[ + ] Clipboard deleted.

The 2FA token has been copied to your primary selection (the mouse clipboard), so you can paste it with a middle click.
It will be deleted after 10 seconds, so hurry up 😉
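To see what oathtool actually computes from the decrypted secret, here is an added example (not part of the original post and not oathtool's own code) that implements the same TOTP algorithm in Python and also reports how many seconds remain in the current 30-second window, which tells you whether the clipped token will still be valid when the 10-second clipboard timer ends. The secret used is the RFC 6238 test vector, not a real one.

```python
import base64
import hmac
import struct
import time


def totp(secret_b32, now=None, digits=6, step=30):
    """Return (code, seconds_left) for a base32 secret.

    Implements RFC 6238 TOTP with HMAC-SHA1, the defaults oathtool uses for
    `oathtool --totp -b`. seconds_left is how long the code stays valid
    before the time window rolls over.
    """
    if now is None:
        now = int(time.time())
    # Base32 secrets from enrolment pages are often lowercase, spaced or unpadded;
    # normalise them the way a user would have typed them into ~/.oath-secrets/<name>.
    clean = secret_b32.replace(" ", "").upper()
    clean += "=" * (-len(clean) % 8)
    key = base64.b32decode(clean)
    # HOTP counter = number of completed time steps since the Unix epoch
    counter = now // step
    mac = hmac.new(key, struct.pack(">Q", counter), "sha1").digest()
    # Dynamic truncation (RFC 4226 section 5.3)
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    code = binary % (10 ** digits)
    return f"{code:0{digits}d}", step - (now % step)


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test secret "12345678901234567890" in base32.
    sample = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    code, left = totp(sample)
    print(f"{code}  (valid for {left} more seconds)")
```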

Downside: depending on how you use it, this may compromise the safety of two-factor authentication.