Winning with Soft Tokens

Well, I’d call that a sabbatical, but I think that would mean I was relaxing. Time to revive this thing (again).

After all, what is a blog but a wall of zombie text that keeps coming back?

Anyway.

DISCLOSURE: Security, blah blah. Use at own risk. Encrypt stuff.

Okay, moving on. New job, new laptop, new security.

Upon my onboarding I was shown how to set up a soft token on my phone to access my company’s zero-trust assets.

This, in combination with our SSO, was usually pretty decent, but I’d still have to drag out my phone at least 20 times a day to authenticate to something, which was irritating.

Apparently I wasn’t the only one.

So let’s start with the end goal: have a PC based soft token that I can copy and paste just using keyboard shortcuts (aka quit having to whip out my phone).

Part One: Generate a new token and capture the seed

  1. Go to your token portal, and request a new One Time Password software token.
  2. Once you have put in the pertinent data, you typically get sent to a page to enroll your phone with a QR code.
  3. On this page there should be an otpauth formatted link like so:
    otpauth://hotp/OATH12345678?secret=6BA2PFJXYHLWIGYZEPR2U6Q3TT7MVNSN&counter=1&digits=6&issuer=JoeBobCorp
    
  4. The portion of this that we care about is the secret; in this case it is the value
    6BA2PFJXYHLWIGYZEPR2U6Q3TT7MVNSN
    
  5. Save this string for now.

Part Two: Sync your token

  1. Now that we’ve got our key, let’s sync this bad boy.
  2. To sync, we’ll use this command to get our first two codes (counter 1 plus a window of 1 more):
    oathtool -b -c 1 -w 1 YOUR_KEY_FROM_THE_EARLIER_STEP
    
  3. Once we’ve gotten these two codes, go ahead and sync them with your token issuer.

Part Three: Generating tokens

  1. Now that our token is in sync, we need to keep track of which count we’re up to, since we have to request a particular counter value each time.
  2. Now let’s write a small script that will get us our one-time tokens (maybe save this in $HOME/.local/bin/):
#!/bin/bash
# Generate the next HOTP code, prefix it with the PIN, and put it on the clipboard.
key="PUT_YOUR_KEY_HERE"            # the base32 secret from the otpauth:// link
counter_file="$HOME/.authcounter"

# The sync step above consumed counters 1 and 2 (oathtool -c 1 -w 1),
# so if no counter file exists yet the next counter to use is 3.
count=3
if [ -e "$counter_file" ] ; then
  count=$(cat "$counter_file")
fi

token=$(oathtool -b -c "${count}" "${key}")
pin="badidea123"
pinandtoken="${pin}${token}"

# Store the next counter so the following run stays in step with the issuer.
echo $((count + 1)) > "$counter_file"

# Copy PIN+token to the clipboard (requires xsel).
echo -n "${pinandtoken}" | xsel -ib

This script will do the following:

  • Read the token count
  • Generate a token based on your key and the number of times the OTP has been utilized
  • Append the token to a PIN (noted, this is probably not a great idea for security reasons, but some people are lazy)
  • Increment the number of times the OTP has been utilized
  • Copy the PIN+Token string to the clipboard using xsel (if you don’t have xsel already, install it)
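Here, as an added example that is not from the original post, is what oathtool -b -c is computing in the script above and what the issuer does with the two codes from the sync step in Part Two: an HOTP implementation per RFC 4226, plus the issuer-side look-ahead resync that consumes two consecutive codes. It uses the RFC 4226 Appendix D test secret rather than the post’s example secret so the outputs can be checked against the RFC; the function names and the look-ahead size are assumptions.

```python
import base64
import hashlib
import hmac
import struct
from typing import List, Optional

# RFC 4226 Appendix D test secret ("12345678901234567890") in the base32 form
# that oathtool -b and otpauth:// links use. Not the secret from the post above.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): what `oathtool -b -c <counter> <secret>` computes."""
    key = base64.b32decode(secret_b32.upper())          # -b: secret is base32
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                           # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def sync_window(secret_b32: str, start: int, extra: int = 1) -> List[str]:
    """Codes for counters start..start+extra, like `oathtool -b -c start -w extra`."""
    return [hotp(secret_b32, c) for c in range(start, start + extra + 1)]


def verify_and_resync(secret_b32: str, server_counter: int, codes: List[str],
                      look_ahead: int = 10) -> Optional[int]:
    """Issuer side of the sync step (hypothetical, assumed look-ahead of 10):
    search forward from the stored counter for the first submitted code and
    require the remaining codes to follow consecutively. Returns the next
    counter the issuer should expect, or None if the codes do not line up."""
    for c in range(server_counter, server_counter + look_ahead):
        if all(hmac.compare_digest(hotp(secret_b32, c + i), code)
               for i, code in enumerate(codes)):
            return c + len(codes)
    return None
```

Requiring two consecutive codes is what lets the issuer distinguish a genuine token that has drifted ahead from a single guessed code, which is why the sync step asks for a pair.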

Part Four: Profit

Now all we need to do is map a hot-key to this script.

After that all you need to do is smack your hot-key, then paste the value into the login.

You’ve never gotten a token so fast.

Part Five: Disclaimer (again)

These are all open source tools/products. Anybody can put them together. You should still be using complex passwords, encrypting your disks, and storing your laptop in a safe place.

If you want to do this, go for it. Your mileage may vary. :-)
