This repository has been archived by the owner on Apr 6, 2021. It is now read-only.

Can google authenticator send email to user with link to qr code? #534

Closed
mpostument opened this issue Jan 12, 2016 · 11 comments

@mpostument

Hello. I need to generate a link and send it to the user's email address, or show the link when the user first logs in to ssh. Is this possible?

OS: CentOS 6.x

@ThomasHabets
Contributor

Email

How would you know the email address to use? (in the general case)
You can do this by scripting pretty easily today.

Show link at first login

This would be possible. A pull request to do so may be accepted if it looks good.

The problem of "what if the user forgot to scan the QR code the first time?" does occur to me though.

@mpostument
Author

The user will give an email address to the admin, and the admin runs google authenticator from this user and with the email.
For script:
I use ansible for creating the user and running google authenticator. And it can parse the log and send the link to the user by email. But we need to send the email using google authenticator, not ansible or other stuff.

If the user does not scan the QR code, the admin can re-run google authenticator for that user, and after the next login the user will see that link.

@ThiefMaster

The most common way to enable 2FA is to require the user to enter a code from the app to finally enable it. That way he proved that he set it up, i.e. he won't lock himself out.

@ThomasHabets
Contributor

@ThiefMaster oh yeah, that'd do it.

@Infectsoldier what do you mean by "we need to send email using google authenticator"? Sending email does not belong here. All you need to script is to send out the QR code for otpauth://totp/foobar?secret=ABCDEF where ABCDEF can be found in the user's ~/.google_authenticator
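
Added example, not part of the thread or the project's code: one way to script the step described in the comment above, building the otpauth:// URI from a user's state file in POSIX sh. It assumes the first line of the file is the base32 secret and that GNU stat is available; the function names, the sample secret in any test run and the optional issuer parameter are hypothetical additions.

```shell
#!/bin/sh
# Added example; not code from the thread or the google-authenticator project.

# Percent-encode a label or issuer (ASCII input assumed).
urlencode() {
    s=$1; out=
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}      # peel off the first character
        case $c in
            [a-zA-Z0-9.~_-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
    done
    printf '%s' "$out"
}

# otpauth_uri STATE_FILE LABEL [ISSUER]  -> prints the URI, non-zero on refusal
otpauth_uri() {
    file=$1; label=$2; issuer=${3:-}
    if [ ! -f "$file" ] || [ -L "$file" ]; then
        echo "not a regular file: $file" >&2; return 2
    fi
    # Refuse a secret file that group or other can access (GNU stat, as on CentOS).
    mode=$(stat -c '%a' "$file") || return 2
    case $mode in
        *00|0) ;;
        *) echo "permissions too open: $mode" >&2; return 3 ;;
    esac
    # Assumption: the first line of the state file is the base32 secret.
    secret=
    IFS= read -r secret < "$file" || [ -n "$secret" ] || return 4
    case $secret in
        ''|*[!A-Z2-7=]*) echo "first line is not base32" >&2; return 4 ;;
    esac
    uri="otpauth://totp/$(urlencode "$label")?secret=$secret"
    if [ -n "$issuer" ]; then
        uri="$uri&issuer=$(urlencode "$issuer")"
    fi
    printf '%s\n' "$uri"
}
```

The URI contains the shared secret, so whatever renders or delivers the QR code needs the same protection as the state file itself.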

@ThomasHabets
Contributor

I've created #536 to track the non-email feature.

@pantsman0

@Infectsoldier something like this?

#!/bin/bash

if [[ ! -e ~/.google_authenticator ]];
then
    echo "If you lose your One-Time Password, you will not be able to log in.";

    # inspired by the answer by Dennis Williamson
    # http://stackoverflow.com/a/1885534
    read -p  "Do you want to create your One-Time Password now? [y/n] " -n 1 -r c;
    echo;

    if [[ ! $c =~ ^[Yy]$ ]];
    then
        exit 1
    fi
    google-authenticator -t -d -f -i "My Issuer" -l "My Label" -u -w3
fi

If you added this to the /etc/skel/.bash_login it will continue to prompt a user when they first open a bash shell.

If you leave bash as a default shell for CentOS this should meet needs, and it will continue to prompt or log out a user until they accept.

@mpostument
Author

@pantsman0 thanks. But I already use ansible. Ansible generates the link and sends it to the user's email.

@pantsman0

My bad, I meant to say that my comment is only answering the "show link when user do first login in to ssh", as Thomas has already opened a new issue (#536) to address the email option.

@ThomasHabets
Contributor

The non-email option, you mean.

@ThomasHabets
Contributor

@Infectsoldier

And it can parse log and send link to user by email. But we need to send email using google authenticator not ansible or other stuff

Google authenticator the CLI tool? Why? If you have the email address, why not just send it yourself?

@ThomasHabets
Contributor

This issue was moved to google/google-authenticator-libpam#44
