A Simple "google authenticator" / TOTP client tool
a simple TOTP / google authenticator client. it will generate TOTP tokens for the configured accounts and secure data at rest.
WARNING This is a project in development, some trivial backup/rollback strategies are being implemented, but it seems reliable enough that i use it everyday on various accounts.
make sure you have a properly installed golang and $GOPATH etc.. then :
$ go get github.com/unix4fun/g
$ g -h
Usage of g:
-add string
add entry <name>
-dec
decrypt PEM file and output on stdout
-digit int
TOTP token size (valid: {6,7,8}) (default 6)
-enc
encrypt PEM file and output on stdout
-hmac string
TOTP hmac function (valid {sha1|sha256|sha512}) (default: sha1) (default "sha1")
-init
initialize the PEM file (will truncate if existing)
-pass
update PEM file password
-pem string
PEM filename to use (default "/home/rival/.config/g.pem")
-period int
TOTP window (default: 30) (default 30)
-qr string
scan & add from QRcode image file
-rm string
remove entry <name>
-sec string
TOTP shared secret (valid: len>0)
-upd string
update entry <name>
the default secret storage lies in ~/.config/g.pem but you can ALWAYS give the pem file you want to operate on by using:
... -pem <pemfile>
to access your tokens, you will be asked your password/passphrase whatever..
$ g -init
Init Password: <type your password>
Retype Init Password: <type your password again>
Save the QRcode PNG file then thanks to an external qrdecoding module we can read QR code directly, note that it has not been extensively tested yet.
$ g -qr /path/to/qrcode.png
qr code add: /path/to/qrcode.png
Password:
like you're setting up your 2FA for your gmail account. WARNING Remember if you have an history file, THIS WILL BE IN YOUR HISTORY. Most shells allows to execute a command without being history logged check your shell documentation.
Example, for now with bash, you can tell history to NOT log this command:
export HISTIGNORE="g *"
or setup a no history space prefix like :
export HISTCONTROL=ignorespace
and prefix your commands for token by a space.
This might be the reason for a format/editing change later.
$ g -add gmail -sec <google 2fa secret>
Password:
.. debug message to say it's ok...
$ g
Password:
account | totp
---------- | ----
gmail | 357119
[== ] TTL
now you can add all your tokens one by one when necessary. tokens by default adopts google authenticator baseline (sha1 / 6 digits)
but some services provides even higher baseline, like sha256 / 8 digits token, which is also supported:
$ g -add patatra -sec <my secret> -hmac sha256 -digit 8
...
$ g
Password:
account | totp
---------- | ----
gmail | 707792
patatra | 71997833
[========= ] TTL
token config are in a JSON format encrypted using PEMAEAD you can decrypt them at any moment to peek if necessary and re-encrypt a payload as necessary too
$ g -dec
Password:
{
"gmail": {
"secret": "proutpro",
"hash": "sha1",
"digit": 6
},
"patatra": {
"secret": "geonimo",
"hash": "sha256",
"digit": 8
}
}
No particular reason for using JSON, i guess i was brainwashed by the whole JSON crap craze everywhere instead of using a simpler format (CSV?), which mean i might move to a simpler format later, but the tool will manage to handle backward compatibility so don't worry.
- remove debug messages.
- might move the secret input as a terminal input instead of command line (to avoid people leave their history full of secret)
- cleaner CLI.
- rewrite help messages.
- implement unit test everywhere.
- implement QR code reader (from jpg)