Oath
A solemn pledge or promise, appealing to a deity, a ruler, or another entity (not necessarily present) to attest to the truth of a statement or sincerity of one's desire to fulfill a contract or promise.
Oath
is an Oh My ZSH plugin that manages 2FA
authentication 6 digit tokens. It's highly inspired in
this article.
Pre-requisites
Oath
pre-requisites are as follows:
oathtool
for generating 6 digit tokens.gnupg2
for handling private keys securely.xclip
for copying to clipboard.- An RSA 4096 bits long key (check this section for generating a key).
Small Example
Oath
allows to add, remove keys as well as show the temporal 6 digit token
e.g:
- Adding a new key for a domain e.g. for
twitter.com
:
~ $ oath add twitter.com
Private Key:
[SUCESS] Key created for twitter.com
- Deleting a key for a domain e.g. for
twitter.com
:
~ $ oath delete twitter.com
[WARN] Deleting $OATH_DIR/.oath/twitter.com/424184E122529120CC1821756759ADDD12CB6379.gpg
[WARN] Deleting $OATH_DIR/.oath/twitter.com
[SUCCESS] Key deleted for twitter.com
- Showing (and copying to clipboard) the current 6 digit token e.g. for
twitter.com
:
~ $ oath twitter.com
012345
[SUCCESS] Code copied to clipboard
- Showing (and copying to clipboard) the key for a domain e.g. for
twitter.com
:
~ $ oath pk twitter.com
SomePrivateKey
[SUCCESS] Private key copied to clipboard
- Listing keys for all domains e.g:
~ $ oath list twitter.com
twitter.com
github.com
- Updating
Oath
to latest version:
~ $ oath update
Installation
Just clone Oath
as follows:
~ $ git clone "https://github.com/alexdesousa/oath.git" "$ZSH_CUSTOM/plugins/oath"
And add the oath to your plugins
in $HOME/.zshrc
file:
# Activate completions
autoload -U +X compinit && compinit
autoload -U +X bashcompinit && bashcompinit
plugins=(
oath
)
# Variables for Oath
export OATH_KEY=<My Oath key>
export OATH_EMAIL=<My Oath email>
Important: when updating you can run the following:
cd `$ZSH_CUSTOM/plugins/oath` && git pull origin master
Generating a Key
First you need to create a key with gpg2
as follows:
$ gpg2 --full-gen-key
This will prompt several questions:
Kind of key: Hit
[Enter]
or choose1
forRSA and RSA
:gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) (14) Existing key from card Your selection? 1
Key size:
4096
is recommended.RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (3072) 4096 Requested keysize is 4096 bits
Expiration: Choose
0
for no expiration.Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 0 Key does not expire at all
Hit
y
if everything is correct.Is this correct? (y/N) y
Identify the key with:
GnuPG needs to construct a user ID to identify your key. Real name: Alex de Sousa Email address: alex@example.com Comment: My Oath key You selected this USER-ID: "Alex de Sousa (My Oath key) <alex@example.com>"
Hit
o
if everything is correct.Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
Move you mouse to generate entropy:
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
Retrieve your key:
gpg: key 6759ADDD12CB6379 marked as ultimately trusted gpg: revocation certificate stored as '/home/alex/.gnupg/openpgp-revocs.d/424184E122529120CC1821756759ADDD12CB6379.rev' public and secret key created and signed. pub rsa4096 2020-02-06 [SC] 424184E122529120CC1821756759ADDD12CB6379 uid Alex de Sousa (Oath key) <alex@example.com> sub rsa4096 2020-02-06 [E]
Then we'll only need the email
and the key uid
e.g. in our example the
the following two values:
OATH_EMAIL
:alex@example.com
OATH_KEY
:424184E122529120CC1821756759ADDD12CB6379
Important: The key will be in your
$HOME/.gnupg
folder. Saving this folder is enough to back it up.
Author
Alexander de Sousa.
License
Oath
is released under the MIT License. See the LICENSE file for further
details.