MFA: setting up Linux as an authenticator to generate a TOTP password


With Time-based One-Time Passwords (TOTP), you normally use an application on your mobile phone to generate the TOTP codes.

You can also do this from Linux and generate the code needed to log on to z/OS from Linux (Ubuntu 22.04). I used cURL and a Linux authenticator tool called oathtool. I expect other techniques are available, such as with Python.

Overview of the process

  • From Linux, send the userid and password in a request to https://….:6793/AZFTOTP1/genericToken.
  • This sends back a response such as
    {"status":0,
     "rc":0,
     "rsn":0,
     "preflightPathBase":"/AZFTOTP1/preflight",
     "inviteCode":"HXKNSSWMMDIZ2DVB1R2VNTGA2MOUJDKE",
     "otpauthURL":"otpauth://totp/T012@MYREALM?secret=MQB4T…2Y&issuer=MYREALM&algorithm=SHA1&digits=6&period=30"}
  • The data is
    • The "preflightPathBase" is the URL to send the generated code back to
    • The "inviteCode" identifies the specific request to MFA
    • The secret is the value used to generate the OTP – it should be kept securely
    • Algorithm specifies the hash algorithm to be used, for example SHA1 or SHA256
    • Digits is the number of digits to be generated in the numeric code
    • Period is how often a new code is generated, typically 30 seconds
  • oathtool is invoked with the secret, the algorithm, the number of digits and the period, and it generates a code
  • The code is sent back to the requester (the preflight URL, with the invite code) to complete the registration process
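As an added example (not the post's own code), here is the same enrolment flow in Python, the alternative to cURL plus oathtool that the post anticipates. It parses the genericToken response, extracts the TOTP parameters from the otpauthURL, computes the code the way oathtool --totp does (RFC 6238), and builds the preflight URL that the bash script sends back. The response below is constructed from the one shown above, with the RFC 4226 test key as a dummy secret; the server address and the enrol() helper are assumptions, and the two HTTPS calls themselves (curl with curlyubi.parms in the script) are left out. It also checks each algorithm against the RFC 6238 test vectors.

```python
"""Python alternative to the curl + oathtool flow (added example, not the post's own code)."""
import base64
import hashlib
import hmac
import json
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample of a genericToken response. The secret is the RFC 4226
# test key in base32 (a dummy value, not one issued by a real MFA server).
SAMPLE_RESPONSE = (
    '{"status":0,"rc":0,"rsn":0,'
    '"preflightPathBase":"/AZFTOTP1/preflight",'
    '"inviteCode":"HXKNSSWMMDIZ2DVB1R2VNTGA2MOUJDKE",'
    '"otpauthURL":"otpauth://totp/T012@MYREALM'
    '?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'
    '&issuer=MYREALM&algorithm=SHA1&digits=6&period=30"}'
)

# hashlib functions for the algorithm= values. SHA384 goes beyond what
# oathtool accepts but is computed the same way (HMAC, then dynamic truncation).
ALGORITHMS = {
    "SHA1": hashlib.sha1,
    "SHA256": hashlib.sha256,
    "SHA384": hashlib.sha384,
    "SHA512": hashlib.sha512,
}


def parse_token_response(text):
    """Return (preflightPathBase, inviteCode, totp params) from the JSON reply.

    A failed request comes back as {"rc":8,"rsn":23} with no status field;
    it is reported instead of being parsed further (the bash script makes
    the same check on the first field of the response).
    """
    resp = json.loads(text)
    if resp.get("status") != 0:
        raise RuntimeError(
            "MFA request failed: rc=%s rsn=%s" % (resp.get("rc"), resp.get("rsn")))
    url = urlparse(resp["otpauthURL"])
    if url.scheme != "otpauth" or url.netloc != "totp":
        raise ValueError("expected an otpauth://totp/ URL, got " + resp["otpauthURL"])
    q = parse_qs(url.query)
    params = {
        "secret": q["secret"][0],
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }
    return resp["preflightPathBase"], resp["inviteCode"], params


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, digits=6, period=30, algorithm="SHA1", at=None):
    """RFC 6238: HOTP with counter = unix time // period (what oathtool --totp does)."""
    raw = secret_b32.strip().upper()
    raw += "=" * (-len(raw) % 8)  # issuers usually drop the base32 padding
    key = base64.b32decode(raw)
    now = int(time.time()) if at is None else int(at)
    return hotp(key, now // period, digits, algorithm)


def enrol(base_url, response_text, at=None):
    """Hypothetical helper: the URL the bash script fetches in its second curl call."""
    preflight, invite, p = parse_token_response(response_text)
    code = totp(p["secret"], p["digits"], p["period"], p["algorithm"], at)
    return "%s%s/%s/%s" % (base_url, preflight, invite, code)


# RFC 6238 Appendix B vectors (8 digits, T=59), one per algorithm.
RFC6238_VECTORS = [
    ("SHA1", b"12345678901234567890", 59, "94287082"),
    ("SHA256", b"12345678901234567890123456789012", 59, "46119246"),
    ("SHA512", b"1234567890" * 6 + b"1234", 59, "90693936"),
]


def check_rfc6238_vectors():
    """True when every algorithm reproduces its published RFC 6238 code."""
    return all(hotp(key, t // 30, 8, alg) == want for alg, key, t, want in RFC6238_VECTORS)


if __name__ == "__main__":
    assert check_rfc6238_vectors()
    # the server address is assumed, as in the post's script
    print(enrol("https://10.1.1.2:6793", SAMPLE_RESPONSE))
```

Running it prints the preflight URL carrying the code for the current 30-second window; with at=59 and the dummy secret it produces the RFC 4226 counter-1 code 287082, which is a handy way to confirm that a home-grown generator agrees with oathtool before pointing it at a real enrolment.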

The bash script

url="https://10.1.1.2:6793"
http="$url/AZFTOTP1/genericToken"
# set trace to, for example, "--trace-ascii trace.txt" to see what curl sends and receives
trace=""

data='{"userid":"T012","password":"11111111"}'

x=$(curl $trace --config curlyubi.parms --tlsv1.2 --data "$data" "$http" )
# echo "response" $x

# split the response at ',' and take the first two fields
rc=$(echo "$x" | cut -d',' -f 1 )
rsn=$(echo "$x" | cut -d',' -f 2 )
echo "rc:"$rc
# check it is a valid response: a good response starts {"status":0,
# a failure looks like {"rc":8,"rsn":23}
if [ "$rc" = "{\"status\":0" ]; then
echo "valid....."
else
echo "RC:"$rc "RSN:"$rsn $x
exit 1
fi
# extract the data from the response - split at ',' and return the nth field
# then remove the key name and surrounding quotes
preFlight=$(echo "$x" | cut -d',' -f 4 |awk -F'":"|"' '{print $3}')
echo "preflight:"$preFlight

invite=$(echo "$x" | cut -d',' -f 5 |awk -F'":"|"' '{print $3}')
echo "invite code:"$invite

# the otpauthURL is the sixth field; pick each parameter out of its query string
secret=$(echo "$x" | cut -d',' -f 6 | awk -F'secret=|&issuer' '{print $2}')
#echo "secret is "$secret

alg=$(echo "$x" | cut -d',' -f 6 | awk -F'algorithm=|&digits' '{print $2}')
#echo "algorithm" $alg

digits=$(echo "$x" | cut -d',' -f 6 | awk -F'digits=|&period' '{print $2}')
#echo "digits:"$digits

period=$(echo "$x" | cut -d',' -f 6 | awk -F'period=|"}' '{print $2}')
# echo "period:" $period

# generate the code for the current time step
tss="--time-step-size=$period"
code=$(oathtool --totp=$alg --digits=$digits $tss --window=0 --base32 $secret)

# and send it back to the preflight URL, with the invite code and the generated code
ht="$url$preFlight/$invite/$code"
y=$(curl $trace --config curlyubi.parms --tlsv1.2 -X GET "$ht" )
echo "Final response" $y

Where the bash code does

  • rsn=$(echo $x | cut -d',' -f 2 ) says take the data in variable x, split it at "," (cut -d',') and take the second field (-f 2)
  • awk -F'digits=|&period' '{print $2}' says split the data at "digits=" and "&period" and take the second piece of data, the value between them

When this ran successfully it generated

{"msg":"yes","status":0}

When I reran it I got a message from the first curl request

response {"rc":8,"rsn":23}

If you register using the web browser, the corresponding message is

TOTP Enrollment is not available for your User ID. Your account is already provisioned.

The file ./htdocs/js/totpUtils.js contains the mapping from rsn code to message.

Generating a code when needed

Whenever you execute

code=$(oathtool --totp=$alg --digits=$digits $tss --window=0 --base32 $secret)

a new code is generated. This means you need to retain the various parameters (secret, digits, etc.) on Linux. Keeping the parameters in a plain file may be insecure, so you may want to consider encrypting the file holding the parameters and using, for example, a dongle with the private key on it. You then need the dongle to be able to access the parameters.

What is supported?

The oathtool help says the supported algorithms are "SHA1", "SHA256", or "SHA512". The MFA product also supports SHA384, but that cannot be used with oathtool.
