Skip to content

nordcloud/mfacli

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

26 Commits
cmd
cmd
 
 
config
config
 
 
pkg
pkg
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

MFACLI - a command line tool for generating Time-based One-Time Passwords for Multi-Factor Authentication

mfacli allows you to generate TOTP codes from command like for different MFA clients (e.g. multiple AWS IAM Virtual MFA devices). Its most useful feature is the ability to simulate typing of the code so you can bind a command like mfacli type CLIENT_ID to some global shortcut and have it automatically typed into the currently focused input on a web-page or to some command-line tool which asks for the code (like awscli, serverless, etc.).

Installation

go get github.com/nordcloud/mfacli

Basic usage

Step 1. Adding a client

mfacli add CLIENT [-s|--secret]

Set up a password

At the first execution you will be asked to set up a new password for the client secrets encrypted vault.

Provide a client secret

After the password is set up (or if the vault already exists) you will be asked to provide a client secret which will be used to generate TOTP codes.

Secret source

if the --secret flag (or its short form -s) is omitted the value for the new secret is read from the terminal standard input without echoing the characters. If the value for the flag is provided it defines the source for the new secret to be imported from. The supported forms of the flag's value are described below:

  • qr-scan: a QR code is scanned from the screen and its decoded value is used as the new secret
  • qr-file:<IMAGE_FILE>: a QR code is read from the <IMAGE_FILE> and its decoded value is used as the new secret
  • env:<ENV>: the secret is set to the value of the <ENV> environment variable
  • file:<FILENAME>: the secret is set to the whole content of the file <FILENAME> (including a possible newline!)
  • pass:<PLAIN_TEXT>: the secret is set to <PLAIN_TEXT>

Note: the QR code scanning from the screen assumes the import command from the Imagemagick toolkit is installed on the system.

Step 2. Generate the TOTP code

Print to standard output

mfacli print CLIENT_ID [--newline]

Copy to clipboard (currently only supported on Linux with X.org)

mfacli clipboard CLIENT_ID [--newline]

Simulate typing (currently only supported on Linux with X.org)

mfacli type CLIENT_ID [--newline]

How it works

All client secrets are stored in an encrypted file which is called a vault. Its default location is ~/.mfacli/mfacli.vault though a custom value can be provided using --vault flag (see mfacli --help for details).

To prevent typing the vault password every time you want to generate a TOTP code only the first execution of mfacli asks for password. It then starts a secrets cache server (using the encryption key which is SHA-256 sum of the password) which listens on a Unix socket (~/.mfacli/mfacli.sock by default). Upon all subsequent executions mfacli connects to the socket to retrieve the secret and then generates the code based on it. This way the secrets are never stored on disk unencrypted.

About

No description or website provided.

Topics

aws totp mfa

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

9 stars

Watchers

30 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Contributors 6

Languages