This fork simply modifies the instructions from WillForan's work in order to extract Duo's HOTP secret key when connecting with Dosespot (or possibly other services that use Duo and don't provide QR codes).
Duo can authenticate using HOTP, the HMAC (hash-based message authentication code) based One-Time Password algorithm of RFC 4226, but it puts some proprietary wrapping around the OATH (Initiative for Open Authentication) standard.
simonseo/nyuad-spammer has code to work around this; duo.py is largely copied from there. Also see `duo.py -h` or the docstring of duo.py.
Unlike most services, Dosespot doesn't provide a QR code or link that can be fed to duo.py, so some fiddling is required to build the URL the program needs. WillForan's original steps follow; scroll down for the edited Dosespot instructions.
1. generate a new duo QR code for an android tablet within your institution's device management portal
2. copy the URL of the QR code image. It should look like `https://api-e4c9863e.duosecurity.com/frame/qr?value=c53Xoof7cFSOHGxtm69f-YXBpLWU0Yzk4NjNlLmR1b3NlY3VyaXR5LmNvbQ`
3. `./duo.py new 'https://URL-OF-IMAGE'` to register
4. push continue in the browser
5. `./duo.py next` for future authentication
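The `?value=` parameter in the QR URL from step 2 has the layout `<activation code>-<base64 of the Duo API hostname>` (both example URLs on this page follow it). The Python below is an added example, not code from duo.py: it splits a QR URL into those two halves and decodes the host, which doubles as a check that the whole code was copied, because a truncated value no longer decodes to a `*.duosecurity.com` hostname. The `api-xxxxxxxx.duosecurity.com` pattern it checks against is an assumption taken from the examples on this page.

```python
import base64
import re
from urllib.parse import parse_qs, urlparse

# Added example for this README; not part of duo.py.
# Assumption (from the example URLs on this page): Duo API hosts look like
# api-<8 hex chars>.duosecurity.com. Relax the pattern if your tenant differs.
DUO_HOST_RE = re.compile(r"api-[0-9a-f]{8}\.duosecurity\.com")


def parse_duo_qr_url(qr_url: str) -> tuple[str, str]:
    """Return (activation_code, api_host) from a Duo QR URL, or raise ValueError.

    The ?value= parameter is '<activation code>-<base64 host>'. Decoding the
    second half is a cheap way to confirm the value was copied in full.
    """
    query = parse_qs(urlparse(qr_url).query)
    if "value" not in query:
        raise ValueError("URL has no ?value= parameter")
    value = query["value"][0]
    if "-" not in value:
        raise ValueError("value is not '<code>-<base64 host>'")
    code, host_b64 = value.split("-", 1)

    # Duo drops the trailing '=' padding; restore it before decoding.
    padded = host_b64 + "=" * (-len(host_b64) % 4)
    try:
        host = base64.urlsafe_b64decode(padded).decode("ascii")
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError(f"host part does not decode: {exc}") from exc

    if not DUO_HOST_RE.fullmatch(host):
        raise ValueError(
            f"decoded host {host!r} is not a Duo API host; was the code truncated?"
        )
    return code, host


if __name__ == "__main__":
    # The example URL from step 2 above.
    example = (
        "https://api-e4c9863e.duosecurity.com/frame/qr"
        "?value=c53Xoof7cFSOHGxtm69f-YXBpLWU0Yzk4NjNlLmR1b3NlY3VyaXR5LmNvbQ"
    )
    code, host = parse_duo_qr_url(example)
    print(f"activation code: {code}\napi host:        {host}")
```

Run on the second example URL on this page (the one ending in `...YXBpLWYzNzNmOGIxLmR1b3NlY3VyaXR5LmNvbQ`), the decoded host is `api-f373f8b1.duosecurity.com`, not the `api-e4c9863e` host in front of `/frame/qr`. The `value` is the part you copy from the activation page, so that is the part worth checking.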
- Instead of producing a QR code or URL, Dosespot sends an activation link (via SMS only) to your phone. This link WILL NOT work with duo.py on its own, but it is what you need in order to build the URL that will.
- DO NOT CLICK ON THE LINK FROM YOUR PHONE! Opening it on the phone hands the activation to the Duo Mobile app, which consumes the one-time activation code and leaves nothing for duo.py to register with the URL you're about to build.
- Instead of clicking the link, copy and paste it into an email message addressed to yourself. (The link is effectively a credential, so delete that email once you have registered.)
- From a desktop or laptop, open the link from the email you just sent. It should open a Duo activation page that looks like this:
- Copy the entire code (circled in red above). NOTE: the code is wider than the box it is displayed in, so make sure you select all of it and not just the visible part.
- Using the code you just copied AND the example URL from WillForan's original instructions, build your own personal URL by replacing everything after `value=` in the example URL with the code you just copied. It should look like this:
  `https://api-e4c9863e.duosecurity.com/frame/qr?value=ABCDEFGHIJKLMNOPQRST-YXBpLWYzNzNmOGIxLmR1b3NlY3VyaXR5LmNvbQ`
- You now have a URL that duo.py can use to extract the HOTP secret. In other words, just run
  `./duo.py new 'https://YOUR-PERSONAL-URL'`
  to register.
- duo.py stores the secret key as a plain (UTF-8) string, not Base32, in a file named secrets.json. If your chosen authenticator app requires the key in Base32 (as mine does), you need to encode it. I used https://emn178.github.io/online-tools/base32_encode.html to encode the key; since the secret is the credential itself, encoding it locally rather than pasting it into a third-party web page is the safer choice. (You can also find the Base32-encoded secret key simply by scrolling through the output of duo.py.)
- Consider adding a key binding in sxhkd, xbindkeys, etc. for `duo.py next -s ~/secure/myinstitution_duo.json | xclip -i`
- The default secret.json file is not encrypted! Be careful where you store it (see the `-s` switch).
- If you run too many `next` calls without passing the codes on to Duo, the counter moves past Duo's validation window and Duo will not authenticate. HOTP is counter-based, so every `next` advances the counter whether or not the code is used.
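What `next` actually computes, and why unused codes matter, as an added example rather than duo.py's own code (duo.py uses pyotp for the same computation): HOTP per RFC 4226 written out with the standard library, the local Base32 encoding that replaces the web tool mentioned above, and a toy verifier with a look-ahead window. The window size of 10 and the RFC 4226 test key `12345678901234567890` are constructed for the example; Duo's real window is not documented on this page.

```python
import base64
import hashlib
import hmac
import struct

# Added example for this README, not duo.py's own code.


def secret_to_base32(secret: str) -> str:
    """Base32-encode the raw secret string stored in secrets.json.

    Authenticator apps that import a key by hand expect this form; encoding
    locally means the secret never leaves the machine.
    """
    return base64.b32encode(secret.encode("utf-8")).decode("ascii")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpClient:
    """Mimics `duo.py next`: every call advances the counter, used or not."""

    def __init__(self, secret: bytes, counter: int = 0):
        self.secret, self.counter = secret, counter

    def next(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class HotpServer:
    """Verifier with a look-ahead window (the size is an assumption for the example)."""

    def __init__(self, secret: bytes, counter: int = 0, look_ahead: int = 10):
        self.secret, self.counter, self.look_ahead = secret, counter, look_ahead

    def verify(self, candidate: str) -> bool:
        # Accept the expected counter or any of the next `look_ahead` values so a
        # few unused client codes are tolerated; on success resync past that
        # counter, which is why an older code is rejected afterwards.
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), candidate):
                self.counter = c + 1
                return True
        return False


def simulate_skipped_codes(skipped: int, look_ahead: int = 10) -> bool:
    """Client burns `skipped` codes with extra `next` calls, then presents one. Accepted?"""
    secret = b"12345678901234567890"  # RFC 4226 test-vector key (constructed input)
    client = HotpClient(secret)
    server = HotpServer(secret, look_ahead=look_ahead)
    for _ in range(skipped):
        client.next()
    return server.verify(client.next())


if __name__ == "__main__":
    print("base32:", secret_to_base32("12345678901234567890"))
    for skipped in (0, 3, 10, 11, 25):
        print(f"{skipped:2d} skipped codes -> accepted: {simulate_skipped_codes(skipped)}")
```

With a window of 10, ten unused `next` calls are still tolerated and the eleventh is not, which is the failure mode the caveat above describes; the only recovery is to register again with `duo.py new`.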
```sh
pip install -r requirements.txt # pyotp docopt requests
./duo.py -h
```
Testing is limited:
```sh
python -m doctest duo.py
```
- TODO: support GPG to secure the secrets file.
duo.py is specific to Duo's HOTP. For time-based one-time passwords (Google Authenticator, Microsoft Authenticator), look at oath-toolkit instead. The QR code encodes an `otpauth://` URI, so pull the `secret=` parameter out of it before handing it to oathtool:
```sh
KEY=$(zbarimg -q --raw /path/to/qr-image.png | sed -n 's/.*[?&]secret=\([A-Za-z2-7=]*\).*/\1/p')
oathtool --totp --base32 "$KEY"
```