You are not logged in.

#1 2019-05-01 09:29:08

doctorzeus
Member
Registered: 2011-12-24
Posts: 79

Google Authenticator Bash Script

So I was moving to a new phone recently and have wanted to store my google authenticator codes on a new device anyway. I ended up finding out there was no tool on Linux that seemed to do this, only generate the codes.

So what was meant to be a quick script project turned into an all-nighter with code encryption, management, etc so I thought i'd release it on github and create a package in the AUR for anyone who is interested: https://aur.archlinux.org/packages/gashell/.

Thanks

Last edited by doctorzeus (2019-05-01 09:29:57)

Offline

#2 2021-11-29 06:45:55

randomxusr
Member
Registered: 2021-08-04
Posts: 10

Re: Google Authenticator Bash Script

Thanks for creating this script.

I'm hoping to use this script for the reason you created it.

I'm running into an issue however, with decrypting the secrets file. I've tried to open it to get the codes and I'm receiving errors about the password.

I believe that I'm entering the same password I've created to no avail. I'm suspecting that this either has something to do with my openssl.cnf/openssl build or the fact I'm using a Ryzen CPU.

These are just guesses at this point however, and I'm hoping you are able to assist.

Would you be willing to help out?

Thanks in advance

Offline

#3 2021-11-29 07:25:22

doctorzeus
Member
Registered: 2011-12-24
Posts: 79

Re: Google Authenticator Bash Script

randomxusr wrote:

Thanks for creating this script.

I'm hoping to use this script for the reason you created it.

I'm running into an issue however, with decrypting the secrets file. I've tried to open it to get the codes and I'm receiving errors about the password.

I believe that I'm entering the same password I've created to no avail. I'm suspecting that this either has something to do with my openssl.cnf/openssl build or the fact I'm using a Ryzen CPU.

These are just guesses at this point however, and I'm hoping you are able to assist.

Would you be willing to help out?

Thanks in advance

So your trying to get the actual private keys out of the file?

Your CPU and openssl config file shouldn't make any difference if you have manually specified the right options.

Are you utilizing pbkdf2 with aes-256-cbc and the salt contained in the salt file manually? e.g.

SECRETSCONTENTS="$(cat ~/.config/gashell/secrets)";
SALT="$(cat ~/.config/gashell/salt)";
PASSWORD='YOURPASSWORD';

echo $SECRETSCONTENTS | openssl enc -d -pbkdf2 -aes-256-cbc -a -nosalt -pass "pass:$SALT$PASSWORD$SALT";

The contents are tab delimited with new lines representing each code.

It might be a good feature to add code export in the future.

Last edited by doctorzeus (2021-11-29 07:32:07)

Offline

#4 2021-11-29 07:52:23

randomxusr
Member
Registered: 2021-08-04
Posts: 10

Re: Google Authenticator Bash Script

doctorzeus wrote:
randomxusr wrote:

Thanks for creating this script.

I'm hoping to use this script for the reason you created it.

I'm running into an issue however, with decrypting the secrets file. I've tried to open it to get the codes and I'm receiving errors about the password.

I believe that I'm entering the same password I've created to no avail. I'm suspecting that this either has something to do with my openssl.cnf/openssl build or the fact I'm using a Ryzen CPU.

These are just guesses at this point however, and I'm hoping you are able to assist.

Would you be willing to help out?

Thanks in advance

So your trying to get the actual private keys out of the file?

Your CPU and openssl config file shouldn't make any difference if you have manually specified the right options.

Are you utilizing pbkdf2 with aes-256-cbc and the salt contained in the salt file manually? e.g.

SECRETSCONTENTS="$(cat ~/.config/gashell/secrets)";
SALT="$(cat ~/.config/gashell/salt)";
PASSWORD='YOURPASSWORD';

echo $SECRETSCONTENTS | openssl enc -d -pbkdf2 -aes-256-cbc -a -nosalt -pass "pass:$SALT$PASSWORD$SALT";

The contents are tab delimited with new lines representing each code.

It might be a good feature to add code export in the future.


To be sure; I'm still learning bash, scripting, and some cryptography, to the extent of following directions at this point.

I've used all defaults in openssl when I installed it about a month ago. Then I found your project over the past few days. Followed the AUR articles and installed gashell.

Indeed the last line is similar except mine differs as follows -  CODESSTR=$(echo $CODESSTR | openssl enc -d -pbkdf2 -aes-256-cbc -a -nosalt -pass "pass:$SALT$PASSWORD$SALT" >2$ERROROUTFILE);

I don't have the first block you included regarding the SECRETCONTENTS/SALT/PASSWORD.

My error in the /tmp/gashellerr.txt is Bad Decrypt.

Does this help identify possible issues?

Offline

#5 2021-11-29 08:34:14

doctorzeus
Member
Registered: 2011-12-24
Posts: 79

Re: Google Authenticator Bash Script

Ok back up a bit..  Just to clarify are you trying to:

A. Use the gashell script normally to add, store, generate, etc your codes?
B. Manually extract the private keys stored by gashell?

If you are trying to use gashell normally you don't need to start messing around with openssl (the script does all this for you), all you need to do is run "gashell" in the terminal and it should talk you through how to use it there.

If you are trying to manually extract the private keys stored by the script: Assuming you have not modified the original gashell script, the "secrets" and "salt" files you need should be in the $HOME/.config/gashell/ directory. You need to run these through openssl to get the contents. Easiest way to do this would be to save the code similar to what I provided earlier into a bash script and run the script (I have modified it to make it simpler and ask for your password when run):

#!/bin/bash

SECRETSCONTENTS="$(cat $HOME/.config/gashell/secrets)";
SALT="$(cat $HOME/.config/gashell/salt)";
PASSWORD='';

while [ "$PASSWORD" = '' ]; do
    echo "Enter Password:";
    read -s PASSWORD;
done

echo $SECRETSCONTENTS | openssl enc -d -pbkdf2 -aes-256-cbc -a -nosalt -pass "pass:$SALT$PASSWORD$SALT";

I'm assuming you know how to save and run bash/shell scripts as otherwise there are too many rabbit holes to go down to explain sadly, so some googling may be required.. smile

Last edited by doctorzeus (2021-11-29 09:04:55)

Offline

#6 2021-11-29 09:28:24

randomxusr
Member
Registered: 2021-08-04
Posts: 10

Re: Google Authenticator Bash Script

I installed gashell without editing any files. I did view gashell.sh to gain some insight to what it was trying to do.

I am trying to add and store the codes from my phone for use with gashell.

My first interaction was to grab a QR code to export codes from my android and save it to my computer. I then used gashell -i QRcodeImg and set a password, when prompted.

My next action was to run gashell to view the secrets. I figured as a password was required that I gashell.sh is trying to open the secrets file, and it wants the password I created.

Am I mistaken?

Do the first two blocks simply read an encrypted password? and the last line passes the contents of the secrets file to a block cipher function to be decrypted?

Last edited by randomxusr (2021-11-29 09:48:04)

Offline

#7 2021-11-29 10:58:14

randomxusr
Member
Registered: 2021-08-04
Posts: 10

Re: Google Authenticator Bash Script

I created a .sh file based on the code you provided and ran it.

Entered the password and received an error - Bad Decrypt. It mentioned Digital Envelope Routines EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:610:

Offline

#8 2021-11-30 23:50:13

doctorzeus
Member
Registered: 2011-12-24
Posts: 79

Re: Google Authenticator Bash Script

randomxusr wrote:

I installed gashell without editing any files. I did view gashell.sh to gain some insight to what it was trying to do.

I am trying to add and store the codes from my phone for use with gashell.

My first interaction was to grab a QR code to export codes from my android and save it to my computer. I then used gashell -i QRcodeImg and set a password, when prompted.

My next action was to run gashell to view the secrets. I figured as a password was required that I gashell.sh is trying to open the secrets file, and it wants the password I created.

Am I mistaken?

Do the first two blocks simply read an encrypted password? and the last line passes the contents of the secrets file to a block cipher function to be decrypted?

Yes the secrets are stored in the secrets file and can be decrypted using a combination of your password and the contents of the salt file.

The password you provided to gashell is the one used to encrypt/decrypt the codes.

The first 2 lines in the code I provided to you read in the contents of the secret file and the salt file, the while loop then asks for your password and the final one decrypts the codes using the password you provided along with the contents of the salt file. However you shouldn't even need this script that I have provided for your use case as just typing in "gashell" with no arguments will ask for your password and begin generating usable codes.

Is your phone exporting all the codes as a single QR code? In which case this is probably a proprietary format and is not supported by gashell.. The QR codes being parsed need to be individual codes not a group of them and you will need to start again and access the various sites/code providers and get additional codes for gashell.

My only other guess is maybe you typed in the password wrong when you first created it (however unlikely). Assuming you still have the qr code you could do the following:

1. $ mv $HOME/.config/gashell $HOME/.config/gashell.bak
2. Run gashell with no arguments and enter your new password. I.e: $ gashell
3. Parse the qr code $ gashell -i QRcodeImg
4. Run gashell again with no arguments and enter your password. I.e. $ gashell

Last edited by doctorzeus (2021-11-30 23:54:27)

Offline

#9 2021-11-30 23:53:22

doctorzeus
Member
Registered: 2011-12-24
Posts: 79

Re: Google Authenticator Bash Script

randomxusr wrote:

I created a .sh file based on the code you provided and ran it.

Entered the password and received an error - Bad Decrypt. It mentioned Digital Envelope Routines EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:610:

I'm not sure what this would be sorry, I would throw it into google and see what it spits out.

Offline

Board footer

Powered by FluxBB