A portable shell script to generate TOTPs from the command line.
shotput service [reveal]
Generates an OTP for the given service. If the service is not found, you will
be prompted to provide a new secret key and an encryption password. New
secrets are added to the config file in $HOME/.config/shotput.keys
. Each
secret is encrypted seperately and may use a different password.
If reveal
is specified, the secret key for the given service will be
displayed, rather than generating an OTP.
Add a new TOTP secret:
$ ./shotput example
Enter a new base32 secret key for example:GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
Enter TOTP algorithm (default SHA1):SHA512
Enter TOTP timeout (default 30s):60
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
Encrypted secret key for example and added to /home/username/.config/shotput.keys
enter aes-256-cbc decryption password:
166313
Check your secrets are encrypted:
$ cat ~/.config/shotput.keys
example="U2FsdGVkX19jANPjexyaiXOsTgZvdwKyWfDm4yWGh9rZ3G1iqfd5RyNX/hyGKmJOeeZYPF7FKrfD/dgRswb72Q== SHA512 60"
Generate an OTP:
$ ./shotput example
enter aes-256-cbc decryption password:
358094
Recover your secret key:
$ ./shotput example reveal
enter aes-256-cbc decryption password:
GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
SHA512
60
shotput requires oathtool >=2.6.6
and openssl
:
sudo apt install oathtool openssl
Place the shotput
script on your path:
cd $HOME/bin
wget https://raw.githubusercontent.com/rogerkeays/shotput/main/shotput
Or clone with github:
git clone https://github.com/rogerkeays/shotput.git
zbarimg
can be used to decode QR codes. Save the QR code as an image file, and run:
sudo apt install zbar-tools
zbarimg $file
This should produce an otpauth://
URL which contains your secret key, and TOTP parameters.
shotput
can be made to work with older versions of oathtool
that do not read from stdin. Replace oathtool -
with oathtool $(cat /dev/stdin)
. This is not recommended on multi-user systems, because the plain text secret key will be visible to ps
and other tools while oathtool
is running.
- otpclient: another linux OTP utility which includes a command line tool.
- otpauth: a tool which can convert Google Authenticator links to standard oauth secret keys.
- How to use TOTP with Google accounts: being conventional is sometimes the right choice.
- How to extract TOTP secrets from the MyGov app: for Australians who are over installing government apps.
- python-vipacess: a tool to provision secret keys from Symantec VIP Access so you don't have to install their app.
- More stuff you never knew you wanted.