A Simple "google authenticator" / TOTP client tool

a simple TOTP / google authenticator client. it will generate TOTP tokens for the configured accounts and secure data at rest.

WARNING This is a project in development, some trivial backup/rollback strategies are being implemented, but it seems reliable enough that i use it everyday on various accounts.

make sure you have a properly installed golang and $GOPATH etc.. then :

$ go get github.com/unix4fun/g
$ g -h

Usage of g:
  -add string
    	add entry <name>
  -dec
    	decrypt PEM file and output on stdout
  -digit int
    	TOTP token size (valid: {6,7,8}) (default 6)
  -enc
    	encrypt PEM file and output on stdout
  -hmac string
    	TOTP hmac function (valid {sha1|sha256|sha512}) (default: sha1) (default "sha1")
  -init
    	initialize the PEM file (will truncate if existing)
  -pass
    	update PEM file password
  -pem string
    	PEM filename to use (default "/home/rival/.config/g.pem")
  -period int
    	TOTP window (default: 30) (default 30)
  -qr string
    	scan & add from QRcode image file
  -rm string
    	remove entry <name>
  -sec string
    	TOTP shared secret (valid: len>0)
  -upd string
    	update entry <name>

the default secret storage lies in ~/.config/g.pem but you can ALWAYS give the pem file you want to operate on by using:

...  -pem <pemfile>

to access your tokens, you will be asked your password/passphrase whatever..

$ g -init
Init Password: <type your password>
Retype Init Password: <type your password again>

Save the QRcode PNG file then thanks to an external qrdecoding module we can read QR code directly, note that it has not been extensively tested yet.

$ g -qr /path/to/qrcode.png
qr code add: /path/to/qrcode.png
Password:

like you're setting up your 2FA for your gmail account. WARNING Remember if you have an history file, THIS WILL BE IN YOUR HISTORY. Most shells allows to execute a command without being history logged check your shell documentation.

Example, for now with bash, you can tell history to NOT log this command:

   export HISTIGNORE="g *"

or setup a no history space prefix like :

   export HISTCONTROL=ignorespace

and prefix your commands for token by a space.

This might be the reason for a format/editing change later.

$ g -add gmail -sec <google 2fa secret>
Password:
.. debug message to say it's ok...

$ g 
Password:
account    | totp  
---------- | ----  
gmail      | 357119

[==        ] TTL

now you can add all your tokens one by one when necessary. tokens by default adopts google authenticator baseline (sha1 / 6 digits)

but some services provides even higher baseline, like sha256 / 8 digits token, which is also supported:

$ g -add patatra -sec <my secret> -hmac sha256 -digit 8
...
$ g
Password:
account    | totp
---------- | ----
gmail      | 707792
patatra    | 71997833

[========= ] TTL

token config are in a JSON format encrypted using PEMAEAD you can decrypt them at any moment to peek if necessary and re-encrypt a payload as necessary too

$ g -dec
Password:
{
 	"gmail": {
  	"secret": "proutpro",
  	"hash": "sha1",
  	"digit": 6
 	},
 	"patatra": {
  	"secret": "geonimo",
  	"hash": "sha256",
  	"digit": 8
 	}
}

No particular reason for using JSON, i guess i was brainwashed by the whole JSON crap craze everywhere instead of using a simpler format (CSV?), which mean i might move to a simpler format later, but the tool will manage to handle backward compatibility so don't worry.

• remove debug messages.
• might move the secret input as a terminal input instead of command line (to avoid people leave their history full of secret)
• cleaner CLI.
• rewrite help messages.
• implement unit test everywhere.
• implement QR code reader (from jpg)