Oracle-compatible TOTP

Message-ID: <65862d84@news.ausics.net>
From: not@telling.you.invalid (Computer Nerd Kev)
Subject: Oracle-compatible TOTP
Newsgroups: comp.os.linux.misc
Summary: What Linux program handles TOTP from Oracle?
Keywords: TOTP,applications,security,internet,2FA,MFA
User-Agent: tin/2.0.1-20111224 ("Achenvoir") (UNIX) (Linux/2.4.31 (i586))
NNTP-Posting-Host: news.ausics.net
Date: 23 Dec 2023 10:44:53 +1000
Organization: Ausics - https://ausics.net
Lines: 32
X-Complaints: abuse@ausics.net
Path: i2pn2.org!i2pn.org!usenet.goja.nl.eu.org!news.bbs.nz!news.ausics.net!not-for-mail
 by: Computer Nerd Kev - Sat, 23 Dec 2023 00:44 UTC

This 2FA BS will be the death of me. Oracle Cloud won't let me sign
in anymore unless I get a USB authenticator key or an authenticator
app on my non-existent smartphone.

The docs suggest that the smartphone apps are actually using TOTP:
https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/usingmfa.htm

So although officially they only want you using their own
smartphone app or Google's one, it seems there should be options
for using a Linux TOTP program on PC as well.

So I found a nice simple TOTP program in C, c_otp:
https://github.com/fmount/c_otp

The example "secrets" are 7-character-long base32 strings, and it
gives me codes from them. But the ones Oracle give you (when you
click past the QR codes) are 26 characters long with the spaces
removed, and to them (with or without an '=' added on the end) it
says "invalid base32 secret", which appears to mean that the
validate_b32key() function in OpenSSL (v3.2) rejected it.

So is there another transformation that I need to do to the
"secret" string that Oracle spits out? Or does someone know a
specific Linux TOTP program that works with Oracle Cloud? Ideally
something small, fast, and scriptable, like c_otp.

Tips to avoid Oracle's 2FA requirement altogether would be even
more welcome, but it looks like they've made it compulsory.

--
__ __
#_ < |\| |< _# | Note: I won't see posts made from Google Groups |

Re: Oracle-compatible TOTP

Message-ID: <658633e1@news.ausics.net>
From: not@telling.you.invalid (Computer Nerd Kev)
Subject: Re: Oracle-compatible TOTP
Newsgroups: comp.os.linux.misc
References: <65862d84@news.ausics.net>
User-Agent: tin/2.0.1-20111224 ("Achenvoir") (UNIX) (Linux/2.4.31 (i586))
NNTP-Posting-Host: news.ausics.net
Date: 23 Dec 2023 11:12:02 +1000
Organization: Ausics - https://ausics.net
Lines: 24
X-Complaints: abuse@ausics.net
Path: i2pn2.org!i2pn.org!news.1d4.us!news.bbs.nz!news.ausics.net!not-for-mail
 by: Computer Nerd Kev - Sat, 23 Dec 2023 01:12 UTC

Computer Nerd Kev <not@telling.you.invalid> wrote:
> So I found a nice simple TOTP program in C, c_otp:
> https://github.com/fmount/c_otp
>
> The example "secrets" are 7-character-long base32 strings, and it
> gives me codes from them. But the ones Oracle give you (when you
> click past the QR codes) are 26 characters long with the spaces
> removed, and to them (with or without an '=' added on the end) it
> says "invalid base32 secret", which appears to mean that the
> validate_b32key() function in OpenSSL (v3.2) rejected it.
>
> So is there another transformation that I need to do to the
> "secret" string that Oracle spits out?

I found the GNU oathtool program from oath-toolkit, and its verbose
mode let slip that what I needed to do was pad the "secret" out to
32-characters long using '=' characters:
[26-char "secret"]======

I'll test it out with the Oracle website after lunch.

--
__ __
#_ < |\| |< _# | Note: I won't see posts made from Google Groups |

Re: Oracle-compatible TOTP

Message-ID: <65864e9b@news.ausics.net>
From: not@telling.you.invalid (Computer Nerd Kev)
Subject: Re: Oracle-compatible TOTP
Newsgroups: comp.os.linux.misc
References: <65862d84@news.ausics.net> <658633e1@news.ausics.net>
User-Agent: tin/2.0.1-20111224 ("Achenvoir") (UNIX) (Linux/2.4.31 (i686))
NNTP-Posting-Host: news.ausics.net
Date: 23 Dec 2023 13:06:03 +1000
Organization: Ausics - https://ausics.net
Lines: 13
X-Complaints: abuse@ausics.net
Path: i2pn2.org!i2pn.org!news.bbs.nz!news.ausics.net!not-for-mail
 by: Computer Nerd Kev - Sat, 23 Dec 2023 03:06 UTC

Computer Nerd Kev <not@telling.you.invalid> wrote:
> I found the GNU oathtool program from oath-toolkit, and its verbose
> mode let slip that what I needed to do was pad the "secret" out to
> 32-characters long using '=' characters:
> [26-char "secret"]======
>
> I'll test it out with the Oracle website after lunch.

Yep, it works.

--
__ __
#_ < |\| |< _# | Note: I won't see posts made from Google Groups |
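
The padding fix described in the posts above, as an added example that is not code from the thread, c_otp or oathtool: a 26-character base32 secret encodes 16 bytes, and a strict decoder only accepts it once it is padded with six '=' to 32 characters. The function names and the sample key are constructed for illustration, and HMAC-SHA1 with a 30-second step and 6 digits is an assumption (the common authenticator default), not something the thread states about Oracle.

```python
# Added example, not from the thread: why a 26-character base32 TOTP secret is
# rejected until it is padded to 32 characters, plus RFC 6238 code generation.
import base64
import binascii
import hashlib
import hmac
import struct
import time


def normalize_secret(secret: str) -> str:
    """Strip spaces/dashes, upper-case, and pad with '=' to a multiple of 8."""
    s = secret.replace(" ", "").replace("-", "").rstrip("=").upper()
    # Only these lengths (mod 8) correspond to a whole number of bytes.
    if len(s) % 8 not in (0, 2, 4, 5, 7):
        raise ValueError(f"{len(s)} base32 characters is not a valid length")
    return s + "=" * (-len(s) % 8)


def totp(secret: str, now=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 (assumed parameters, see lead-in)."""
    key = base64.b32decode(normalize_secret(secret))
    counter = int(time.time() if now is None else now) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def strict_decode_fails(secret: str) -> bool:
    """True if a strict base32 decoder rejects the secret exactly as given."""
    try:
        base64.b32decode(secret.replace(" ", ""))
        return False
    except binascii.Error:
        return True


# Constructed sample: a 16-byte key shown the way a site might display it,
# 26 characters in space-separated groups with the '=' padding left off.
RAW_KEY = b"1234567890123456"
B32 = base64.b32encode(RAW_KEY).decode().rstrip("=")
DISPLAYED = " ".join(B32[i:i + 4] for i in range(0, len(B32), 4)).lower()

if __name__ == "__main__":
    print("strict decode rejects unpadded:", strict_decode_fails(B32))
    print("normalized:", normalize_secret(DISPLAYED))
    print("code now  :", totp(DISPLAYED))
```
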

Re: Oracle-compatible TOTP

Path: i2pn2.org!i2pn.org!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: rotflol2@hotmail.com (Borax Man)
Newsgroups: comp.os.linux.misc
Subject: Re: Oracle-compatible TOTP
Date: Sat, 23 Dec 2023 04:04:37 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 16
Message-ID: <slrnuocn2l.sva.rotflol2@Deimos.Underworld>
References: <65862d84@news.ausics.net> <658633e1@news.ausics.net>
<65864e9b@news.ausics.net>
Injection-Date: Sat, 23 Dec 2023 04:04:37 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="8f8bbf9d15222506a56f9c899953c359";
logging-data="2045602"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18JpVcfLdlri3TkYBrTgZW5UWN0Hz/3TRs="
User-Agent: slrn/1.0.3 (Linux)
Cancel-Lock: sha1:6mA/sPct+ipNeh8mgll6CtPMcdQ=
 by: Borax Man - Sat, 23 Dec 2023 04:04 UTC

On 2023-12-23, Computer Nerd Kev <not@telling.you.invalid> wrote:
> Computer Nerd Kev <not@telling.you.invalid> wrote:
>> I found the GNU oathtool program from oath-toolkit, and its verbose
>> mode let slip that what I needed to do was pad the "secret" out to
>> 32-characters long using '=' characters:
>> [26-char "secret"]======
>>
>> I'll test it out with the Oracle website after lunch.
>
> Yep, it works.
>

I've had to monkey around a little with 2FA, but generally always got
it working with Linux. The "pass" password manager helps quite a bit
here to make it less painful, providing a nice front end to it.

Re: Oracle-compatible TOTP

Message-ID: <65868b8e@news.ausics.net>
From: not@telling.you.invalid (Computer Nerd Kev)
Subject: Re: Oracle-compatible TOTP
Newsgroups: comp.os.linux.misc
References: <65862d84@news.ausics.net> <658633e1@news.ausics.net> <65864e9b@news.ausics.net> <slrnuocn2l.sva.rotflol2@Deimos.Underworld>
User-Agent: tin/2.0.1-20111224 ("Achenvoir") (UNIX) (Linux/2.4.31 (i686))
NNTP-Posting-Host: news.ausics.net
Date: 23 Dec 2023 17:26:07 +1000
Organization: Ausics - https://ausics.net
Lines: 17
X-Complaints: abuse@ausics.net
Path: i2pn2.org!i2pn.org!news.bbs.nz!news.ausics.net!not-for-mail
 by: Computer Nerd Kev - Sat, 23 Dec 2023 07:26 UTC

Borax Man <rotflol2@hotmail.com> wrote:
> I've had to monkey around a little with 2FA, but generally always got
> it working with Linux. The "pass" password manager helps quite a bit
> here to make it less painful, providing a nice front end to it.

I've now set an option in the window manager's menu that runs:
bash -c 'expr "`c_otp -f ~/.totpcodes`" : ".*(oracle: \([0-9]*\)" | xclip'

Where ~/.totpcodes contains the secrets for different sites (yes
I've observed that encrypting them is another option).

Now I just have to click the menu option, then paste into the form
in the web browser. That's easy enough for me.

--
__ __
#_ < |\| |< _# | Note: I won't see posts made from Google Groups |

Re: Oracle-compatible TOTP

Path: i2pn2.org!i2pn.org!news.chmurka.net!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: rotflol2@hotmail.com (Borax Man)
Newsgroups: comp.os.linux.misc
Subject: Re: Oracle-compatible TOTP
Date: Mon, 25 Dec 2023 10:17:24 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 24
Message-ID: <slrnuoillj.2tp.rotflol2@Deimos.Underworld>
References: <65862d84@news.ausics.net> <658633e1@news.ausics.net>
<65864e9b@news.ausics.net> <slrnuocn2l.sva.rotflol2@Deimos.Underworld>
<65868b8e@news.ausics.net>
Injection-Date: Mon, 25 Dec 2023 10:17:24 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="3bba04c1f1882e772c14ea82540488a8";
logging-data="3175020"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX195rK0cmMAFidbbfOtaxVMBlYo5P6jYDTk="
User-Agent: slrn/1.0.3 (Linux)
Cancel-Lock: sha1:GPG2I3PJAl0shFrnsKojbjy+sH0=
 by: Borax Man - Mon, 25 Dec 2023 10:17 UTC

On 2023-12-23, Computer Nerd Kev <not@telling.you.invalid> wrote:
> Borax Man <rotflol2@hotmail.com> wrote:
>> I've had to monkey around a little with 2FA, but generally always got
>> it working with Linux. The "pass" password manager helps quite a bit
>> here to make it less painful, providing a nice front end to it.
>
> I've now set an option in the window manager's menu that runs:
> bash -c 'expr "`c_otp -f ~/.totpcodes`" : ".*(oracle: \([0-9]*\)" | xclip'
>
> Where ~/.totpcodes contains the secrets for different sites (yes
> I've observed that encrypting them is another option).
>
> Now I just have to click the menu option, then paste into the form
> in the web browser. That's easy enough for me.

I highly recommend "pass". I use that, and with the Window Manager use
"red pass" (https://gitlab.com/fnt400/redpass) which can use xdotool to
automatically type usernames, passwords and one time codes.

Pass is simple, it's just shell scripts. It seems you are basically
reinventing it!
