Published: Mon 11 July 2022
By Mathias Payer
In Random.
tags: EPFL
Due to the risk of "cyber threats", many universities are switching to second
factor authentication for logging into their VPNs. Many companies moved to a
second factor for VPN authentication quite some time ago to protect their
perimeter from external access. The idea is that users have to provide two
factors to log into the internal network (not necessarily into the internal
services themselves), reducing the risk that a user who falls victim to
phishing and leaks their password also hands over network access.
Now, compared to companies, which are usually a more closed environment,
universities are much more open and much more diverse. First, they often offer
a public WiFi that gives local users (anyone in WiFi range) access to a somewhat
internal network. Second, there are large classes of users, with tens of
thousands of students, who all bring their own devices that don't run under any
corporate policy.
Under such a "bring your own device" scenario, trying to protect internal
network access seems futile. Nevertheless, many universities are trying to
enforce second factor authentication and thereby burn through many hours of
user time as everyone fetches their second factor (usually a phone) to log into
the VPN.
Let's see how we can make the login process a bit easier. In short, let's clone
our second factor device and automatically generate authentication codes on
demand as the VPN connection is set up.
TOTP: Time-based One Time Password
TOTP is a simple scheme that creates a one-time password that is valid during a
short time window. TOTP (RFC 6238) is HOTP (HMAC-based one-time passwords,
RFC 4226) with a counter derived from the clock: the current Unix time, counted
from the start of Unix time, divided by the time step, which is 30 seconds by
default. HOTP computes HMAC-SHA1 keyed with the shared secret over the 8-byte
big-endian counter (key and counter are not simply concatenated), takes four
bytes of the digest at an offset given by the digest's last nibble (dynamic
truncation), clears the top bit and reduces the result modulo 10^6 to obtain
six digits. As an aside, plain counter-based HOTP has the advantage that
generating (reading) a password advances the counter on the user's device and
accepting it advances the counter on the verifier, ensuring that each password
can be used only once. The downside of HOTP is that the two counters must stay
in sync. TOTP lets the clock do the synchronization, at the price that a code
stays valid for its whole time step (plus whatever clock skew the verifier
tolerates) unless the verifier remembers the last code it accepted.
Cloning TOTPs
You have likely used Google Authenticator (or a similar app) to store your OTP
keys. As you will have guessed by now, you can also extract these secrets.

1. Fire up Google Authenticator and export your keys.
2. Scan the QR code with another phone (or take a screenshot) and store the
   decoded text as my_keys.otp. The export QR code encodes an
   otpauth-migration:// URI that carries every exported secret, so treat the
   screenshot like a password.
3. Clone the extract_otp_secret_keys repository and check that the script will
   not leak your secrets anywhere else.
4. Run python3 extract_otp_secret_keys.py my_keys.otp
5. Store your TOTP secret somewhere safe (e.g., ~/.totp_university, with
   chmod 600 so that only you can read it).
6. Install oathtool from your favorite package manager.
7. Run cat ~/.totp_university | oathtool -b --totp - to get the current OTP
   value (-b tells oathtool that the key is base32-encoded).
Using the last step, you cloned your OTP and have replaced your phone with a
command. Well done! Now let's automate the VPN login.
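The export QR code from step 2 above encodes an otpauth-migration://offline?data=... URI whose data parameter is a base64-encoded protobuf message; the extraction script decodes it, and the following added example (neither that project's code nor code from the original post) does the same with a hand-rolled protobuf reader so you can see exactly what the screenshot contains. The sample export is constructed inline for a hypothetical account asdf@uni.edu at issuer uni.edu, with the RFC 4226 test key as its secret; field numbers and enum values follow the reverse-engineered schema of Google Authenticator's migration payload.

```python
import base64
import urllib.parse

# Enum values of Google Authenticator's migration payload (reverse-engineered schema).
ALGORITHMS = {0: "unspecified", 1: "SHA1", 2: "SHA256", 3: "SHA512", 4: "MD5"}
DIGITS = {0: "unspecified", 1: 6, 2: 8}
OTP_TYPES = {0: "unspecified", 1: "hotp", 2: "totp"}


def _read_varint(buf: bytes, pos: int):
    """Decode one protobuf varint starting at pos; return (value, next_pos)."""
    value, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def _fields(buf: bytes):
    """Yield (field_number, wire_type, value) for each field of a protobuf message."""
    pos = 0
    while pos < len(buf):
        tag, pos = _read_varint(buf, pos)
        field_no, wire_type = tag >> 3, tag & 0x07
        if wire_type == 0:                                   # varint
            value, pos = _read_varint(buf, pos)
        elif wire_type == 2:                                 # length-delimited: bytes/string/message
            length, pos = _read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("truncated length-delimited field")
            value, pos = buf[pos:pos + length], pos + length
        else:                                                # fixed32/64 never occur in this payload
            raise ValueError(f"unexpected wire type {wire_type} for field {field_no}")
        yield field_no, wire_type, value


def _parse_otp_parameters(buf: bytes) -> dict:
    """OtpParameters: 1=secret, 2=name, 3=issuer, 4=algorithm, 5=digits, 6=type, 7=counter."""
    entry = {"secret_base32": None, "name": "", "issuer": "", "algorithm": "unspecified",
             "digits": "unspecified", "type": "unspecified", "counter": 0}
    for field_no, _, value in _fields(buf):
        if field_no == 1:
            entry["secret_base32"] = base64.b32encode(value).decode()   # what oathtool -b expects
        elif field_no == 2:
            entry["name"] = value.decode()
        elif field_no == 3:
            entry["issuer"] = value.decode()
        elif field_no == 4:
            entry["algorithm"] = ALGORITHMS.get(value, value)
        elif field_no == 5:
            entry["digits"] = DIGITS.get(value, value)
        elif field_no == 6:
            entry["type"] = OTP_TYPES.get(value, value)
        elif field_no == 7:
            entry["counter"] = value
    return entry


def parse_migration_uri(uri: str) -> list:
    """Turn an otpauth-migration://offline?data=... URI into a list of account entries."""
    parsed = urllib.parse.urlparse(uri)
    if parsed.scheme != "otpauth-migration":
        raise ValueError("not an otpauth-migration URI")
    data = urllib.parse.parse_qs(parsed.query)["data"][0]   # parse_qs undoes the %-encoding
    payload = base64.b64decode(data)
    return [_parse_otp_parameters(value)                    # MigrationPayload.otp_parameters = 1
            for field_no, wire_type, value in _fields(payload)
            if field_no == 1 and wire_type == 2]


# Minimal protobuf encoder, used only to construct the sample export below.
def _varint(n: int) -> bytes:
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def _ld(field_no: int, payload: bytes) -> bytes:            # length-delimited field
    return _varint((field_no << 3) | 2) + _varint(len(payload)) + payload


def _vi(field_no: int, value: int) -> bytes:                # varint field
    return _varint(field_no << 3) + _varint(value)


SAMPLE_SECRET = b"12345678901234567890"   # RFC 4226 test key, not a real account secret


def build_sample_migration_uri() -> str:
    """Constructed sample export with one TOTP account (hypothetical user and issuer)."""
    params = (_ld(1, SAMPLE_SECRET) + _ld(2, b"asdf@uni.edu") + _ld(3, b"uni.edu")
              + _vi(4, 1) + _vi(5, 1) + _vi(6, 2))               # SHA1, 6 digits, TOTP
    payload = _ld(1, params) + _vi(2, 1) + _vi(3, 1) + _vi(4, 0)  # version, batch_size, batch_index
    data = base64.b64encode(payload).decode()
    return "otpauth-migration://offline?data=" + urllib.parse.quote(data, safe="")


if __name__ == "__main__":
    for account in parse_migration_uri(build_sample_migration_uri()):
        print(account)
```

The base32 string in secret_base32 is what goes into ~/.totp_university; the padding-free raw bytes in the payload are the actual key, so anyone holding the screenshot holds every exported account.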
You can connect to your VPN with:

openconnect -v -b vpn.uni.edu --authgroup "Super Secret Name of Auth Group" --user=asdf@uni.edu

To connect automatically with TOTP, expand the command as follows, so that the
password and a freshly generated code are fed to openconnect on stdin, one per
line:

echo -e 'YourSecretPassword\n'$(cat ~/.totp_university | oathtool --totp -b -) | sudo openconnect -v -b vpn.uni.edu --authgroup "Super Secret Name of Auth Group" --user=asdf@uni.edu --passwd-on-stdin

Now store this command in a shell script and be happy that you neither have to
remember your password nor bring your second factor. Keep in mind what you have
done, though: the script and ~/.totp_university together hold both factors, so
make them readable only by you (chmod 700 and 600) and treat the laptop like
the phone it replaced; whoever gets read access to your home directory gets
your VPN.
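The same login as a small Python wrapper, added here as an example rather than taken from the original post. It keeps oathtool and openconnect exactly as invoked above, but reads the password from a file (~/.vpn_password, an assumption of this example) instead of embedding it in the script, refuses to use either credential file unless it is owned by you and mode 0600 or stricter, and passes both factors on stdin so that neither shows up in the process list.

```python
import os
import stat
import subprocess
from pathlib import Path

# Paths and VPN parameters as on the page; the password file is an assumption of this example.
SECRET_FILE = Path.home() / ".totp_university"
PASSWORD_FILE = Path.home() / ".vpn_password"
VPN_HOST = "vpn.uni.edu"
AUTHGROUP = "Super Secret Name of Auth Group"
VPN_USER = "asdf@uni.edu"


def is_private(mode: int, owner_uid: int, my_uid: int) -> bool:
    """True only if the file is ours and group/others have no permission bits at all (0600 or stricter)."""
    return owner_uid == my_uid and not mode & (stat.S_IRWXG | stat.S_IRWXO)


def read_credential(path: Path) -> str:
    """Read a one-line credential file, refusing files that are not private to the caller."""
    st = path.stat()
    if not is_private(stat.S_IMODE(st.st_mode), st.st_uid, os.getuid()):
        raise PermissionError(f"{path}: must be owned by you and mode 0600 (chmod 600)")
    return path.read_text().strip()


def current_code(secret_base32: str) -> str:
    """Same call the page uses: oathtool -b --totp - reads a base32 key from stdin."""
    result = subprocess.run(["oathtool", "-b", "--totp", "-"],
                            input=secret_base32 + "\n", capture_output=True, text=True, check=True)
    return result.stdout.strip()


def passwd_on_stdin(password: str, code: str) -> bytes:
    """openconnect --passwd-on-stdin consumes one answer per line: the password, then the token."""
    return f"{password}\n{code}\n".encode()


def connect() -> int:
    password = read_credential(PASSWORD_FILE)
    code = current_code(read_credential(SECRET_FILE))
    cmd = ["sudo", "openconnect", "-v", "-b", VPN_HOST,
           "--authgroup", AUTHGROUP, f"--user={VPN_USER}", "--passwd-on-stdin"]
    # Both factors travel over stdin; nothing secret appears in argv, which ps can show.
    return subprocess.run(cmd, input=passwd_on_stdin(password, code)).returncode


if __name__ == "__main__":
    raise SystemExit(connect())
```

Save it, chmod 700 it and run it with python3; it exits with openconnect's return code. The permission check is the point: once both factors live on disk, file modes are the only thing standing between "something you have" and "something anyone on this machine has".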