Episode: 4503 Title: HPR4503: One time passwords using oathtool Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr4503/hpr4503.mp3 Transcribed: 2025-11-22 15:08:24 ---

This is Hacker Public Radio episode 4,503, for Wednesday the 5th of November 2025. Today's show is entitled One Time Passwords Using oathtool. It is the first show by new host Whiskey Jack and is about 13 minutes long. It carries a clean flag. The summary is: this podcast is about using One Time Passwords by means of oathtool.

One Time Passwords are replacing a simple password and username in some applications. This is for security: to prevent usernames and passwords which have been exposed by some means from being reused by an attacker. A One Time Password can be used only once, so even if an attacker finds it, he cannot reuse it. Most sites using One Time Passwords ask you to either download an app or give them your phone number so they can send an SMS. This is not necessary, however, in many cases. You can use third-party applications instead. This episode discusses one such application, known as oathtool.

What are One Time Passwords? One Time Passwords are codes which can be used only once. These may be a code sent from one party to the next, to be returned in the reply message. This code is typically sent by SMS. Alternatively, they may be based on having a shared secret which is shared once by secure means. After that, the shared secret is not transmitted between the two parties again, but is instead used in an algorithm to create a sequence of codes. If an attacker obtains the One Time Password, he cannot use it except in a very narrow window of opportunity, making it very difficult to exploit. This podcast episode focuses on the method using a shared secret via OATH, pronounced "oath", the open application protocol or algorithm.

How can you use OATH? Websites which use OATH typically ask you to download and install a smartphone app for their site. This can be both troublesome and intrusive.
It also doesn't help if you are working from a desktop computer. However, there are alternatives. One of these is to use oathtool, which is spelled O-A-T-H-T-O-O-L, a third-party free software OATH application available under the GPLv3+ (which means GPLv3 or later) license. It was written by Simon Josefsson. It has been around since 2009 and can be found in many Linux repos.

OATH options and oathtool. The OATH standard has several options. You need to know which OATH options the site you wish to log into uses in order to use OATH. Sometimes these are not documented by the website, so you may need to use trial and error to find which options they require. I will cover the two most common options: TOTP versus HOTP, and hex versus base32 encoding.

OATH options: TOTP versus HOTP. There are two different types of OATH one-time passwords, HOTP and TOTP. HOTP uses a counter. The client and the server both maintain a counter, which is used together with a shared secret to generate the next one-time password. During each login attempt, both sides will increment their counter. The counters can get out of sync, so a means of resyncing them must be provided. I won't go into more detail on HOTP as I haven't come across anyone using it. TOTP uses the current time instead of a counter. The time is fed into the OATH algorithm along with the shared secret to generate a new password on both ends of the connection. Both the client and the server must have the correct time, but the algorithm allows for a time window, so time synchronization does not have to be exact. This also allows for the time between generating the new one-time password and entering it into the login page or window. All the instances of OATH that I am familiar with use TOTP.

TOTP mode. TOTP has different modes. These modes are hashing algorithms such as SHA1, SHA256 or SHA512. The correct mode must be selected in order to log in using OATH with TOTP.

Encoding: hex versus base32.
Both ends of the connection must be initialized with a shared secret or key, which is required as part of the OATH algorithm. How this is created and initially shared is not part of the OATH standard. Typically you would go to the website in question, log into an administration page using some more conventional means such as username and password, and ask it to generate a key, which you then copy and save in a secure location. I won't cover how this is done as the details will depend upon which website you are interacting with, and the site may change from time to time. However, this key could be encoded in one of two forms, either hexadecimal or base32. Websites often do not document which encoding method they are using. If you cannot determine the encoding of the key simply by looking at it, you may need to use trial and error during your first OATH login attempts to see which type of key has been used.

GitHub and PyPI options. GitHub and PyPI are two of the most prominent websites using OATH. Both use the same options: TOTP with SHA1 mode and base32 encoding.

Using oathtool. oathtool is a simple command line application which generates one time passwords for use with OATH. It can be run in a terminal. However, it can also be turned into a simple GUI application using Zenity. I will discuss this in more detail later. By default, oathtool uses HOTP and hex encoding. To use TOTP and base32 encoding, you must specify those on the command line. To specify base32 encoding for use with, for example, GitHub, pass the -b or --base32 argument on the command line. To specify TOTP, pass the --totp argument on the command line. By default oathtool uses SHA1 with TOTP, so you don't need to specify that if you require SHA1. If you need a different TOTP mode, you specify that as part of the --totp argument, separated by an equals sign character. For example: --totp=sha256.

oathtool example.
Here is a simple example of using oathtool to create a one time password to use with GitHub or PyPI. Open a terminal and type the following:

    oathtool -b --totp SECRET

where SECRET is just some arbitrary secret code. It doesn't have to be a valid one because we're just trying this out. Then press the Enter key. The one time password will be printed out in the terminal. You can try this out without using a valid key so long as it is a valid base32 string. When used with a valid key, you then enter that one time password into GitHub, PyPI or another website where it asks for the one time password.

Zenity example. I did mention previously that I would tell you how to turn this into a GUI application using Zenity. oathtool is a command line application, but if you are using Linux, it is simple to convert it into a GUI application using Zenity. Zenity is a simple to use package that creates GUI windows from the command line or from a shell script. I won't cover in detail how to use Zenity in general. I will just describe a simple application of how to use it in this instance. I also won't go into the security aspects of how to keep your key secret. It is too broad a topic to cover here.

There are two steps to the process. First, create the one time password from the key by using oathtool and save it in a variable. Next, call a Zenity info window with the one time password as part of the provided text. You can then copy and paste the one time password from the window into your web browser. To close the window, click on the OK button.

Here is the example. We will assume that you are going to use a variable named HPR_code. So, here is the first step:

    HPR_code=$(oathtool -b --totp KEY)

where KEY is whatever your key is. That will run oathtool, create a one time password code, and store it in the variable named HPR_code.
Now to run Zenity:

    zenity --info --width=150 --title="HPR 2FA" --text="<big>2FA code is:</big>\n\n $HPR_code \n"

What that does is: it runs Zenity, it opens an info window, it sets the window width to 150, it sets the title of the window to "HPR 2FA" (you could obviously change "HPR" to whatever website is applicable), and then it sets the text to "2FA code is:" followed by whatever the code came out to in HPR_code, and it sets the 2FA code to large characters. If you're using GNOME, you can make the script launchable from the desktop by creating a .desktop file in the desktop directory.

Conclusion. One time passwords are seeing increasing use in a number of applications. Many times the system being used is OATH, although that isn't necessarily obvious without a bit of digging. Many sites ask you to download their phone app or give them your phone number so they can send you SMS messages. The oathtool command line application, however, can be used on a desktop PC without installing any phone apps or giving anyone your phone number. Thank you very much.

You have been listening to Hacker Public Radio at HackerPublicRadio.org. Today's show was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, click on our contribute link to find out how easy it really is. Hosting for HPR has been kindly provided by AnHonestHost.com, the Internet Archive and rsync.net. Unless otherwise stated, today's show is released under a Creative Commons Attribution 4.0 International License.
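The following is an added example, not part of the episode and not oathtool's own code. It reimplements in Python what `oathtool -b --totp[=MODE] KEY` computes (HOTP per RFC 4226, TOTP per RFC 6238), so the points made in the show can be checked: the same key written in hex and in base32 gives the same code once decoded with the right option, the SHA1/SHA256/SHA512 modes give different codes for the same moment, the HOTP counter mode is the default, a key that happens to be valid in both encodings decodes to different bytes (which is why guessing the encoding can fail silently), and a server's time window accepts a code one step late. The function names (`decode_key`, `hotp`, `totp`, `verify_totp`, `demo`) are this example's own. The secrets are the public test seeds from the RFC appendices, and the expected codes are the RFCs' published vectors.

```python
"""TOTP/HOTP as oathtool computes it (RFC 4226 / RFC 6238). Added example code."""
import base64
import binascii
import hashlib
import hmac
import struct
import time
from typing import Optional


def decode_key(key: str, encoding: str = "hex") -> bytes:
    """Decode the shared secret: hex by default (like oathtool), base32 with -b.

    Base32 is accepted in lower case, with embedded spaces and without the
    trailing '=' padding, which is how websites usually print the key.
    """
    if encoding == "hex":
        return binascii.unhexlify(key)
    if encoding == "base32":
        cleaned = key.replace(" ", "").upper()
        cleaned += "=" * (-len(cleaned) % 8)
        return base64.b32decode(cleaned)
    raise ValueError(f"unknown key encoding: {encoding!r}")


def hotp(secret: bytes, counter: int, digits: int = 6, mode: str = "sha1") -> str:
    """RFC 4226: HMAC(secret, counter), dynamic truncation, then `digits` decimals."""
    msg = struct.pack(">Q", counter)                 # counter as 8 bytes, big-endian
    mac = hmac.new(secret, msg, getattr(hashlib, mode)).digest()
    offset = mac[-1] & 0x0F                          # low nibble of the last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30,
         digits: int = 6, mode: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter replaced by floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits, mode)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1,
                step: int = 30, digits: int = 6, mode: str = "sha1") -> bool:
    """Server-side check: accept the code for the current step or up to `window`
    steps either side, so clock skew and typing delay still pass. The comparison
    is constant-time so the check itself leaks nothing about the expected code."""
    for drift in range(-window, window + 1):
        candidate = hotp(secret, at // step + drift, digits, mode)
        if hmac.compare_digest(candidate, code):
            return True
    return False


# Test seeds from RFC 4226 / RFC 6238: the ASCII digits repeated to the hash size.
SEED_SHA1 = b"12345678901234567890"
SEED_SHA256 = b"12345678901234567890123456789012"
SEED_SHA512 = b"1234567890123456789012345678901234567890123456789012345678901234"


def demo() -> dict:
    """Walk through the episode's points; the values are the RFCs' test vectors."""
    out = {}

    # 1. One key, two encodings: `oathtool --totp HEXKEY` and `oathtool -b --totp B32KEY`
    #    refer to the same key and give the same code once decoded correctly.
    hex_key = SEED_SHA1.hex()
    b32_key = base64.b32encode(SEED_SHA1).decode().lower()   # sites often print lower case
    out["same_key"] = decode_key(hex_key) == decode_key(b32_key, "base32") == SEED_SHA1

    # 2. TOTP modes at Unix time 59 (the RFC 6238 vectors use 8 digits):
    #    --totp, --totp=sha256 and --totp=sha512 respectively.
    out["sha1"] = totp(SEED_SHA1, 59, digits=8)
    out["sha256"] = totp(SEED_SHA256, 59, digits=8, mode="sha256")
    out["sha512"] = totp(SEED_SHA512, 59, digits=8, mode="sha512")

    # 3. HOTP counter mode, which oathtool uses when --totp is absent (RFC 4226, counter 3).
    out["hotp_3"] = hotp(SEED_SHA1, 3)

    # 4. Why trial-and-error on the encoding can bite: "DEADBEEF" is valid hex AND
    #    valid base32 but decodes to different bytes, so the wrong choice yields
    #    wrong codes with no error message.
    out["ambiguous_differs"] = decode_key("DEADBEEF") != decode_key("DEADBEEF", "base32")

    # 5. Time window: the code minted at T=59 still verifies one 30-second step
    #    later, but not two steps later with window=1.
    code = totp(SEED_SHA1, 59)
    out["accepted_one_step_late"] = verify_totp(SEED_SHA1, code, 59 + 30)
    out["rejected_two_steps_late"] = not verify_totp(SEED_SHA1, code, 59 + 60)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script with a real key (`totp(decode_key(KEY, "base32"))`) prints the same six digits as `oathtool -b --totp KEY` at the same second, which is a quick way to confirm which encoding and mode a site expects before relying on the Zenity wrapper.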