diff --git a/dnsapi/dns_kas.sh b/dnsapi/dns_kas.sh
index 2164a8e8..24c97f78 100755
--- a/dnsapi/dns_kas.sh
+++ b/dnsapi/dns_kas.sh
@@ -7,6 +7,7 @@ Options:
 KAS_Login API login name
 KAS_Authtype API auth type. Default: "plain"
 KAS_Authdata API auth data
+ KAS_OTP_Secret 2 Factor Authentication Shared Secret (optional requires oathtool)
 Issues: github.com/acmesh-official/acme.sh/issues/2715
 Author: squared GmbH , Martin Kammerlander , Marc-Oliver Lange
 '
@@ -146,6 +147,7 @@ _check_and_save() {
 KAS_Login="${KAS_Login:-$(_readaccountconf_mutable KAS_Login)}"
 KAS_Authtype="${KAS_Authtype:-$(_readaccountconf_mutable KAS_Authtype)}"
 KAS_Authdata="${KAS_Authdata:-$(_readaccountconf_mutable KAS_Authdata)}"
+ KAS_OTP_Secret="${KAS_OTP_Secret:-$(_readaccountconf_mutable KAS_OTP_Secret)}"
 
 if [ -z "$KAS_Login" ] || [ -z "$KAS_Authtype" ] || [ -z "$KAS_Authdata" ]; then
 KAS_Login=
@@ -157,6 +159,7 @@ _check_and_save() {
 _saveaccountconf_mutable KAS_Login "$KAS_Login"
 _saveaccountconf_mutable KAS_Authtype "$KAS_Authtype"
 _saveaccountconf_mutable KAS_Authdata "$KAS_Authdata"
+ _saveaccountconf_mutable KAS_OTP_Secret "$KAS_OTP_Secret"
 
 return 0
 }
@@ -219,12 +222,28 @@ _get_record_id() {
 # Retrieve credential token
 _get_credential_token() {
+ if [ -n "$KAS_OTP_Secret" ]; then
+ if ! _exists oathtool; then
+ _err "Please install oathtool to use 2 Factor Authentication."
+ _err ""
+ return 1
+ fi
+
+ # Get OTP code with the defined secret.
+ otp_code="$(oathtool --base32 --totp "${KAS_OTP_Secret}" 2>/dev/null)"
+ fi
+
 baseParamAuth="\"kas_login\":\"$KAS_Login\""
 baseParamAuth="$baseParamAuth,\"kas_auth_type\":\"$KAS_Authtype\""
 baseParamAuth="$baseParamAuth,\"kas_auth_data\":\"$KAS_Authdata\""
 baseParamAuth="$baseParamAuth,\"session_lifetime\":600"
 baseParamAuth="$baseParamAuth,\"session_update_lifetime\":\"Y\""
+
+ if [ -n "$otp_code" ]; then
+ baseParamAuth="$baseParamAuth,\"session_2fa\":\"$otp_code\""
+ fi
+
 data='{'
 data="$data$baseParamAuth}"
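Review bot: `KAS_OTP_Secret` is read back from the account conf on the added line in `_check_and_save` but, unlike the three credentials directly above it, is deliberately kept out of the `[ -z ... ]` check that follows, and nothing in the code says why; a one-line comment there would keep a later maintainer from "fixing" it: `# KAS_OTP_Secret is optional (2FA); only login, auth type and auth data are mandatory.` The same optional status matters in the next hunk, where `_saveaccountconf_mutable KAS_OTP_Secret "$KAS_OTP_Secret"` is called even when the value is empty — whether that clears a previously stored secret or writes an empty entry depends on `_saveaccountconf_mutable`, which is not in view, so it is worth confirming that unsetting the variable actually turns 2FA off again rather than leaving a stale seed in the config. Note also that the stored value is a TOTP seed and therefore as sensitive as `KAS_Authdata`; it lands in the same account config file, so it falls under the same file-permission expectations as the password.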