From 32d6166948cc18e28efdfc3127f6d7cdfcaf0c51 Mon Sep 17 00:00:00 2001
From: Nils Poltmann
Date: Thu, 5 Feb 2026 09:45:13 +0100
Subject: [PATCH 1/6] [dns_kas] Added 2FA support
---
 dnsapi/dns_kas.sh | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/dnsapi/dns_kas.sh b/dnsapi/dns_kas.sh
index 2164a8e8..bd54b5bc 100755
--- a/dnsapi/dns_kas.sh
+++ b/dnsapi/dns_kas.sh
@@ -146,6 +146,7 @@ _check_and_save() {
 KAS_Login="${KAS_Login:-$(_readaccountconf_mutable KAS_Login)}"
 KAS_Authtype="${KAS_Authtype:-$(_readaccountconf_mutable KAS_Authtype)}"
 KAS_Authdata="${KAS_Authdata:-$(_readaccountconf_mutable KAS_Authdata)}"
+ KAS_OTP_Secret="${KAS_OTP_Secret:-$(_readaccountconf_mutable KAS_OTP_Secret)}"
 if [ -z "$KAS_Login" ] || [ -z "$KAS_Authtype" ] || [ -z "$KAS_Authdata" ]; then
 KAS_Login=
@@ -157,6 +158,7 @@ _check_and_save() {
 _saveaccountconf_mutable KAS_Login "$KAS_Login"
 _saveaccountconf_mutable KAS_Authtype "$KAS_Authtype"
 _saveaccountconf_mutable KAS_Authdata "$KAS_Authdata"
+ _saveaccountconf_mutable KAS_OTP_Secret "$KAS_OTP_Secret"
 return 0
 }
@@ -219,12 +221,27 @@ _get_record_id() {
 # Retrieve credential token
 _get_credential_token() {
+ if [ -n "$KAS_OTP_Secret" ]; then
+ if ! _exists oathtool; then
+ _err "Please install oathtool to use 2 Factor Authentication."
+ _err ""
+ return 1
+ fi
+
+ # Get OTP code with the defined secret.
+ otp_code="$(oathtool --base32 --totp "${KAS_OTP_Secret}" 2>/dev/null)"
+ fi
+
 baseParamAuth="\"kas_login\":\"$KAS_Login\""
 baseParamAuth="$baseParamAuth,\"kas_auth_type\":\"$KAS_Authtype\""
 baseParamAuth="$baseParamAuth,\"kas_auth_data\":\"$KAS_Authdata\""
 baseParamAuth="$baseParamAuth,\"session_lifetime\":600"
 baseParamAuth="$baseParamAuth,\"session_update_lifetime\":\"Y\""
+ if [ -n "$otp_code" ]; then
+ baseParamAuth="$baseParamAuth,\"session_2fa\":\"$otp_code\""
+ fi
+
 data='{'
 data="$data$baseParamAuth}"
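Review bot: The TOTP seed is persisted in the same account configuration as `KAS_Authdata` — loaded here through `_readaccountconf_mutable` and written back in the `@@ -157,6 +158,7 @@` hunk through `_saveaccountconf_mutable` — so anyone who can read that file holds both factors and the second factor no longer protects against a leaked config. Unattended renewal presumably needs the seed on disk, so this is a trade-off to document rather than remove. I would add a comment above the new load line, `# KAS_OTP_Secret is the TOTP seed; it is stored next to KAS_Authdata, so the account conf must stay readable only by the acme.sh user.`, and repeat the caveat in the option description. `_check_and_save` begins and ends outside both hunks.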
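Review bot: In `_get_credential_token` a failing `oathtool` call goes unnoticed: its stderr is discarded, the exit status is not checked, and an empty `otp_code` simply omits `session_2fa`, so an invalid `KAS_OTP_Secret` only shows up as a generic login failure from the API. `otp_code` is also never cleared before the `if`, so a value left by an earlier call in the same shell would still be sent when the secret is unset; initialise it and fail explicitly when generation returns nothing, as sketched below. Separately, the seed is passed on the `oathtool` command line, where other local users may see it in the process list while the tool runs; if the oathtool versions you support can read the key from standard input or a file, prefer that form. The empty `_err ""` adds nothing and can be dropped, and the function body continues past the end of this hunk.

```shell
_get_credential_token() {
  otp_code=""
  if [ -n "$KAS_OTP_Secret" ]; then
    # … unchanged: oathtool presence check …
    otp_code="$(oathtool --base32 --totp "${KAS_OTP_Secret}" 2>/dev/null)"
    if [ -z "$otp_code" ]; then
      _err "[KAS] Could not generate a TOTP code; check that KAS_OTP_Secret is valid base32."
      return 1
    fi
  fi
  # … unchanged: baseParamAuth assembly and the session_2fa field …
```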
@@ -275,4 +292,4 @@ _callAPI() {
 response="$(_post "$data" "$KAS_Api" "" "POST" "$contentType")"
 _debug2 "[KAS] -> Response" "$response"
 echo "$response"
-}
+}
\ No newline at end of file
From 905ce1641904779d18386d3853931a9486a7ec54 Mon Sep 17 00:00:00 2001
From: Nils Poltmann
Date: Thu, 5 Feb 2026 09:51:55 +0100
Subject: [PATCH 2/6] [dns_kas] Added 2FA support options docs
---
 dnsapi/dns_kas.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/dnsapi/dns_kas.sh b/dnsapi/dns_kas.sh
index bd54b5bc..90ce2606 100755
--- a/dnsapi/dns_kas.sh
+++ b/dnsapi/dns_kas.sh
@@ -7,6 +7,7 @@ Options:
 KAS_Login API login name
 KAS_Authtype API auth type. Default: "plain"
 KAS_Authdata API auth data
+ KAS_OTP_Secret 2 Factor Authentication Shared Secret (optional requires oathtool)
 Issues: github.com/acmesh-official/acme.sh/issues/2715
 Author: squared GmbH , Martin Kammerlander , Marc-Oliver Lange
 '
From ce274b7510ad6bf269fca66f66241764a6b84e1d Mon Sep 17 00:00:00 2001
From: Nils Poltmann
Date: Fri, 6 Feb 2026 11:16:15 +0100
Subject: [PATCH 3/6] Take the test suite from flybyray/acmetest with oathtool
---
 .github/workflows/DNS.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml
index fbe1e61f..06e68cbb 100644
--- a/.github/workflows/DNS.yml
+++ b/.github/workflows/DNS.yml
@@ -68,7 +68,7 @@ jobs:
 steps:
 - uses: actions/checkout@v6
 - name: Clone acmetest
- run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/
+ run: cd .. && git clone --depth=1 https://github.com/flybyray/acmetest.git && cp -r acme.sh acmetest/
 - name: Set env file
 run: |
 cd ../acmetest
From 98ee12422760250845b84bc2afb8150398012a3a Mon Sep 17 00:00:00 2001
From: Nils Poltmann
Date: Fri, 6 Feb 2026 11:19:38 +0100
Subject: [PATCH 4/6] Bump actions
---
 dnsapi/dns_kas.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/dnsapi/dns_kas.sh b/dnsapi/dns_kas.sh
index 90ce2606..9e37b5ab 100755
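Review bot: The `Clone acmetest` step in patch 3/6 makes the DNS workflow fetch and run its test suite from a personal fork (`flybyray/acmetest`) at whatever the default branch holds, with no commit pin, so code nobody in this project reviewed would execute in CI. If this job is given the DNS API credentials, which the visible lines do not show, that code would run with them. Patch 5/6 restores `acmesh-official/acmetest`, so the end state is fine, but I would drop 3/6 and 5/6 from the series before merge so that no commit in history points CI at an unreviewed repository. If the tests need oathtool, install it in a step of this workflow or get the change into the official acmetest repository.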
--- a/dnsapi/dns_kas.sh
+++ b/dnsapi/dns_kas.sh
@@ -239,6 +239,7 @@ _get_credential_token() {
 baseParamAuth="$baseParamAuth,\"session_lifetime\":600"
 baseParamAuth="$baseParamAuth,\"session_update_lifetime\":\"Y\""
+
 if [ -n "$otp_code" ]; then
 baseParamAuth="$baseParamAuth,\"session_2fa\":\"$otp_code\""
 fi
From 7e58a3d39621859674c4cc2044aad75f00da2826 Mon Sep 17 00:00:00 2001
From: Nils Poltmann
Date: Fri, 6 Feb 2026 12:18:04 +0100
Subject: [PATCH 5/6] Removed the test suite from flybyray/acmetest with oathtool
---
 .github/workflows/DNS.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml
index 06e68cbb..fbe1e61f 100644
--- a/.github/workflows/DNS.yml
+++ b/.github/workflows/DNS.yml
@@ -68,7 +68,7 @@ jobs:
 steps:
 - uses: actions/checkout@v6
 - name: Clone acmetest
- run: cd .. && git clone --depth=1 https://github.com/flybyray/acmetest.git && cp -r acme.sh acmetest/
+ run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/
 - name: Set env file
 run: |
 cd ../acmetest
From 077ea514da6ac9d6a6df334805f4b190fa413094 Mon Sep 17 00:00:00 2001
From: Nils Poltmann
Date: Fri, 6 Feb 2026 12:20:15 +0100
Subject: [PATCH 6/6] Added new line to the last line
---
 dnsapi/dns_kas.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dnsapi/dns_kas.sh b/dnsapi/dns_kas.sh
index 9e37b5ab..24c97f78 100755
--- a/dnsapi/dns_kas.sh
+++ b/dnsapi/dns_kas.sh
@@ -294,4 +294,4 @@ _callAPI() {
 response="$(_post "$data" "$KAS_Api" "" "POST" "$contentType")"
 _debug2 "[KAS] -> Response" "$response"
 echo "$response"
-}
\ No newline at end of file
+}