thorsten-gehrig/alexa-remote-control

How to configure it?

Closed this issue · 5 comments

Hello,

can you please do me the favor and advise how to configure it? I am a newbie and I got lost.

I would try to log in via Browser and extract the cookie manually? Can you advise how to extract the cookie manually?

Thanks!

Dan

Hello Dan,

you need to manage the MFA via the oauth tool and fill this in inside the alexa script:

SET_EMAIL='amazon_account@email.address'
SET_PASSWORD='Very_Secret_Amazon_Account_Password'
SET_MFA_SECRET=''
something like 1234 5678 9ABC DEFG HIJK LMNO PQRS TUVW XYZ0 1234 5678 9ABC DEFG

EMAIL and PASSWORD you know - are same as login to Amazon. The MFA you need to obtain in an iteration between oauth and Amazon-Weblogin. That is the tricky part.

From what I remember, you need to log in from a computer with a web browser and you must reach the MFA page, where it asks you to send an SMS, make a phone call, or enter an OTP manually. You need the last. The OTP now requested you get from oauth on your computer which shall run the alexa-script. Then, again if I remember right, you can get a QR code to scan. There, you follow "I cannot scan" and then you get the final MFA_SECRET which you need to copy straight into the alexa-script as extracted above.

Once done, the alexa script will log in by itself and create its cookie automatically. If the cookie expires, I will log in again and create a new one seamlessly. The script works really great once the authentication is mastered.

Hope I could help and not cause more confusion. Please note I have no involvement in the script here. I am just a normal user who uses the script a lot.

Regards,
Horst

Thanks Horst,
as a newbie, I am wondering if there is any risk in writing the MFA_SECRET into the script.

Thanks for advising,
Dan

Hi Dan,

there is a risk if a) the computer hosting the alexa script is not only used by you but also accessed by other persons as well and b) you have the alexa script readable for group or others. You can reduce permissions in Unix / Linux by

sudo chmod go-rwx alexa_remote.....

The MFA secret - to my knowledge - is also strongly linked to a secret created by oauth. This limits the MFA secret to be valid only for the specific computer it was created on. This is why you need to run back and forth between the Amazon web front end and the oauth tool to finally get the secret.

If you use e.g. a Raspi PI behind a router with a firewall and if you did not put too many holes into the firewall by port forwarding, then the PI behind the firewall should be fairly safe.

Last but not least, any other person would need a certain level of skills and ambition to abuse the MFA secret. For me, I judged the risk for my raspberry to be low and did not limit access rights. And I do have a lot of holes in my firewall also to my PIs. I only did one thing: change the PI standard password to my own one. This is mandatory in any case.

Regards,
Horst

Thanks, it works!

adn77 commented

@dcaccount you should treat the MFA-secret just like your password!
In fact we are violating the purpose of MFA by placing it on the same machine as the password - unfortunately this is the only way to login via Shell as of recently.

Following @Korki67's remarks about account and script security is likely to ensure safety of your account data - the risk of which everybody has to ponder themselves.
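
The permission advice discussed in this thread can be checked automatically. The following is an added example, not part of the thread or of the alexa-remote-control project: it reports whether a script that embeds a non-empty `SET_PASSWORD` or `SET_MFA_SECRET` (the variable names quoted above) is accessible to group or others. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a script that embeds SET_PASSWORD / SET_MFA_SECRET.
# Function names are hypothetical; only the SET_* variable names come from the thread.

# has_secrets FILE -> status 0 if FILE assigns a non-empty password or MFA secret
has_secrets() {
    grep -Eq -- "^[[:space:]]*SET_(PASSWORD|MFA_SECRET)=['\"]?[^'\"[:space:]]" "$1"
}

# loose_perms FILE -> status 0 if group or others hold any permission bit.
# Reads the mode string from ls (e.g. -rw-r--r--); columns 5-10 are group+other.
loose_perms() {
    bits=$(ls -ld -- "$1" | cut -c5-10)
    [ "$bits" != "------" ]
}

# audit_secret_file FILE
#   0 = no embedded secrets, or secrets present with owner-only access
#   1 = secrets present and group/other can access the file
#   2 = file missing or unreadable
audit_secret_file() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    if ! has_secrets "$1"; then
        echo "OK: no embedded credentials in $1"
        return 0
    fi
    if loose_perms "$1"; then
        echo "RISK: $1 holds credentials and is accessible to group/others"
        echo "      fix with: chmod go-rwx '$1'"
        return 1
    fi
    echo "OK: $1 holds credentials, access limited to owner"
    return 0
}

# Stand-alone use: sh audit.sh /path/to/script
if [ "$#" -gt 0 ]; then
    audit_secret_file "$1"
fi
```

Owner-only permissions protect against other local accounts only; anyone who can read the file as the owner or as root still obtains both the password and the MFA secret.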