Authored By
gniibe
May 17 2022, 11:09 AM

gpg-auth2.sh

#!/bin/sh
#
# Experimental script to check if a user has a valid USB token
#
# Check and enable all connected tokens under scdaemon control
gpg-connect-agent "SCD SERIALNO" /bye >/dev/null
# Ask tokens to show their public keys in SSH format
# (1) get list of keygrips
KEYGRIPS=$(gpg-connect-agent "SCD KEYINFO --list=auth" /bye | \
(while read dummy0 dummy1 keygrip the_rest; do \
if test -n "$keygrip"; then echo $keygrip; fi; \
done))
# (2) using keygrip, get its public key in SSH format
KEYS=$(for keygrip in $KEYGRIPS; do \
gpg-connect-agent "SCD READKEY --format=ssh $keygrip" /bye | \
(read dummy0 dummy1 pubkey the_rest; echo $pubkey)
done)
# Get authorized keys for this host for the user
AUTHORIZED_KEYS=$(while read dummy0 pubkey the_rest; do \
echo $pubkey
done < ~/.ssh/authorized_keys)
get_keygrip () {
local index=0
for keygrip in $KEYGRIPS; do
if test $index -eq $1; then
echo $keygrip
break
fi
index=$((index+1))
done
}
#
# Consider a set of keys, the intersection of KEYS and AUTHORIZED_KEYS.
# When one key in the set can be validated, it's OK.
# If no key in the set can be validated, it's not OK.
#
counter=0
for key in $KEYS; do
for authorized_key in $AUTHORIZED_KEYS; do
if test "$key" = "$authorized_key"; then
keygrip=$(get_keygrip $counter)
result=$(gpg-connect-agent "SCD PASSWD --clear OPENPGP.2 $keygrip" /bye)
if test "$result" != "OK"; then
exit 1
fi
result=$(gpg-connect-agent "SCD PKAUTH --challenge-response $keygrip" /bye)
if test "$result" = "OK"; then
exit 0
fi
fi
done
counter=$((counter+1))
done
exit 1
