author | Marvin Borner | 2023-03-24 10:55:58 +0100 |
---|---|---|
committer | Marvin Borner | 2023-03-24 10:55:58 +0100 |
commit | 921eaa2fceaa132585ef3a2e7b35379e8ea0856f (patch) | |
tree | 97d159d5a9adba4e2406b4a6edc794a9ebb479e3 | |
parent | 1562aad7d4e1b24d8191de892f2d216ee0f6de7b (diff) |
Better hasyubi
-rw-r--r-- | README.md | 4 | ||||
-rwxr-xr-x | hasyubi | 23 |
2 files changed, 19 insertions, 8 deletions
@@ -1,7 +1,9 @@ # TrustHome TrustHome disables the password requirement for sudo/login while you’re -using your home wifi and you have your yubikey connected. +using your home wifi and you have your yubikey connected. The main +difference to normal yubico challenge-response is that this +authentication method doesn’t require any interaction. ### DISLAIMER: I’m not responsible for any security breaches you may encounter while having this installed. This is merely a utility for my personal convenience and should never be used if you’re serious about security. You should ALWAYS use other security measures, such as full disk encryption, in addition. @@ -1,13 +1,22 @@ -#!/bin/env sh +#!/bin/env bash -# WARNING: This (obiously) isn't a replacement for normal challenge-response verification. # This only serves as an additional security measure IF YOU ALREADY TRUST YOUR ENVIRONMENT +# choose one or more verification methods (TOTP is great obviously) +set -e + +# serial verification SERIAL="YOURSERIAL" connected=$(ykman list --serials 2>/dev/null) +[ "$connected" = "$SERIAL" ] || exit 1 + +# TOTP verification +TOTPKEY="YOURTOTPKEY" +key=$(oathtool -b "$TOTPKEY" --totp=SHA1) +gen=$(ykman oath accounts code linux | awk '{print $2}') +exit $([ "$key" = "$gen" ]) -if [ "$connected" = "$SERIAL" ]; then - exit 0 -else - exit 1 -fi +# stored public key verification +# PUBKEY="YOURPUBLICKEYPATH" +# pub=$(yubico-piv-tool -aread-cert -s9a -KSSH) +# cmp -s <(echo "$pub") <(awk '{ print $1 " " $2 }' <$PUBKEY) || exit 1 |
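Review bot: The TOTP seed is stored in the script itself (`TOTPKEY="YOURTOTPKEY"`) and handed to oathtool on its command line (`oathtool -b "$TOTPKEY" --totp=SHA1`), and the diffstat lists hasyubi as -rwxr-xr-x, so whatever replaces the placeholder is readable by every local user and visible in the process list for the duration of the call; the seed should be loaded from a separately permissioned file (e.g. `TOTPKEY=$(<"$seed_file")` after a mode check on that file) rather than committed into an executable, and the argv exposure is worth a comment even if oathtool offers no other input. The line `exit $([ "$key" = "$gen" ])` appears to work only because bash reuses the substitution's status when `exit` gets no argument — the `[` command prints nothing, so the argument is empty; write the intent out as `[ "$key" = "$gen" ] || exit 1` followed by `exit 0`. The added `set -e` makes the `key=` and `gen=` assignments abort the script when oathtool or ykman fails, which is fine, but a one-line comment stating that this is the intended fail-closed behaviour would help the next reader. The new shebang `#!/bin/env bash` relies on a non-standard path for env; `#!/usr/bin/env bash` is the conventional form.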