diff options
| author | Marvin Borner | 2023-03-24 10:55:58 +0100 |
|---|---|---|
| committer | Marvin Borner | 2023-03-24 10:55:58 +0100 |
| commit | 921eaa2fceaa132585ef3a2e7b35379e8ea0856f (patch) | |
| tree | 97d159d5a9adba4e2406b4a6edc794a9ebb479e3 /hasyubi | |
| parent | 1562aad7d4e1b24d8191de892f2d216ee0f6de7b (diff) | |
Better hasyubi
Diffstat (limited to 'hasyubi')
| -rwxr-xr-x | hasyubi | 23 |
1 files changed, 16 insertions, 7 deletions
@@ -1,13 +1,22 @@ -#!/bin/env sh +#!/bin/env bash -# WARNING: This (obiously) isn't a replacement for normal challenge-response verification. # This only serves as an additional security measure IF YOU ALREADY TRUST YOUR ENVIRONMENT +# choose one or more verification methods (TOTP is great obviously) +set -e + +# serial verification SERIAL="YOURSERIAL" connected=$(ykman list --serials 2>/dev/null) +[ "$connected" = "$SERIAL" ] || exit 1 + +# TOTP verification +TOTPKEY="YOURTOTPKEY" +key=$(oathtool -b "$TOTPKEY" --totp=SHA1) +gen=$(ykman oath accounts code linux | awk '{print $2}') +exit $([ "$key" = "$gen" ]) -if [ "$connected" = "$SERIAL" ]; then - exit 0 -else - exit 1 -fi +# stored public key verification +# PUBKEY="YOURPUBLICKEYPATH" +# pub=$(yubico-piv-tool -aread-cert -s9a -KSSH) +# cmp -s <(echo "$pub") <(awk '{ print $1 " " $2 }' <$PUBKEY) || exit 1 |