From 921eaa2fceaa132585ef3a2e7b35379e8ea0856f Mon Sep 17 00:00:00 2001
From: Marvin Borner
Date: Fri, 24 Mar 2023 10:55:58 +0100
Subject: Better hasyubi
---
 hasyubi | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)
(limited to 'hasyubi')
diff --git a/hasyubi b/hasyubi
index 95fe37b..f3582db 100755
--- a/hasyubi
+++ b/hasyubi
@@ -1,13 +1,22 @@
-#!/bin/env sh
+#!/bin/env bash
-# WARNING: This (obiously) isn't a replacement for normal challenge-response verification.
 # This only serves as an additional security measure IF YOU ALREADY TRUST YOUR ENVIRONMENT
+# choose one or more verification methods (TOTP is great obviously)
+set -e
+
+# serial verification
 SERIAL="YOURSERIAL"
 connected=$(ykman list --serials 2>/dev/null)
+[ "$connected" = "$SERIAL" ] || exit 1
+
+# TOTP verification
+TOTPKEY="YOURTOTPKEY"
+key=$(oathtool -b "$TOTPKEY" --totp=SHA1)
+gen=$(ykman oath accounts code linux | awk '{print $2}')
+exit $([ "$key" = "$gen" ])
-if [ "$connected" = "$SERIAL" ]; then
-    exit 0
-else
-    exit 1
-fi
+# stored public key verification
+# PUBKEY="YOURPUBLICKEYPATH"
+# pub=$(yubico-piv-tool -aread-cert -s9a -KSSH)
+# cmp -s <(echo "$pub") <(awk '{ print $1 " " $2 }' <$PUBKEY) || exit 1
-- 
cgit v1.2.3
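Review bot: The TOTP seed is stored in the script itself (`TOTPKEY="YOURTOTPKEY"`), and the index line shows the file is mode 100755, so anyone who can read it can compute the same code with `oathtool` and the YubiKey adds nothing; the seed should be read at run time from a root-only file (for example `TOTPKEY=$(<"$TOTP_SECRET_FILE")` with a restrictive mode), and note that it is also visible in the process argument list while `oathtool` runs. The comparison `exit $([ "$key" = "$gen" ])` depends on bash carrying the substitution's status into a bare `exit` and is easy to misread; `[ "$key" = "$gen" ] || exit 1` followed by a final `exit 0` states the intent and lets the "stored public key" section below be enabled without becoming unreachable. `set -e` alone does not cover the `ykman oath … | awk` pipeline, so add `set -o pipefail` (or `set -eo pipefail`) so a failing `ykman` is reported rather than yielding an empty `gen` that only happens to mismatch. The commented pubkey section leaves `$PUBKEY` unquoted in `<$PUBKEY`; quote it before it is uncommented.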