#!/bin/env bash

# This only serves as an additional security measure IF YOU ALREADY TRUST YOUR ENVIRONMENT
# choose one or more verification methods (TOTP is great obviously)

set -e

# serial verification
SERIAL="YOURSERIAL"
connected=$(ykman list --serials 2>/dev/null)
[ "$connected" = "$SERIAL" ] || exit 1

# TOTP verification
TOTPKEY="YOURTOTPKEY"
key=$(oathtool -b "$TOTPKEY" --totp=SHA1)
gen=$(ykman oath accounts code linux | awk '{print $2}')
exit $([ "$key" = "$gen" ])

# stored public key verification
# PUBKEY="YOURPUBLICKEYPATH"
# pub=$(yubico-piv-tool -aread-cert -s9a -KSSH)
# cmp -s <(echo "$pub") <(awk '{ print $1 " " $2 }' <$PUBKEY) || exit 1