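#!/bin/sh

# Copyright (c) 2020 Fabian Henneke.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
# SPDX-License-Identifier: BSD-2-Clause

# Look for resident (discoverable) FIDO2 credentials that are not protected
# by a credProtect policy, i.e. credentials the authenticator reports as
# "uvopt" (user verification optional).
#
# Requirements: Linux, the libfido2 >= 1.5.0 tools (fido2-token, fido2-assert),
# openssl, base64 and setsid.  FIDO_TOOLS_PREFIX may be set to a directory
# prefix (including the trailing slash) where the fido2-* tools live.
#
# For each attached authenticator:
#   - if it advertises both the credMgmt and clientPin options, the PIN is
#     asked for once and every resident credential is enumerated;
#   - otherwise only a resident credential for rp id "ssh:" can be probed,
#     by attempting an assertion without user presence.
#
# Fixes relative to the previous revision: the RP loop iterated over the
# never-assigned DEV_RESIDENT_RPS_COUNT (so no credentials were ever
# listed); an empty credential list still counted as one line under
# `wc -l`; ASSERT_EXIT_CODE was never reset, so a successful SSH probe
# was reported as "not found"; device names (untrusted USB strings) were
# used as printf format strings.

# Print a diagnostic to stderr and exit with status 1.
die() {
	printf '%s\n' "$*" >&2
	exit 1
}

if [ "$(uname)" != "Linux" ] ; then
	die "Can only run on Linux"
fi

# A missing fido2-token, or one too old to know -V, fails this substitution.
if ! TOKEN_VERSION=$(${FIDO_TOOLS_PREFIX}fido2-token -V 2>&1) ; then
	die "Please install libfido2 1.5.0 or higher"
fi

TOKEN_VERSION_MAJOR=$(printf '%s\n' "$TOKEN_VERSION" | cut -d. -f1)
TOKEN_VERSION_MINOR=$(printf '%s\n' "$TOKEN_VERSION" | cut -d. -f2)
# Reject 0.x and 1.0 .. 1.4 (same precedence the old -o/-a test had).
if [ "$TOKEN_VERSION_MAJOR" -eq 0 ] ||
   { [ "$TOKEN_VERSION_MAJOR" -eq 1 ] && [ "$TOKEN_VERSION_MINOR" -lt 5 ]; } ; then
	die "Please install libfido2 1.5.0 or higher (current version: $TOKEN_VERSION)"
fi

set -e

# If the script aborts between `stty -echo` and `stty echo` (EOF on the PIN
# prompt, set -e), put the terminal back; harmless when stdin is not a tty.
trap 'stty echo 2>/dev/null || true' EXIT

TOKEN_OUTPUT=$(${FIDO_TOOLS_PREFIX}fido2-token -L)
# "<path>: vendor=..., product=... (<name>)"  ->  "<path> <name>"
DEV_PATH_NAMES=$(printf '%s\n' "$TOKEN_OUTPUT" | sed -r 's/^(.*): .*\((.*)\)$/\1 \2/g')
if [ -z "$DEV_PATH_NAMES" ] ; then
	echo "No FIDO2 devices found"
	exit 0
fi
DEV_COUNT=$(printf '%s\n' "$DEV_PATH_NAMES" | wc -l)

i=1
while [ "$i" -le "$DEV_COUNT" ] ; do
	DEV_PATH_NAME=$(printf '%s\n' "$DEV_PATH_NAMES" | sed "${i}q;d")
	i=$((i + 1))
	# Device path is the first word; the name is everything after it.
	DEV_PATH=${DEV_PATH_NAME%% *}
	DEV_NAME=${DEV_PATH_NAME#* }
	# The name comes from the device itself: only ever pass it as data, never
	# as a printf format string.
	DEV_PRETTY="$DEV_NAME (at '$DEV_PATH')"

	# Resident credentials can only be enumerated when the authenticator
	# reports both credMgmt and clientPin; a failing -I counts as neither.
	# The leading space keeps "noclientPin" from matching.
	DEV_INFO=$(${FIDO_TOOLS_PREFIX}fido2-token -I "$DEV_PATH") || DEV_INFO=""
	case "$DEV_INFO" in
	*" credMgmt"*" clientPin"*|*" clientPin"*" credMgmt"*)
		printf '%s' "Enter PIN for $DEV_PRETTY once (ignore further prompts): "
		stty -echo
		read -r PIN
		stty echo
		printf '\n'
		# The PIN is written by the printf builtin over a pipe, so it never
		# appears on a command line.  setsid -w presumably detaches the tool
		# from the controlling terminal so it reads the PIN from that pipe —
		# confirm against fido2-token's passphrase handling.  The extra
		# empty line answers a repeated prompt (what the dash echo used to
		# emit).
		# NOTE: the pipeline's status is cut's, so a fido2-token failure
		# (e.g. a wrong PIN) only shows up as an empty RP list.
		RESIDENT_RPS=$(printf '%s\n\n' "$PIN" | setsid -w ${FIDO_TOOLS_PREFIX}fido2-token -L -r "$DEV_PATH" | cut -d' ' -f3)
		printf '\n'
		FOUND=0
		# Loop in the current shell (heredoc, not a pipe) so FOUND survives.
		while IFS= read -r RESIDENT_RP ; do
			[ -n "$RESIDENT_RP" ] || continue
			# Lines ending in " uvopt" are credentials without a credProtect
			# policy; keep credential id, user id and display name.
			UNPROT_CREDS=$(printf '%s\n\n' "$PIN" | setsid -w ${FIDO_TOOLS_PREFIX}fido2-token -L -k "$RESIDENT_RP" "$DEV_PATH" | grep ' uvopt$' | cut -d' ' -f2,3,4)
			printf '\n'
			if [ -n "$UNPROT_CREDS" ] ; then
				FOUND=1
				echo "Unprotected credentials on $DEV_PRETTY for '$RESIDENT_RP':"
				printf '%s\n' "$UNPROT_CREDS"
			fi
		done <<EOF
$RESIDENT_RPS
EOF
		if [ "$FOUND" -eq 0 ] ; then
			echo "No unprotected credentials on $DEV_PRETTY"
		fi
		;;
	*)
		echo "$DEV_PRETTY cannot enumerate credentials"
		echo "Discovering unprotected SSH credentials only..."
		# fido2-assert -G reads the client data hash and then the rp id from
		# stdin; -r asks for a resident credential and -t up=false for no
		# user-presence check.  No PIN is supplied, so a successful assertion
		# means a resident "ssh:" credential was obtainable without user
		# verification.  Any hash will do for the probe; SHA-256 of the empty
		# string is used.
		STUB_HASH=$(printf '' | openssl sha256 -binary | base64)
		if printf '%s\nssh:\n' "$STUB_HASH" | ${FIDO_TOOLS_PREFIX}fido2-assert -G -r -t up=false "$DEV_PATH" 2> /dev/null ; then
			echo "Found an unprotected SSH credential on $DEV_PRETTY!"
		else
			echo "No unprotected SSH credentials (default settings) on $DEV_PRETTY"
		fi
		;;
	esac
	printf '\n'
done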