1 files changed, 75 insertions, 0 deletions
diff --git a/tools/fido2-unprot.sh b/tools/fido2-unprot.sh
new file mode 100755
index 0000000..44b28b8
--- /dev/null
+++ b/tools/fido2-unprot.sh
@@ -0,0 +1,75 @@
+#!/bin/sh
+# Copyright (c) 2020 Fabian Henneke.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+if [ $(uname) != "Linux" ] ; then
+   echo "Can only run on Linux"
+   exit 1
+fi
+TOKEN_VERSION=$(${FIDO_TOOLS_PREFIX}fido2-token -V 2>&1)
+if [ $? -ne 0 ] ; then
+    echo "Please install libfido2 1.5.0 or higher"
+    exit
+fi
+TOKEN_VERSION_MAJOR=$(echo "$TOKEN_VERSION" | cut -d. -f1)
+TOKEN_VERSION_MINOR=$(echo "$TOKEN_VERSION" | cut -d. -f2)
+if [ $TOKEN_VERSION_MAJOR -eq 0 -o $TOKEN_VERSION_MAJOR -eq 1 -a $TOKEN_VERSION_MINOR -lt 5 ] ; then
+    echo "Please install libfido2 1.5.0 or higher (current version: $TOKEN_VERSION)"
+    exit 1
+fi
+set -e
+TOKEN_OUTPUT=$(${FIDO_TOOLS_PREFIX}fido2-token -L)
+DEV_PATH_NAMES=$(echo "$TOKEN_OUTPUT" | sed -r 's/^(.*): .*\((.*)\)$/\1 \2/g')
+DEV_COUNT=$(echo "$DEV_PATH_NAMES" | wc -l)
+for i in $(seq 1 $DEV_COUNT)
+do
+    DEV_PATH_NAME=$(echo "$DEV_PATH_NAMES" | sed "${i}q;d")
+    DEV_PATH=$(echo "$DEV_PATH_NAME" | cut -d' ' -f1)
+    DEV_NAME=$(echo "$DEV_PATH_NAME" | cut -d' ' -f1 --complement)
+    DEV_PRETTY=$(echo "$DEV_NAME (at '$DEV_PATH')")
+    if expr match "$(${FIDO_TOOLS_PREFIX}fido2-token -I $DEV_PATH)" ".* credMgmt.* clientPin.*\|.* clientPin.* credMgmt.*" > /dev/null ; then
+        printf "Enter PIN for $DEV_PRETTY once (ignore further prompts): "
+        stty -echo
+        read PIN
+        stty echo
+        printf "\n"
+        RESIDENT_RPS=$(echo "${PIN}\n" | setsid -w ${FIDO_TOOLS_PREFIX}fido2-token -L -r $DEV_PATH | cut -d' ' -f3)
+        printf "\n"
+        RESIDENT_RPS_COUNT=$(echo "$RESIDENT_RPS" | wc -l)
+        FOUND=0
+        for j in $(seq 1 $DEV_RESIDENT_RPS_COUNT)
+        do
+            RESIDENT_RP=$(echo "$RESIDENT_RPS" | sed "${j}q;d")
+            UNPROT_CREDS=$(echo "${PIN}\n" | setsid -w ${FIDO_TOOLS_PREFIX}fido2-token -L -k $RESIDENT_RP $DEV_PATH | grep ' uvopt$' | cut -d' ' -f2,3,4)
+            printf "\n"
+            UNPROT_CREDS_COUNT=$(echo "$UNPROT_CREDS" | wc -l)
+            if [ $UNPROT_CREDS_COUNT -gt 0 ] ; then
+                FOUND=1
+                echo "Unprotected credentials on $DEV_PRETTY for '$RESIDENT_RP':"
+                echo "$UNPROT_CREDS"
+            fi
+        done
+        if [ $FOUND -eq 0 ] ; then
+            echo "No unprotected credentials on $DEV_PRETTY"
+        fi
+    else
+        echo "$DEV_PRETTY cannot enumerate credentials"
+        echo "Discovering unprotected SSH credentials only..."
+        STUB_HASH=$(echo -n "" | openssl sha256 -binary | base64)
+        printf "$STUB_HASH\nssh:\n" | ${FIDO_TOOLS_PREFIX}fido2-assert -G -r -t up=false $DEV_PATH 2> /dev/null || ASSERT_EXIT_CODE=$?
+        if [ $ASSERT_EXIT_CODE -eq 0 ] ; then
+            echo "Found an unprotected SSH credential on $DEV_PRETTY!"
+        else
+            echo "No unprotected SSH credentials (default settings) on $DEV_PRETTY"
+        fi
+    fi
+    printf "\n"
+done

diff --git a/tools/fido2-unprot.sh b/tools/fido2-unprot.sh new file mode 100755 index 0000000..44b28b8 --- /dev/null +++ b/tools/fido2-unprot.sh
@@ -0,0 +1,75 @@
	1	#!/bin/sh
	2
	3	# Copyright (c) 2020 Fabian Henneke.
	4	# Use of this source code is governed by a BSD-style
	5	# license that can be found in the LICENSE file.
	6
	7
	8	if [ $(uname) != "Linux" ] ; then
	9	echo "Can only run on Linux"
	10	exit 1
	11	fi
	12
	13	TOKEN_VERSION=$(${FIDO_TOOLS_PREFIX}fido2-token -V 2>&1)
	14	if [ $? -ne 0 ] ; then
	15	echo "Please install libfido2 1.5.0 or higher"
	16	exit
	17	fi
	18
	19	TOKEN_VERSION_MAJOR=$(echo "$TOKEN_VERSION" \| cut -d. -f1)
	20	TOKEN_VERSION_MINOR=$(echo "$TOKEN_VERSION" \| cut -d. -f2)
	21	if [ $TOKEN_VERSION_MAJOR -eq 0 -o $TOKEN_VERSION_MAJOR -eq 1 -a $TOKEN_VERSION_MINOR -lt 5 ] ; then
	22	echo "Please install libfido2 1.5.0 or higher (current version: $TOKEN_VERSION)"
	23	exit 1
	24	fi
	25
	26	set -e
	27
	28	TOKEN_OUTPUT=$(${FIDO_TOOLS_PREFIX}fido2-token -L)
	29	DEV_PATH_NAMES=$(echo "$TOKEN_OUTPUT" \| sed -r 's/^(.): .\((.*)\)$/\1 \2/g')
	30	DEV_COUNT=$(echo "$DEV_PATH_NAMES" \| wc -l)
	31
	32	for i in $(seq 1 $DEV_COUNT)
	33	do
	34	DEV_PATH_NAME=$(echo "$DEV_PATH_NAMES" \| sed "${i}q;d")
	35	DEV_PATH=$(echo "$DEV_PATH_NAME" \| cut -d' ' -f1)
	36	DEV_NAME=$(echo "$DEV_PATH_NAME" \| cut -d' ' -f1 --complement)
	37	DEV_PRETTY=$(echo "$DEV_NAME (at '$DEV_PATH')")
	38	if expr match "$(${FIDO_TOOLS_PREFIX}fido2-token -I $DEV_PATH)" ".* credMgmt.* clientPin.\\|. clientPin.* credMgmt.*" > /dev/null ; then
	39	printf "Enter PIN for $DEV_PRETTY once (ignore further prompts): "
	40	stty -echo
	41	read PIN
	42	stty echo
	43	printf "\n"
	44	RESIDENT_RPS=$(echo "${PIN}\n" \| setsid -w ${FIDO_TOOLS_PREFIX}fido2-token -L -r $DEV_PATH \| cut -d' ' -f3)
	45	printf "\n"
	46	RESIDENT_RPS_COUNT=$(echo "$RESIDENT_RPS" \| wc -l)
	47	FOUND=0
	48	for j in $(seq 1 $DEV_RESIDENT_RPS_COUNT)
	49	do
	50	RESIDENT_RP=$(echo "$RESIDENT_RPS" \| sed "${j}q;d")
	51	UNPROT_CREDS=$(echo "${PIN}\n" \| setsid -w ${FIDO_TOOLS_PREFIX}fido2-token -L -k $RESIDENT_RP $DEV_PATH \| grep ' uvopt$' \| cut -d' ' -f2,3,4)
	52	printf "\n"
	53	UNPROT_CREDS_COUNT=$(echo "$UNPROT_CREDS" \| wc -l)
	54	if [ $UNPROT_CREDS_COUNT -gt 0 ] ; then
	55	FOUND=1
	56	echo "Unprotected credentials on $DEV_PRETTY for '$RESIDENT_RP':"
	57	echo "$UNPROT_CREDS"
	58	fi
	59	done
	60	if [ $FOUND -eq 0 ] ; then
	61	echo "No unprotected credentials on $DEV_PRETTY"
	62	fi
	63	else
	64	echo "$DEV_PRETTY cannot enumerate credentials"
	65	echo "Discovering unprotected SSH credentials only..."
	66	STUB_HASH=$(echo -n "" \| openssl sha256 -binary \| base64)
	67	printf "$STUB_HASH\nssh:\n" \| ${FIDO_TOOLS_PREFIX}fido2-assert -G -r -t up=false $DEV_PATH 2> /dev/null \|\| ASSERT_EXIT_CODE=$?
	68	if [ $ASSERT_EXIT_CODE -eq 0 ] ; then
	69	echo "Found an unprotected SSH credential on $DEV_PRETTY!"
	70	else
	71	echo "No unprotected SSH credentials (default settings) on $DEV_PRETTY"
	72	fi
	73	fi
	74	printf "\n"
	75	done