Diffstat (limited to 'tools/fido2-unprot.sh')
-rwxr-xr-x | tools/fido2-unprot.sh | 75 |
1 files changed, 75 insertions, 0 deletions
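--- /dev/null
+++ b/tools/fido2-unprot.sh
@@ -0,0 +1,75 @@
+#!/bin/sh
+
+# Copyright (c) 2020 Fabian Henneke.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+
+if [ $(uname) != "Linux" ] ; then
+echo "Can only run on Linux"
+exit 1
+fi
+
+TOKEN_VERSION=$(${FIDO_TOOLS_PREFIX}fido2-token -V 2>&1)
+if [ $? -ne 0 ] ; then
+echo "Please install libfido2 1.5.0 or higher"
+exit
+fi
+
+TOKEN_VERSION_MAJOR=$(echo "$TOKEN_VERSION" | cut -d. -f1)
+TOKEN_VERSION_MINOR=$(echo "$TOKEN_VERSION" | cut -d. -f2)
+if [ $TOKEN_VERSION_MAJOR -eq 0 -o $TOKEN_VERSION_MAJOR -eq 1 -a $TOKEN_VERSION_MINOR -lt 5 ] ; then
+echo "Please install libfido2 1.5.0 or higher (current version: $TOKEN_VERSION)"
+exit 1
+fi
+
+set -e
+
+TOKEN_OUTPUT=$(${FIDO_TOOLS_PREFIX}fido2-token -L)
+DEV_PATH_NAMES=$(echo "$TOKEN_OUTPUT" | sed -r 's/^(.*): .*\((.*)\)$/\1 \2/g')
+DEV_COUNT=$(echo "$DEV_PATH_NAMES" | wc -l)
+
+for i in $(seq 1 $DEV_COUNT)
+do
+DEV_PATH_NAME=$(echo "$DEV_PATH_NAMES" | sed "${i}q;d")
+DEV_PATH=$(echo "$DEV_PATH_NAME" | cut -d' ' -f1)
+DEV_NAME=$(echo "$DEV_PATH_NAME" | cut -d' ' -f1 --complement)
+DEV_PRETTY=$(echo "$DEV_NAME (at '$DEV_PATH')")
+if expr match "$(${FIDO_TOOLS_PREFIX}fido2-token -I $DEV_PATH)" ".* credMgmt.* clientPin.*\|.* clientPin.* credMgmt.*" > /dev/null ; then
+printf "Enter PIN for $DEV_PRETTY once (ignore further prompts): "
+stty -echo
+read PIN
+stty echo
+printf "\n"
+RESIDENT_RPS=$(echo "${PIN}\n" | setsid -w ${FIDO_TOOLS_PREFIX}fido2-token -L -r $DEV_PATH | cut -d' ' -f3)
+printf "\n"
+RESIDENT_RPS_COUNT=$(echo "$RESIDENT_RPS" | wc -l)
+FOUND=0
+for j in $(seq 1 $DEV_RESIDENT_RPS_COUNT)
+do
+RESIDENT_RP=$(echo "$RESIDENT_RPS" | sed "${j}q;d")
+UNPROT_CREDS=$(echo "${PIN}\n" | setsid -w ${FIDO_TOOLS_PREFIX}fido2-token -L -k $RESIDENT_RP $DEV_PATH | grep ' uvopt$' | cut -d' ' -f2,3,4)
+printf "\n"
+UNPROT_CREDS_COUNT=$(echo "$UNPROT_CREDS" | wc -l)
+if [ $UNPROT_CREDS_COUNT -gt 0 ] ; then
+FOUND=1
+echo "Unprotected credentials on $DEV_PRETTY for '$RESIDENT_RP':"
+echo "$UNPROT_CREDS"
+fi
+done
+if [ $FOUND -eq 0 ] ; then
+echo "No unprotected credentials on $DEV_PRETTY"
+fi
+else
+echo "$DEV_PRETTY cannot enumerate credentials"
+echo "Discovering unprotected SSH credentials only..."
+STUB_HASH=$(echo -n "" | openssl sha256 -binary | base64)
+printf "$STUB_HASH\nssh:\n" | ${FIDO_TOOLS_PREFIX}fido2-assert -G -r -t up=false $DEV_PATH 2> /dev/null || ASSERT_EXIT_CODE=$?
+if [ $ASSERT_EXIT_CODE -eq 0 ] ; then
+echo "Found an unprotected SSH credential on $DEV_PRETTY!"
+else
+echo "No unprotected SSH credentials (default settings) on $DEV_PRETTY"
+fi
+fi
+printf "\n"
+done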
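Review bot: `ASSERT_EXIT_CODE` is assigned only on the failure side of the `fido2-assert ... || ASSERT_EXIT_CODE=$?` pipeline in the else branch and is never initialised, so on the first device where the assertion succeeds the test becomes `[ -eq 0 ]`, which errors out and falls through to "No unprotected SSH credentials" — the exact case this fallback exists to detect — and on later devices a stale status from a previous iteration is reused. Add `ASSERT_EXIT_CODE=0` on the line before the pipeline so a successful assertion is recorded. Separately, the inner loop header `for j in $(seq 1 $DEV_RESIDENT_RPS_COUNT)` references a variable that is never set (the count is stored in `RESIDENT_RPS_COUNT`), so `seq 1` yields a single iteration and only the first resident RP is ever examined; `for j in $(seq 1 $RESIDENT_RPS_COUNT)` fixes it. Both defects produce false negatives in a tool whose purpose is to surface unprotected credentials, so they are worth fixing before this is relied on for an audit. Note also that `echo "$x" | wc -l` reports 1 for an empty result, so the `-gt 0` check on `UNPROT_CREDS_COUNT` never takes the zero branch and an "Unprotected credentials" header is printed for RPs that have none.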