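#!/bin/sh

# Copyright (c) 2020 Fabian Henneke.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
# SPDX-License-Identifier: BSD-2-Clause

# Reports discoverable (resident) FIDO2 credentials on attached authenticators
# that can be used without user verification.
#
# For every device listed by fido2-token:
#   * if the device advertises both credMgmt and clientPin, the user is asked
#     for the PIN once, the resident credentials are enumerated per relying
#     party, and those fido2-token reports as "uvopt" are printed;
#   * otherwise an assertion for the relying party "ssh:" is requested without
#     PIN and without user presence; success means such a credential exists.
#
# Usage: [FIDO_TOOLS_PREFIX=<dir>/] sh <this script>
#   FIDO_TOOLS_PREFIX  optional prefix prepended to the fido2-token and
#                      fido2-assert command names (e.g. an install directory
#                      ending in "/").
#
# Requires Linux, libfido2 1.5.0 or newer, GNU coreutils (cut, wc, base64),
# GNU sed, util-linux setsid and openssl. Findings go to stdout, diagnostics
# to stderr.

set -eu

# Treat an unset prefix as empty so "set -u" does not trip on it.
FIDO_TOOLS_PREFIX="${FIDO_TOOLS_PREFIX-}"

# Prints its arguments to stderr and exits with status 1.
die() {
    printf '%s\n' "$*" >&2
    exit 1
}

# Returns 0 if $1 is a non-empty string of decimal digits, 1 otherwise.
is_number() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

#######################################
# Enumerates the resident credentials of one device through credential
# management and prints those fido2-token reports as "uvopt".
# Globals:  DEV_PATH, DEV_PRETTY, FIDO_TOOLS_PREFIX (read)
#           PIN (written while in use, unset before returning)
# Outputs:  findings on stdout, failures on stderr
# Returns:  0 always, so the caller's loop continues under "set -e" even when
#           the device could not be queried.
#######################################
check_with_credmgmt() {
    printf "Enter PIN for %s once (ignore further prompts): " "$DEV_PRETTY"
    stty -echo
    IFS= read -r PIN
    stty echo
    printf '\n'
    # setsid -w detaches fido2-token from the controlling terminal; the
    # apparent intent is that it then takes the PIN from the pipe instead of
    # prompting on /dev/tty. The blank line printed afterwards closes the
    # prompt line fido2-token still emits.
    if ! RESIDENT_LIST=$(printf '%s\n' "$PIN" | setsid -w "${FIDO_TOOLS_PREFIX}"fido2-token -L -r "$DEV_PATH"); then
        printf '\n'
        # No automatic retry: a rejected PIN is charged against the
        # authenticator's PIN retry counter.
        printf 'Could not list resident credentials on %s (wrong PIN?)\n' "$DEV_PRETTY" >&2
        unset PIN
        return 0
    fi
    printf '\n'
    # The third field of each "-L -r" line is taken as the relying party id
    # (matches the original parsing; confirm against fido2-token's output).
    RESIDENT_RPS=$(printf '%s\n' "$RESIDENT_LIST" | cut -d' ' -f3)
    FOUND=0
    while IFS= read -r RESIDENT_RP; do
        # An empty list yields one blank line; nothing to enumerate.
        [ -n "$RESIDENT_RP" ] || continue
        if ! CRED_LIST=$(printf '%s\n' "$PIN" | setsid -w "${FIDO_TOOLS_PREFIX}"fido2-token -L -k "$RESIDENT_RP" "$DEV_PATH"); then
            printf '\n'
            printf "Could not list credentials on %s for '%s'\n" "$DEV_PRETTY" "$RESIDENT_RP" >&2
            continue
        fi
        printf '\n'
        # "uvopt" marks credentials that can be used without user
        # verification; fields 2-4 are kept (presumably credential id, user
        # id and user name).
        UNPROT_CREDS=$(printf '%s\n' "$CRED_LIST" | grep ' uvopt$' | cut -d' ' -f2,3,4)
        # Test the text itself: "wc -l" on an empty result would count 1.
        if [ -n "$UNPROT_CREDS" ]; then
            FOUND=1
            printf "Unprotected credentials on %s for '%s':\n" "$DEV_PRETTY" "$RESIDENT_RP"
            printf '%s\n' "$UNPROT_CREDS"
        fi
    done <<EOF
$RESIDENT_RPS
EOF
    unset PIN
    if [ "$FOUND" -eq 0 ]; then
        printf 'No unprotected credentials on %s\n' "$DEV_PRETTY"
    fi
}

#######################################
# Probes one device for a discoverable "ssh:" credential that produces an
# assertion without PIN and without user presence.
# Globals:  DEV_PATH, DEV_PRETTY, FIDO_TOOLS_PREFIX (read)
# Outputs:  result on stdout
# Returns:  0 always.
#######################################
check_ssh_stub() {
    printf '%s cannot enumerate credentials\n' "$DEV_PRETTY"
    printf 'Discovering unprotected SSH credentials only...\n'
    # Any 32-byte value serves as the client data hash; only whether the
    # authenticator answers at all matters here.
    STUB_HASH=$(printf '' | openssl sha256 -binary | base64)
    # fido2-assert's stderr is discarded, so "no such credential" and a device
    # error both end up in the else branch; a negative result is therefore
    # not conclusive. The exit status is evaluated directly instead of through
    # a variable that was previously left unset on success.
    if printf '%s\nssh:\n' "$STUB_HASH" | "${FIDO_TOOLS_PREFIX}"fido2-assert -G -r -t up=false "$DEV_PATH" 2> /dev/null; then
        printf 'Found an unprotected SSH credential on %s!\n' "$DEV_PRETTY"
    else
        printf 'No unprotected SSH credentials (default settings) on %s\n' "$DEV_PRETTY"
    fi
}

[ "$(uname)" = "Linux" ] || die "Can only run on Linux"

# "fido2-token -V" prints the libfido2 version; a missing binary fails here.
if ! TOKEN_VERSION=$("${FIDO_TOOLS_PREFIX}"fido2-token -V 2>&1); then
    die "Please install libfido2 1.5.0 or higher"
fi
TOKEN_VERSION_MAJOR=$(printf '%s\n' "$TOKEN_VERSION" | cut -d. -f1)
TOKEN_VERSION_MINOR=$(printf '%s\n' "$TOKEN_VERSION" | cut -d. -f2)
# Guard the numeric comparisons below against unexpected "-V" output.
if ! is_number "$TOKEN_VERSION_MAJOR" || ! is_number "$TOKEN_VERSION_MINOR"; then
    die "Unable to parse libfido2 version: $TOKEN_VERSION"
fi
if [ "$TOKEN_VERSION_MAJOR" -eq 0 ] ||
   { [ "$TOKEN_VERSION_MAJOR" -eq 1 ] && [ "$TOKEN_VERSION_MINOR" -lt 5 ]; }; then
    die "Please install libfido2 1.5.0 or higher (current version: $TOKEN_VERSION)"
fi

TOKEN_OUTPUT=$("${FIDO_TOOLS_PREFIX}"fido2-token -L)
# Without this check an empty list would be processed as one nameless device.
[ -n "$TOKEN_OUTPUT" ] || die "No FIDO2 devices found"
# Each "-L" line looks like "<path>: <details> (<name>)"; keep "<path> <name>".
DEV_PATH_NAMES=$(printf '%s\n' "$TOKEN_OUTPUT" | sed -r 's/^(.*): .*\((.*)\)$/\1 \2/g')
DEV_COUNT=$(printf '%s\n' "$DEV_PATH_NAMES" | wc -l)

# Terminal echo is switched off while the PIN is read; restore it even if the
# script is interrupted or aborts at that point.
trap 'stty echo 2>/dev/null || :' EXIT

# Indexed loop rather than "while read" over the device list: the PIN prompt
# inside reads from stdin, which a redirected loop would take over.
i=1
while [ "$i" -le "$DEV_COUNT" ]; do
    DEV_PATH_NAME=$(printf '%s\n' "$DEV_PATH_NAMES" | sed -n "${i}p")
    i=$((i + 1))
    # Path is the first space-separated field, the name is everything after it.
    DEV_PATH=${DEV_PATH_NAME%% *}
    DEV_NAME=${DEV_PATH_NAME#* }
    DEV_PRETTY="$DEV_NAME (at '$DEV_PATH')"
    # "-I" prints the device's capabilities. A device that cannot be queried
    # is reported and skipped rather than silently falling through to the
    # assertion probe, which would turn the failure into a false "no
    # unprotected credentials" result.
    if ! DEV_INFO=$("${FIDO_TOOLS_PREFIX}"fido2-token -I "$DEV_PATH"); then
        printf 'Could not query %s; skipping\n' "$DEV_PRETTY" >&2
        printf '\n'
        continue
    fi
    # Same match as the former expr pattern: both " credMgmt" and
    # " clientPin" present, in either order.
    case "$DEV_INFO" in
        *" credMgmt"*" clientPin"*|*" clientPin"*" credMgmt"*)
            check_with_credmgmt ;;
        *)
            check_ssh_stub ;;
    esac
    printf '\n'
done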