GPG passphrase preset to be called from pam_exec
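#!/bin/bash
# GPG passphrase preset, run by pam_exec with expose_authtok, e.g.
#   auth optional pam_exec.so expose_authtok /usr/local/bin/preset.sh
# pam_exec hands the authentication token on stdin and names the
# authenticating user in PAM_USER. The token is pushed into that user's
# gpg-agent for every secret key and every keygrip listed in sshcontrol.

# Grab the PAM-provided auth token verbatim: -r keeps backslashes and an
# empty IFS keeps leading/trailing whitespace, both of which may legitimately
# be part of a passphrase.
IFS= read -r token
# Nothing to preset without a token (e.g. invoked outside pam_exec).
[[ -n "$token" ]] || exit 0

# gpg-preset-passphrase is often in /usr/libexec or /usr/lib/gnupg
preset=/usr/lib/gnupg/gpg-preset-passphrase

# grab our user, USER isn't always set
USER=$(id -un)

# The token is spliced into the script text the inner shell executes, so it
# must be shell-quoted first: a passphrase containing quotes, `$` or
# backticks would otherwise break, or be evaluated by, the inner shell.
# printf %q yields a form that bash reads back to the exact original bytes.
printf -v token_q '%q' "$token"

# Switch to PAM_USER when we are not already that user. The login shell
# (su -) resets cwd and environment to PAM_USER's, which the sshcontrol
# lookup below relies on.
if [[ "$PAM_USER" != "$USER" ]]; then
  runner=(su - "$PAM_USER" -s /bin/bash)
else
  runner=(/bin/bash)
fi

# The heredoc is deliberately unquoted: $preset and $token_q are expanded
# here, everything escaped with a backslash is evaluated by the inner shell.
# This PAM entry is "optional", so a preset failure must never fail login.
"${runner[@]}" <<EOF || true
# pick an agent, any agent
#source <(keychain --quiet --eval --noask --ignore-missing --agents gpg)
source <(envoy -p)
# get these keygrips:
# pub/sub fprints only for priv keys
# SSH keys managed by gpg
# NOTE(review): gpg -K --fingerprint prints fingerprints rather than keygrips;
# newer gpg-agent versions may need --with-keygrip output here — confirm.
keygrips="\$(gpg -K --fingerprint --fingerprint |
  sed -rn '/fingerprint/ {s/^.*= (.*)$/\1/; s/ //gp}')
\$(sed -rn '/^[^#]/ s/^([A-F0-9]*).*$/\1/p' "\${GNUPGHOME:-\$HOME/.gnupg}/sshcontrol")"
# preset each keygrip
for keygrip in \$keygrips
do
  $preset -v -c \$keygrip <<< $token_q
done
EOF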
auth optional pam_exec.so expose_authtok /usr/local/bin/preset.sh