#!/usr/bin/env expect
#
# This Expect script was generated by autoexpect on Wed Aug 1 17:10:59 2018
# Expect and autoexpect were both written by Don Libes, NIST.
#
# Note that autoexpect does not guarantee a working script. It
# necessarily has to guess about certain things. Two reasons a script
# might fail are:
#
# 1) timing - A surprising number of programs (rn, ksh, zsh, telnet,
# etc.) and devices discard or ignore keystrokes that arrive "too
# quickly" after prompts. If you find your new script hanging up at
# one spot, try adding a short sleep just before the previous send.
# Setting "force_conservative" to 1 (see below) makes Expect do this
# automatically - pausing briefly before sending each character. This
# pacifies every program I know of. The -c flag makes the script do
# this in the first place. The -C flag allows you to define a
# character to toggle this mode off and on.
# Conservative mode: pause before every send and pace the characters out, so
# that programs which drop keystrokes arriving right after a prompt (see the
# autoexpect header above) still see the whole answer. Leave this at 1 unless
# a run has been shown to be reliable without it.
set force_conservative 1
if {$force_conservative} {
    # exp_send -s honours send_slow: one character every 0.1 s.
    set send_slow {1 .1}
    # Shadow the builtin so that every `send -- text` in this script first
    # sleeps briefly and then transmits slowly. The first parameter receives
    # the `--` that all call sites pass and is deliberately unused.
    proc send {flag text} {
        sleep .1
        exp_send -s -- $text
    }
}
#
# 2) differing output - Some programs produce different output each time
# they run. The "date" command is an obvious example. Another is
# ftp, if it produces throughput statistics at the end of a file
# transfer. If this causes a problem, delete these patterns or replace
# them with wildcards. An alternative is to use the -p flag (for
# "prompt") which makes Expect only look for the last line of output
# (i.e., the prompt). The -P flag allows you to define a character to
# toggle this mode off and on.
#
# Read the man page for more info.
#
# -Don
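set timeout -1 ;# never time out: on-card RSA generation takes minutes
match_max 100000
# Positional arguments (https://stackoverflow.com/a/17060172), all supplied by
# the wrapper that invokes this script.
#
# NOTE: PIN and PUK arrive on the command line and are therefore visible to
# every local user via `ps` / /proc for the lifetime of this process. That is
# the calling convention the wrapper relies on, so it is kept here, but do not
# run this on a shared host.
set TOUCH_POLICY [lindex $argv 0] ;# passed through to `ykman openpgp set-touch sig`
set PUK [lindex $argv 1]          ;# new OpenPGP *Admin PIN* - "PUK" is a misnomer kept for the callers
set GPG_HOMEDIR [lindex $argv 2]  ;# gnupg home used for --card-edit
set PIN [lindex $argv 3]          ;# new OpenPGP user PIN
set KEY_LENGTH [lindex $argv 4]   ;# RSA key size in bits, used for all three key slots
set REALNAME [lindex $argv 5]     ;# user ID components of the generated key
set EMAIL [lindex $argv 6]
set COMMENT [lindex $argv 7]      ;# may legitimately be empty

# Fail fast on values gpg or the card would reject: with timeout -1 a rejected
# value does not fail the run, it leaves the script blocked on a re-prompt that
# no `expect` below is waiting for. Limits: the OpenPGP card requires at least
# 6 characters for the user PIN and 8 for the Admin PIN; gpg requires a real
# name of at least 5 characters.
set problems {}
if {[string length $PIN] < 6} {
    lappend problems "PIN must be at least 6 characters"
}
if {[string length $PUK] < 8} {
    lappend problems "PUK (the OpenPGP Admin PIN) must be at least 8 characters"
}
if {$GPG_HOMEDIR eq ""} {
    lappend problems "GPG_HOMEDIR must not be empty"
}
if {![string is integer -strict $KEY_LENGTH] || $KEY_LENGTH <= 0} {
    lappend problems "KEY_LENGTH must be a positive integer (bits)"
}
if {[string length $REALNAME] < 5} {
    lappend problems "REALNAME must be at least 5 characters"
}
if {$EMAIL eq ""} {
    lappend problems "EMAIL must not be empty"
}
if {[llength $problems]} {
    puts stderr "expect.sh: refusing to run:"
    foreach problem $problems {
        puts stderr "  - $problem"
    }
    puts stderr "usage: expect.sh TOUCH_POLICY PUK GPG_HOMEDIR PIN KEY_LENGTH REALNAME EMAIL \[COMMENT\]"
    exit 1
}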
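# Turn off OTP: switch the USB interfaces to FIDO+CCID so that touching the key
# no longer types an OTP - with the touch-to-sign/auth/encrypt policies set
# later, a touch would otherwise also emit an OTP into whatever has focus.
# `ykman mode` is the legacy command; newer ykman releases replace it with
# `ykman config usb` - verify against the installed version before relying on
# the prompts matched below.
send_user "Turning off YubiKey OTP:\n"
spawn ykman mode "FIDO+CCID"
expect {
    "Mode is already FIDO+CCID, nothing to do..." {
        expect eof
    }
    ": " {
        # Confirmation prompt for the mode change.
        send -- "y\r"
        expect eof
    }
}
# If ykman printed neither pattern (no key inserted, unsupported command, ...)
# the expect above simply returns at EOF, so check the exit status explicitly:
# everything that follows assumes a CCID-reachable OpenPGP applet.
set result [wait]
if {[lindex $result 2] == -1 || [lindex $result 3] != 0} {
    puts stderr "ykman mode failed: $result"
    exit 1
}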
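# Set up PIN, PUK, and then generate keys on card.
#
# Security notes for this phase:
#  * "PUK" in this script is the OpenPGP *Admin PIN*, not the PIV PUK or the
#    OpenPGP Reset Code; it is what key-attr, generate and the touch-policy
#    changes later on ask for as "Admin PIN".
#  * The factory defaults 123456 / 12345678 are sent once to replace them. If
#    the card was already personalised they are wrong and, with the global
#    timeout of -1, this script blocks on the retry prompt instead of failing;
#    reset the OpenPGP applet first (this destroys the keys on it).
#  * The off-card backup of the encryption key is declined, so no private key
#    ever leaves the YubiKey. Losing or resetting the key therefore means
#    losing the ability to decrypt anything encrypted to it.
#  * Key expiry is hard-coded to 10 years below; rotate or extend before then.
#  * The prompts matched here ("PIN: ", "Admin PIN: ") assume a terminal-based
#    pinentry (loopback or pinentry-tty) configured for $GPG_HOMEDIR; a GUI
#    pinentry would never print them and the script would hang - confirm
#    against the wrapper's gpg-agent setup.
send_user "Now generating your GPG keys on the YubiKey itself.\n"
spawn gpg --homedir=$GPG_HOMEDIR --card-edit
expect -exact "gpg/card> "
send -- "admin\r"
# https://developers.yubico.com/PGP/Card_edit.html
expect -exact "gpg/card> "
send -- "passwd\r"
# Change PIN (menu entry 1): current factory PIN, new PIN, repeat.
expect -exact "Your selection? "
send -- "1\r"
expect -exact "PIN: "
send -- "123456\r"
expect -exact "PIN: "
send -- "$PIN\r"
expect -exact "PIN: "
send -- "$PIN\r"
# Change Admin PIN (menu entry 3): current factory Admin PIN, new one, repeat.
expect -exact "Your selection? "
send -- "3\r"
expect -exact "Admin PIN: "
send -- "12345678\r"
expect -exact "Admin PIN: "
send -- "$PUK\r"
expect -exact "Admin PIN: "
send -- "$PUK\r"
# Get out of passwd menu
expect -exact "Your selection? "
send -- "q\r"
# Set desired key attributes: RSA of $KEY_LENGTH bits for every slot. gpg asks
# for the signature, encryption and authentication keys in that order, and
# each change is authorised with the new Admin PIN.
expect -exact "gpg/card> "
send -- "key-attr\r"
foreach slot {signature encryption authentication} {
    expect -exact "Your selection? "
    # 1 = RSA
    send -- "1\r"
    expect "What keysize do you want? (*) "
    send -- "$KEY_LENGTH\r"
    expect -exact "Admin PIN: "
    send -- "$PUK\r"
}
# Time to generate. The user PIN authorises the generate command, the Admin
# PIN (sent after the user ID is confirmed) authorises writing the keys.
expect -exact "gpg/card> "
send -- "generate\r"
expect -exact "Make off-card backup of encryption key? (Y/n) "
send -- "n\r"
expect -exact "PIN: "
send -- "$PIN\r"
expect -exact "Key is valid for? (0) "
send -- "10y\r"
expect -exact "Is this correct? (y/N) "
send -- "y\r"
expect -exact "Real name: "
send -- "$REALNAME\r"
expect -exact "Email address: "
send -- "$EMAIL\r"
expect -exact "Comment: "
send -- "$COMMENT\r"
expect -exact "Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? "
send -- "O\r"
expect -exact "Admin PIN: "
send -- "$PUK\r"
send_user "\nNow generating keys on card, lights will be flashing, this will take a few minutes, please wait...\n"
expect -exact "gpg/card> "
send -- "quit\r"
expect eof
# gpg reports per-command errors on the console and may still exit 0 after
# `quit`, so this only catches hard failures (crash, killed, unusable
# homedir); a failed step shows up in the transcript above.
set result [wait]
if {[lindex $result 2] == -1 || [lindex $result 3] != 0} {
    puts stderr "gpg --card-edit failed: $result - the card may be half-configured"
    exit 1
}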
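# Require a physical touch for each private-key operation, so that software
# with access to the card (a local process, or a host reached through a
# forwarded gpg-agent) cannot sign, authenticate or decrypt without the holder
# noticing. The signature slot takes the caller's TOUCH_POLICY; authentication
# and encryption are fixed to "on". Each ykman call asks for the Admin PIN
# (the variable is named PUK in this script) and then for confirmation.
#
# `ykman openpgp set-touch` is the command name of older ykman releases; later
# ones moved it under `ykman openpgp keys set-touch` - check the installed
# version if the prompts below stop matching.
foreach {slot policy label purpose} [list \
        sig $TOUCH_POLICY signature "sign any message" \
        aut on authentication "authenticate SSH" \
        enc on encryption "encrypt any message"] {
    send_user "Now requiring you to touch your Yubikey to $purpose.\n"
    spawn ykman openpgp set-touch $slot $policy
    expect -exact "Enter admin PIN: "
    # The PIN goes to the spawned pty, whose echo is under ykman's control
    # (its PIN prompt hides input). The `stty -echo` that used to sit here acted
    # on the *user's* controlling terminal instead - Expect's stty defaults to
    # /dev/tty - and was never re-enabled, so it is dropped. If a terminal is
    # ever left without echo after an aborted run, `stty sane` restores it.
    send -- "$PUK\r"
    expect -exact "Set touch policy of $label key to $policy? \[y/N\]: "
    send -- "y\r"
    expect eof
    # A wrong Admin PIN or an unsupported policy makes ykman exit non-zero
    # without the policy being applied; do not continue as if it were.
    set result [wait]
    if {[lindex $result 2] == -1 || [lindex $result 3] != 0} {
        puts stderr "ykman openpgp set-touch $slot $policy failed: $result"
        exit 1
    }
}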
# Touch for ATTESTATION works only for Yubico firmware >= 5.2.3.
# https://support.yubico.com/support/solutions/articles/15000027139-yubikey-5-2-3-enhancements-to-openpgp-3-4-support