Apsu · August 22, 2022 14:55
diff --git a/gpg-pam-exec b/gpg-pam-exec
 #!/usr/bin/env bash

 # grab PAM-provided auth token
 read token

 # grab our user, $USER isn't always set
 USER="$(id -un)"

 # switch to PAM_USER if passed, buffer return value
 $([[ "$PAM_USER" != "$USER" ]] && echo su - "$PAM_USER" -s) /usr/local/bin/gpg-preset-passphrase <<< "$token"
diff --git a/gpg-preset-passphrase b/gpg-preset-passphrase
 #!/usr/bin/env bash

 # Don't pass in args so it never shows up in ps
 read token

 # gpg-preset-passphrase is often in /usr/libexec or /usr/lib/gnupg
 preset=/usr/lib/gnupg/gpg-preset-passphrase

 # Start agent if needed, grab env
 source <(/usr/local/bin/gpg-start-agent)

 # Set these fingerprints:
 #   pub/sub fprints only for priv keys
 #   SSH keys managed by gpg
 fingerprints=($(gpg -K --fingerprint --fingerprint --with-colons | sed -nr '/ssb/,+1{s/^fpr:+(.*):$/\1/p}'))
 fingerprints+=($(gpg-connect-agent "keyinfo --ssh-list" /bye | sed -nr 's/^.*KEYINFO ([^ ]+).*$/\1/p'))

 # Preset each fingerprint
 for fingerprint in "${fingerprints[@]}"
 do
  $preset -c "$fingerprint" <<< "$token"
 done
diff --git a/gpg-start-agent b/gpg-start-agent
 #!/usr/bin/env bash

 # Start the GnuPG agent and enable OpenSSH agent emulation
 # Outputs lines for "source"

 # Store env vars here
 gnupginf="${HOME}/.gnupg/gpg-agent.info"

 # Already running?
 if pgrep -U "${USER}" -x gpg-agent &>/dev/null; then
  # Spit out export lines
  while read line; do echo export "$line"; done < "$gnupginf"
 else
  # Start agent, write vars to file, and spit out export lines
  gpg-agent --enable-ssh-support --disable-scdaemon --daemon --write-env-file "$gnupginf"
 fi

 unset gnupginf
diff --git a/login b/login
 auth optional pam_exec.so expose_authtok /usr/local/bin/gpg-pam-exec
	#!/usr/bin/env bash

	# grab PAM-provided auth token
	read token

	# grab our user, $USER isn't always set
	USER="$(id -un)"

	# switch to PAM_USER if passed, buffer return value
	$([[ "$PAM_USER" != "$USER" ]] && echo su - "$PAM_USER" -s) /usr/local/bin/gpg-preset-passphrase <<< "$token"
	#!/usr/bin/env bash

	# Don't pass in args so it never shows up in ps
	read token

	# gpg-preset-passphrase is often in /usr/libexec or /usr/lib/gnupg
	preset=/usr/lib/gnupg/gpg-preset-passphrase

	# Start agent if needed, grab env
	source <(/usr/local/bin/gpg-start-agent)

	# Set these fingerprints:
	# pub/sub fprints only for priv keys
	# SSH keys managed by gpg
	fingerprints=($(gpg -K --fingerprint --fingerprint --with-colons \| sed -nr '/ssb/,+1{s/^fpr:+(.*):$/\1/p}'))
	fingerprints+=($(gpg-connect-agent "keyinfo --ssh-list" /bye \| sed -nr 's/^.KEYINFO ([^ ]+).$/\1/p'))

	# Preset each fingerprint
	for fingerprint in "${fingerprints[@]}"
	do
	$preset -c "$fingerprint" <<< "$token"
	done
	#!/usr/bin/env bash

	# Start the GnuPG agent and enable OpenSSH agent emulation
	# Outputs lines for "source"

	# Store env vars here
	gnupginf="${HOME}/.gnupg/gpg-agent.info"

	# Already running?
	if pgrep -U "${USER}" -x gpg-agent &>/dev/null; then
	# Spit out export lines
	while read line; do echo export "$line"; done < "$gnupginf"
	else
	# Start agent, write vars to file, and spit out export lines
	gpg-agent --enable-ssh-support --disable-scdaemon --daemon --write-env-file "$gnupginf"
	fi

	unset gnupginf