
I have recently purchased my first Yubikey and I am using the ykman oath code command on CentOS 7 to show the passcodes stored on this key. I have put a password on the Yubikey which must be entered to see the appropriate OATH codes. I am trying to automatically extract these auth codes using a very simple bash script called yubitest.sh, as follows:

#!/bin/bash  
expect <(cat << 'EOF'   
spawn ykman oath code  
expect "Enter your password: "  
send "PASSWORD\r"  
EOF  
)  

OUTPUT

Unfortunately, the PASSWORD is passed to the Yubikey but seems not to be processed, and the script falls through to the command prompt as follows:

[laptop .ssh]$ ./yubitest.sh (make sure permissions are set to 700)  
spawn ykman oath code  
Enter your password:   
[laptop .ssh]$   

It should return a list of codes from the yubikey.

This is the output when running expect in debug mode (using -d in the above script after the word expect):

expect version 5.45  
argv[0] = expect  argv[1] = -d  argv[2] = /dev/fd/63    
set argc 0  
set argv0 "/dev/fd/63"  
set argv ""  
executing commands from command file /dev/fd/63  
spawn ykman oath code  
parent: waiting for sync byte  
parent: telling child to go ahead  
parent: now unsynchronized from child  
spawn: returns {29954}  

expect: does "" (spawn_id exp6) match glob pattern "Enter your password: "? no  
Enter your password:   
expect: does "Enter your password: " (spawn_id exp6) match glob pattern "Enter your password: "? yes  
expect: set expect_out(0,string) "Enter your password: "  
expect: set expect_out(spawn_id) "exp6"  
expect: set expect_out(buffer) "Enter your password: "  
send: sending "PASSWORD" to { exp6 }  

Can anyone help highlight why the send command of expect is not passing the PASSWORD correctly? Also can anyone advise on how to pass the results of this to an environment variable?

Aserre

2 Answers


This is because the expect script exits before ykman completes. After you send the password, add:

expect eof
glenn jackman
  • @culzeanman, don't edit other people's answers as a reply. If you have more details to add to the question, edit the question and add them there. – glenn jackman Aug 06 '20 at 05:52
  • Thanks for the suggestion @Glen. Adding the "expect eof" causes the script to time out and drop through to the Unix prompt without displaying the Yubikey details. It also causes the password to be visibly displayed beside the "Enter your password: " prompt. – culzeanman Aug 06 '20 at 07:55
  • I can't explain why it would be timing out. What does ykman do after you provide the password? This is where `autoexpect` can come in handy. – glenn jackman Aug 06 '20 at 14:14
  • If I enter ykman at the command prompt after entering the password, it returns a list of 2FA codes for particular websites. I haven't tried the autoexpect feature as yet, so will read up on how that works and see if that will help. Thanks for the suggestion. – culzeanman Aug 06 '20 at 23:39
  • Unfortunately, same problem with autoexpect. The expect script it creates, when run, just times out with no output from ykman. – culzeanman Aug 07 '20 at 00:08
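The following is an added example, not code from the question or from either answer, showing the shape of a complete expect session as the answer above suggests: wait for the password prompt, send the password, then `expect eof` so the script stays attached until ykman exits, and finally hand the collected output back to bash so it can be captured in a variable (the second part of the question). It assumes `expect` and `ykman` are installed, that the OATH password is supplied through an environment variable named YKMAN_OATH_PASSWORD (an assumed name, chosen so the secret is not hardcoded in the script file), and that each output line of `ykman oath code` has the account name first and the code last; the sample output used by `code_for_account` is constructed for the example and may not match the exact layout of your ykman version.

```shell
#!/bin/bash
# Added example (not from the question or answers): drive `ykman oath code`
# with expect, capture its output into a shell variable, and pick out one code.
# Assumptions: `expect` and `ykman` are installed, and the OATH password is
# passed in the environment variable YKMAN_OATH_PASSWORD (assumed name).

# Run ykman under expect, answer the password prompt, then wait for the
# process to finish (`expect eof`). Only ykman's output after the prompt is
# printed, so the caller can capture it with command substitution.
fetch_oath_codes() {
    expect <<'EOF'
log_user 0                        ;# do not echo the session to the terminal
set timeout 30                    ;# give the key time to respond
spawn ykman oath code
expect "Enter your password: "
send -- "$env(YKMAN_OATH_PASSWORD)\r"
expect eof                        ;# stay attached until ykman exits
puts -nonewline $expect_out(buffer)  ;# everything received after the prompt
EOF
}

# Extract the code for one account from ykman-style output held in a variable.
# Lines are assumed to look like "<account>  <code>" (account first, code last).
code_for_account() {
    local account="$1" output="$2"
    printf '%s\n' "$output" | awk -v acct="$account" '$1 == acct { print $NF; exit }'
}

# Constructed sample output in the assumed layout, used to exercise the parser
# offline without a key attached.
SAMPLE_OUTPUT='Example:alice@example.com  123456
GitHub:alice  654321'

# Usage with a real key:  YKMAN_OATH_PASSWORD=... ./script.sh --run GitHub:alice
if [ "${1:-}" = "--run" ]; then
    : "${YKMAN_OATH_PASSWORD:?set the OATH password in the environment}"
    codes=$(fetch_oath_codes)            # the environment-variable capture asked about
    code_for_account "${2:?account name required}" "$codes"
fi
```

Because `log_user 0` is set, nothing from the session is echoed, so the password never appears on the terminal and only the captured codes reach the caller; the timeout is deliberately generous because a short default is one reason an `expect eof` can give up before ykman has finished.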

I have found a good solution to access the codes stored on the Yubikey without using expect to pass the password. Using the ykman remember-password command, ykman stores an encrypted version of the password needed to access the stored codes on your Yubikey in your home directory, under .ykman, in a JSON file. When the Yubikey is inserted and you run your ykman oath code command, it automatically reads this encrypted file without further human intervention and gives the desired output.