I have recently purchased my first YubiKey and I am using the ykman oath code command on CentOS 7 to show the passcodes stored on this key. I have put a password on the YubiKey which must be entered to see the appropriate OATH codes. I am trying to automatically extract these auth codes using a very simple bash script called yubitest.sh, as follows:
```bash
#!/bin/bash
expect <(cat << 'EOF'
spawn ykman oath code
expect "Enter your password: "
send "PASSWORD\r"
EOF
)
```
OUTPUT
Unfortunately the PASSWORD is passed to the YubiKey but seems not to be processed, and the script falls through to the command prompt as follows:
```
[laptop .ssh]$ ./yubitest.sh (make sure permissions are set to 700)
spawn ykman oath code
Enter your password:
[laptop .ssh]$
```
It should return a list of codes from the yubikey.
This is the output when in debug mode for expect (using -d in the above script after the word expect):
```
expect version 5.45
argv[0] = expect argv[1] = -d argv[2] = /dev/fd/63
set argc 0
set argv0 "/dev/fd/63"
set argv ""
executing commands from command file /dev/fd/63
spawn ykman oath code
parent: waiting for sync byte
parent: telling child to go ahead
parent: now unsynchronized from child
spawn: returns {29954}
expect: does "" (spawn_id exp6) match glob pattern "Enter your password: "? no
Enter your password:
expect: does "Enter your password: " (spawn_id exp6) match glob pattern "Enter your password: "? yes
expect: set expect_out(0,string) "Enter your password: "
expect: set expect_out(spawn_id) "exp6"
expect: set expect_out(buffer) "Enter your password: "
send: sending "PASSWORD" to { exp6 }
```
Can anyone help highlight why the send command of expect is not passing the PASSWORD correctly? Also can anyone advise on how to pass the results of this to an environment variable?
2 Answers
I have found a good solution to access the codes stored on the YubiKey without using expect to pass the password. The ykman command stores an encrypted version of the password to access the stored codes on your YubiKey in your home directory under .ykman in a JSON file using the ykman remember-password command. When the YubiKey is inserted and you run your ykman oath code command, it automatically reads this encrypted file without further human intervention and gives the desired output.
This is because the expect script exits before ykman completes. After you send the password:
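Added example, not part of either answer above and not the posters' code: one way to keep expect running until ykman has finished and to capture the codes in a shell variable, as the question asks. The function name `yk_codes` and the `YK_PASS` environment variable are hypothetical; it assumes `expect` is installed and that the prompt text is the one shown in the question.

```shell
#!/bin/sh
# Added example (not from the original post). yk_codes is a hypothetical helper.
# Assumption: the OATH password is supplied in the YK_PASS environment variable,
# so it is not hard-coded in the script or visible in any argument list.
yk_codes() {
    expect -f - <<'EOF'
log_user 0                  ;# keep the prompt dialogue out of stdout
set timeout 15
if {![info exists env(YK_PASS)]} {
    puts stderr "YK_PASS is not set"
    exit 64
}
spawn -noecho ykman oath code
expect {
    "Enter your password: " { send -- "$env(YK_PASS)\r" }
    timeout { puts stderr "no password prompt within ${timeout}s"; exit 65 }
    eof     { puts stderr "ykman exited before prompting"; exit 66 }
}
# The step missing from the question's script: keep reading until ykman
# closes its output. Without it, expect exits right after send.
expect {
    timeout { puts stderr "timed out waiting for codes"; exit 65 }
    eof     {}
}
# Output after the prompt is in expect_out(buffer); drop the CRs the pty adds.
puts [string trim [string map [list \r ""] $expect_out(buffer)]]
# Propagate ykman's own exit status to the caller.
lassign [wait] pid spawn_handle os_error status
exit $status
EOF
}

# Usage: capture the codes in a shell variable.
# CODES=$(yk_codes) || echo "ykman failed" >&2
```

Read `YK_PASS` in from a prompt (for example `read -rs YK_PASS; export YK_PASS`) or a file with 600 permissions rather than typing it on a command line that ends up in shell history.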