
#!/bin/bash
# Strict mode: abort on any failing command (-e) or unset variable (-u), and
# make a pipeline fail when any of its stages fails (-o pipefail). Conditions
# inside if/&&/|| are exempt, so critical steps still need explicit checks.
set -euo pipefail
# ==============================================================================
# Yubico Tools Installation Script
# ==============================================================================
# Installs the Yubico suite for YubiKey management and authentication
#
# Tools Installed:
# - YubiKey Manager (GUI) - Configure YubiKey settings, PINs, FIDO2, etc.
# - Yubico Authenticator - TOTP/HOTP authenticator using YubiKey
# - yubico-piv-tool - PIV (smart card) functionality
#
# Threat Model:
# - Phishing-resistant 2FA with hardware tokens
# - Password-less authentication via FIDO2/WebAuthn
# - Hardware-backed TOTP codes (can't be stolen from phone)
# - PIV/Smart card authentication for SSH, code signing
#
# Source: https://developers.yubico.com/
# ==============================================================================
# Colors
# ANSI escape sequences used by the log helpers below. They are stored as the
# literal backslash text and only turned into control bytes by `echo -e`.
declare -r GREEN='\033[0;32m'   # info
declare -r YELLOW='\033[1;33m'  # warnings
declare -r RED='\033[0;31m'     # errors
declare -r BLUE='\033[0;34m'    # section headers
declare -r NC='\033[0m'         # reset to default colour
# Print an informational line to stdout, prefixed with a green [INFO] tag.
# All arguments are joined with a single space into one message.
log() {
  local message="$*"
  echo -e "${GREEN}[INFO]${NC} ${message}"
}
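# Print a warning line, prefixed with a yellow [WARN] tag.
# Warnings are diagnostics, so they go to stderr: that keeps stdout clean when
# the script's output is captured or piped, and they still show on a terminal.
warn() {
  echo -e "${YELLOW}[WARN]${NC} $*" >&2
}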
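# Print an error line, prefixed with a red [ERROR] tag, and terminate the
# script with exit status 1. The message goes to stderr so it is not lost when
# stdout is redirected; the exit status is unchanged from the original helper.
error() {
  echo -e "${RED}[ERROR]${NC} $*" >&2
  exit 1
}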
# Print a blue section banner of the form "=== title ===" to stdout.
header() {
  local title="$*"
  echo -e "${BLUE}=== ${title} ===${NC}"
}
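# Where every downloaded component is placed (per-user, no root needed).
INSTALL_DIR="${HOME}/opt/yubico"
# Directory containing this script. Not referenced further down; kept so the
# variable stays available to anything that sources this file.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
header "Yubico Tools Installation"
echo ""
echo "This script will install:"
echo " 1. YubiKey Manager Qt (AppImage)"
echo " 2. Yubico Authenticator (for TOTP/HOTP)"
echo " 3. yubico-piv-tool (PIV/Smart Card support)"
echo ""
echo "Install location: $INSTALL_DIR"
echo ""
# -r keeps backslashes in the answer literal. A closed stdin (no answer at all)
# must abort with a clear message rather than silently defaulting to "yes";
# an empty answer still means yes, as before.
read -r -p "Continue? [Y/n]: " confirm || error "No confirmation received on stdin; aborting."
if [[ "${confirm:-Y}" =~ ^[Nn] ]]; then
  exit 0
fi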
# ==============================================================================
# Install Dependencies
# ==============================================================================
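header "Installing Dependencies"
log "Installing system packages for smart card and YubiKey support..."
# apt-get has a stable command-line interface intended for scripts; the `apt`
# front end warns about that when used non-interactively. Fail early with a
# readable message on systems without it instead of a bare "command not found".
command -v apt-get >/dev/null 2>&1 || error "apt-get not found; this installer targets Debian/Ubuntu."
# Package list as an array so it can be reviewed and passed as separate words.
# Purposes are inferred from the package names (smart-card stack, AppImage
# FUSE runtime, FIDO udev rules, Qt Wayland support, Python tooling) — verify
# against upstream docs before trimming the list.
packages=(
  pcscd
  libpcsclite1
  libpcsclite-dev
  swig
  libccid
  libfuse2
  libu2f-udev
  yubikey-personalization
  python3-pip
  python3-venv
  qtwayland5
  libqt5waylandclient5
)
sudo apt-get update
sudo apt-get install -y "${packages[@]}"
# pcscd is the PC/SC daemon the YubiKey tools use for smart-card access;
# enable it at boot and start it right away in one step.
log "Enabling pcscd service..."
sudo systemctl enable --now pcscd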
# ==============================================================================
# Create Install Directory
# ==============================================================================
# Everything downloaded below lands in INSTALL_DIR: create it if needed and
# make it the working directory for the extraction steps that follow. Under
# `set -e` a failing mkdir or cd stops the script here.
mkdir -p -- "${INSTALL_DIR}"
cd -- "${INSTALL_DIR}"
# ==============================================================================
# Install YubiKey Manager Qt (AppImage)
# ==============================================================================
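header "Installing YubiKey Manager Qt"
MANAGER_URL="https://developers.yubico.com/yubikey-manager-qt/Releases/yubikey-manager-qt-latest-linux.AppImage"
log "Downloading from: $MANAGER_URL"
# --fail turns an HTTP error page into a curl failure instead of a bogus
# "AppImage" that would then be chmod +x'd; --proto/--proto-redir keep the
# transfer (and any redirect the "-latest" alias follows) on HTTPS. The file
# is fetched to a .part name and renamed only after curl succeeds, so an
# interrupted download never leaves a truncated executable in place.
# NOTE(review): the download is not integrity-checked — the AppImage is run
# as-is. Verify it against the checksum or signature upstream publishes for
# the release before trusting it; what is available should be confirmed on
# the release page.
curl --fail --location --proto '=https' --proto-redir '=https' \
  -o yubikey-manager.AppImage.part "$MANAGER_URL"
mv -f -- yubikey-manager.AppImage.part yubikey-manager.AppImage
chmod +x yubikey-manager.AppImage
# Create desktop entry. The Exec path is double-quoted as the desktop-entry
# spec allows, so an INSTALL_DIR containing spaces still launches.
log "Creating desktop entry..."
mkdir -p ~/.local/share/applications
cat > ~/.local/share/applications/yubikey-manager.desktop << EOF
[Desktop Entry]
Name=YubiKey Manager
Comment=Configure your YubiKey
Exec=env QT_QPA_PLATFORM=xcb "${INSTALL_DIR}/yubikey-manager.AppImage"
Icon=yubikey-manager
Type=Application
Categories=Utility;Security;
Terminal=false
EOF
log "✅ YubiKey Manager installed"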
# ==============================================================================
# Install Yubico Authenticator
# ==============================================================================
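header "Installing Yubico Authenticator"
AUTH_URL="https://developers.yubico.com/yubioath-flutter/Releases/yubico-authenticator-latest-linux.tar.gz"
log "Downloading from: $AUTH_URL"
# --fail rejects HTTP error pages instead of extracting them as a tarball;
# --proto/--proto-redir keep the download and any redirect on HTTPS.
# NOTE(review): no integrity check is performed on the archive — verify it
# against the checksum or signature upstream publishes for the release.
curl --fail --location --proto '=https' --proto-redir '=https' \
  -o yubico-authenticator.tar.gz "$AUTH_URL"
tar -xzf yubico-authenticator.tar.gz
rm -f -- yubico-authenticator.tar.gz
# Find extracted directory (version varies)
AUTH_DIR=$(find . -maxdepth 1 -type d -name "yubico-authenticator*" | head -1)
if [[ -n "$AUTH_DIR" ]]; then
  # On a re-run an existing "authenticator" directory would make mv nest the
  # new tree inside it; replace it instead. ${VAR:?} aborts if INSTALL_DIR is
  # somehow empty so the rm can never target "/authenticator".
  rm -rf -- "${INSTALL_DIR:?}/authenticator"
  mv -- "$AUTH_DIR" authenticator
  # Create desktop entry (Exec quoted so paths with spaces still work).
  cat > ~/.local/share/applications/yubico-authenticator.desktop << EOF
[Desktop Entry]
Name=Yubico Authenticator
Comment=TOTP/HOTP authenticator for YubiKey
Exec="${INSTALL_DIR}/authenticator/authenticator"
Icon=yubico-authenticator
Type=Application
Categories=Utility;Security;
Terminal=false
EOF
  log "✅ Yubico Authenticator installed"
else
  warn "Could not find authenticator directory after extraction"
fi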
# ==============================================================================
# Install yubico-piv-tool
# ==============================================================================
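header "Installing yubico-piv-tool"
PIV_URL="https://developers.yubico.com/yubico-piv-tool/Releases/yubico-piv-tool-latest.tar.gz"
log "Downloading from: $PIV_URL"
# --fail rejects HTTP error pages instead of extracting them as a tarball;
# --proto/--proto-redir keep the download and any redirect on HTTPS.
# NOTE(review): no integrity check is performed on the archive — verify it
# against the checksum or signature upstream publishes for the release.
curl --fail --location --proto '=https' --proto-redir '=https' \
  -o yubico-piv-tool.tar.gz "$PIV_URL"
tar -xzf yubico-piv-tool.tar.gz
rm -f -- yubico-piv-tool.tar.gz
# Find extracted directory
PIV_DIR=$(find . -maxdepth 1 -type d -name "yubico-piv-tool*" | head -1)
if [[ -n "$PIV_DIR" ]]; then
  # Replace any leftover from a previous run so mv does not nest into it;
  # ${VAR:?} guards against an empty INSTALL_DIR.
  rm -rf -- "${INSTALL_DIR:?}/piv-tool"
  mv -- "$PIV_DIR" piv-tool
  # The rest of the script assumes a prebuilt bin/ tree under piv-tool.
  # NOTE(review): the "-latest.tar.gz" release may be a source tarball that
  # has to be built first — confirm upstream. Until then, say so plainly
  # instead of pointing the user at a path that may not exist.
  if [[ -x piv-tool/bin/yubico-piv-tool ]]; then
    # Add to PATH hint
    log "piv-tool binaries at: ${INSTALL_DIR}/piv-tool/bin/"
    log "✅ yubico-piv-tool installed"
  else
    warn "Extracted to ${INSTALL_DIR}/piv-tool but no bin/yubico-piv-tool binary was found (source tarball? build it first)."
  fi
else
  warn "Could not find piv-tool directory after extraction"
fi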
# ==============================================================================
# Create launch scripts
# ==============================================================================
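header "Creating Launch Scripts"
mkdir -p ~/bin
# Both heredocs are unquoted on purpose: ${INSTALL_DIR} is baked into the
# launcher at install time, while "\$@" is escaped so the generated script
# forwards its own arguments. The target path is double-quoted inside the
# generated script so an INSTALL_DIR containing spaces still works.
# YubiKey Manager launcher (use xcb backend for Wayland compatibility)
cat > ~/bin/yubikey-manager << EOF
#!/bin/bash
# Use xcb (X11) backend - more reliable than Wayland for this AppImage
export QT_QPA_PLATFORM=xcb
exec "${INSTALL_DIR}/yubikey-manager.AppImage" "\$@"
EOF
chmod +x ~/bin/yubikey-manager
# Yubico Authenticator launcher
cat > ~/bin/yubico-auth << EOF
#!/bin/bash
exec "${INSTALL_DIR}/authenticator/authenticator" "\$@"
EOF
chmod +x ~/bin/yubico-auth
log "✅ Launch scripts created in ~/bin/"
# The launchers are only reachable by name if ~/bin is on PATH; say so rather
# than letting the usage text at the end promise commands that won't resolve.
case ":${PATH}:" in
  *":${HOME}/bin:"*) ;;
  *) warn "~/bin is not on your PATH; add it or call the launchers by full path." ;;
esac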
# ==============================================================================
# Verify Installation
# ==============================================================================
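header "Verifying Installation"
echo ""
echo "Installed components:"
# Explicit if/else instead of `test && ok || fail`, which would also run the
# failure branch if the success command itself failed.
if [[ -f "$INSTALL_DIR/yubikey-manager.AppImage" ]]; then echo " ✅ YubiKey Manager AppImage"; else echo " ❌ YubiKey Manager"; fi
if [[ -d "$INSTALL_DIR/authenticator" ]]; then echo " ✅ Yubico Authenticator"; else echo " ❌ Yubico Authenticator"; fi
if [[ -d "$INSTALL_DIR/piv-tool" ]]; then echo " ✅ yubico-piv-tool"; else echo " ❌ yubico-piv-tool"; fi
if systemctl is-active --quiet pcscd; then echo " ✅ pcscd service running"; else echo " ⚠️ pcscd service not running"; fi
# Check for YubiKey
echo ""
log "Checking for connected YubiKey..."
# lsusb (usbutils) is not guaranteed to be installed; without it "no key
# detected" would be misleading, so distinguish "cannot check" from "absent".
if ! command -v lsusb >/dev/null 2>&1; then
  warn "lsusb not available; skipping YubiKey detection."
elif lsusb | grep -qiE 'yubico|yubikey'; then
  echo " ✅ YubiKey detected!"
  lsusb | grep -iE 'yubico|yubikey'
else
  warn "No YubiKey detected. Plug one in to use the tools."
fi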
# ==============================================================================
# Usage Instructions
# ==============================================================================
echo ""
header "Installation Complete"
# Closing quick-reference. The heredoc delimiter is unquoted so that
# ${INSTALL_DIR} expands into the piv-tool path; everything else is literal.
cat << EOF

Usage:
 yubikey-manager - Launch YubiKey Manager GUI
 yubico-auth - Launch Yubico Authenticator

YubiKey Manager can:
 - Reset and configure YubiKey
 - Manage FIDO2 PIN
 - Configure OTP slots
 - Manage PIV certificates

Yubico Authenticator:
 - Store TOTP/HOTP codes on YubiKey
 - Codes stored in hardware (phishing-resistant)
 - Scan QR codes to add accounts

PIV Tool (command line):
 ${INSTALL_DIR}/piv-tool/bin/yubico-piv-tool --help

📖 Documentation: https://developers.yubico.com/
EOF