ephemere/bash/yubikey/README.md
hikari ec58c9c843
feat: reorganise bash scripts and add comprehensive documentation (#6)
## Summary

This PR completes the bash script restructuring and adds comprehensive documentation across all script categories.

### Bash Restructuring

- Moved cohort shell scripts (`remove_github_members.sh`, `update_github_teams.sh`) from `python/cohort/` into a new `bash/cohort/` directory
- Moved existing bash utilities (`add-keys-to-git.sh`, `fix-yubikey-perms.sh`, `list-yubikey-ssh-keys.sh`) into a new `bash/yubikey/` subdirectory
- Updated `run.sh` to support **Bash** as a third language option alongside TypeScript and Python
  - Bash scripts are run directly (no 1Password secret injection needed)
  - Category discovery and script listing works the same as for TS/Python
  - Removed dead "Root Scripts" logic that was no longer needed

### Documentation

Added `README.md` files for all script categories that were missing them:

- `bash/cohort/README.md` — cohort GitHub team management scripts
- `bash/yubikey/README.md` — YubiKey SSH key and permission utilities
- `typescript/src/crowdin/README.md` — Crowdin translation management scripts
- `typescript/src/discord/README.md` — Discord bot utility scripts
- `typescript/src/discourse/README.md` — Discourse forum management scripts
- `typescript/src/gitea/README.md` — Gitea bulk repository operation scripts
- `typescript/src/github/README.md` — GitHub API interaction scripts
- `typescript/src/music/README.md` — Music file metadata tools
- `typescript/src/s3/README.md` — S3-compatible object storage scripts
- `typescript/src/security/README.md` — Security analysis and reporting scripts
- `python/cohort/README.md` — Updated to remove moved shell scripts, fix usage commands

Also updated project-level docs:

- **`README.md`** — Corrected project structure, fixed running instructions (removed references to non-existent `make run-ts`/`make run-py` targets), added Bash prerequisites
- **`CLAUDE.md`** — Updated project overview, structure, development standards, and script-adding guides to reflect the current state of the project

 This PR was created with help from Hikari~ 🌸

Co-authored-by: Naomi Carrigan <commits@nhcarrigan.com>
Reviewed-on: #6
Co-authored-by: Hikari <hikari@nhcarrigan.com>
Co-committed-by: Hikari <hikari@nhcarrigan.com>
2026-02-23 20:18:41 -08:00


YubiKey Scripts

Shell scripts for managing YubiKey hardware security keys on WSL (Windows Subsystem for Linux). Covers SSH key extraction, Git signing key configuration, and fixing USB permission issues that commonly arise in WSL environments.

All scripts require a YubiKey to be attached and forwarded to WSL via usbipd. The ykman and yubico-piv-tool packages must be installed.

Getting Started

Run scripts via the interactive runner from the project root:

```bash
make run
# Select: Bash → yubikey → <script>
```

Or run directly:

```bash
bash bash/yubikey/<script-name>.sh
```


add-keys-to-git.sh

Extracts the SSH public keys from three YubiKey PIV slots and writes them as Git commit signing keys to the corresponding per-context Git config files. Run this after replacing or re-provisioning a YubiKey.

| Slot | Context      | Config file    |
|------|--------------|----------------|
| 9a   | Personal     | ~/.git-naomi   |
| 9c   | Deepgram     | ~/.git-dg      |
| 9e   | FreeCodeCamp | ~/.git-fcc     |

Usage

```bash
bash bash/yubikey/add-keys-to-git.sh
```

Environment Variables

None.

Data Files

None.

Notes

  • After running, you must upload the new public keys to GitHub (and any other services that verify commit signatures) manually.
  • Requires ykman and ssh-keygen to be available in your PATH.

fix-yubikey-perms.sh

Repairs YubiKey connectivity in WSL by fixing USB device permissions, restarting smart card services, and applying a polkit policy override that allows smart card access in WSL's "inactive" session context.

Usage

```bash
bash bash/yubikey/fix-yubikey-perms.sh
```

Environment Variables

None.

Data Files

None.

Notes

  • Run this script when ykman or yubico-piv-tool fail with "Failed to connect" or similar errors after attaching the YubiKey via usbipd.
  • The polkit fix modifies /usr/share/polkit-1/actions/org.debian.pcsc-lite.policy (a backup is created automatically on first run).
  • Requires sudo access. Several steps use sudo to modify system files and restart services.
  • Requires lsusb, yubico-piv-tool, systemctl, and gpgconf to be available.

list-yubikey-ssh-keys.sh

Scans PIV slots 9a, 9c, 9d, and 9e on the connected YubiKey and prints any SSH public keys found, along with the certificate subject label if one is present.

Usage

```bash
bash bash/yubikey/list-yubikey-ssh-keys.sh
```

Environment Variables

None.

Data Files

None.

Notes

  • Requires ykman, ssh-keygen, and openssl to be available.
  • Writes a temporary file to /tmp/yubi_tmp.pem during execution; it is cleaned up automatically after each slot is processed.
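
An added example, not taken from the repository's scripts: one way to turn a PEM certificate exported from a PIV slot into an SSH public key and record it as a signing key in a per-context Git config file (the step add-keys-to-git.sh is described as doing), using a private `mktemp` file instead of a fixed name such as /tmp/yubi_tmp.pem so that another local user cannot pre-create or swap the file. The function names, the `key::` literal-key form, and the export command shown in the comment are assumptions about how such a script could work.

```shell
#!/usr/bin/env bash
# Added example: not one of the repository's scripts.
# Assumes each PIV slot holds an X.509 certificate exported as PEM, e.g.
#   ykman piv certificates export 9a - > slot-9a.pem

# Print the OpenSSH-format public key embedded in a PEM certificate.
pem_cert_to_ssh_pubkey() {
  local cert="$1" tmp key
  # mktemp creates an unpredictable, owner-only file, unlike a fixed /tmp name.
  tmp=$(mktemp) || return 1
  if openssl x509 -in "$cert" -noout -pubkey > "$tmp" 2>/dev/null &&
     key=$(ssh-keygen -i -m PKCS8 -f "$tmp" 2>/dev/null); then
    rm -f "$tmp"
    printf '%s\n' "$key"
  else
    # Clean up on the failure path too, then report the error to the caller.
    rm -f "$tmp"
    return 1
  fi
}

# Store the key as user.signingkey in one per-context Git config file
# (hypothetical helper). The "key::" prefix marks a literal SSH public key.
set_signing_key() {
  local config="$1" cert="$2" key
  key=$(pem_cert_to_ssh_pubkey "$cert") || {
    echo "no usable certificate in $cert" >&2
    return 1   # leave the config file untouched when the slot is empty or invalid
  }
  git config --file "$config" gpg.format ssh
  git config --file "$config" user.signingkey "key::$key"
}
```

Calling `set_signing_key ~/.git-naomi slot-9a.pem` once per row of the slot table covers all three contexts; a slot with no certificate fails without modifying the config file.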