Apsu/preset.sh

## preset.sh
#!/bin/bash

# grab PAM-provided auth token
read token

# gpg-preset-passphrase is often in /usr/libexec or /usr/lib/gnupg
preset=/usr/lib/gnupg/gpg-preset-passphrase

# grab our user, USER isn't always set
USER=$(id -un)

# switch to PAM_USER, buffer return value
$([[ $PAM_USER != $USER ]] && echo su - $PAM_USER -s) /bin/bash <<EOF || true
    # pick an agent, any agent
    #source <(keychain --quiet --eval --noask --ignore-missing --agents gpg)
    source <(envoy -p)

    # get these keygrips:
    #   pub/sub fprints only for priv keys
    #   SSH keys managed by gpg
    keygrips="\$(gpg -K --fingerprint --fingerprint |
                 sed -rn '/fingerprint/ {s/^.*= (.*)$/\1/; s/ //gp}')
              \$(sed -rn '/^[^#]/ s/^([A-F0-9]*).*$/\1/p' ${GNUPGHOME:-.gnupg}/sshcontrol)"

    # preset each keygrip
    for keygrip in \$keygrips
    do
        $preset -v -c \$keygrip <<< "$token"
    done
EOF

## system-auth
auth    optional    pam_exec.so expose_authtok /usr/local/bin/preset.sh
	#!/bin/bash

	# grab PAM-provided auth token
	read token

	# gpg-preset-passphrase is often in /usr/libexec or /usr/lib/gnupg
	preset=/usr/lib/gnupg/gpg-preset-passphrase

	# grab our user, USER isn't always set
	USER=$(id -un)

	# switch to PAM_USER, buffer return value
	$([[ $PAM_USER != $USER ]] && echo su - $PAM_USER -s) /bin/bash <<EOF \|\| true
	# pick an agent, any agent
	#source <(keychain --quiet --eval --noask --ignore-missing --agents gpg)
	source <(envoy -p)

	# get these keygrips:
	# pub/sub fprints only for priv keys
	# SSH keys managed by gpg
	keygrips="\$(gpg -K --fingerprint --fingerprint \|
	sed -rn '/fingerprint/ {s/^.= (.)$/\1/; s/ //gp}')
	\$(sed -rn '/^[^#]/ s/^([A-F0-9]).$/\1/p' ${GNUPGHOME:-.gnupg}/sshcontrol)"

	# preset each keygrip
	for keygrip in \$keygrips
	do
	$preset -v -c \$keygrip <<< "$token"
	done
	EOF