@Apsu
Last active August 22, 2022 14:55
Gist: Apsu/6758891
PAM-integrated GPG-agent with passphrase presetting
/usr/local/bin/gpg-pam-exec (run by pam_exec.so as root during authentication):
#!/usr/bin/env bash
# pam_exec.so with expose_authtok writes the user's password to our stdin.
# Read it raw (-r, empty IFS) so backslashes and surrounding spaces survive.
IFS= read -r token
# Grab our user; $USER isn't always set in the PAM environment
USER="$(id -un)"
# PAM_USER is the account being authenticated. If that isn't us, switch to it
# with su, passing the preset script as the "shell" so it runs as that user;
# the token travels on stdin only and never appears in ps.
if [[ "$PAM_USER" != "$USER" ]]; then
  su - "$PAM_USER" -s /usr/local/bin/gpg-preset-passphrase <<< "$token"
else
  /usr/local/bin/gpg-preset-passphrase <<< "$token"
fi

/usr/local/bin/gpg-preset-passphrase (runs as the user whose keys are unlocked):
#!/usr/bin/env bash
# The token arrives on stdin, not as an argument, so it never shows up in ps
IFS= read -r token
# gpg-preset-passphrase is often in /usr/libexec or /usr/lib/gnupg
preset=/usr/lib/gnupg/gpg-preset-passphrase
[[ -x "$preset" ]] || { echo "$preset: not found" >&2; exit 1; }
# Start agent if needed, grab env
source <(/usr/local/bin/gpg-start-agent)
# Collect the cache-ids to preset:
#  - fingerprints of the secret subkeys (each ssb record is followed by its fpr record)
#  - keygrips of the SSH keys managed by gpg-agent (keyinfo --ssh-list)
# Note: GnuPG 2.0, which this targets, caches gpg passphrases by fingerprint.
# GnuPG 2.1+ keeps secret keys inside the agent and caches by keygrip, which
# `gpg -K --with-keygrip` prints as "grp" records; use those as cache-ids there.
fingerprints=($(gpg -K --fingerprint --fingerprint --with-colons | sed -nr '/ssb/,+1{s/^fpr:+(.*):$/\1/p}'))
fingerprints+=($(gpg-connect-agent "keyinfo --ssh-list" /bye | sed -nr 's/^.*KEYINFO ([^ ]+).*$/\1/p'))
# Preset each cache-id (-c is short for --preset)
for fingerprint in "${fingerprints[@]}"; do
  "$preset" -c "$fingerprint" <<< "$token"
done
unset token
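Added example (shell, not part of the gist): a field-based replacement for the two sed extractions above plus a post-login check of what the agent actually holds. It assumes the GnuPG 2.1+ colon layout (keygrips in `grp` records from `--with-keygrip`) and the agent's `KEYINFO` reply layout; all sample output is constructed. Unlike the gist's line-based `/ssb/,+1` address, a uid that merely contains "ssb" no longer causes the following subkey to be skipped.

```shell
# Constructed `gpg -K --with-colons --with-keygrip` output (GnuPG 2.1+ field
# layout, keygrips in "grp" records): one primary key and two subkeys. The uid
# deliberately contains "ssb" (crossbow@...), which a line-based /ssb/ address
# would treat as a subkey record.
SAMPLE_KEYS='sec:u:4096:1:1111111111111111:1380000000::u:::scESC:::+:::23::0:
fpr:::::::::0000000000000000000000001111111111111111:
grp:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:u::::1380000000::0123456789ABCDEF0123456789ABCDEF01234567::Test User <crossbow@example.com>::::::::::0:
ssb:u:4096:1:2222222222222222:1380000000::::::s:::+:::23:
fpr:::::::::0000000000000000000000002222222222222222:
grp:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
ssb:u:4096:1:3333333333333333:1380000000::::::e:::+:::23:
fpr:::::::::0000000000000000000000003333333333333333:
grp:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:'

# Constructed `gpg-connect-agent "keyinfo --list" /bye` reply. Field 7 is the
# agent's "cached" flag: 1 = passphrase held, - = not held.
SAMPLE_KEYINFO='S KEYINFO AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA D - - - P - - -
S KEYINFO BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB D - - 1 P - - -
S KEYINFO CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC D - - - P - - -
OK'

# cache_ids MODE  (MODE = fpr for GnuPG 2.0 fingerprints, grp for 2.1+ keygrips)
# Prints one cache-id per secret subkey, taken from the fpr/grp record that
# follows its ssb record. Matches on field 1 only, never on substrings.
cache_ids() {
  awk -F: -v want="$1" '
    $1 == "sec" || $1 == "uid" || $1 == "uat" { subkey = 0 }
    $1 == "ssb"                                { subkey = 1; next }
    subkey && $1 == want                       { print $10 }
  '
}

# uncached_keygrips: keygrips whose passphrase the agent does not hold, i.e.
# the keys the preset step missed. Run after login to check the PAM hook.
uncached_keygrips() {
  awk '$1 == "S" && $2 == "KEYINFO" && $7 != "1" { print $3 }'
}

# join_lines: fold multi-line output into one comma-separated string
join_lines() { tr '\n' ',' | sed 's/,$//'; }

# Stand-alone run: which ids to preset, and which keys are still locked
printf '%s\n' "$SAMPLE_KEYS" | cache_ids grp | join_lines; echo
printf '%s\n' "$SAMPLE_KEYINFO" | uncached_keygrips | join_lines; echo
```

In the real preset loop, replace the sed pipelines with `gpg -K --with-colons --with-keygrip | cache_ids grp` (or `cache_ids fpr` with the gist's `--fingerprint --fingerprint` invocation on GnuPG 2.0).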

/usr/local/bin/gpg-start-agent (sourced by gpg-preset-passphrase):
#!/usr/bin/env bash
# Start the GnuPG agent and enable OpenSSH agent emulation.
# Prints "export VAR=value" lines on stdout for the caller to "source".
# The agent stores its env vars here. This is GnuPG 2.0 behaviour:
# --write-env-file and GPG_AGENT_INFO were removed in 2.1, where
# `gpgconf --launch gpg-agent` and `gpgconf --list-dirs agent-ssh-socket`
# take over this job.
gnupginf="${HOME}/.gnupg/gpg-agent.info"
# Already running for this user? (id instead of $USER, which isn't always set)
if pgrep -U "$(id -u)" -x gpg-agent &>/dev/null; then
  # Spit out export lines from the saved env file
  while IFS= read -r line; do echo export "$line"; done < "$gnupginf"
else
  # Start agent; with --daemon and no command it prints sh-style
  # "VAR=value; export VAR;" lines itself and also writes them to the file
  gpg-agent --enable-ssh-support --disable-scdaemon --daemon --write-env-file "$gnupginf"
fi
unset gnupginf

PAM configuration: one line in the /etc/pam.d/ file of the service whose password should unlock the keys. expose_authtok hands the password to the script on stdin, and "optional" keeps a script failure from blocking the login.
auth optional pam_exec.so expose_authtok /usr/local/bin/gpg-pam-exec