Scripting Token Retrieval on OSX

It's being sometime that I'm working from home and because of that I have to use my RSA software token way more often. After a couple of: start SecurID, type your pin, copy the token number, close the SecurID and paste on whatever intranet site I want to access; I went and automated the whole thing with AppleScript.

Now I just fire up the script using and done, the token is added to my clipboard and I can paste it anywhere I need.

Note on security

There's a caveat. If you're willing to automate the token retrieval, where did you plan to write down your pin? If you do it on the script itself it's a bad idea since is easy to get your pin just by executing grep on it.

A better and more secure solution is to have an encrypted storage on your OSX from where you can retrieve the pin, and guess what, you have it and it's called Keychain. That's what I did, just added a new key to "login.keychain" (where all your web passwords get saved) called rsatoken.

The implementation

I needed to search the internet for some information (since AppleScript is not my strongest skill) and I ended up with this script:

set appName to "SecurID"
set thePin to RsaTokenPin()

activate application appName

tell application appName
    tell application "System Events"
        keystroke thePin -- type the pin number
        key code 36 -- return key
        delay 0.3 -- wait for token appear
        key code 48 -- press tab
        key code 49 -- space (to hit the copy button)
    end tell
end tell

quit application appName

on RsaTokenPin()
    return (do shell script "security -q find-generic-password -gl rsatoken 2>&1  | egrep '^password' | awk -F\\\" '{print $2}'")
end RsaTokenPin

What the script does is pretty much the way you have to do it manually, it fires up the SecurID application, enters your pin, type return than a tab followed by a space (which will press the "copy" button) and closes the application.

The catch is on retrieving your pin number, it doesn't use the AppleScript API to do it. Several sources stated that AppleScript and Keychain are not a good combination and dreadful slow. So I followed their advise and used the security shell command.

The security command doesn't give a usable output with just the password so I had to use a little more piping around to get what I wanted.

That's it, quick recap. Add a key named "rsatoken" to your Keychain with your pin as password. Paste this script in your Apple Script Editor and save it as an Application. This should save some minutes during the day if you need to enter your token quite often as I do.

Cheers, Marco.

Published in Oct 09, 2012