YubiKey lock screen: Difference between revisions

From D3xt3r01.tk

Latest revision as of 17:37, 4 April 2013

What

I'm trying to make my Fedora 17 (GNOME 3) desktop lock the screen when it sees my YubiKey removed from the USB slot.

HOW

Get the serial, idVendor and idProduct of the device:

udevadm info -a -p $(udevadm info -q path -n /dev/hidraw0)

Create /etc/udev/rules.d/85-screen-lock-toggle.rules:

SUBSYSTEM=="usb", ACTION=="remove", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0010", RUN+="/usr/local/bin/gnome-lock enable"
SUBSYSTEM=="usb", ACTION=="add", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0010", RUN+="/usr/local/bin/gnome-lock disable"

You should also reload the rules afterwards:

udevadm control --reload-rules

And you should create the following script (you'll probably have to comment out the default requiretty in /etc/sudoers):

~# cat /usr/local/bin/gnome-lock
#!/bin/bash
# Runs as root in two modes: from pam_exec (PAM_USER is set, no arguments)
# or from udev with "enable" (key removed) / "disable" (key inserted).
# Note: both the log and the lock marker are fixed paths in /tmp that root
# writes to; a directory only root can write (e.g. /var/log, /run) avoids
# symlink tricks by other local users.
log="/tmp/yubi_lock_log"
yubimap="/etc/yubikey_decmappings"
ykinfo=$(/usr/bin/ykinfo -q -s)
if [ -n "${PAM_USER}" ]
then
    echo "AUTH-PAM $(date) $(whoami) - '${PAM_USER}' '$0'" >>"${log}"
    # Only users listed in the map are required to present a key.
    if [ "$(fgrep -wc "${PAM_USER}" "${yubimap}")" == "1" ]
    then
        echo "IT REQUIRES YUBIKEY." >>"${log}"
        if [ -z "${ykinfo}" ]
        then
            echo "Didn't find a yubikey." >>"${log}"
            exit 1
        fi
        echo "Searching for ${PAM_USER}:${ykinfo} in ${yubimap}. Found:" >>"${log}"
        fgrep -w "${PAM_USER}:${ykinfo}" "${yubimap}" >>"${log}"
        exitcode=$?
        echo "EXITCODE=${exitcode}" >>"${log}"
        exit ${exitcode}
    else
        exit 0
    fi
else
    # udev mode: find the logged-in GNOME session and borrow its session bus.
    gnome_session=$(/usr/bin/ps aux | fgrep gnome-session | fgrep -v fgrep | head -n 1)
    user=$(echo "${gnome_session}" | awk '{print $1}')
    GNOME_SESSION_PROC=$(echo "${gnome_session}" | awk '{print $2}')
    export "$(grep -z DBUS_SESSION_BUS_ADDRESS "/proc/${GNOME_SESSION_PROC}/environ" | tr -d '\0')"
    export DISPLAY=":0"
    current_lock_status=$(/sbin/runuser "${user}" -c "/usr/bin/qdbus org.gnome.ScreenSaver /org/gnome/ScreenSaver org.gnome.ScreenSaver.GetActive")
    echo "AUTH-GNOME $(date) $(whoami) - '${user}' - '${ykinfo}' - '$0' '$1'" >>"${log}"
    if [ "$1" == "enable" ]
    then
        # Key removed: lock, but only for a mapped user and only if not already locked.
        if [ -n "${user}" -a "$(fgrep -wc "${user}" "${yubimap}")" == "1" -a "${current_lock_status}" == "false" ]
        then
            /sbin/runuser "${user}" -c "/usr/bin/dbus-send --type=method_call --dest=org.gnome.ScreenSaver /org/gnome/ScreenSaver org.gnome.ScreenSaver.Lock"
            touch /tmp/.yubikey_lock
        fi
    else
        # Key inserted: unlock only if this key belongs to the user and the lock was ours.
        if [ -n "${user}" -a "$(fgrep -wc "${user}:${ykinfo}" "${yubimap}")" == "1" ]
        then
            if [ -f /tmp/.yubikey_lock ]
            then
                /sbin/runuser "${user}" -c "dbus-send --type=method_call --dest=org.gnome.ScreenSaver /org/gnome/ScreenSaver org.gnome.ScreenSaver.SetActive boolean:false"
                rm -f /tmp/.yubikey_lock
            fi
        fi
    fi
fi

Your /etc/yubikey_decmappings should contain one user:key line per user; the key value is what ykinfo -q -s prints. This is what decides which key may unlock which login on a machine with several desktop users.

The ykinfo binary is available in Rawhide (or Fedora >= 18).

Also, since Fedora 17 it seems, for me at least, that I can't use gnome-screensaver-command to query the screensaver, so I switched to dbus and runuser :)

The latest changes to the script make it unlock only if the screen was locked by the YubiKey removal in the first place!

For the PAM method to work, you need these two lines in the relevant /etc/pam.d file (I don't know which one your system uses; my Fedora used /etc/pam.d/password-auth and /etc/pam.d/system-auth):

auth required pam_exec.so quiet /usr/local/bin/gnome-lock
auth sufficient    pam_unix.so try_first_pass nullok
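As an added example (not part of the wiki page), here is an exact-match version of the PAM branch of gnome-lock, built for the user:key map format described above and the pam_exec hook just shown: it compares the map field by field instead of relying on fgrep -w, fails closed when the map is unreadable, and denies a mapped user whose key is absent. The mapping lines and serials in it are constructed.

```shell
#!/bin/bash
# Added example: exact-match replacement for the PAM branch of gnome-lock.
#   yubi_auth_check USER SERIAL MAPFILE
# USER    - the PAM_USER being authenticated
# SERIAL  - output of `ykinfo -q -s`, empty when no key is plugged in
# MAPFILE - /etc/yubikey_decmappings, one "user:serial" line per user
# Exit status follows pam_exec: 0 = success, non-zero = failure.
yubi_auth_check() {
    local user="$1" serial="$2" map="$3"

    # A map that cannot be read must fail closed, not fall through.
    [ -r "$map" ] || return 2

    # Users without a mapping line do not need a key: let the rest of the
    # PAM stack (pam_unix) decide. Field compare, so "bob" does not match
    # "bobby" and regex metacharacters in the name are harmless.
    if [ "$(awk -F: -v u="$user" '$1 == u { n++ } END { print n + 0 }' "$map")" -eq 0 ]; then
        return 0
    fi

    # Mapped user but no key present: deny.
    [ -n "$serial" ] || return 1

    # Mapped user: the plugged-in key's serial must match one of that
    # user's lines exactly (a prefix such as 123456 vs 1234567 is rejected).
    awk -F: -v u="$user" -v s="$serial" \
        '$1 == u && $2 == s { found = 1 } END { exit !found }' "$map"
}

# Constructed sample mapping (not real serials) for a stand-alone run.
make_sample_map() {
    local f
    f=$(mktemp) || return 1
    printf '%s\n' 'alice:1234567' 'bob:7654321' 'alice:2222222' > "$f"
    echo "$f"
}

# When run by pam_exec (PAM_USER exported), read the key and decide.
if [ -n "${PAM_USER}" ]; then
    yubi_auth_check "${PAM_USER}" "$(/usr/bin/ykinfo -q -s 2>/dev/null)" /etc/yubikey_decmappings
    exit $?
fi
```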

ISSUES

On an Arch environment it has been reported that you need some other exports for this to work:

GNOME_SCREENSAVER_PROC=`ps xa | grep gnome-screensaver | head -n 1 | awk '{print $1}'`
export `grep -z DBUS_SESSION_BUS_ADDRESS /proc/$GNOME_SCREENSAVER_PROC/environ`

Also, you could use D-Bus directly to lock, unlock and query the screensaver:

sudo -u ${user} dbus-send --type=method_call --dest=org.gnome.ScreenSaver /org/gnome/ScreenSaver org.gnome.ScreenSaver.SetActive boolean:false # for unlock
sudo -u ${user} dbus-send --type=method_call --dest=org.gnome.ScreenSaver /org/gnome/ScreenSaver org.gnome.ScreenSaver.Lock # for lock
sudo -u ${user} qdbus org.gnome.ScreenSaver /org/gnome/ScreenSaver org.gnome.ScreenSaver.GetActive # to query via qdbus
sudo -u ${user} /usr/bin/gnome-screensaver-command --query