YubiKey lock screen: Difference between revisions

From D3xt3r01.tk
Jump to navigationJump to search
← Older editNewer edit →
Line 29: Line 29:
log="/tmp/yubi_lock_log"
log="/tmp/yubi_lock_log"
yubimap="/etc/yubikey_decmappings"
yubimap="/etc/yubikey_decmappings"
echo "$(date) $(whoami) '$0' '$1'" >> ${log}
user=$(ps aux | grep gnome-screensaver | head -n 1 | awk '{print $1}')
echo "$(date) $(whoami) - '${user}' '$0' '$1'" >> ${log}
export DISPLAY=":0"
current_lock_status=$(sudo -u ${user} /usr/bin/gnome-screensaver-command --query)


user=`ps aux | grep gnome-screensaver | head -n 1 | awk '{print $1}'`
export DISPLAY=":0"
if [ "$1" == "enable" ]
if [ "$1" == "enable" ]
then
then
     if [ -n ${user} -a "$(grep -c ${user}:${ID_SERIAL_SHORT} ${yubimap})" == "1" ]
     if [ -n ${user} -a "$(grep -c ${user}:${ID_SERIAL_SHORT} ${yubimap})" == "1" -a "$(echo ${current_lock_status} | fgrep -wc inactive)" == "1" ]
         then
         then
             sudo -u ${user} /usr/bin/gnome-screensaver-command -l >> ${log} 2>&1
             sudo -u ${user} /usr/bin/gnome-screensaver-command -l >> ${log} 2>&1
                touch /tmp/.yubikey_lock
         fi
         fi
else
else
     if [ -n ${user} -a "$(grep -c ${user}:000$(ykinfo -q -s) ${yubimap})" == "1" ]
     if [ -n ${user} -a "$(grep -c ${user}:000$(ykinfo -q -s) ${yubimap})" == "1" ]
         then
         then
             sudo -u ${user} /usr/bin/gnome-screensaver-command -d >> ${log} 2>&1
             if [ -f /tmp/.yubikey_lock ]
                then
                    sudo -u ${user} /usr/bin/gnome-screensaver-command -d >> ${log} 2>&1
                        rm -f /tmp/.yubikey_lock
                fi
         fi
         fi
fi
fi
</source>
</source>


Your /etc/yubikey_decmappings should contain user:000key, padding with 000(you can see that in env) (which key should be able to unlock what login if in multiple desktop environment )
Your /etc/yubikey_decmappings should contain user:000key, padding with 000(you can see that in env or ykinfo -q -s) (which key should be able to unlock what login if in multiple desktop environment )
 
The ykinfo binary is available in rawhide ( or >= fedora 19 )
 
Latest changes to the script enable it to only unlock if it was locked by the yubikey !


==ISSUES==
==ISSUES==

Revision as of 16:31, 2 April 2013

What

I'm trying to make my fedora 17 ( gnome3 ) desktop lock the screen when it sees my yubikey removed from the usb slot.

HOW

Get the serial, idVendor, idProduct of the thing. 

udevadm info -a -p $(udevadm info -q path -n /dev/hidraw0)

Create a /etc/udev/rules.d/85-screen-lock-toggle.rules 

SUBSYSTEM=="usb", ACTION=="remove", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}="0010", RUN+="/usr/local/bin/gnome-lock enable"
SUBSYSTEM=="usb", ACTION=="add", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0010", RUN+="/usr/local/bin/gnome-lock disable"

Also you should probably reload the rules: 

udevadm control --reload-rules

And you should create the following script (you'll probably have to comment out default requiretty in /etc/sudoers) : 

~# cat /usr/local/bin/gnome-lock
#!/bin/bash
log="/tmp/yubi_lock_log"
yubimap="/etc/yubikey_decmappings"
user=$(ps aux | grep gnome-screensaver | head -n 1 | awk '{print $1}')
echo "$(date) $(whoami) - '${user}' '$0' '$1'" >> ${log}
export DISPLAY=":0"
current_lock_status=$(sudo -u ${user} /usr/bin/gnome-screensaver-command --query)

if [ "$1" == "enable" ]
then
    	if [ -n ${user} -a "$(grep -c ${user}:${ID_SERIAL_SHORT} ${yubimap})" == "1" -a "$(echo ${current_lock_status} | fgrep -wc inactive)" == "1" ]
        then
            	sudo -u ${user} /usr/bin/gnome-screensaver-command -l >> ${log} 2>&1
                touch /tmp/.yubikey_lock
        fi
else
    	if [ -n ${user} -a "$(grep -c ${user}:000$(ykinfo -q -s) ${yubimap})" == "1" ]
        then
            	if [ -f /tmp/.yubikey_lock ]
                then
                    	sudo -u ${user} /usr/bin/gnome-screensaver-command -d >> ${log} 2>&1
                        rm -f /tmp/.yubikey_lock
                fi
        fi
fi

Your /etc/yubikey_decmappings should contain user:000key, padding with 000(you can see that in env or ykinfo -q -s) (which key should be able to unlock what login if in multiple desktop environment )

The ykinfo binary is available in rawhide ( or >= fedora 19 )

Latest changes to the script enable it to only unlock if it was locked by the yubikey !

ISSUES

On an arch environment it has been said you need some other exports for this to work... 

GNOME_SCREENSAVER_PROC=`ps xa | grep gnome-screensaver | head -n 1 | awk '{print $1}'`
export `grep -z DBUS_SESSION_BUS_ADDRESS /proc/$GNOME_SCREENSAVER_PROC/environ`

Also, you could probably use dbus to do the job for locking/unlocking 

sudo -u ${user} dbus-send --type=method_call --dest=org.gnome.ScreenSaver /org/gnome/ScreenSaver org.gnome.ScreenSaver.SetActive boolean:false # for unlock
sudo -u ${user} dbus-send --type=method_call --dest=org.gnome.ScreenSaver /org/gnome/ScreenSaver org.gnome.ScreenSaver.Lock # for lock
Retrieved from "https://wiki.d3xt3r01.tk//index.php?title=YubiKey_lock_screen&oldid=6574"