YubiKey lock screen: Difference between revisions

Line 29: Line 29:
log="/tmp/yubi_lock_log"
log="/tmp/yubi_lock_log"
yubimap="/etc/yubikey_decmappings"
yubimap="/etc/yubikey_decmappings"
user=$(ps aux | grep gnome-screensaver | head -n 1 | awk '{print $1}')
ykinfo=$(/usr/bin/ykinfo -q -s)
echo "$(date) $(whoami) - '${user}' '$0' '$1'" >> ${log}
export DISPLAY=":0"
current_lock_status=$(sudo -u ${user} /usr/bin/gnome-screensaver-command --query)


if [ "$1" == "enable" ]
if [ ! -z "${PAM_USER}" ]
then
then
    if [ -n ${user} -a "$(grep -c ${user}:${ID_SERIAL_SHORT} ${yubimap})" == "1" -a "$(echo ${current_lock_status} | fgrep -wc inactive)" == "1" ]
echo "AUTH-PAM $(date) $(whoami) - '${PAM_USER}' '$0'" >>${log}
        then
if [ "$(fgrep -wc ${PAM_USER} ${yubimap})" == "1" ]
            sudo -u ${user} /usr/bin/gnome-screensaver-command -l >> ${log} 2>&1
then
                touch /tmp/.yubikey_lock
echo "IT REQUIRES YUBIKEY." >>${log}
        fi
if [ -z "${ykinfo}" ]  
then
echo "Didn't find a yubikey." >>${log}
exit 1
fi
echo "Searching for ${PAM_USER}:${ykinfo} in ${yubimap}. Found:" >>${log}
fgrep -w ${PAM_USER}:${ykinfo} ${yubimap} >>${log}
exitcode=$?
echo "EXITCODE=${exitcode}" >>${log}
exit ${exitcode}
else
exit 0
fi
else
else
    if [ -n ${user} -a "$(grep -c ${user}:000$(ykinfo -q -s) ${yubimap})" == "1" ]
user=$(ps aux | grep gnome-screensaver | head -n 1 | awk '{print $1}')
        then
echo "AUTH-GNOME $(date) $(whoami) - '${user}' '$0' '$1'" >> ${log}
            if [ -f /tmp/.yubikey_lock ]
export DISPLAY=":0"
                then
current_lock_status=$(sudo -u ${user} /usr/bin/gnome-screensaver-command --query)
                    sudo -u ${user} /usr/bin/gnome-screensaver-command -d >> ${log} 2>&1
if [ "$1" == "enable" ]
                        rm -f /tmp/.yubikey_lock
then
                fi
    if [ -n ${user} -a "$(fgrep -c ${user}:${ID_SERIAL_SHORT} ${yubimap})" == "1" -a "$(echo ${current_lock_status} | fgrep -wc inactive)" == "1" ]
        fi
        then
            sudo -u ${user} /usr/bin/gnome-screensaver-command -l >>${log} 2>&1
                touch /tmp/.yubikey_lock
        fi
else
    if [ -n ${user} -a "$(grep -c ${user}:${ykinfo} ${yubimap})" == "1" ]
        then
            if [ -f /tmp/.yubikey_lock ]
                then
                    sudo -u ${user} /usr/bin/gnome-screensaver-command -d >>${log} 2>&1
                        rm -f /tmp/.yubikey_lock
                fi
        fi
fi
fi
fi
</source>
</source>
Line 58: Line 80:


Latest changes to the script enable it to only unlock if it was locked by the yubikey !
Latest changes to the script enable it to only unlock if it was locked by the yubikey !
In order for the pam method to work, you'd need these 2 lines in the required /etc/pam.d ( don't know which one your system uses. My fedora used /etc/pam.d/password-auth and /etc/pam.d/system-auth ):
<source lang="bash">
auth required pam_exec.so quiet /usr/local/bin/gnome-lock
auth sufficient    pam_unix.so try_first_pass nullok
</source>


==ISSUES==
==ISSUES==
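Review bot: The gate of the new PAM branch, `if [ "$(fgrep -wc ${PAM_USER} ${yubimap})" == "1" ]`, treats a user with two or more mapping lines as unmapped and falls through to `exit 0`, so the YubiKey stops being required in exactly the multi-key setup the page says the map supports; compare with `-ge 1`, or better, match the user field exactly, e.g. `YK_USER="$PAM_USER" awk -F: '$1==ENVIRON["YK_USER"]{f=1} END{exit !f}' "${yubimap}"`. The same branch expands `${PAM_USER}` unquoted into fgrep, so a login name containing whitespace or starting with `-` is word-split or parsed as an option instead of being matched. The udev branch keeps `[ -n ${user} -a … ]`, which is not a reliable check when user is empty because `-n` can then bind to `-a` as its operand; `[[ -n "$user" && … ]]` tests what was intended. Which side each interleaved line belongs to is not marked here; the points above refer to the lines that also appear in the current revision below.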

Revision as of 17:28, 3 April 2013

What

I'm trying to make my Fedora 17 (GNOME 3) desktop lock the screen when it sees my YubiKey removed from the USB slot.

HOW

Get the serial, idVendor and idProduct of the device:

# Walk the udev attributes of the device behind the hidraw node (adjust /dev/hidraw0 to the node your key got).
udevadm info --attribute-walk --path="$(udevadm info --query=path --name=/dev/hidraw0)"

Create a /etc/udev/rules.d/85-screen-lock-toggle.rules

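# Lock when a YubiKey (vendor 1050, model 0010) is unplugged, unlock when it is plugged back in.
# Every ENV{...} test must use "==" (compare): a single "=" assigns the property instead of
# matching it, so the remove rule would have fired for every USB device with vendor id 1050.
SUBSYSTEM=="usb", ACTION=="remove", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0010", RUN+="/usr/local/bin/gnome-lock enable"
SUBSYSTEM=="usb", ACTION=="add", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0010", RUN+="/usr/local/bin/gnome-lock disable"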

Also you should probably reload the rules:

# Tell the udev daemon to re-read its rules files so the new rule is active.
udevadm control -R

And you should create the following script (you'll probably have to comment out the default requiretty in /etc/sudoers):

~# cat /usr/local/bin/gnome-lock
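#!/bin/bash
# gnome-lock -- lock the GNOME screensaver when a mapped YubiKey is removed,
# unlock it when that key returns, and require the mapped key at PAM login.
#
# Invocations (see the rest of this page):
#   udev RUN+=  : "gnome-lock enable" on remove, "gnome-lock disable" on add;
#                 udev supplies ID_SERIAL_SHORT in the environment.
#   pam_exec.so : no arguments; PAM supplies PAM_USER in the environment.
#                 Exit status 0 = allow, non-zero = deny.
# Mapping file: one "user:key" line per user/key pair (a user may have
# several lines).
set -u

log="/tmp/yubi_lock_log"
yubimap="/etc/yubikey_decmappings"
lockfile="/tmp/.yubikey_lock"
# NOTE(review): this script runs as root (udev/PAM) and appends to fixed
# names under world-writable /tmp; any local user can pre-create these files
# (a planted lockfile enables the unlock branch) and the log records login
# names and key serials. A root-owned directory such as /run would be safer;
# the paths are kept as published on this page.
ykinfo=$(/usr/bin/ykinfo -q -s)

#######################################
# Append one timestamped line to the log.
# Arguments: $* - message text (passed as data, never as the printf format)
#######################################
log_msg() {
  printf '%s %s - %s\n' "$(date)" "$(whoami)" "$*" >>"$log"
}

#######################################
# Print the user name owning the first gnome-screensaver daemon, or nothing.
# Matches the argv[0] basename exactly, so neither a stray "grep" process nor
# gnome-screensaver-command is picked up, and the name is not truncated.
#######################################
screensaver_user() {
  ps -eo 'user:32=,args=' | awk '$2 ~ /(^|\/)gnome-screensaver$/ { print $1; exit }'
}

#######################################
# True if $1 has at least one mapping line. The user field is compared
# exactly (via ENVIRON, so an untrusted login name is never a pattern,
# an option, or subject to -v escape processing).
# Arguments: $1 - user name
#######################################
user_is_mapped() {
  YK_USER="$1" awk -F: '$1 == ENVIRON["YK_USER"] { found = 1 } END { exit !found }' "$yubimap"
}

#######################################
# True if the exact line "user:key" exists in the mapping file.
# Arguments: $1 - user name, $2 - key serial
#######################################
has_mapping() {
  grep -qxF -- "$1:$2" "$yubimap"
}

#######################################
# PAM path: allow unless PAM_USER is mapped, in which case the inserted key's
# serial (from ykinfo) must appear as "PAM_USER:serial" in the map.
# Returns: exits 0 to allow, 1 (or grep's status) to deny
#######################################
pam_auth() {
  log_msg "AUTH-PAM '${PAM_USER}' '$0'"
  if [[ ! -r "$yubimap" ]]; then
    # Same outcome as the original "count is 0" case, but logged explicitly.
    log_msg "Cannot read ${yubimap}; not requiring a YubiKey."
    exit 0
  fi
  if ! user_is_mapped "$PAM_USER"; then
    exit 0  # not mapped: the YubiKey is not required for this user
  fi
  log_msg "IT REQUIRES YUBIKEY."
  if [[ -z "$ykinfo" ]]; then
    log_msg "Didn't find a yubikey."
    exit 1
  fi
  log_msg "Searching for ${PAM_USER}:${ykinfo} in ${yubimap}. Found:"
  local exitcode=0
  # Whole-line fixed-string match; the matching line goes to the log as before.
  grep -xF -- "${PAM_USER}:${ykinfo}" "$yubimap" >>"$log" || exitcode=$?
  log_msg "EXITCODE=${exitcode}"
  exit "$exitcode"
}

#######################################
# udev path: lock on "enable" (key removed), unlock otherwise (key inserted).
# Globals:   ID_SERIAL_SHORT (read, set by udev on the remove event)
# Arguments: $1 - "enable" or "disable"
#######################################
udev_toggle() {
  local action=$1
  local user
  user=$(screensaver_user)
  log_msg "AUTH-GNOME '${user}' '$0' '${action}'"
  if [[ -z "$user" ]]; then
    log_msg "No gnome-screensaver process found, nothing to do."
    exit 0
  fi
  export DISPLAY=":0"
  local lock_status
  lock_status=$(sudo -u "$user" /usr/bin/gnome-screensaver-command --query)
  if [[ "$action" == "enable" ]]; then
    # The removed key must be mapped to the session user, and the screen must
    # not already be locked (the query output contains the word "inactive").
    if has_mapping "$user" "${ID_SERIAL_SHORT-}" && grep -qwF inactive <<<"$lock_status"; then
      sudo -u "$user" /usr/bin/gnome-screensaver-command -l >>"$log" 2>&1
      touch -- "$lockfile"
    fi
  else
    # The inserted key must be mapped to the session user, and the screen
    # must have been locked by this script (lockfile present).
    if has_mapping "$user" "$ykinfo" && [[ -f "$lockfile" ]]; then
      sudo -u "$user" /usr/bin/gnome-screensaver-command -d >>"$log" 2>&1
      rm -f -- "$lockfile"
    fi
  fi
}

#######################################
# Dispatch on how we were invoked: PAM sets PAM_USER, udev passes an action.
#######################################
main() {
  if [[ -n "${PAM_USER-}" ]]; then
    pam_auth
  else
    udev_toggle "${1-}"
  fi
}

main "$@"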

Your /etc/yubikey_decmappings should contain user:000key lines, padding the key with 000 (you can see that value in the environment or in ykinfo -q -s); this decides which key is able to unlock which login in a multi-desktop environment.

The ykinfo binary is available in Rawhide (or Fedora >= 19).

The latest changes to the script allow it to unlock only if the screen was locked by the YubiKey!

In order for the PAM method to work, you need these two lines in the relevant /etc/pam.d file (I don't know which one your system uses; my Fedora used /etc/pam.d/password-auth and /etc/pam.d/system-auth):

# pam_exec runs gnome-lock with PAM_USER set; it is listed first and marked
# "required" so a non-zero exit denies the login before pam_unix is consulted.
auth required pam_exec.so quiet /usr/local/bin/gnome-lock
auth sufficient    pam_unix.so try_first_pass nullok

ISSUES

On an Arch environment it has been said that you need some other exports for this to work...

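# PID of the first gnome-screensaver daemon. Matching the argv[0] basename
# exactly avoids the classic "ps | grep" pitfall of picking up the grep itself.
GNOME_SCREENSAVER_PROC=$(ps -eo 'pid=,args=' | awk '$2 ~ /(^|\/)gnome-screensaver$/ { print $1; exit }')
# Export its DBUS_SESSION_BUS_ADDRESS. /proc/PID/environ is NUL-separated, so
# translate to newlines before grepping (a raw NUL would be dropped by the shell).
if [[ -n "$GNOME_SCREENSAVER_PROC" ]]; then
  export "$(tr '\0' '\n' <"/proc/${GNOME_SCREENSAVER_PROC}/environ" | grep '^DBUS_SESSION_BUS_ADDRESS=')"
fi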

Also, you could probably use D-Bus to do the job of locking/unlocking:

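# $user must hold the session owner's name; it is quoted so an empty or
# space-containing value cannot shift the following argument into sudo -u.
# Unlock (deactivate the screensaver)
sudo -u "$user" dbus-send --type=method_call --dest=org.gnome.ScreenSaver /org/gnome/ScreenSaver org.gnome.ScreenSaver.SetActive boolean:false
# Lock
sudo -u "$user" dbus-send --type=method_call --dest=org.gnome.ScreenSaver /org/gnome/ScreenSaver org.gnome.ScreenSaver.Lock
# Query the lock state via qdbus ...
sudo -u "$user" qdbus org.gnome.ScreenSaver /org/gnome/ScreenSaver org.gnome.ScreenSaver.GetActive
# ... or via gnome-screensaver-command
sudo -u "$user" /usr/bin/gnome-screensaver-command --query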