Yubico Forum

Re: [linux] Lock\Unlock system with Yubikey removal\insertio

2013-08-08T09:45:02+01:00

Hello,

It would be great is someone could create a neat HOW-TO for this following the guidelines viewtopic.php?f=16&t=918 here...

Statistics: Posted by Tom — Thu Aug 08, 2013 9:45 am

Re: [linux] Lock\Unlock system with Yubikey removal\insertio

2013-08-08T09:03:06+01:00

Works pretty well in Kali (Debian based)

However if you use your Yubikey in HMAC-SHA1 challenge-response mode; this will also enable your screensaver when you do "sudo" in a terminal. And I have yet to figure out how to allow unlocking of gnome-screensaver in challenge-response mode

Statistics: Posted by SphaZ — Thu Aug 08, 2013 9:03 am

Re: [linux] Lock\Unlock system with Yubikey removal\insertio

2012-06-04T03:24:34+01:00

I'm using 64bit Mint 12 and I've gotten it to work by using the suggested changes to the udev rules:

Code:

ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0010"

and by changing the command to stop the screensaver, as the --poke option no longer exists. You should now use:

Code:

su $user -c "/usr/bin/gnome-screensaver-command --deactivate"

I suspect that these same changes apply to pretty much all distros that use Gnome 3.

Statistics: Posted by cafuego — Mon Jun 04, 2012 3:24 am

Re: [linux] Lock\Unlock system with Yubikey removal\insertio

2011-12-12T20:03:45+01:00

Hi all,

I love this feature so much but I've some troubles with it. Maybe you can help me.
It seems that it only works when I've opened a Terminal window. it doesn't matter if this window is active or not.

When I look in the syslog it shows even if it does not works:
Dec 12 19:55:41 PC logger: YubiKey Removed - Locking Workstation
Dec 12 19:55:45 PC logger: YubiKey Inserted - Unlocking Workstation

I'm running Linux Mint 12 64Bit and Finger installed.

Many thanks in advance,

Statistics: Posted by PH-MJS — Mon Dec 12, 2011 8:03 pm

Re: [linux] Lock\Unlock system with Yubikey removal\insertio

2011-11-12T21:06:03+01:00

If the gnome-screensaver-lock and gnome-screensaver-unlock scripts fail to work for some of you, make sure you have finger installed, or else replace finger with who in the scripts.

Statistics: Posted by fvieira — Sat Nov 12, 2011 9:06 pm

Re: [linux] Lock\Unlock system with Yubikey removal\insertio

2011-09-25T08:05:39+01:00

A related script to disable/enable the screen lock in Gnome. It won't unlock the computer if it is locked, but as long as your Yubikey is plugged in, you computer won't lock. The lock is tied to my presence in the apartment, but someone couldn't steal my keys and gain access to my computer.

Use the udev method above to run the script.

/usr/local/bin/gnome-lock-disable (on udev "add")

Code:

#!/bin/bash

user=`ps aux | grep gnome-screensaver | head -n 1 | awk '{print $1}'`

if [ -n $user ]; then
        GNOME_SCREENSAVER_PROC=`ps xa | grep gnome-screensaver | head -n 1 | awk '{print $1}'`
        export `grep -z DBUS_SESSION_BUS_ADDRESS /proc/$GNOME_SCREENSAVER_PROC/environ`
        su $user -c "gconftool-2 --set "/apps/gnome-screensaver/lock_enabled" --type bool 0"
fi

/usr/local/bin/gnome-lock-enable (on udev "remove")

Code:

#!/bin/bash

user=`ps aux | grep gnome-screensaver | head -n 1 | awk '{print $1}'`

if [ -n $user ]; then
        GNOME_SCREENSAVER_PROC=`ps xa | grep gnome-screensaver | head -n 1 | awk '{print $1}'`
        export `grep -z DBUS_SESSION_BUS_ADDRESS /proc/$GNOME_SCREENSAVER_PROC/environ`
        su $user -c "gconftool-2 --set "/apps/gnome-screensaver/lock_enabled" --type bool 1"
fi

I like this DBUS_SESSION_BUS_ADDRESS code the best of all the ones I've seen. I got it from http://john.nachtimwald.com/2010/07/25/ ... -in-gnome/

Statistics: Posted by webarnes — Sun Sep 25, 2011 8:05 am

Re: [linux] Lock\Unlock system with Yubikey removal\insertio

2011-07-14T22:08:52+01:00

At risk of bumping an old topic, I think the following is worth noting.

If you run the automatic lock/unlock functionality, don't try and use the Yubikey personalisation tool.
When it scans the yubikey for its firmware rev etc, it will effectively disconnect it and lock the screen.

Z.

Statistics: Posted by zardoz — Thu Jul 14, 2011 10:08 pm

Re: [linux] Lock\Unlock system with Yubikey removal\insertion

2010-04-27T00:55:06+01:00

Hello!

I am running Ubuntu Hardy (8.04 LTS), and I had to make some changes to get it to work:

Move udev rules file

I renamed the file from 45-yubikey.rules to 85-yubikey.rules.

I did this rename according to the instructions I found at /etc/udev/rules.d/README:

Quote:

<<>>

Files should be named xx-descriptive-name.rules, the xx should be
chosen first according to the following sequence points:

<<>>

40 rules that set the permissions of device nodes
(can be overriden by later rules)

<<>>

80 rules that run programs (but do not load modules)

<<>>

Packages should chose the approriate sequence point and add 5 to it
(e.g. 25-iftab.rules, 45-libsane.rules, etc.) unless there is a need
for a particular order.
Use ID_VENDOR for rules matching

Looking around the environment, it looks like the ID_VENDOR environment variable contains the vendor name in string form. When the device is connected or removed, the vendor name is "Yubico". I just match on that, instead of matching on a vendor & product ID.

Here are the rules I'm using now:

Code:
ACTION=="remove", ENV{ID_VENDOR}=="Yubico", RUN+="/usr/local/bin/gnome-screensaver-lock"
ACTION=="add", ENV{ID_VENDOR}=="Yubico", RUN+="/usr/local/bin/gnome-screensaver-unlock"
Set DBUS_SESSION_BUS_ADDRESS for lock/poke command to work

With the script provided, every time I tried to run it, I would get the error "Screensaver not running", even though the gnome-screensaver process was running.

After some testing, it appears that the gnome-screensaver-command command uses D-Bus for communications, and that it needs the DBUS_SESSION_BUS_ADDRESS environment variable set in order to know how to communicate with D-Bus.

DBUS_SESSION_BUS_ADDRESS is set when D-Bus is launched, presumably on user login, but it isn't included as part of root's environment. However, since the gnome-screensaver daemon process uses D-Bus, it must have the DBUS_SESSION_BUS_ADDRESS variable as part of its local environment. Therefore, I added the following two lines to /usr/local/bin/gnome-screensaver-lock and /usr/local/bin/gnome-screensaver-unlock:

Code:
GNOME_SCREENSAVER_PROC=`ps xa | grep gnome-screensaver | head -n 1 | perl -p -e '$_=join(",", (split)[0]);'`
export `grep -z DBUS_SESSION_BUS_ADDRESS /proc/$GNOME_SCREENSAVER_PROC/environ`

The lines were added above the "logger" line, very close to the end of the file.

The first line goes through the list of all processes on the system, looks for the gnome-screensaver process, and extracts the process ID (which should be the first number on the first line of the output). This line is where things are likely to break on other systems, and I wouldn't be surprised if this breaks on systems where multiple users are logged in.

The second line takes the discovered process ID, pulls the process's environment, pulls out the DBUS_SESSION_BUS_ADDRESS variable, and sticks it into the session's environment, to be used by the gnome-screensaver-command at the end of the script.

That's it! Once I did all of that, everything started working, and I really like it. Thanks very much for making me aware of another way in which I can use my newly-purchased Yubikey!

Statistics: Posted by akkornel — Tue Apr 27, 2010 12:55 am

Re: [linux] Lock\Unlock system with Yubikey removal\insertion

2009-11-18T07:22:41+01:00

I set this up but the remove rule didn't work. I'm running karmic which must have changes to udev. I fixed it by changing the remove rule:

Code:

ACTION=="add", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010", RUN+="/usr/local/bin/gnome-screensaver-unlock"
ACTION=="remove", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0010", RUN+="/usr/local/bin/gnome-screensaver-lock"

Also after restarting udev the lock unlock worked but my yubikey stopped generating passwords. Not sure why but I had to do a reboot.

Oh ya, if you want to see what udev events occur when you plug/unplug the yubikey try this:

Code:

udevadm monitor --udev --environment

Statistics: Posted by greatguin — Wed Nov 18, 2009 7:22 am

[linux] Lock\Unlock system with Yubikey removal\insertion

2009-01-29T20:07:35+01:00

I have setup my system with YubiPAM for local authentication and I wanted to go one step further. The following information will make your system lock when your yubikey is removed and bring up the password prompt when you reinsert it.

*** WARNING ***
If you are on a laptop DO NOT remove the uhci-hcd module to save power, if you do your screen will lock (the yubikey is removed now, right?) and you won't be able to reload the module to allow yourself to login.

*** INSTRUCTIONS ***
1) Create /etc/udev/rules.d/45-yubikey.rules and put in the following lines.

Code:

ACTION=="add", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010", RUN+="/usr/local/bin/gnome-screensaver-unlock"
ACTION=="remove", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010", RUN+="/usr/local/bin/gnome-screensaver-lock"

2) Create /usr/local/bin/gnome-screensaver-lock and paste the following and chmod a+x the file

Code:

#!/bin/sh

getXuser() {
        user=`finger| grep -m1 ":$displaynum " | awk '{print $1}'`
 
        if [ x"$user" = x"" ]; then
                user=`finger| grep -m1 ":$displaynum" | awk '{print $1}'`
        fi
        if [ x"$user" != x"" ]; then
                userhome=`getent passwd $user | cut -d: -f6`
                export XAUTHORITY=$userhome/.Xauthority
        else
                export XAUTHORITY=""
        fi
}

for x in /tmp/.X11-unix/*; do
    displaynum=`echo $x | sed s#/tmp/.X11-unix/X##`
    getXuser
    if [ x"$XAUTHORITY" != x"" ]; then
        # extract current state
   export DISPLAY=":$displaynum"
    fi
done

logger "YubiKey Removed - Locking Workstation"
su $user -c "/usr/bin/gnome-screensaver-command --lock"

3) Create /usr/local/bin/gnome-screensaver-unlock and paste the following and chmod a+x the file

Code:

#!/bin/sh

getXuser() {
        user=`finger| grep -m1 ":$displaynum " | awk '{print $1}'`
 
        if [ x"$user" = x"" ]; then
                user=`finger| grep -m1 ":$displaynum" | awk '{print $1}'`
        fi
        if [ x"$user" != x"" ]; then
                userhome=`getent passwd $user | cut -d: -f6`
                export XAUTHORITY=$userhome/.Xauthority
        else
                export XAUTHORITY=""
        fi
}

for x in /tmp/.X11-unix/*; do
    displaynum=`echo $x | sed s#/tmp/.X11-unix/X##`
    getXuser
    if [ x"$XAUTHORITY" != x"" ]; then
        # extract current state
   export DISPLAY=":$displaynum"
    fi
done

logger "YubiKey Inserted - Unlocking Workstation"
su $user -c "/usr/bin/gnome-screensaver-command --poke"

4) Restart udev.

Code:

sudo /etc/init.d/udev restart

or on older udev installs

Code:

sudo udevcontrol reload_rules

--
Brenden

Statistics: Posted by bmorgenthaler — Thu Jan 29, 2009 8:07 pm