Yubico Forum

All times are UTC + 1 hour
PostPosted: Thu Jan 29, 2009 8:07 pm 
I have set up my system with YubiPAM for local authentication and I wanted to go one step further. The following information will make your system lock when your YubiKey is removed and bring up the password prompt when you reinsert it.

*** WARNING ***
If you are on a laptop DO NOT remove the uhci-hcd module to save power, if you do your screen will lock (the yubikey is removed now, right?) and you won't be able to reload the module to allow yourself to login.

*** INSTRUCTIONS ***
1) Create /etc/udev/rules.d/45-yubikey.rules and put in the following lines.
Code:
ACTION=="add", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010", RUN+="/usr/local/bin/gnome-screensaver-unlock"
ACTION=="remove", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010", RUN+="/usr/local/bin/gnome-screensaver-lock"


2) Create /usr/local/bin/gnome-screensaver-lock and paste the following and chmod a+x the file
Code:
#!/bin/sh
# Run by udev (as root) when the YubiKey is unplugged: find the user who owns
# the local X display and ask that user's gnome-screensaver to lock.

getXuser() {
        # finger lists logged-in users with their tty; an X session shows ":<display>"
        user=`finger | grep -m1 ":$displaynum " | awk '{print $1}'`

        if [ x"$user" = x"" ]; then
                user=`finger | grep -m1 ":$displaynum" | awk '{print $1}'`
        fi
        if [ x"$user" != x"" ]; then
                # root needs the user's X cookie to talk to the display
                userhome=`getent passwd "$user" | cut -d: -f6`
                export XAUTHORITY="$userhome/.Xauthority"
        else
                export XAUTHORITY=""
        fi
}

# Walk the X server sockets to discover the display number(s) in use
xuser=""
for x in /tmp/.X11-unix/*; do
    displaynum=`echo "$x" | sed 's#/tmp/.X11-unix/X##'`
    getXuser
    if [ x"$XAUTHORITY" != x"" ]; then
        export DISPLAY=":$displaynum"
        xuser="$user"
    fi
done

# Never call su with an empty user name
if [ x"$xuser" = x"" ]; then
    logger "YubiKey Removed - no X user found, not locking"
    exit 1
fi

logger "YubiKey Removed - Locking Workstation"
su "$xuser" -c "/usr/bin/gnome-screensaver-command --lock"


3) Create /usr/local/bin/gnome-screensaver-unlock and paste the following and chmod a+x the file
Code:
#!/bin/sh
# Run by udev (as root) when the YubiKey is plugged in: find the user who owns
# the local X display and poke that user's gnome-screensaver so the unlock
# prompt appears.

getXuser() {
        # finger lists logged-in users with their tty; an X session shows ":<display>"
        user=`finger | grep -m1 ":$displaynum " | awk '{print $1}'`

        if [ x"$user" = x"" ]; then
                user=`finger | grep -m1 ":$displaynum" | awk '{print $1}'`
        fi
        if [ x"$user" != x"" ]; then
                # root needs the user's X cookie to talk to the display
                userhome=`getent passwd "$user" | cut -d: -f6`
                export XAUTHORITY="$userhome/.Xauthority"
        else
                export XAUTHORITY=""
        fi
}

# Walk the X server sockets to discover the display number(s) in use
xuser=""
for x in /tmp/.X11-unix/*; do
    displaynum=`echo "$x" | sed 's#/tmp/.X11-unix/X##'`
    getXuser
    if [ x"$XAUTHORITY" != x"" ]; then
        export DISPLAY=":$displaynum"
        xuser="$user"
    fi
done

# Never call su with an empty user name
if [ x"$xuser" = x"" ]; then
    logger "YubiKey Inserted - no X user found, nothing to unlock"
    exit 1
fi

logger "YubiKey Inserted - Unlocking Workstation"
su "$xuser" -c "/usr/bin/gnome-screensaver-command --poke"


4) Restart udev.
Code:
sudo /etc/init.d/udev restart
or on older udev installs
Code:
sudo udevcontrol reload_rules


--
Brenden


PostPosted: Wed Nov 18, 2009 7:22 am 
I set this up but the remove rule didn't work. I'm running Karmic, which must have changes to udev. I fixed it by changing the remove rule:
Code:
ACTION=="add", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010", RUN+="/usr/local/bin/gnome-screensaver-unlock"
ACTION=="remove", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0010", RUN+="/usr/local/bin/gnome-screensaver-lock"

Also, after restarting udev the lock/unlock worked, but my YubiKey stopped generating passwords. Not sure why, but I had to do a reboot.

Oh yeah, if you want to see what udev events occur when you plug/unplug the YubiKey, try this:
Code:
udevadm monitor --udev --environment


PostPosted: Tue Apr 27, 2010 12:55 am 
Hello!

I am running Ubuntu Hardy (8.04 LTS), and I had to make some changes to get it to work:

  • Move udev rules file

    I renamed the file from 45-yubikey.rules to 85-yubikey.rules.

    I did this rename according to the instructions I found at /etc/udev/rules.d/README:

    Quote:
    <<<snip>>>

    Files should be named xx-descriptive-name.rules, the xx should be
    chosen first according to the following sequence points:

    <<<snip>>>

    40 rules that set the permissions of device nodes
    (can be overriden by later rules)

    <<<snip>>>

    80 rules that run programs (but do not load modules)

    <<<snip>>>

    Packages should choose the appropriate sequence point and add 5 to it
    (e.g. 25-iftab.rules, 45-libsane.rules, etc.) unless there is a need
    for a particular order.

  • Use ID_VENDOR for rules matching

    Looking around the environment, it looks like the ID_VENDOR environment variable contains the vendor name in string form. When the device is connected or removed, the vendor name is "Yubico". I just match on that, instead of matching on a vendor & product ID.

    Here are the rules I'm using now:

    Code:
    ACTION=="remove", ENV{ID_VENDOR}=="Yubico", RUN+="/usr/local/bin/gnome-screensaver-lock"
    ACTION=="add", ENV{ID_VENDOR}=="Yubico", RUN+="/usr/local/bin/gnome-screensaver-unlock"

  • Set DBUS_SESSION_BUS_ADDRESS for lock/poke command to work

    With the script provided, every time I tried to run it, I would get the error "Screensaver not running", even though the gnome-screensaver process was running.

    After some testing, it appears that the gnome-screensaver-command command uses D-Bus for communications, and that it needs the DBUS_SESSION_BUS_ADDRESS environment variable set in order to know how to communicate with D-Bus.

    DBUS_SESSION_BUS_ADDRESS is set when D-Bus is launched, presumably on user login, but it isn't included as part of root's environment. However, since the gnome-screensaver daemon process uses D-Bus, it must have the DBUS_SESSION_BUS_ADDRESS variable as part of its local environment. Therefore, I added the following two lines to /usr/local/bin/gnome-screensaver-lock and /usr/local/bin/gnome-screensaver-unlock:

    Code:
    # PID of the running gnome-screensaver; the [g] trick stops grep from matching itself
    GNOME_SCREENSAVER_PROC=`ps xa | grep '[g]nome-screensaver' | head -n 1 | awk '{print $1}'`
    # /proc/<pid>/environ is NUL-separated; turn NULs into newlines before grepping
    export "`tr '\0' '\n' < /proc/$GNOME_SCREENSAVER_PROC/environ | grep '^DBUS_SESSION_BUS_ADDRESS='`"


    The lines were added above the "logger" line, very close to the end of the file.

    The first line goes through the list of all processes on the system, looks for the gnome-screensaver process, and extracts the process ID (which should be the first number on the first line of the output). This line is where things are likely to break on other systems, and I wouldn't be surprised if this breaks on systems where multiple users are logged in.

    The second line takes the discovered process ID, pulls the process's environment, pulls out the DBUS_SESSION_BUS_ADDRESS variable, and sticks it into the session's environment, to be used by the gnome-screensaver-command at the end of the script.

That's it! Once I did all of that, everything started working, and I really like it. Thanks very much for making me aware of another way in which I can use my newly-purchased Yubikey!
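The original instructions (one udev rule per event plus a lock and an unlock script) and the D-Bus fix in the post above both need the same three things: the user who owns the local X display, that user's X cookie, and the session bus address of the user's gnome-screensaver. The script below is an added example for this thread, not code from any of the posts. It folds both scripts into one program that udev calls for `add` and `remove` (the rule file, the `/usr/local/bin/yubikey-lock` path and the `1050` vendor match are assumptions taken from the thread), finds the session with `who` instead of `finger`, reads the bus address out of `/proc/<pid>/environ` without relying on `grep -z`, and refuses to call `su` with an empty user name. It assumes a single local X session, a `gnome-screensaver-command` that accepts `--lock` and `--deactivate` (older releases use `--poke`), and a `su` that passes exported variables through when run without `-l`.

```shell
#!/bin/sh
# yubikey-lock: lock the GNOME session when a YubiKey is unplugged and wake the
# screensaver prompt when it is plugged back in.
#
# Added example, not code from any post in this thread. Assumed setup:
#   /etc/udev/rules.d/85-yubikey.rules
#     ACTION=="add",    ENV{ID_VENDOR_ID}=="1050", RUN+="/usr/local/bin/yubikey-lock"
#     ACTION=="remove", ENV{ID_VENDOR_ID}=="1050", RUN+="/usr/local/bin/yubikey-lock"
# udev runs this as root with $ACTION set; one local X session is logged in
# (visible in `who`) and gnome-screensaver is running inside it.

# find_x_session: read `who` output on stdin and print "user display" for the
# first user on a local X display (":0" in the line column, or "(:0)" in the
# comment column on tty-based logins). Prints nothing if there is none.
find_x_session() {
    awk '{
        for (i = 2; i <= NF; i++) {
            d = $i
            gsub(/[()]/, "", d)                       # "(:0)" -> ":0"
            if (d ~ /^:[0-9]+(\.[0-9]+)?$/) { print $1, d; exit }
        }
    }'
}

# dbus_address_from_environ: print DBUS_SESSION_BUS_ADDRESS from a
# NUL-separated /proc/<pid>/environ file (argument 1). Empty if absent.
dbus_address_from_environ() {
    tr '\0' '\n' < "$1" | sed -n 's/^DBUS_SESSION_BUS_ADDRESS=//p' | head -n 1
}

main() {
    case "$ACTION" in
        remove) cmd="--lock";       msg="YubiKey removed - locking workstation" ;;
        add)    cmd="--deactivate"; msg="YubiKey inserted - waking screensaver" ;;
        *)      return 0 ;;
    esac

    session=$(who | find_x_session)
    if [ -z "$session" ]; then
        logger -t yubikey-lock "$msg: no local X session found, nothing done"
        return 0
    fi
    user=${session%% *}
    display=${session#* }

    # Oldest gnome-screensaver owned by that user; bail out (never su "") if none
    pid=$(pgrep -u "$user" -o -x gnome-screensaver) || {
        logger -t yubikey-lock "$msg: gnome-screensaver not running for $user"
        return 0
    }
    bus=$(dbus_address_from_environ "/proc/$pid/environ")
    home=$(getent passwd "$user" | cut -d: -f6)

    logger -t yubikey-lock "$msg ($user on $display)"
    # gnome-screensaver-command needs the user's display, X cookie and session
    # bus; a plain su (no -l) keeps these exported variables.
    DISPLAY="$display" XAUTHORITY="$home/.Xauthority" \
    DBUS_SESSION_BUS_ADDRESS="$bus" \
        su "$user" -c "gnome-screensaver-command $cmd"
}

# Only act when invoked by udev (ACTION set); sourcing the file does nothing.
case "${ACTION:-}" in
    add|remove) main ;;
esac
```

Install it with `chmod 755 /usr/local/bin/yubikey-lock`, add the two rules shown in the header, and watch `udevadm monitor --udev --environment` while plugging the key in and out to confirm `ID_VENDOR_ID` is what your udev exports; the `logger` lines in syslog then tell you which branch ran and which user and display it picked.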


PostPosted: Thu Jul 14, 2011 10:08 pm 
At risk of bumping an old topic, I think the following is worth noting.

If you run the automatic lock/unlock functionality, don't try and use the Yubikey personalisation tool.
When it scans the yubikey for its firmware rev etc, it will effectively disconnect it and lock the screen.

Z.


PostPosted: Sun Sep 25, 2011 8:05 am 
A related script to disable/enable the screen lock in Gnome. It won't unlock the computer if it is locked, but as long as your YubiKey is plugged in, your computer won't lock. The lock is tied to my presence in the apartment, but someone couldn't steal my keys and gain access to my computer.

Use the udev method above to run the script.

/usr/local/bin/gnome-lock-disable (on udev "add")

Code:
#!/bin/bash
# Turn off gnome-screensaver's "lock on activate" for the user running it.
# Called by udev on YubiKey "add".

# Owner of the running gnome-screensaver; [g] keeps grep from matching itself
user=`ps aux | grep '[g]nome-screensaver' | head -n 1 | awk '{print $1}'`

if [ -n "$user" ]; then
        GNOME_SCREENSAVER_PROC=`ps xa | grep '[g]nome-screensaver' | head -n 1 | awk '{print $1}'`
        # gconftool-2 talks over the user's session bus; borrow its address
        export `grep -z DBUS_SESSION_BUS_ADDRESS /proc/$GNOME_SCREENSAVER_PROC/environ | tr -d '\0'`
        su "$user" -c "gconftool-2 --set /apps/gnome-screensaver/lock_enabled --type bool 0"
fi


/usr/local/bin/gnome-lock-enable (on udev "remove")

Code:
#!/bin/bash
# Turn gnome-screensaver's "lock on activate" back on for the user running it.
# Called by udev on YubiKey "remove".

# Owner of the running gnome-screensaver; [g] keeps grep from matching itself
user=`ps aux | grep '[g]nome-screensaver' | head -n 1 | awk '{print $1}'`

if [ -n "$user" ]; then
        GNOME_SCREENSAVER_PROC=`ps xa | grep '[g]nome-screensaver' | head -n 1 | awk '{print $1}'`
        # gconftool-2 talks over the user's session bus; borrow its address
        export `grep -z DBUS_SESSION_BUS_ADDRESS /proc/$GNOME_SCREENSAVER_PROC/environ | tr -d '\0'`
        su "$user" -c "gconftool-2 --set /apps/gnome-screensaver/lock_enabled --type bool 1"
fi


I like this DBUS_SESSION_BUS_ADDRESS code the best of all the ones I've seen. I got it from http://john.nachtimwald.com/2010/07/25/ ... -in-gnome/


PostPosted: Sat Nov 12, 2011 9:06 pm 
If the gnome-screensaver-lock and gnome-screensaver-unlock scripts fail to work for some of you, make sure you have finger installed, or else replace finger with who in the scripts.


PostPosted: Mon Dec 12, 2011 8:03 pm 
Hi all,

I love this feature so much, but I've had some trouble with it. Maybe you can help me.
It seems that it only works when I've opened a Terminal window. It doesn't matter if this window is active or not.

When I look in the syslog it shows this even when it does not work:
Dec 12 19:55:41 PC logger: YubiKey Removed - Locking Workstation
Dec 12 19:55:45 PC logger: YubiKey Inserted - Unlocking Workstation

I'm running Linux Mint 12 64-bit with finger installed.

Many thanks in advance,


PostPosted: Mon Jun 04, 2012 3:24 am 
I'm using 64-bit Mint 12 and I've gotten it to work by using the suggested changes to the udev rules:

Code:
ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0010"


and by changing the command to stop the screensaver, as the --poke option no longer exists. You should now use:

Code:
su $user -c "/usr/bin/gnome-screensaver-command --deactivate"


I suspect that these same changes apply to pretty much all distros that use Gnome 3.


PostPosted: Thu Aug 08, 2013 9:03 am 
Works pretty well in Kali (Debian based)

However, if you use your YubiKey in HMAC-SHA1 challenge-response mode, this will also enable your screensaver when you do "sudo" in a terminal. And I have yet to figure out how to allow unlocking of gnome-screensaver in challenge-response mode :|


PostPosted: Thu Aug 08, 2013 9:45 am 
Site Admin
Hello,

It would be great if someone could create a neat HOW-TO for this, following the guidelines here: viewtopic.php?f=16&t=918

--
-Tom

