Yubico Forum

Proper Linux udev rule for response when yubikey is inserted?

Author:  coventry [ Sat Mar 16, 2013 10:04 pm ]
Post subject:  Proper Linux udev rule for response when yubikey is inserted?

I have the following rules in /etc/udev/rules.d/90-yubikey.rules:

ACTION=="remove", ENV{ID_VENDOR}=="Yubico", RUN+="/usr/local/bin/ykgone"
ACTION=="add",      ENV{ID_VENDOR}=="Yubico", RUN+="/usr/local/bin/ykhere"

The "remove" rule works great, but the "add" rule is causing problems. With the "add" rule in place, inserting the yubikey causes /usr/local/bin/ykhere to be executed many times a second, the LED on the yubikey to flash at about the same rate, and the yubikey to stop responding to button presses with an OTP token key sequence (but the OTP loss may be because /usr/local/bin/ykhere is generating so many HMAC-SHA1 challenges.)

How can I modify the "add" line so that /usr/local/bin/ykhere is only run once when the key is inserted, and the OTP button works as usual the rest of the time?

This is on lubuntu 12.10, with packages yubikey-personalization 1.7.0-1, libyubikey0 1.8-1. yubikey firmware version 2.3.3.

The script /usr/local/bin/ykhere is


#!/bin/sh
if [ -n "$(lsusb | grep Yubikey)" ] ; then
    /bin/su coventry -c /usr/local/bin/unlock
fi

And /usr/local/bin/unlock is


#!/bin/bash
if [ "`~/bin/chalresp.py `" == "OK" ]; then
    pkill xscreensaver
fi

And finally, this is chalresp.py:


#!/usr/bin/env python
# Python 2 script
import subprocess, os, re

recpath = os.path.expanduser('~/.ykchalresp')

# File holds the stored challenge and its expected response
chal, resp = open(recpath).read().strip().split()

def make_resp(chal):
    # HMAC-SHA1 challenge-response against slot 2; strip the trailing newline
    return subprocess.check_output(['ykchalresp', '-2', '-H', chal]).strip()

tresp = make_resp(chal)

if tresp == resp:
    # Challenge succeeded; make a new challenge for next time
    nresp = make_resp(tresp)
    print >> open(recpath, 'w'), tresp, nresp
    print 'OK'
else:
    print 'Failed'

I can "fix" the problem by putting a "sleep 20" after "pkill xscreensaver" in /usr/local/bin/unlock and a "service udev restart" after calling /usr/local/bin/unlock in /usr/local/bin/ykhere. But that's kind of a horrendous abuse.

Author:  coventry [ Mon Mar 18, 2013 5:40 am ]
Post subject:  Re: Proper Linux udev rule for response when yubikey is inser

"sleep 20" and "pkill xscreensaver" was proving unreliable, in that I still wasn't getting OTPs from a keypress, and the LED would occasionally start flashing again. So I've worked around it for now by replacing the "add" rule with something which tracks the state of the screensaver.


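function yubiwait() {
    # Poll until the challenge-response succeeds, then drop the screensaver
    while [ "`~/bin/chalresp.py 2> /dev/null`" != "OK" ] ; do sleep 0.05 ; done
    killall xscreensaver
}

# Restart the watcher whenever it exits; react to each LOCK event
( while [ /bin/true ] ; do xscreensaver-command -watch ; done ) \
    | while read a ; do
        echo $a | grep "^LOCK" && yubiwait
    done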
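
The thread describes an "add" handler that re-fires many times a second. One way to make such a handler run at most once per insertion, as an added example that is not part of the thread or the poster's scripts; the state directory, the 5-second window and the `--udev` flag are assumptions:

```shell
#!/bin/sh
# Added example, not the poster's code: single-instance, debounced guard for
# a udev RUN+= handler. STATE_DIR, WINDOW and the --udev flag are assumptions.
# A narrower match (SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device") fires for
# the USB device node only, not for its interface/HID/input children.

# Root-owned tmpfs path; udev runs RUN+= programs as root, so avoid /tmp.
STATE_DIR="${STATE_DIR:-/run/ykhere}"
WINDOW="${WINDOW:-5}"   # seconds during which repeat events are dropped

release() { rm -rf "$STATE_DIR/lock"; }

# should_run: 0 = caller may proceed (and holds the lock), 1 = drop event.
should_run() {
    mkdir -p "$STATE_DIR" || return 1
    lock="$STATE_DIR/lock"
    # mkdir is atomic, so only one concurrent caller creates the lock.
    if ! mkdir "$lock" 2>/dev/null; then
        holder=$(cat "$lock/pid" 2>/dev/null || echo "")
        # Live holder: a handler is already running.
        if [ -n "$holder" ] && kill -0 "$holder" 2>/dev/null; then
            return 1
        fi
        # Stale lock (udev kills long-running RUN programs): take it over.
        rm -rf "$lock" && mkdir "$lock" 2>/dev/null || return 1
    fi
    echo $$ > "$lock/pid"
    now=$(date +%s)
    last=$(cat "$STATE_DIR/stamp" 2>/dev/null || echo 0)
    if [ $((now - last)) -lt "$WINDOW" ]; then
        release
        return 1
    fi
    echo "$now" > "$STATE_DIR/stamp"
    return 0
}

# Handler body, only when invoked as: RUN+="/usr/local/bin/ykhere --udev"
if [ "${1:-}" = "--udev" ]; then
    should_run || exit 0
    trap release EXIT
    /bin/su coventry -c /usr/local/bin/unlock
fi
```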
