Yubico Forum
https://forum.yubico.com/

Proper Linux udev rule for response when yubikey is inserted?
https://forum.yubico.com/viewtopic.php?f=4&t=1004

Author:  coventry [ Sat Mar 16, 2013 10:04 pm ]
Post subject:  Proper Linux udev rule for response when yubikey is inserted?

I have the following rules in /etc/udev/rules.d/90-yubikey.rules:

Code:
ACTION=="remove", ENV{ID_VENDOR}=="Yubico", RUN+="/usr/local/bin/ykgone"
ACTION=="add",      ENV{ID_VENDOR}=="Yubico", RUN+="/usr/local/bin/ykhere"

The "remove" rule works great, but the "add" rule is causing problems. With the "add" rule in place, inserting the yubikey causes /usr/local/bin/ykhere to be executed many times a second, the LED on the yubikey to flash at about the same rate, and the yubikey to stop responding to button presses with an OTP token key sequence (but the OTP loss may be because /usr/local/bin/ykhere is generating so many HMAC-SHA1 challenges.)

How can I modify the "add" line so that /usr/local/bin/ykhere is only run once when the key is inserted, and the OTP button works as usual the rest of the time?

This is on lubuntu 12.10, with packages yubikey-personalization 1.7.0-1, libyubikey0 1.8-1. yubikey firmware version 2.3.3.

The script /usr/local/bin/ykhere is

Code:
#!/bin/bash

if [ -n "$(lsusb | grep Yubikey)" ] ; then
    /bin/su coventry -c /usr/local/bin/unlock
fi


And /usr/local/bin/unlock is

Code:
#!/bin/bash

if [ "`~/bin/chalresp.py `" == "OK" ]; then
    pkill xscreensaver
fi


And finally, this is chalresp.py:

Code:
#!/usr/bin/python

import subprocess, os, re

recpath = os.path.expanduser('~/.ykchalresp')

chal, resp = open(recpath).read().strip().split()

def make_resp(chal):
    return subprocess.check_output(['ykchalresp', '-2', '-H', chal]
                                   ).strip()

tresp = make_resp(chal)

if tresp == resp:
    # Challenge succeeded; make a new challenge for next time
    nresp = make_resp(tresp)
    print >> open(recpath, 'w'), tresp, nresp
    print 'OK'
    exit(0)
else:
    print 'Failed'
    exit(1)


I can "fix" the problem by putting a "sleep 20" after "pkill xscreensaver" in /usr/local/bin/unlock and a "service udev restart" after calling /usr/local/bin/unlock in /usr/local/bin/ykhere. But that's kind of a horrendous abuse.

Author:  coventry [ Mon Mar 18, 2013 5:40 am ]
Post subject:  Re: Proper Linux udev rule for response when yubikey is inser

"sleep 20" and "pkill xscreensaver" was proving unreliable, in that I still wasn't getting OTPs from a keypress, and the LED would occasionally start flashing again. So I've worked around it for now by replacing the "add" rule with something which tracks the state of the screensaver.

Code:
#!/bin/bash

function yubiwait() {
    while [ "`~/bin/chalresp.py 2> /dev/null`" != "OK" ] ; do sleep 0.05 ; done
    killall xscreensaver
}

( while [ /bin/true ] ; do xscreensaver-command -watch ; done ) \
    | while read a ; do
        echo $a | grep "^LOCK" && yubiwait
      done
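
Added example, not part of either post above and not Yubico's code: udev raises a separate "add" event for each node a USB device creates, and the rule as posted matches every one of them that carries ID_VENDOR=Yubico. The script below counts how many events in a constructed listing the posted rule and a narrower rule would each match. The listing, the count_matches helper and the narrowed rule in the comments are assumptions made for illustration; the thread does not establish the cause of the repeated runs.

```shell
#!/bin/bash
# Constructed sample (not captured from the poster's machine): the shape of
# `udevadm monitor --udev --property` output for one key insertion, cut down
# to the properties the rules test. Which events carry ID_VENDOR varies with
# the udev version, so check the real output before relying on this.
sample_events() {
cat <<'EOF'
ACTION=add
SUBSYSTEM=usb
DEVTYPE=usb_device
ID_VENDOR=Yubico

ACTION=add
SUBSYSTEM=usb
DEVTYPE=usb_interface

ACTION=add
SUBSYSTEM=input
ID_VENDOR=Yubico

ACTION=add
SUBSYSTEM=input
DEVNAME=/dev/input/event5
ID_VENDOR=Yubico
EOF
}

# count_matches KEY=VALUE...: number of events on stdin that carry every
# listed property, i.e. how often a rule with those matches would RUN.
count_matches() {
    awk -v want="$*" '
        BEGIN { RS = ""; FS = "\n"; n = split(want, need, " ") }
        {
            split("", have)                       # clear the per-event set
            for (i = 1; i <= NF; i++) have[$i] = 1
            for (j = 1; j <= n; j++) if (!(need[j] in have)) next
            hits++
        }
        END { print hits + 0 }'
}

# Rule as posted: ACTION=="add", ENV{ID_VENDOR}=="Yubico"
sample_events | count_matches ACTION=add ID_VENDOR=Yubico   # prints 3
# Narrowed rule (a suggestion, not from the thread), top-level USB device only:
# ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ENV{ID_VENDOR}=="Yubico"
sample_events | count_matches ACTION=add SUBSYSTEM=usb DEVTYPE=usb_device ID_VENDOR=Yubico   # prints 1
```

To compare against a real insertion, save the output of `udevadm monitor --udev --property` to a file and pipe that file into count_matches in place of sample_events.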

All times are UTC + 1 hour