Yubico Forum https://forum.yubico.com/ |
[linux] Lock\Unlock system with Yubikey removal\insertion https://forum.yubico.com/viewtopic.php?f=8&t=246 |
Author: | bmorgenthaler [ Thu Jan 29, 2009 8:07 pm ] |
Post subject: | [linux] Lock\Unlock system with Yubikey removal\insertion |
I have set up my system with YubiPAM for local authentication and I wanted to go one step further. The following information will make your system lock when your yubikey is removed and bring up the password prompt when you reinsert it.

*** WARNING ***
If you are on a laptop DO NOT remove the uhci-hcd module to save power; if you do, your screen will lock (the yubikey is removed now, right?) and you won't be able to reload the module to allow yourself to log in.

*** INSTRUCTIONS ***
1) Create /etc/udev/rules.d/45-yubikey.rules and put in the following lines.
Code:
ACTION=="add", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010", RUN+="/usr/local/bin/gnome-screensaver-unlock"
ACTION=="remove", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010", RUN+="/usr/local/bin/gnome-screensaver-lock"

2) Create /usr/local/bin/gnome-screensaver-lock and paste the following and chmod a+x the file
Code:
#!/bin/sh
# Find the user logged in on X display $displaynum and point XAUTHORITY
# at that user's .Xauthority file.
getXuser() {
    user=`finger | grep -m1 ":$displaynum " | awk '{print $1}'`
    if [ x"$user" = x"" ]; then
        user=`finger | grep -m1 ":$displaynum" | awk '{print $1}'`
    fi
    if [ x"$user" != x"" ]; then
        userhome=`getent passwd "$user" | cut -d: -f6`
        export XAUTHORITY="$userhome/.Xauthority"
    else
        export XAUTHORITY=""
    fi
}

# Walk the X sockets to find the display number and its user.
for x in /tmp/.X11-unix/*; do
    displaynum=`echo "$x" | sed 's#/tmp/.X11-unix/X##'`
    getXuser
    if [ x"$XAUTHORITY" != x"" ]; then
        # extract current state
        export DISPLAY=":$displaynum"
    fi
done

logger "YubiKey Removed - Locking Workstation"
# Lock the screen as the session user (udev runs this script as root).
su "$user" -c "/usr/bin/gnome-screensaver-command --lock"

3) Create /usr/local/bin/gnome-screensaver-unlock and paste the following and chmod a+x the file
Code:
#!/bin/sh
# Find the user logged in on X display $displaynum and point XAUTHORITY
# at that user's .Xauthority file.
getXuser() {
    user=`finger | grep -m1 ":$displaynum " | awk '{print $1}'`
    if [ x"$user" = x"" ]; then
        user=`finger | grep -m1 ":$displaynum" | awk '{print $1}'`
    fi
    if [ x"$user" != x"" ]; then
        userhome=`getent passwd "$user" | cut -d: -f6`
        export XAUTHORITY="$userhome/.Xauthority"
    else
        export XAUTHORITY=""
    fi
}

# Walk the X sockets to find the display number and its user.
for x in /tmp/.X11-unix/*; do
    displaynum=`echo "$x" | sed 's#/tmp/.X11-unix/X##'`
    getXuser
    if [ x"$XAUTHORITY" != x"" ]; then
        # extract current state
        export DISPLAY=":$displaynum"
    fi
done

logger "YubiKey Inserted - Unlocking Workstation"
# Wake the screensaver as the session user so the password prompt appears.
su "$user" -c "/usr/bin/gnome-screensaver-command --poke"

4) Restart udev.
Code:
sudo /etc/init.d/udev restart

or on older udev installs
Code:
sudo udevcontrol reload_rules

-- Brenden |
Author: | greatguin [ Wed Nov 18, 2009 7:22 am ] |
Post subject: | Re: [linux] Lock\Unlock system with Yubikey removal\insertion |
I set this up but the remove rule didn't work. I'm running karmic which must have changes to udev. I fixed it by changing the remove rule:
Code:
ACTION=="add", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010", RUN+="/usr/local/bin/gnome-screensaver-unlock"
ACTION=="remove", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0010", RUN+="/usr/local/bin/gnome-screensaver-lock"

Also after restarting udev the lock unlock worked but my yubikey stopped generating passwords. Not sure why but I had to do a reboot.

Oh ya, if you want to see what udev events occur when you plug/unplug the yubikey try this:
Code:
udevadm monitor --udev --environment
|
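
One way to check which events an `ENV{ID_VENDOR_ID}`/`ENV{ID_MODEL_ID}` rule like the one in the post above would fire on, given `udevadm monitor --udev --environment` output. This is an added example, not code from any poster in this thread; the sample events are constructed, and `count_matches` and its optional DEVTYPE filter are hypothetical names introduced here.

```shell
#!/bin/sh
# Constructed sample of `udevadm monitor --udev --environment` output for one
# unplug/replug of the key; paths, timestamps and property sets are made up.
SAMPLE_EVENTS='UDEV  [1201.10] remove   /devices/usb1/1-1/1-1:1.0/input/input7 (input)
ACTION=remove
SUBSYSTEM=input
ID_VENDOR_ID=1050
ID_MODEL_ID=0010

UDEV  [1201.12] remove   /devices/usb1/1-1 (usb)
ACTION=remove
DEVTYPE=usb_device
ID_VENDOR_ID=1050
ID_MODEL_ID=0010

UDEV  [1209.40] add      /devices/usb1/1-1 (usb)
ACTION=add
DEVTYPE=usb_device
ID_VENDOR_ID=1050
ID_MODEL_ID=0010

UDEV  [1209.45] add      /devices/usb1/1-1/1-1:1.0/input/input8 (input)
ACTION=add
SUBSYSTEM=input
ID_VENDOR_ID=1050
ID_MODEL_ID=0010'

# count_matches ACTION [DEVTYPE]: read monitor output on stdin and print how
# many events a rule matching the key's vendor/product IDs would fire on.
count_matches() {
    awk -v act="$1" -v devtype="${2:-}" '
        BEGIN { RS = ""; FS = "\n"; n = 0 }   # one blank-line-separated event per record
        {
            split("", env)                    # clear properties of the previous event
            for (i = 1; i <= NF; i++) {
                eq = index($i, "=")           # header lines have no KEY=VALUE and are skipped
                if (eq > 1) env[substr($i, 1, eq - 1)] = substr($i, eq + 1)
            }
            if (env["ACTION"] != act) next
            if (env["ID_VENDOR_ID"] != "1050" || env["ID_MODEL_ID"] != "0010") next
            if (devtype != "" && env["DEVTYPE"] != devtype) next
            n++
        }
        END { print n }'
}

echo "remove, IDs only:        $(printf '%s\n' "$SAMPLE_EVENTS" | count_matches remove)"
echo "remove, usb_device only: $(printf '%s\n' "$SAMPLE_EVENTS" | count_matches remove usb_device)"
```

Each matching event runs the `RUN+=` script once, so in this sample a rule that matches on the IDs alone locks twice per unplug; adding `ENV{DEVTYPE}=="usb_device"` to the rule is one way to narrow it to a single event.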
Author: | akkornel [ Tue Apr 27, 2010 12:55 am ] |
Post subject: | Re: [linux] Lock\Unlock system with Yubikey removal\insertion |
Hello! I am running Ubuntu Hardy (8.04 LTS), and I had to make some changes to get it to work:
That's it! Once I did all of that, everything started working, and I really like it. Thanks very much for making me aware of another way in which I can use my newly-purchased Yubikey! |
Author: | zardoz [ Thu Jul 14, 2011 10:08 pm ] |
Post subject: | Re: [linux] Lock\Unlock system with Yubikey removal\insertio |
At risk of bumping an old topic, I think the following is worth noting. If you run the automatic lock/unlock functionality, don't try and use the Yubikey personalisation tool. When it scans the yubikey for its firmware rev etc, it will effectively disconnect it and lock the screen. Z. |
Author: | webarnes [ Sun Sep 25, 2011 8:05 am ] |
Post subject: | Re: [linux] Lock\Unlock system with Yubikey removal\insertio |
A related script to disable/enable the screen lock in Gnome. It won't unlock the computer if it is locked, but as long as your Yubikey is plugged in, your computer won't lock. The lock is tied to my presence in the apartment, but someone couldn't steal my keys and gain access to my computer. Use the udev method above to run the script.

/usr/local/bin/gnome-lock-disable (on udev "add")
Code:
#!/bin/bash
# Owner of the running gnome-screensaver; [g] keeps grep from matching itself.
user=`ps aux | grep '[g]nome-screensaver' | head -n 1 | awk '{print $1}'`
if [ -n "$user" ]; then
    # Borrow the session bus address from the screensaver's environment.
    GNOME_SCREENSAVER_PROC=`ps xa | grep '[g]nome-screensaver' | head -n 1 | awk '{print $1}'`
    export `grep -z DBUS_SESSION_BUS_ADDRESS /proc/$GNOME_SCREENSAVER_PROC/environ`
    su "$user" -c "gconftool-2 --set /apps/gnome-screensaver/lock_enabled --type bool 0"
fi

/usr/local/bin/gnome-lock-enable (on udev "remove")
Code:
#!/bin/bash
# Owner of the running gnome-screensaver; [g] keeps grep from matching itself.
user=`ps aux | grep '[g]nome-screensaver' | head -n 1 | awk '{print $1}'`
if [ -n "$user" ]; then
    # Borrow the session bus address from the screensaver's environment.
    GNOME_SCREENSAVER_PROC=`ps xa | grep '[g]nome-screensaver' | head -n 1 | awk '{print $1}'`
    export `grep -z DBUS_SESSION_BUS_ADDRESS /proc/$GNOME_SCREENSAVER_PROC/environ`
    su "$user" -c "gconftool-2 --set /apps/gnome-screensaver/lock_enabled --type bool 1"
fi

I like this DBUS_SESSION_BUS_ADDRESS code the best of all the ones I've seen. I got it from http://john.nachtimwald.com/2010/07/25/ ... -in-gnome/ |
Author: | fvieira [ Sat Nov 12, 2011 9:06 pm ] |
Post subject: | Re: [linux] Lock\Unlock system with Yubikey removal\insertio |
If the gnome-screensaver-lock and gnome-screensaver-unlock scripts fail to work for some of you, make sure you have finger installed, or else replace finger with who in the scripts. |
Author: | PH-MJS [ Mon Dec 12, 2011 8:03 pm ] |
Post subject: | Re: [linux] Lock\Unlock system with Yubikey removal\insertio |
Hi all,

I love this feature so much but I have some trouble with it. Maybe you can help me. It seems that it only works when I have a Terminal window open. It doesn't matter if this window is active or not. When I look in the syslog, it shows the following even when it does not work:

Dec 12 19:55:41 PC logger: YubiKey Removed - Locking Workstation
Dec 12 19:55:45 PC logger: YubiKey Inserted - Unlocking Workstation

I'm running Linux Mint 12 64Bit and have Finger installed.

Many thanks in advance, |
Author: | cafuego [ Mon Jun 04, 2012 3:24 am ] |
Post subject: | Re: [linux] Lock\Unlock system with Yubikey removal\insertio |
I'm using 64bit Mint 12 and I've gotten it to work by using the suggested changes to the udev rules:
Code:
ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0010"

and by changing the command to stop the screensaver, as the --poke option no longer exists. You should now use:
Code:
su $user -c "/usr/bin/gnome-screensaver-command --deactivate"

I suspect that these same changes apply to pretty much all distros that use Gnome 3. |
Author: | SphaZ [ Thu Aug 08, 2013 9:03 am ] |
Post subject: | Re: [linux] Lock\Unlock system with Yubikey removal\insertio |
Works pretty well in Kali (Debian based). However, if you use your Yubikey in HMAC-SHA1 challenge-response mode, this will also enable your screensaver when you do "sudo" in a terminal. And I have yet to figure out how to allow unlocking of gnome-screensaver in challenge-response mode. |
Author: | Tom [ Thu Aug 08, 2013 9:45 am ] |
Post subject: | Re: [linux] Lock\Unlock system with Yubikey removal\insertio |
Hello, It would be great if someone could create a neat HOW-TO for this following the guidelines viewtopic.php?f=16&t=918 here... |
All times are UTC + 1 hour |