Yubico Forum

[HOW TO] - [Linux / Debian ] Login, lock/unlock screensaver
Page 1 of 2

Author:  Triqster [ Thu Aug 22, 2013 2:43 pm ]
Post subject:  [HOW TO] - [Linux / Debian ] Login, lock/unlock screensaver

OS: Linux Mint 15 (Cinnamon) | Works on other Debian based distros; remember to change your screensaver command, which might be different depending on the distro
Yubikey: Yubikey II

This is a short guide on how to get your Yubikey to work on Linux (Debian based) with the option to lock/unlock your screen using your Yubikey.

* Login with Yubikey + password required
* Screen unlocking by just inserting your Yubikey (only works after already being logged into the system)
* Single udev rule to fire up a single script
* No screen flickering when using sudo commands; it will check if the key is physically removed rather than a challenge-response trigger.
* Using your Yubikey serial, this prevents other users from unlocking the system with their Yubikey.


Install the following packages:

sudo apt-get install libpam-yubico
sudo apt-get install yubikey-personalization

Execute the following commands for the users you want to be able to log in (using the Yubikey + password combination):

mkdir ~/.yubico
ykpamcfg -2 -v

This should create a file in ~/.yubico/challenge-XXXXXX

Make sure you also do this for your root user!


Edit your pam.d auth file:
Backup your current common-auth file:
sudo cp /etc/pam.d/common-auth /etc/pam.d/common-auth.BAK

sudo vi /etc/pam.d/common-auth (Note might be different when using another distro!)

My common-auth file:
# Use this to use both your password + Yubikey. You can comment this line if you want to JUST use your Yubikey (NOT RECOMMENDED)
auth required pam_unix.so nullok_secure try_first_pass

# The line below is required to be able to use your Yubikey
auth   [success=1 new_authtok_reqd=ok default=die ignore=ignore]   pam_yubico.so mode=challenge-response

# Default rules
auth   requisite         pam_deny.so
auth   required         pam_permit.so
auth   optional         pam_ecryptfs.so unwrap
auth   optional         pam_cap.so

Check if your Yubikey is working: open a new terminal shell and run:
sudo su -

Try executing this with and without the Yubikey; when the Yubikey is removed you should NOT be able to log in!
Only continue if this works. If it doesn't, double-check your common-auth file before continuing.

Yubikey screen lock/unlock:
Create a udev rule to run a script if the Yubikey is inserted, changed or removed:

Get your Yubikey serial (to prevent other users from unlocking your screen):
udevadm monitor --environment --udev

Now insert or remove your Yubikey!

Look for a line like this:

Copy or write your serial down!
(Double-check your ID_MODEL_ID with the above step; this should be 0010 if you're using the same model as me)

sudo vi /etc/udev/rules.d/85-yubikey.rules (Double-check that 85 is the correct rule number for your distro)

Insert the following:
# Yubikey udev rule: running a bash script in case your Yubikey is inserted, removed or triggered by challenge-response
ACTION=="remove|add|change", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0010", ENV{ID_SERIAL_SHORT}=="0001711399", RUN+="/usr/local/bin/yubikey"

Change the following:
ENV{ID_SERIAL_SHORT}=="0001711399" with your own serial number found in the step above

Now create the actual bash script:
sudo vi /usr/local/bin/yubikey

Insert the following code:
#!/bin/bash
# Change this to your own user name (mine is joost)
USERNAME="joost"

# Double checking if the Yubikey is actually removed, Challenge-Response won't trigger the screensaver this way.
result=$(lsusb | grep -e "Yubikey")

if [ $? -ne 0 ]; then
        logger "YubiKey Removed or Changed"
        # Running the Cinnamon screensaver lock command
        /bin/su $USERNAME -c "DISPLAY=:0 /usr/bin/cinnamon-screensaver-command --lock"
else
        # Running the Cinnamon screensaver unlock command
        logger "YubiKey Found, Unlocking screensaver if found"
        /bin/su $USERNAME -c "DISPLAY=:0 /usr/bin/cinnamon-screensaver-command -d"
fi

Make sure you change your user name (mine is joost):

If you're using another distro or graphical Linux shell change the screensaver command:

Reload your udev rules:
sudo udevadm control --reload-rules
sudo service udev reload

Now check if it's working (it should, if followed correctly!)
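
An added example, not the original poster's script: a version of the udev handler that decides what to do from the event environment udev passes to RUN programs (ACTION and ID_SERIAL_SHORT) instead of grepping lsusb, and refuses to act on any key except the one whose serial you recorded, even if the udev rule is loosened later. The serial 0001711399, the user name joost and the Cinnamon commands are taken from the post above; a "change" event (what sudo's challenge-response produces) is deliberately ignored, so there is no flicker.

```shell
#!/bin/sh
# Added example (not the original poster's script): udev RUN handler that
# locks on remove, unlocks on add, ignores change, and only for one serial.
# Assumed values: serial 0001711399 and user "joost" from the post.

EXPECTED_SERIAL="0001711399"   # your key's ID_SERIAL_SHORT from udevadm monitor
OWNER="joost"                  # desktop user whose screensaver is controlled

# yubikey_decide ACTION SERIAL -> prints: lock | unlock | ignore
#   remove -> lock   (key physically pulled)
#   add    -> unlock (key inserted)
#   change -> ignore (challenge-response from sudo; avoids flicker)
# Any serial other than EXPECTED_SERIAL is ignored, so a second Yubikey
# can never unlock this session even if the udev match is widened.
yubikey_decide() {
    action="$1"
    serial="$2"
    if [ "$serial" != "$EXPECTED_SERIAL" ]; then
        echo ignore
        return 0
    fi
    case "$action" in
        remove) echo lock ;;
        add)    echo unlock ;;
        *)      echo ignore ;;
    esac
}

# Only runs when invoked by udev, which exports ACTION, DEVPATH and ID_*.
handle_event() {
    decision=$(yubikey_decide "${ACTION:-}" "${ID_SERIAL_SHORT:-}")
    logger "yubikey udev: action=${ACTION:-} serial=${ID_SERIAL_SHORT:-} -> $decision"
    case "$decision" in
        lock)   su "$OWNER" -c "DISPLAY=:0 cinnamon-screensaver-command --lock" ;;
        unlock) su "$OWNER" -c "DISPLAY=:0 cinnamon-screensaver-command -d" ;;
    esac
}

if [ -n "${ACTION:-}" ] && [ -n "${DEVPATH:-}" ]; then
    handle_event
fi
```

Every decision is written to syslog via logger, so a journal search for "yubikey udev" shows which serial triggered each lock or unlock.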


Author:  mphilipp [ Thu Aug 22, 2013 7:13 pm ]
Post subject:  Re: [HOW TO] - [Linux / Debian ] Login, lock/unlock screensa

Nice writeup!
Stupid question of the week: I assume this only works if you're on the machine itself, so not on a remote server?
Is there a way to get OTP working for remote servers? I have a server in a DC and I do have a generated (not OTP) password+my own added gibberish but it would be cool to protect the remote (putty) logons with an OTP.
Forget it: I did a bit of googling and found http://code.google.com/p/yubico-pam/wik ... dSSHViaPAM. This is what I want.

Author:  Triqster [ Thu Aug 22, 2013 7:56 pm ]
Post subject:  Re: [HOW TO] - [Linux / Debian ] Login, lock/unlock screensa

Posted in the wrong forum section, should be in:
Computer Logon - Windows | Linux | MacOS | freeBSD

Can some mod please move it over there.

Cheers in advance!

Author:  wgwau [ Tue Aug 27, 2013 1:11 pm ]
Post subject:  Re: [HOW TO] - [Linux / Debian ] Login, lock/unlock screensa

I've tried setting this up but whenever I run udev I can't get it to show ID_SERIAL_SHORT. I've turned on USB Descriptor serial # display, but nought. Can you advise?

E: Nevermind, worked out the config wasn't saving automatically.

Author:  PacoBell [ Thu Nov 28, 2013 7:24 am ]
Post subject:  Re: [HOW TO] - [Linux / Debian ] Login, lock/unlock screensa

Wait a sec, I can't seem to find the ID_SERIAL_SHORT after that command, either, and I don't know how to turn on the "USB Descriptor serial # display". The closest I could find is "ID_SERIAL=Yubico_Yubikey_NEO_OTP+CCID", but that's hardly unique. Is this a known issue with Neos?

Author:  Tom [ Thu Nov 28, 2013 9:12 am ]
Post subject:  Re: [HOW TO] - [Linux / Debian ] Login, lock/unlock screensa

Firmware version?

Author:  yubidoobydoo [ Tue Jan 07, 2014 1:12 am ]
Post subject:  Re: [HOW TO] - [Linux / Debian ] Login, lock/unlock screensa

For those playing along at home, you need to enable USB Descriptor and HMAC-SHA1 Challenge-Response on Slot II.

Screenshots from the Yubikey personalisation tool

  • Select Challenge-Response tab
  • Select HMAC-SHA1
[Screenshot: Challenge Response.png]

  • Select Configuration Slot 2
  • Click Generate
  • Click Write Configuration
[Screenshot: Program.png]

Author:  yubidoobydoo [ Tue Jan 07, 2014 1:18 am ]
Post subject:  Re: [HOW TO] - [Linux / Debian ] Login, lock/unlock screensa

  • Click settings
  • Enable USB Descriptor
  • Click Update Settings

[Screenshot: USB Descriptor.png]

  • Select Configuration slot 2
  • Click update
[Screenshot: Update Settings.png]

Now follow the guide posted above.

Author:  Aggraxis [ Sat Mar 22, 2014 4:54 am ]
Post subject:  Re: [HOW TO] - [Linux / Debian ] Login, lock/unlock screensa

I just got my YubiKey a couple of days ago and came across this guide. I just wanted to pass on that I managed to pull this off (including the screen lock/unlock part). I have dabbled with Linux on and off over the years, so I'm not what you'd call an expert... just crazy enough to go poking until something breaks. :)

I followed these instructions to set up my ultrabook. Everything works as described in this guide. Thank you guys very much for putting this info out there for us to find. I really appreciate the help.


Author:  Videl [ Tue Apr 22, 2014 4:23 pm ]
Post subject:  Re: [HOW TO] - [Linux / Debian ] Login, lock/unlock screensa

Hello guys, so I tried it and it worked perfectly until I restarted.
The error message was "Insufficient permissions" when authenticating with the Yubico key. I have an encrypted home partition, so I thought it was because of that but even when trying to log with root, I had the same error message.

Anyone have any idea?

Thank you guys for the tutorial nonetheless, really handy. I will probably try it on other computers.
