Yubico Forum

I have setup my system with YubiPAM for local authentication and I wanted to go one step further. The following information will make your system lock when your yubikey is removed and bring up the password prompt when you reinsert it.

*** WARNING ***
If you are on a laptop DO NOT remove the uhci-hcd module to save power, if you do your screen will lock (the yubikey is removed now, right?) and you won't be able to reload the module to allow yourself to login.

*** INSTRUCTIONS ***
1) Create /etc/udev/rules.d/45-yubikey.rules and put in the following lines.


2) Create /usr/local/bin/gnome-screensaver-lock and paste the following and chmod a+x the file


3) Create /usr/local/bin/gnome-screensaver-unlock and paste the following and chmod a+x the file


4) Restart udev.
or on older udev installs


--
Brenden

I set this up but the remove rule didn't work. I'm running karmic which must have changes to udev. I fixed it by changing the remove rule:

Also after restarting udev the lock unlock worked but my yubikey stopped generating passwords. Not sure why but I had to do a reboot.

Oh ya, if you want to see what udev events occur when you plug/unplug the yubikey try this:

Hello!

I am running Ubuntu Hardy (8.04 LTS), and I had to make some changes to get it to work:

• Move udev rules file
  
  I renamed the file from 45-yubikey.rules to 85-yubikey.rules.
  
  I did this rename according to the instructions I found at /etc/udev/rules.d/README:
  
  
  Quote:
  <<<snip>>>
  
  Files should be named xx-descriptive-name.rules, the xx should be
  chosen first according to the following sequence points:
  
  <<<snip>>>
  
  40 rules that set the permissions of device nodes
  (can be overriden by later rules)
  
  <<<snip>>>
  
  80 rules that run programs (but do not load modules)
  
  <<<snip>>>
  
  Packages should chose the approriate sequence point and add 5 to it
  (e.g. 25-iftab.rules, 45-libsane.rules, etc.) unless there is a need
  for a particular order.
  
  
• Use ID_VENDOR for rules matching
  
  Looking around the environment, it looks like the ID_VENDOR environment variable contains the vendor name in string form. When the device is connected or removed, the vendor name is "Yubico". I just match on that, instead of matching on a vendor & product ID.
  
  Here are the rules I'm using now:
  
  
  Code:
  ACTION=="remove", ENV{ID_VENDOR}=="Yubico", RUN+="/usr/local/bin/gnome-screensaver-lock"
  ACTION=="add", ENV{ID_VENDOR}=="Yubico", RUN+="/usr/local/bin/gnome-screensaver-unlock"
  
  
• Set DBUS_SESSION_BUS_ADDRESS for lock/poke command to work
  
  With the script provided, every time I tried to run it, I would get the error "Screensaver not running", even though the gnome-screensaver process was running.
  
  After some testing, it appears that the gnome-screensaver-command command uses D-Bus for communications, and that it needs the DBUS_SESSION_BUS_ADDRESS environment variable set in order to know how to communicate with D-Bus.
  
  DBUS_SESSION_BUS_ADDRESS is set when D-Bus is launched, presumably on user login, but it isn't included as part of root's environment. However, since the gnome-screensaver daemon process uses D-Bus, it must have the DBUS_SESSION_BUS_ADDRESS variable as part of its local environment. Therefore, I added the following two lines to /usr/local/bin/gnome-screensaver-lock and /usr/local/bin/gnome-screensaver-unlock:
  
  
  Code:
  GNOME_SCREENSAVER_PROC=`ps xa | grep gnome-screensaver | head -n 1 | perl -p -e '$_=join(",", (split)[0]);'`
  export `grep -z DBUS_SESSION_BUS_ADDRESS /proc/$GNOME_SCREENSAVER_PROC/environ`
  
  
  The lines were added above the "logger" line, very close to the end of the file.
  
  The first line goes through the list of all processes on the system, looks for the gnome-screensaver process, and extracts the process ID (which should be the first number on the first line of the output). This line is where things are likely to break on other systems, and I wouldn't be surprised if this breaks on systems where multiple users are logged in.
  
  The second line takes the discovered process ID, pulls the process's environment, pulls out the DBUS_SESSION_BUS_ADDRESS variable, and sticks it into the session's environment, to be used by the gnome-screensaver-command at the end of the script.

That's it! Once I did all of that, everything started working, and I really like it. Thanks very much for making me aware of another way in which I can use my newly-purchased Yubikey!

At risk of bumping an old topic, I think the following is worth noting.

If you run the automatic lock/unlock functionality, don't try and use the Yubikey personalisation tool.
When it scans the yubikey for its firmware rev etc, it will effectively disconnect it and lock the screen.

Z.

A related script to disable/enable the screen lock in Gnome. It won't unlock the computer if it is locked, but as long as your Yubikey is plugged in, you computer won't lock. The lock is tied to my presence in the apartment, but someone couldn't steal my keys and gain access to my computer.

Use the udev method above to run the script.

/usr/local/bin/gnome-lock-disable (on udev "add")



/usr/local/bin/gnome-lock-enable (on udev "remove")



I like this DBUS_SESSION_BUS_ADDRESS code the best of all the ones I've seen. I got it from http://john.nachtimwald.com/2010/07/25/ ... -in-gnome/

If the gnome-screensaver-lock and gnome-screensaver-unlock scripts fail to work for some of you, make sure you have finger installed, or else replace finger with who in the scripts.

Hi all,

I love this feature so much but I've some troubles with it. Maybe you can help me.
It seems that it only works when I've opened a Terminal window. it doesn't matter if this window is active or not.

When I look in the syslog it shows even if it does not works:
Dec 12 19:55:41 PC logger: YubiKey Removed - Locking Workstation
Dec 12 19:55:45 PC logger: YubiKey Inserted - Unlocking Workstation

I'm running Linux Mint 12 64Bit and Finger installed.

Many thanks in advance,

I'm using 64bit Mint 12 and I've gotten it to work by using the suggested changes to the udev rules:



and by changing the command to stop the screensaver, as the --poke option no longer exists. You should now use:



I suspect that these same changes apply to pretty much all distros that use Gnome 3.

Works pretty well in Kali (Debian based)

However if you use your Yubikey in HMAC-SHA1 challenge-response mode; this will also enable your screensaver when you do "sudo" in a terminal. And I have yet to figure out how to allow unlocking of gnome-screensaver in challenge-response mode

Hello,

It would be great is someone could create a neat HOW-TO for this following the guidelines viewtopic.php?f=16&t=918 here...

_________________
-Tom