From b856595ba0e413d582bc7838ac95e331a7244191 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Wed, 22 Jul 2015 03:57:31 +0200 Subject: [PATCH] yubikey: add screen locking instruction --- YubiKey.md | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/YubiKey.md b/YubiKey.md index 62ac3e0f..8f8b5e37 100644 --- a/YubiKey.md +++ b/YubiKey.md 
@@ -92,3 +92,44 @@ When everything is ok, your screen will be unlocked. In any case you can still use your login password, but do it in secure location where no one can snoop your password. + +Locking the screen when YubiKey is removed +------------------------------------------ + +You can setup your system to automatically lock the screen when you unplug +YubiKey. This will require creating simple qrexec service which will expose +ability to lock the screen to your USB VM, and then adding udev hook to +actually call that service. + +1. First configure the qrexec service. Create `/etc/qubes-rpc/custom.LockScreen` (in dom0) + with simple command to lock the screen. In case of xscreensaver (used in Xfce) + it would be: + + DISPLAY=:0 xscreensaver-command -lock + +2. Allow your USB VM to call that service. Assuming that its named `sys-usb` it +would require creating `/etc/qubes-rpc/policy/custom.LockScreen` with: + + sys-usb dom0 allow + +3. Create udev hook in your USB VM. Store it in `/rw/config` to have it +persistent across VM restarts. For example name the file +`/rw/config/yubikey.rules`. Write there single line: + + ACTION=="remove", SUBSYSTEM=="usb", ENV{ID_SECURITY_TOKEN}=="1", RUN+="/usr/bin/qrexec-client-vm dom0 custom.LockScreen" + +4. Ensure that the udev hook is placed in the right place after VM restart. Append to `/rw/config/rc.local`: + + ln -s /rw/config/yubikey.rules /etc/udev/rules.d/ + udevadm control --reload + + Then make `/rw/config/rc.local` executable. For changes to take effect, you + need to call this script manually for the first time. + +If you use KDE, the command(s) in first step would be different: + + # In case of USB VM being autostarted, it will not have direct access to D-Bus + # session bus, so find its address manually: + kde_pid=`pidof kdeinit4` + export `cat /proc/$kde_pid/environ|grep -ao 'DBUS_SESSION_BUS_ADDRESS=[[:graph:]]*'` + qdbus org.freedesktop.ScreenSaver /ScreenSaver Lock
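Review bot: step 1 of the new section tells the reader to create `/etc/qubes-rpc/custom.LockScreen` in dom0 but never says to give it a `#!/bin/sh` line and make it executable, while step 4 does say that for `/rw/config/rc.local`; qrexec executes the service file directly, so without the executable bit the udev rule in step 3 fires and nothing locks. Suggest adding "make the file executable" to step 1. The section should also state what this mechanism does and does not guarantee: the `sys-usb dom0 allow` policy line in step 2 lets an untrusted USB VM trigger a screen lock at will (an availability nuisance at worst), and because the trigger lives entirely in that VM, a compromised or crashed sys-usb simply never calls the service, so the lock is a convenience on top of the existing login password rather than a security boundary. In the KDE variant, `kde_pid=\`pidof kdeinit4\`` can return several PIDs, which breaks `/proc/$kde_pid/environ`; `pidof -s kdeinit4` returns a single one. Minor wording: "Assuming that its named" should be "it's named".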