mirror of
https://github.com/QubesOS/qubes-doc.git
synced 2024-10-01 01:25:40 -04:00
yubikey: add screen locking instruction
This commit is contained in:
parent
d019dca8ee
commit
b856595ba0
41
YubiKey.md
41
YubiKey.md
@ -92,3 +92,44 @@ When everything is ok, your screen will be unlocked.
|
||||
|
||||
In any case you can still use your login password, but do it in secure location
|
||||
where no one can snoop your password.
|
||||
|
||||
Locking the screen when YubiKey is removed
|
||||
------------------------------------------
|
||||
|
||||
You can setup your system to automatically lock the screen when you unplug
|
||||
YubiKey. This will require creating simple qrexec service which will expose
|
||||
ability to lock the screen to your USB VM, and then adding udev hook to
|
||||
actually call that service.
|
||||
|
||||
1. First configure the qrexec service. Create `/etc/qubes-rpc/custom.LockScreen` (in dom0)
|
||||
with simple command to lock the screen. In case of xscreensaver (used in Xfce)
|
||||
it would be:
|
||||
|
||||
DISPLAY=:0 xscreensaver-command -lock
|
||||
|
||||
2. Allow your USB VM to call that service. Assuming that its named `sys-usb` it
|
||||
would require creating `/etc/qubes-rpc/policy/custom.LockScreen` with:
|
||||
|
||||
sys-usb dom0 allow
|
||||
|
||||
3. Create udev hook in your USB VM. Store it in `/rw/config` to have it
|
||||
persistent across VM restarts. For example name the file
|
||||
`/rw/config/yubikey.rules`. Write there single line:
|
||||
|
||||
ACTION=="remove", SUBSYSTEM=="usb", ENV{ID_SECURITY_TOKEN}=="1", RUN+="/usr/bin/qrexec-client-vm dom0 custom.LockScreen"
|
||||
|
||||
4. Ensure that the udev hook is placed in the right place after VM restart. Append to `/rw/config/rc.local`:
|
||||
|
||||
ln -s /rw/config/yubikey.rules /etc/udev/rules.d/
|
||||
udevadm control --reload
|
||||
|
||||
Then make `/rw/config/rc.local` executable. For changes to take effect, you
|
||||
need to call this script manually for the first time.
|
||||
|
||||
If you use KDE, the command(s) in first step would be different:
|
||||
|
||||
# In case of USB VM being autostarted, it will not have direct access to D-Bus
|
||||
# session bus, so find its address manually:
|
||||
kde_pid=`pidof kdeinit4`
|
||||
export `cat /proc/$kde_pid/environ|grep -ao 'DBUS_SESSION_BUS_ADDRESS=[[:graph:]]*'`
|
||||
qdbus org.freedesktop.ScreenSaver /ScreenSaver Lock
|
||||
|
Loading…
Reference in New Issue
Block a user