Locking your screen when you remove your U2F device

10.06.2020 | Johannes Kastl in howto

Screen locking basics

Every window manager out there has a command that tells it to lock your screen. In my case, using KDE Plasma 5.18 with LightDM on openSUSE Tumbleweed, this is light-locker-command -l.

This command needs to be run as your user, with a few details about your desktop session set in the environment. Something along these lines:

sudo -u "my_user" DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus DISPLAY=:0 light-locker-command -l

So, now we just need to figure out a way to run that command as soon as the device is removed. udev to the rescue…

udev basics

On most Linux distributions, udev is responsible for “stuff that involves hardware”. For us, that means that udev can watch for a certain device to be removed, and trigger some actions (like running a script).

To avoid writing lots of rules, the easiest way is to extend the udev rule from the previous article so that it not only allows users access to the U2F key's device nodes but also attaches a label to that device. Then, if a device carrying this label is removed, udev triggers the screen-locking script.

Labelling a device

Create a udev rule (or modify the one from the previous article) that labels your device as "Yes, I want my screen to be locked if this device is removed". This is done by adding an ENV{engage_screenlock}="yes" assignment.

KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="2ccf", ATTRS{idProduct}=="0880", TAG+="uaccess", GROUP="u2f_users", MODE="0660", ENV{engage_screenlock}="yes"

Of course, the values for idVendor and idProduct need to be adjusted to your U2F device. You will find the IDs of many devices in the udev rule from the official documentation.

Running a script on device removal

With the following udev rule, a script is run as soon as a device labelled engage_screenlock is removed.

SUBSYSTEM=="hidraw", ACTION=="remove", ENV{engage_screenlock}=="yes", RUN+="/usr/local/bin/u2f-lock-screen.sh"

Create the script that does the screen locking

The script that does the actual locking is based on the one I found here.

#!/bin/bash

# Hotkey that suppresses the lock: hold it while unplugging the device
HOTKEY="KEY_LEFTSHIFT"

# Check whether the hotkey is being held during the lock attempt.
# evtest --query exits non-zero while the key is pressed, so in that
# case we exit (i.e. do nothing) before locking.
kbd_devices="$(grep -E '^H:.* kbd ' /proc/bus/input/devices | sed 's/.*event\([0-9]\+\).*/event\1/')"
for event_dev in ${kbd_devices}; do
    evtest --query "/dev/input/${event_dev}" EV_KEY "${HOTKEY}" || exit 0
done

# Write message to system log
/usr/bin/logger "Screen locked because Yubikey/U2F-Key has been disconnected."

# Lock the screen. udev runs this script as root, so switch to the desktop
# user; replace "my_user" and the uid 1000 in the bus path with your own.
sudo -u "my_user" DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus DISPLAY=:0 light-locker-command -l

exit 0
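To check the two udev rules and the keyboard-discovery step of the script before installing anything, here is an added example (my own, not code from the original post): a function that prints both rules for a given idVendor/idProduct pair and lock-script path, and a function that runs the grep/sed pair from the script over constructed text in the format of /proc/bus/input/devices. The discovery function generalizes the script slightly: it matches "[= ]kbd " instead of " kbd ", so handler lists that start with kbd are found too. The sample devices and their IDs are constructed; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: generate the two udev rules for a
# given U2F device and reproduce the keyboard discovery from the lock script on
# sample data, so both can be checked before installing anything.

# Print the access+label rule and the removal rule for one device.
# $1 = idVendor, $2 = idProduct (hex, as shown by lsusb), $3 = lock script path
u2f_udev_rules() {
    vendor="$1"; product="$2"; script="$3"
    printf '%s\n' \
        "KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"${vendor}\", ATTRS{idProduct}==\"${product}\", TAG+=\"uaccess\", GROUP=\"u2f_users\", MODE=\"0660\", ENV{engage_screenlock}=\"yes\"" \
        "SUBSYSTEM==\"hidraw\", ACTION==\"remove\", ENV{engage_screenlock}==\"yes\", RUN+=\"${script}\""
}

# Read text in the format of /proc/bus/input/devices from stdin and print the
# eventN name of every handler list that contains "kbd". The original script
# matches " kbd " only; "[= ]kbd " also catches lists that begin with kbd.
# [0-9][0-9]* is the POSIX spelling of the script's [0-9]\+.
kbd_event_devices() {
    grep -E '^H:.*[= ]kbd ' | sed 's/.*event\([0-9][0-9]*\).*/event\1/'
}

# Constructed sample (IDs made up): an internal keyboard, a mouse without a
# kbd handler, and a USB keyboard whose handler list starts with kbd.
SAMPLE_INPUT_DEVICES='I: Bus=0011 Vendor=0001 Product=0001 Version=ab41
N: Name="AT Translated Set 2 keyboard"
H: Handlers=sysrq kbd event3 leds
B: EV=120013

I: Bus=0003 Vendor=1234 Product=0001 Version=0111
N: Name="Example USB Mouse"
H: Handlers=mouse0 event5
B: EV=17

I: Bus=0003 Vendor=1234 Product=0002 Version=0110
N: Name="Example USB Keyboard"
H: Handlers=kbd event7 leds
B: EV=120013
'

# Stand-alone run: show the rules for the device IDs used in the post and the
# keyboard event devices found in the sample.
u2f_udev_rules 2ccf 0880 /usr/local/bin/u2f-lock-screen.sh
printf '%s' "$SAMPLE_INPUT_DEVICES" | kbd_event_devices
```

Run it once with your own IDs and redirect the first function's output into a file under /etc/udev/rules.d/ if it looks right; feed the real /proc/bus/input/devices into the second function to see which event devices the hotkey check will query on your machine.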

Putting it all together

After creating all rules and the script, reload udev using systemctl reload systemd-udevd, then try removing your device.

For those wondering what the HOTKEY="KEY_LEFTSHIFT" in the script is used for: if you want to remove your U2F device but do not want to lock your screen, just hold the left SHIFT key while removing the device.

Johannes Kastl
Johannes is a Linux trainer and consultant and has been with B1 Systems since 2017. His topics include configuration management (Ansible, Salt, Chef, Puppet), version control (git), Infrastructure as Code (Terraform) and automation (Jenkins) as well as testing (Inspec, anyone?). At daytime he works as a sysadmin and fixes problems, at night he tries new technologies like Kubernetes (openSUSE Kubic!), podman or transactional-updates.

Do you have comments or questions? Contact us at blog%b1-systems.de