├── .gitignore ├── 95-yubikey-hotplug.rules ├── COPYING ├── PKGBUILD ├── README.md ├── yubikey-hotplug └── yubikey-hotplug.install /.gitignore: -------------------------------------------------------------------------------- 1 | *.pkg.tar.xz 2 | -------------------------------------------------------------------------------- /95-yubikey-hotplug.rules: -------------------------------------------------------------------------------- 1 | ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0116", RUN+="/usr/bin/yubikey-hotplug connect" 2 | ACTION=="remove", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0116", RUN+="/usr/bin/yubikey-hotplug disconnect" 3 | 4 | -------------------------------------------------------------------------------- /COPYING: -------------------------------------------------------------------------------- 1 | Copyright (c) 2017 Dan Fuhry 2 | 3 | THE MIT LICENSE 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /PKGBUILD: -------------------------------------------------------------------------------- 1 | pkgname=yubikey-hotplug 2 | pkgver=1 3 | pkgrel=1 4 | pkgdesc="udev hotplug event for Yubikey devices" 5 | arch=('any') 6 | url="https://github.com/fuhry/yubikey-hotplug" 7 | license=('MIT') 8 | depends=('bash' 'yubikey-manager') 9 | source=('yubikey-hotplug' '95-yubikey-hotplug.rules') 10 | install='yubikey-hotplug.install' 11 | sha256sums=('b4b351492b0ed2acea010d3103624f82349d7752f7bfbf6ccac246b931bc5c8c' 12 | '0b314b6da0b6674a5440c80112a00f0edce2713d8e104b35966a0e67336e03d7') 13 | 14 | package() { 15 | install -d -m0755 "${pkgdir}/etc/udev/rules.d" 16 | install -m0644 "${srcdir}/95-yubikey-hotplug.rules" "${pkgdir}/etc/udev/rules.d/" 17 | install -d -m0755 "${pkgdir}/usr/bin" 18 | install -m0755 "${srcdir}/yubikey-hotplug" "${pkgdir}/usr/bin/" 19 | } 20 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # `yubikey-hotplug`: Automatic screen lock/unlock for Yubikeys 2 | 3 | This is a small script that allows the running desktop environment's screensaver to be locked/unlocked based on hotplug events of a Yubikey. It has the following features: 4 | 5 | * Fast and responsive, triggered via a udev hook 6 | * Confined to specific Yubikey serial numbers per-user 7 | * No root access required for configuration 8 | * Secure - workstation cannot be unlocked with a yubikey if it was unplugged while the PC was locked 9 | 10 | ## Dependencies 11 | 12 | This utility depends on `yubikey-manager` which is available in the Arch Linux `community` repository. 13 | 14 | ## Setup 15 | 16 | To configure `yubikey-hotplug`, all you need to do is write your Yubikey's serial number to a file in your home directory: 17 | 18 | ``` 19 | mkdir -p ~/.config/yubikey-hotplug 20 | echo 1234567 > ~/.config/yubikey-hotplug/serials 21 | ``` 22 | 23 | If you don't know your Yubikey's serial number, use `ykman info` to get it. If `ykman` can't figure out what it is then this program will not work, as it uses `ykman` to query the Yubikey's serial number. Note that some very old Yubikeys do not have serial numbers. 24 | 25 | ## Security 26 | 27 | Unlike other attributes, the serial number is completely burned into the Yubikey and no two will ever be the same. It is theoretically possible to make a fake device with the same hwid and API as a Yubikey. There is no challenge-response or other secret key based authentication that occurs when the system verifies the Yubikey's serial number. So keep this in mind, this utility is a convenience aid and not a replacement for proper workstation security. 28 | 29 | The utility will check if the screensaver is locked when a Yubikey is unplugged. If it is, it will create a flag file (`~/.config/yubikey-hotplug/require-unlocked-plugin`) which signals that plugging the Yubikey back in should not unlock the workstation. The use case for this is perhaps you left your workstation unattended and forgot to take your Yubikey with you - this protects you from an attacker unplugging your Yubikey and immediately plugging it back in. **If you unplug your Yubikey while your workstation is locked, you must unlock it and then reconnect the Yubikey to automatically delete the flag file.** 30 | 31 | ## Limitations 32 | 33 | The utility currently works only on MATE, an issue will be opened to track progress on support for other desktop environments. 34 | 35 | ## Author/License 36 | 37 | Written by Dan Fuhry . 38 | 39 | MIT licensed; please see the [COPYING file](COPYING). 40 | -------------------------------------------------------------------------------- /yubikey-hotplug: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ykserial() 4 | { 5 | export LANG=en_US.UTF-8 6 | ykman info | grep '^Serial number:' | cut -d: -f2 | tr -dc '[0-9]' 7 | } 8 | 9 | foreach_passwd() 10 | { 11 | call="$1" 12 | while read line; do 13 | IFS=: line=($line) 14 | user="${line[0]}" 15 | password="${line[1]}" 16 | uid="${line[2]}" 17 | gid="${line[3]}" 18 | gecos="${line[4]}" 19 | home="${line[5]}" 20 | loginshell="${line[6]}" 21 | 22 | eval $call 23 | done < /etc/passwd 24 | } 25 | 26 | get_xscreen() 27 | { 28 | who | egrep "^${1}\b" | egrep -q '\(:[0-9]+\)$' | tr -d '()' 29 | return $? 30 | } 31 | 32 | unlock() 33 | { 34 | test -d "$home/.config/yubikey-hotplug" || return 0 35 | screen=$(get_xscreen "$user") 36 | [ $? -ne 0 ] && return 0 37 | if fgrep -qx $serial "$home/.config/yubikey-hotplug/serials" ; then 38 | flag_file="$home/.config/yubikey-hotplug/require-unlocked-plugin" 39 | screensaver_command="/usr/bin/env DISPLAY=${screen} XAUTHORITY=/run/user/$uid/gdm/Xauthority DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$uid/bus mate-screensaver-command" 40 | screensaver_state=$(su "$user" -c "$screensaver_command -q" | egrep -o '\b(in)?active\b') 41 | if [ -f "$flag_file" ]; then 42 | if [ "$screensaver_state" = "active" ]; then 43 | logger -p kern.info "Refusing to unlock $user's screen as their yubikey was removed while the screensaver was active." 44 | elif [ "$screensaver_state" = "inactive" ]; then 45 | logger -p kern.info "$user's Yubikey inserted while screen unlocked. Removing flag file to re-enable Yubikey unlock." 46 | rm -f "$flag_file" 47 | fi 48 | elif [ "$screensaver_state" = "active" ]; then 49 | logger -p kern.info "Unlocking screen for user $user ($uid) due to Yubikey connect" 50 | su "$user" -c "$screensaver_command -d" 51 | elif [ "$screensaver_state" = "inactive" ]; then 52 | logger -p kern.info "Yubikey connected but $user's screen is not locked. Doing nothing." 53 | fi 54 | fi 55 | } 56 | 57 | lock() 58 | { 59 | test -d "$home/.config/yubikey-hotplug" || return 0 60 | screen=$(get_xscreen "$user") 61 | [ $? -ne 0 ] && return 0 62 | screensaver_command="/usr/bin/env DISPLAY=${screen} XAUTHORITY=/run/user/$uid/gdm/Xauthority DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$uid/bus mate-screensaver-command" 63 | screensaver_state=$(su "$user" -c "$screensaver_command -q" | egrep -o '\b(in)?active\b') 64 | flag_file="$home/.config/yubikey-hotplug/require-unlocked-plugin" 65 | if [ "$screensaver_state" = "active" ]; then 66 | logger -p kern.info "Yubikey unplugged while $user's screensaver was active. The user must plug their Yubikey in while the screen is unlocked to reenable unlocking." 67 | touch "$flag_file" 68 | chown $uid:$gid "$flag_file" 69 | elif [ "$screensaver_state" = "inactive" -a ! -f "$flag_file" ]; then 70 | logger -p kern.info "Locking screen for user $user ($uid) due to Yubikey disconnect" 71 | su "$user" -c "$screensaver_command -l" 72 | elif [ "$screensaver_state" = "inactive" -a -f "$flag_file" ]; then 73 | logger -p kern.info "Ignoring Yubikey disconnect as flag file exists. Reconnect Yubikey while screen is unlocked to re-enable yubikey-hotplug." 74 | fi 75 | } 76 | 77 | case "$1" in 78 | connect) 79 | serial= 80 | for ((i=0; i<5; i++)); do 81 | serial=`ykserial` 82 | [ -n "$serial" ] && break 83 | sleep 1 84 | done 85 | if [ -z "$serial" ]; then 86 | logger -p kern.warn "Yubikey connected but unable to determine its serial number." 87 | exit 1 88 | fi 89 | logger -p kern.notice "Yubikey connected, serial #${serial}" 90 | foreach_passwd unlock 91 | ;; 92 | disconnect) 93 | logger -p kern.notice "Yubikey disconnected" 94 | foreach_passwd lock 95 | ;; 96 | *) 97 | echo "Usage: $0 (connect|disconnect)" 98 | ;; 99 | esac 100 | -------------------------------------------------------------------------------- /yubikey-hotplug.install: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | post_install() { 4 | udevadm control --reload-rules 5 | 6 | echo ">> Note! To use yubikey-hotplug, write the serial number (1 per" 7 | echo ">> line) of your yubikey(s) to the file:" 8 | echo ">> ~/.config/yubikey-hotplug/serials" 9 | } 10 | --------------------------------------------------------------------------------