Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Lock/unlock user session on Linux with Yubikey
# Yubikey Udev Rule: running a bash script in case your Yubikey is inserted/removed
ACTION=="add", ENV{PRODUCT}=="1050/407/511", ENV{DEVTYPE}=="usb_device", RUN+="/usr/local/bin/pam-session-locker.sh unlock"
ACTION=="remove", ENV{PRODUCT}=="1050/407/511", ENV{DEVTYPE}=="usb_device", RUN+="/usr/local/bin/pam-session-locker.sh lock"

Lock/unlock user session on Linux with Yubikey

The goal is prevent phisical access to a Linux desktop system, when the user is not in front of the machine. User presence would be validated by checking a pre-configured, USB connected Yubikey device.

Locking happens when the Yubikey device is removed and unlocking occurs as soon as the device is inserted. Locking does not use any security feature of the Yubikey, while unlocking relies on the HMAC-SHA1 or OTP challenge-response functionality provided by the device.

Prerequsite

Required software to be installed

At least one Yubikey needs to be configured for challenge-response mode. To do this setup a free slot of the device for this mode and make sure that touch of the button is disabled for that slot.

Example: setup HMAC-SHA1 for slot #2, using the Yubico Personalisation tool.

ykpersonalize -v -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible

Save the challenge-response secret for the user you want to use this feature. The following command will create a file like ~/.yubico/challenge-1234567 with the necesary security data.

ykpamcfg -2 -A add_hmac_chalresp

Make sure the configuration is not readable by others:

chown 0700 ~/.yubico

Setup screen locking

  1. Add new service to PAM

Create the /etc/pam.d/session-locker file and make sure it's owned by root and writable only by root.

chown root: /etc/pam.d/session-locker
chmod 644 /etc/pam.d/session-locker
  1. Add new rule to udev

Create the file /etc/udev/rules.d/85-yubikey.rules file and make sure it's owned by root and writable only by root.

chown root: /etc/udev/rules.d/85-yubikey.rules
chmod 644 /etc/udev/rules.d/85-yubikey.rules
  1. Install the control shell script

Create the file /usr/local/bin/pam-session-locker.sh file and make sure it's owned by root and writable only by root. Also set the executable flag on the file.

chown root: /usr/local/bin/pam-session-locker.sh
chmod 755 /usr/local/bin/pam-session-locker.sh
#!/usr/bin/env bash
do_lock()
{
/usr/bin/loginctl lock-sessions --no-ask-password
}
do_unlock()
{
/usr/bin/pamtester session-locker $USER authenticate && /usr/bin/loginctl unlock-sessions --no-ask-password
}
get_current_user()
{
/usr/bin/loginctl show-session -p Name $(/usr/bin/loginctl list-sessions --no-legend | awk '{ print $1 }') | awk -F '=' '{ print $2 }'
}
USER=$(get_current_user)
ACTION=$1
case $ACTION in
"lock")
do_lock
;;
"unlock")
do_unlock
;;
esac
auth required pam_yubico.so mode=challenge-response
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment