The goal is prevent phisical access to a Linux desktop system, when the user is not in front of the machine. User presence would be validated by checking a pre-configured, USB connected Yubikey device.
Locking happens when the Yubikey device is removed and unlocking occurs as soon as the device is inserted. Locking does not use any security feature of the Yubikey, while unlocking relies on the HMAC-SHA1 or OTP challenge-response functionality provided by the device.
Required software to be installed
At least one Yubikey needs to be configured for challenge-response mode. To do this setup a free slot of the device for this mode and make sure that touch of the button is disabled for that slot.
Example: setup HMAC-SHA1 for slot #2, using the Yubico Personalisation tool.
ykpersonalize -v -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
Save the challenge-response secret for the user you want to use this feature. The following command will create a file like ~/.yubico/challenge-1234567 with the necesary security data.
ykpamcfg -2 -A add_hmac_chalresp
Make sure the configuration is not readable by others:
chown 0700 ~/.yubico
- Add new service to PAM
Create the /etc/pam.d/session-locker file and make sure it's owned by root and writable only by root.
chown root: /etc/pam.d/session-locker
chmod 644 /etc/pam.d/session-locker
- Add new rule to udev
Create the file /etc/udev/rules.d/85-yubikey.rules file and make sure it's owned by root and writable only by root.
chown root: /etc/udev/rules.d/85-yubikey.rules
chmod 644 /etc/udev/rules.d/85-yubikey.rules
- Install the control shell script
Create the file /usr/local/bin/pam-session-locker.sh file and make sure it's owned by root and writable only by root. Also set the executable flag on the file.
chown root: /usr/local/bin/pam-session-locker.sh
chmod 755 /usr/local/bin/pam-session-locker.sh