Yubikey Lock PC and Close terminal sessions when removed

Locking your PC when you walk away is super important so someone can't mess with your PC while you are away. It's usually just a co-worker messing with your background or icons, BUT it could have serious consequences if a bad actor were to get on your PC unattended. Since I use my Yubikey for 2FA I wanted to take an extra step and have my PC lock and close all my terminal sessions when I remove the Yubikey. I found a post here that I followed for getting the screen to lock, but I added the extra step of closing my terminal windows. Here are the steps I followed:

First I needed to get the vendor ID and model ID of my Yubikey 5 NFC (if you have the same model you can PROBABLY use the same info as me, but if it's a different model this is how you find it). First plug in your Yubikey and then from a terminal type:

sudo udevadm monitor --environment --udev

Now remove the Yubikey and look at the output (you can kill the command at this point with Ctrl+C). The output is very long, but somewhere towards the top you should see something similar to this:

We are looking for the ID_VENDOR_ID (1050) and ID_MODEL_ID (0407, or 407 if you drop the leading 0). Now let's take this info and put it into a file called 20-yubikey.rules located in /etc/udev/rules.d/. The file should look like this:

ACTION=="remove", ENV{DEVTYPE}=="usb_device", ENV{SUBSYSTEM}=="usb", ENV{PRODUCT}=="1050/407/*", RUN+="/home/user/lockscreen.sh"

The important part to change, if you have a different model, is ENV{PRODUCT}=="1050/407/*": 1050 is the vendor ID and 407 is the model. Also, RUN+="/home/user/lockscreen.sh" should point to wherever you put the lockscreen script. I put it in my user dir but it can go anywhere you feel is secure (keep in mind that udev runs it as root, so only trusted users should be able to write to it).

Now that we have that file we need to reload the udev rules (or reboot):

sudo udevadm control --reload-rules
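The PRODUCT value the rule matches on is not the same string as ID_VENDOR_ID/ID_MODEL_ID: the kernel formats it as hex without leading zeros, which is why 0407 becomes 407. The following added helper (my example, not part of the original post) pulls the two IDs out of a constructed `udevadm monitor --environment --udev` excerpt and prints the matching rule line; the sample event text and the script path are made up for the demonstration.

```bash
#!/usr/bin/env bash
# Build the ENV{PRODUCT} match for a udev rule from a udevadm dump.
# The kernel emits PRODUCT as "%x/%x/%x" (idVendor/idProduct/bcdDevice),
# so the hex IDs lose their leading zeros: ID_MODEL_ID=0407 appears as "407".
set -eu

# CONSTRUCTED excerpt of a remove event, modelled on the fields udevadm prints.
SAMPLE_EVENT='UDEV  [1234.567890] remove   /devices/pci0000:00/0000:00:14.0/usb1/1-2 (usb)
ACTION=remove
DEVTYPE=usb_device
SUBSYSTEM=usb
PRODUCT=1050/407/527
ID_VENDOR_ID=1050
ID_MODEL_ID=0407
ID_MODEL=YubiKey_OTP+FIDO+CCID'

# env_field DUMP KEY -> the value of the first KEY=value line in the dump
env_field() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '$1 == k { print $2; exit }'
}

# product_match VENDOR MODEL -> "vendor/model/*" with leading zeros dropped,
# i.e. the same formatting the kernel uses for PRODUCT.
product_match() {
    printf '%x/%x/*' "0x$1" "0x$2"
}

# udev_rule DUMP SCRIPT -> one rule line for /etc/udev/rules.d/20-yubikey.rules
udev_rule() {
    local vendor model
    vendor=$(env_field "$1" ID_VENDOR_ID)
    model=$(env_field "$1" ID_MODEL_ID)
    printf 'ACTION=="remove", ENV{DEVTYPE}=="usb_device", ENV{SUBSYSTEM}=="usb", ENV{PRODUCT}=="%s", RUN+="%s"\n' \
        "$(product_match "$vendor" "$model")" "$2"
}

udev_rule "$SAMPLE_EVENT" /home/user/lockscreen.sh
```

To check the rule against the real device rather than a pasted excerpt, `udevadm test` on the device path from the monitor output shows which rules match and what RUN entries would fire.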

Now for the script that actually does the work! I thought I got this from this guy here because I remember following that post, but his script is different than mine, so if I find who I got this from again I'll re-tag it for credit. I modified it to also kill all of my konsole sessions. Here is the script:

#!/usr/bin/sh
# this script is only suitable for a single user machine as the following will lock and kill all non root sessions
# if unable to unlock your screensaver screen lock, check the permissions of your U2F key mappings. Your screen lock
# will run under your current user permission

# pick the first non-root user that owns a session process
user=$(ps aux | grep -v root | grep session | head -n 1 | awk '{print $1}')
sessionids=$(loginctl list-sessions | grep "${user}" | awk '{print $1}')
for sessionid in $sessionids
do
        loginctl lock-session "$sessionid"
        echo "U2F locked sessionid $sessionid  ($user)" | systemd-cat -p info -t udev
done

# close any other tty sessions (the graphical :0 session is skipped, it is locked above)
ttys=$(who | grep tty | grep -v '(:0)' | awk '{print $2}')
for tty in $ttys
do
        pkill --signal HUP -t "$tty"
        echo "U2F killed $tty ($user)" | systemd-cat -p info -t udev
done
# kill every konsole window; pkill -x matches the process name exactly, so it
# cannot pick up its own pipeline the way "ps aux | grep konsole" could
pkill -x konsole

Put this in a file called lockscreen.sh and place it where you specified in the 20-yubikey.rules file. For example, mine went here: /home/user/lockscreen.sh
Next we need to make the script executable as well as accessible only by our user:

sudo chmod 700 lockscreen.sh

Now, if everything went right, when you remove your Yubikey your PC will lock and close all tty and konsole windows.

This is all good and fine, but we have an issue if we want to remove the Yubikey WITHOUT the PC locking. For this I wrote a tiny script that simply removes the lockscreen file and, after you press a key, puts it back. To get this working we first copy our current lockscreen file:

cp lockscreen.sh lockscreen.sh.bak

Now create another file called removeYubilock.sh with this:

#!/bin/bash
# temporarily disable the udev lock by removing the script the rule runs
rm /home/user/lockscreen.sh
echo "Remove the YubiKey and press any key to continue"
while true ; do
    # wait up to 3 seconds for a single keypress, then restore the script
    if read -t 3 -n 1 ; then
        cp /home/user/lockscreen.sh.bak /home/user/lockscreen.sh
        echo "Lockscreen file replaced"
        exit
    else
        echo "waiting for the keypress"
    fi
done

Now make it executable:

sudo chmod 700 removeYubilock.sh

Now to test:

Now we have working automatic screen locking using our Yubikey!
