author | Ben Sima <ben@bsima.me> | 2022-02-01 22:23:13 -0500 |
---|---|---|
committer | Ben Sima <ben@bsima.me> | 2022-02-01 22:23:13 -0500 |
commit | d61fc3da96fb2cbc44f39f58ad6bbfe7001b6c81 (patch) | |
tree | 94e150e90b8ad974a814d5459055fe7d90576bd0 /machines | |
parent | 3c98890752eeb27730a42514cfc2cc5d90cf7c9f (diff) |
lock when yubikey is removed
Took me forever but I figured out how to use udev rules to give xautolock
permission to see the yubi when unlocking.
Also triggers a systemd service that locks the screen when yubi is removed. I
couldn't do this directly in a udev RUN because udev sucks at running programs
as different users and with environment variables and such.
This is still a bit buggy, I seem to consistently need to authenticate twice
when unlocking, but I think that would be fixed if I get rid of the
serviceConfig.User thing with some fancy scripting.
And as a backup, added Super+Shift+L for manual locking.
Diffstat (limited to 'machines')
-rw-r--r-- | machines/helium.nix | 31 |
1 files changed, 28 insertions, 3 deletions
diff --git a/machines/helium.nix b/machines/helium.nix
index 564dd28..b0bcf64 100644
--- a/machines/helium.nix
+++ b/machines/helium.nix
@@ -47,6 +47,7 @@ in {
 yubioath-desktop
 yubico-pam
 yubikey-manager
+ yubikey-personalization
 ];
 nixpkgs = {
@@ -107,10 +108,12 @@ in {
 xserver.desktopManager.xterm.enable = true;
 xserver.xautolock.enable = true;
+ xserver.xautolock.locker = "${pkgs.xlockmore}/bin/xlock";
+ xserver.xautolock.nowlocker = "${pkgs.xlockmore}/bin/xlock"; # xautolock -locknow
+ xserver.xautolock.time = 5; # minutes
 xserver.xautolock.enableNotifier = true;
- xserver.xautolock.notifier = "${pkgs.libnotify}/bin/notify-send 'locking in 10 seconds'";
- xserver.xautolock.nowlocker = "${pkgs.i3lock}/bin/i3lock --color=000000 --show-failed-attempts --ignore-empty-password";
- xserver.xautolock.locker = "${pkgs.i3lock}/bin/i3lock --color=000000 --show-failed-attempts --ignore-empty-password";
+ xserver.xautolock.notify = 30; # seconds
+ xserver.xautolock.notifier = ''${pkgs.libnotify}/bin/notify-send "Locking in 30 seconds"'';
 vnstat.enable = true;
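Review bot: `"${pkgs.xlockmore}/bin/xlock"` is written out twice in the second hunk, once for `locker` and once for `nowlocker`; since the file has a `let … in` header (the `in {` in the hunk context), binding it once, e.g. `xlock = "${pkgs.xlockmore}/bin/xlock";`, and writing `xserver.xautolock.locker = xlock;` / `xserver.xautolock.nowlocker = xlock;` keeps the two in step the next time the locker is swapped, as this commit swaps it from i3lock. The enclosing attribute set starts and ends outside the hunk.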
@@ -118,6 +121,28 @@ in {
 fail2ban.enable = true;
 clamav.daemon.enable = true;
 clamav.updater.enable = true;
+
+ udev.extraRules = ''
+ # allows xlock to read the yubikey for challenge-response when unlocking.
+ # you need to do 'udevadm control --reload && udevadm trigger' after
+ # changing this. 'ykinfo -v' without sudo should work.
+ ACTION!="add|change", GOTO="yubico_end", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0401|0403|0405|0407|0410", OWNER="ben", MODE="0600"
+ LABEL="yubico_end"
+
+ # when yubi is removed, activate yubilock
+ ACTION=="remove", ENV{ID_BUS}=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0407", ENV{ID_SERIAL}="Yubico_Yubikey_4_OTP+U2F+CCID", RUN+="${pkgs.systemd}/bin/systemctl start yubilock"
+ '';
+ };
+ systemd.services = {
+ "yubilock" = {
+ script = "xlock";
+ path = [ pkgs.xlockmore ];
+ wantedBy = ["dummy.device"]; # i have to provide a WantedBy
+ environment = { DISPLAY = ":0"; };
+ # i think i can get rid of user if I use this script:
+ # https://0day.work/locking-the-screen-when-removing-a-yubikey/
+ serviceConfig.User = "ben";
+ };
 };
 # Use the systemd-boot EFI boot loader. |
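Review bot: The removal rule's `ENV{ID_SERIAL}="Yubico_Yubikey_4_OTP+U2F+CCID"` uses a single `=`, which udev treats as an assignment rather than a match, so it rewrites that property instead of narrowing which key triggers the lock; it should read `ENV{ID_SERIAL}=="Yubico_Yubikey_4_OTP+U2F+CCID"` (or be dropped if removal of any Yubico 0407 device should lock). The permission rule above it looks like Yubico's two-line form collapsed onto one line: with `ACTION!="add|change"` sharing a line with the `ATTRS` matches, every key must hold at once, so on an add event the first key fails and `OWNER`/`MODE` are never applied — split it into `ACTION!="add|change", GOTO="yubico_end"` followed by a line carrying only the `ATTRS{idVendor}`, `ATTRS{idProduct}`, `OWNER` and `MODE` keys, and confirm with the `ykinfo -v` check the comment describes. Hardcoding `OWNER="ben"` ties the rule to one account; `TAG+="uaccess"` grants the active seat's user instead and keeps the device unreadable to other local users. Finally, `systemctl start yubilock` reports nothing back to udev when the unit fails (the service sets `DISPLAY` but no `XAUTHORITY`, which I'd expect xlock to need unless X access is open), so a failed lock is silent; checking the unit's journal after a removal test would confirm the screen actually locks.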