
When I have this key:

https://support.yubico.com/support/solutions/articles/15000006900-security-key-by-yubico

I would like to use it to lock the screen when I pull it out and go away from the computer, and I would like to unlock the screen by inserting the YubiKey into a USB slot when I come back - I want to trigger verification that it is really my key and I don't want to enter a password.

I was looking here

https://www.dalemacartney.com/2013/01/14/locking-and-unlocking-the-gnome3-session-with-a-yubikey/

which seems to be a good start, however there is a serial number check in the script used there and I would like to do public/private key verification without additionally entering a password.

There is the ykinfo -q -s command to get the serial number of the key. Is there a CLI utility to trigger YubiKey authentication?

On Ubuntu 18.04 + Unity7 I need to add:

auth sufficient pam_u2f.so

before

@include common-auth

in file /etc/pam.d/unity

to be able to unlock the screen either by password or by YubiKey when my YubiKey is inserted - this is not exactly what I expected. I want to insert my YubiKey, see the authentication query and then do the authentication. Also, after authentication succeeds I need to click the "Unlock" button, which does not seem to be necessary.

The second part is to lock the screen after pulling the YubiKey out. To catch the removal of my YubiKey I need to create the file /etc/udev/rules.d/95-yubikey-screen-lock.rules with the content:

ACTION=="remove", SUBSYSTEM=="usb", ENV{PRODUCT}=="1050/120/502", RUN+="/tmp/test.sh"

and run this command to have the OS use it:

sudo udevadm control --reload

The ENV{PRODUCT} value can be obtained by running

sudo udevadm monitor --kernel --property --subsystem-match=usb | grep PRODUCT

and pulling the YubiKey out of the USB port.

The /tmp/test.sh script contains:

su - lmlich -c "gnome-screensaver-command -l"

which will be run as root and will run the command to lock the screen in my distro as user lmlich (that's me in the OS).

And that will do it.

When combined, however, after pulling out the YubiKey the lock screen shows a password challenge. When I enter a wrong password I can authenticate using the YubiKey.

It's a solution, but not a good solution.
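As an added example (not the answer's own script), here is a variant of the udev RUN script that asks logind to lock the key owner's sessions with loginctl rather than running gnome-screensaver-command via su; a program spawned by udev has no access to the user's DISPLAY or D-Bus session environment, while loginctl works from that context. The install path /usr/local/sbin/yubikey-lock.sh, the LOCK_USER setting and the sample loginctl output are assumptions; udev itself passes ACTION in the environment.

```shell
#!/bin/sh
# Added example: udev RUN script that locks the key owner's sessions via logind.
# Assumed install path /usr/local/sbin/yubikey-lock.sh, referenced from the
# udev rule (PRODUCT value taken from the answer above):
#   ACTION=="remove", SUBSYSTEM=="usb", ENV{PRODUCT}=="1050/120/502", \
#     RUN+="/usr/local/sbin/yubikey-lock.sh"
# LOCK_USER is an assumed setting; udev exports ACTION to RUN programs.
LOCK_USER="${LOCK_USER:-lmlich}"

# Print the session IDs belonging to user $1, reading the output of
# `loginctl list-sessions --no-legend` on stdin (columns: SESSION UID USER ...).
sessions_for_user() {
    awk -v user="$1" '$3 == user { print $1 }'
}

# Ask logind to lock every session of user $1; returns 1 when there are none.
# Locking a non-graphical session is harmless, so no seat filtering is done.
lock_user_sessions() {
    ids=$(loginctl list-sessions --no-legend | sessions_for_user "$1")
    [ -n "$ids" ] || return 1
    for id in $ids; do
        loginctl lock-session "$id" || printf 'could not lock session %s\n' "$id" >&2
    done
}

# Constructed sample of loginctl output, used only for the offline dry run.
SAMPLE_SESSIONS='    2 1000 lmlich seat0 tty2
   c1 1000 lmlich       pts/0
    5  120 gdm    seat0 tty1'

case "${1:-}" in
    --dry-run)
        # Show which sessions would be locked, without touching logind.
        printf '%s\n' "$SAMPLE_SESSIONS" | sessions_for_user "$LOCK_USER" ;;
    *)
        # Only act on the removal event udev invoked us for.
        if [ "${ACTION:-}" = "remove" ]; then
            lock_user_sessions "$LOCK_USER"
        fi ;;
esac
```

Running the script with --dry-run prints the session IDs that the real udev invocation would pass to loginctl lock-session.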