YubiKey and locking your screen

This tutorial is based on Fedora 25 in combination with the YubiKey 2 and 4.
Last update 2017-04-21

Introduction

Recently I have been busy with smartcards and YubiKeys. The reason is that I want to add an extra layer of security for accessing websites, SSH and more. Over the last few years we have steadily been moving away from managing Linux servers in the shell towards Ansible, Jenkins and GitLab. In my opinion this demands an extra layer of security based on access control lists.

Apart from this, forgetting to lock your desktop at a hacker congress is the last thing you want to do. So I implemented a physical procedure: one that makes sure my screen is locked when I pull the key, without fiddling with hotkeys. Hotkeys are nice, but they notoriously fail when you are working in another VM or have switched over to a TTY. Information about how to make this possible is scattered all over the Internet, has become obsolete, or lacks decent documentation.

This documentation is based on https://www.dalemacartney.com/2013/01/14/locking-and-unlocking-the-gnome3-session-with-a-yubikey/. At the time of reading, the TLS certificate on that site had expired and the site looked abandoned.

The don’t

I did not figure out a way to unlock the screen with a decent two-factor authentication procedure. The article mentioned above shows a way, but I think that unlocking your workstation with just the YubiKey is too insecure. I'm still trying to figure out how difficult proper 2FA would be, but currently I don't see a possibility and I don't want to hand out snake oil…

Steps to do

  • udev rules
  • Add a Bash script

udev rules

Add the following rule to a new file, /etc/udev/rules.d/85-yubikey-screen-lock.rules.

step 1

SUBSYSTEM=="usb", ACTION=="remove", ENV{ID_VENDOR_ID}=="1050", RUN+="/usr/local/bin/yubikey-screen-lock enable"

As you can see, the vendor ID is 1050, which is Yubico's USB vendor ID; the rule matches on it alone, so every Yubico device triggers the lock. Note that match keys use == (a single = in a udev rule assigns the property instead of comparing it), and that on a remove event the ENV{} values come from udev's database, because the device's sysfs attributes are already gone by then. If you want to debug udev problems, use:

$ sudo udevadm monitor --environment

This will print all udev activity, including the properties of each event, on your screen.

step 2

Reload the udev rules so the new file is picked up:

sudo udevadm control --reload

Add a script

Download this yubikey-screen-lock and place it in /usr/local/bin/. It is important to keep the name 'yubikey-screen-lock', since that is the path the udev rule executes (as root, with 'enable' as its only argument). Make the file executable:

sudo chmod 755 /usr/local/bin/yubikey-screen-lock
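As an added example (not the script the post links to), here is a lock helper with the same name and argument, written for systemd-logind: loginctl lock-sessions locks every session from the root context udev runs in, whether the keyboard currently belongs to GNOME, a text VT or a VM window. The sysfs check is this example's own addition: it skips locking while another Yubico device is still attached, so with two keys plugged in only pulling the last one locks the screen. SYSFS_USB is an assumed override so the decision logic can be exercised against a fake sysfs tree without root.

```shell
#!/bin/sh
# /usr/local/bin/yubikey-screen-lock -- example lock helper for the udev rule
# in this tutorial. Added example, not the script the post links to.
# Assumptions: sessions are managed by systemd-logind (so `loginctl
# lock-sessions` exists) and udev runs this as root, which it does for RUN+=.
# SYSFS_USB can be overridden to point a test at a fake sysfs tree.
set -eu

YUBICO_VENDOR_ID="1050"                       # matches ENV{ID_VENDOR_ID} in the rule
SYSFS_USB="${SYSFS_USB:-/sys/bus/usb/devices}"

# Return 0 when a USB device with vendor ID $1 is still attached. By the time
# the "remove" event fires, the unplugged key's sysfs entry is gone, so only
# keys that are still plugged in are counted.
vendor_still_present() {
    vendor="$1"
    for f in "$SYSFS_USB"/*/idVendor; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" = "$vendor" ]; then
            return 0
        fi
    done
    return 1
}

# Map the argument udev passes ("enable") to an action: "lock" or "skip".
# Kept separate from the side effect so it can be tested without root.
decide() {
    case "${1:-}" in
        enable)
            if vendor_still_present "$YUBICO_VENDOR_ID"; then
                echo skip        # a second YubiKey is still attached
            else
                echo lock
            fi
            ;;
        *)
            echo skip            # unknown or missing argument: do nothing
            ;;
    esac
}

# Lock every logind session. Returns immediately, which matters because udev
# kills RUN+= programs that do not finish quickly, and works regardless of
# whether GNOME, a text VT or a VM window currently has the keyboard.
lock_all_sessions() {
    loginctl lock-sessions
}

if [ "$(decide "${1:-}")" = "lock" ]; then
    lock_all_sessions
fi
```

udev emits a separate remove event for the USB device and for each of its interfaces, so the script may run more than once per unplug; loginctl lock-sessions is harmless when repeated. To dry-run the rule against a key that is still plugged in, without executing the script, use sudo udevadm test --action=remove /sys/bus/usb/devices/1-2 (substitute the key's own devpath); it prints the rules that matched and the RUN command udev would execute.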

That’s it!

Any YubiKey will work to lock your screen, since the rule only looks at the vendor ID. So, in theory and with a bit of effort, you can implement this procedure with any USB device, as long as you have its vendor ID. This can easily be fetched by plugging the device in or out while running:

$ sudo udevadm monitor --environment

and reading ID_VENDOR_ID (and ID_MODEL_ID, if you want to restrict the rule to one model) from the event. For a device that is already attached, lsusb lists every USB device as vendor:product.
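Going from a captured event to a rule for an arbitrary device, as an added example that is not part of the original post. The event block below is constructed to look like what udevadm monitor --environment prints for a YubiKey unplug (the sample values are made up for the example), the RUN target is the script path used in this tutorial, and check_rule is this example's own lint for the one mistake that silently breaks a rule: a single = where == was meant.

```shell
#!/bin/sh
# Turn the properties that `udevadm monitor --environment` prints for a
# device into a screen-lock rule, and lint the rule's operators.
# Added example, not from the original post; the sample event below is
# constructed, and the RUN target is the script path used in the tutorial.
set -eu

LOCK_SCRIPT="/usr/local/bin/yubikey-screen-lock"

# Print the value of property $1 from udevadm-style KEY=value lines on stdin.
prop() {
    sed -n "s/^$1=//p" | head -n 1
}

# Emit a "remove" rule for vendor ID $1 and, if given, model ID $2.
# With only a vendor ID the rule fires for every device of that vendor,
# which is what makes "any YubiKey" work. Match keys use "==": a single "="
# in a udev rule assigns the property instead of comparing it.
make_rule() {
    rule='SUBSYSTEM=="usb", ACTION=="remove", ENV{ID_VENDOR_ID}=="'"$1"'"'
    if [ -n "${2:-}" ]; then
        rule="$rule"', ENV{ID_MODEL_ID}=="'"$2"'"'
    fi
    printf '%s, RUN+="%s enable"\n' "$rule" "$LOCK_SCRIPT"
}

# Return 1 if a key that should be a comparison is followed by a lone "=".
# Catches the ENV{ID_MODEL_ID}="0010" mistake, which would set the property
# rather than restrict the match.
check_rule() {
    ! printf '%s\n' "$1" | grep -Eq '(SUBSYSTEM|ACTION|ENV[{][A-Z_]+[}])=[^=]'
}

# Constructed sample of one remove event as shown by `udevadm monitor --environment`.
SAMPLE_EVENT='UDEV  [1234.567890] remove   /devices/pci0000:00/0000:00:14.0/usb1/1-2 (usb)
ACTION=remove
DEVPATH=/devices/pci0000:00/0000:00:14.0/usb1/1-2
ID_VENDOR_ID=1050
ID_MODEL_ID=0407
SUBSYSTEM=usb'

# Build a vendor-only rule from a captured event block.
rule_from_event() {
    make_rule "$(printf '%s\n' "$1" | prop ID_VENDOR_ID)"
}

if [ "${1:-}" = "demo" ]; then
    rule_from_event "$SAMPLE_EVENT"
fi
```

Run it with demo to print the rule for the sample event; pipe the output of make_rule into the rules file and reload with sudo udevadm control --reload as in step 2. Pass a model ID as the second argument when you want the rule to fire for one specific product only.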

The procedure is a nice extra feature when you already use the YubiKey for other authentication methods.