How to lock/unlock your KDE Plasma when Yubikey (or any other USB device) is removed/plugged

Big thanks to bmorgenthaler for giving me a basic idea on how to do this.

Edit: Warning

The yubikey is detected as ejected when you open yubikey personalization tool or whenever an app requests Challenge-Response (but not on U2F), so if you use one of these often, you should probably not set this up.

Warning

While locking is fairly safe (the only thing possible is someone plugging and then unplugging their own yubikey to lock your device), unlocking is VERY unsafe (everyone with a yubikey can unlock your pc), and should probably not be done.

If you want to accomplish something similar to this in a more secure manner, use U2F or Yubikey OTP PAM.

Instructions

Step 1

Run lsusb:

From there, find Vendor ID and Product ID of the USB drive you want to use as the device to lock your PC:

In my case, the red-marked place (1050) is the Vendor ID (yours should be 1050 too, if you're using a genuine yubikey) and green-marked place is the Product ID (0407 for Yubikey 4 and 4 Nano).

Note these down, we'll need them in the next step.

Step 2

Create a file called /etc/udev/rules.d/45-yubikey.rules. You can also pick a higher or lower priority number (the 45 part) or a different name (yubikey part). Up to you.

You might need to run your editor with sudo permissions.

In the file, type

ACTION=="remove", ATTRS{idVendor}=="[THE VENDOR ID]", ATTRS{idProduct}=="[THE PRODUCT ID]", RUN+="/usr/local/bin/lock-pc"  

Replace [THE VENDOR ID] and [THE PRODUCT ID] with the values you found on step 1.

If you want to add unlock support too (HIGHLY UNRECOMMENDED, SEE WARNING), add another line, copy the content above, replace stuff in brackets, change action to add, and change script in run to have a different name (like unlock-pc).

Step 3

Create a file at /usr/local/bin/lock-pc (and if you ignored warnings and went with adding unlock support, create a file with the name you picked).

Place

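#!/bin/sh

# Find the session ID(s) of your user in the loginctl session list
USER_SESSION=$(loginctl list-sessions | grep [YOUR USERNAME] | awk '{print $1}')
# Lock them (left unquoted so that several IDs are passed as separate arguments)
/usr/bin/loginctl lock-session $USER_SESSION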

in it. Replace [YOUR USERNAME] with... your username (duh), save it.

(For the unlock stuff, it's the same code and same replaces, except you change lock-session to unlock-session too)

Chmod a+x the file (sudo chmod a+x /usr/local/bin/lock-pc and one more if you added unlock support).

[Tiny note: You can make this work on non-plasma DEs too, you just need to change the script to fit your DE's lock/unlock commands]

Step 4

Reload udev rules. This has a ton of commands, apparently, so here's all:

  • Worked for me: sudo udevadm control --reload-rules
  • sudo /etc/init.d/udev restart
  • sudo udevcontrol reload_rules

If none of these worked, try googling (or ducking), or just restarting your computer.

That's it. You're done. When you pull out your yubikey, your PC will now lock.
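A variant of the Step 3 script, added here as an example and not part of the original post: it selects sessions by exact match on the USER column, because grep on a username also matches any other account whose name contains it. The user names alice and malice, the TARGET_USER variable and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the original post's script).
# TARGET_USER is a placeholder: set it to your own login name.
TARGET_USER="${TARGET_USER:-alice}"

# Print the session IDs whose USER column (3rd field) is exactly $1.
# Reads rows in `loginctl list-sessions --no-legend` layout on stdin.
sessions_for_user() {
    awk -v user="$1" '$3 == user { print $1 }'
}

# Lock every session owned by user $1; returns 1 if there is none.
lock_user_sessions() {
    ids=$(loginctl list-sessions --no-legend | sessions_for_user "$1")
    [ -n "$ids" ] || return 1
    for id in $ids; do
        loginctl lock-session "$id"
    done
}

# Constructed sample rows (SESSION UID USER SEAT TTY), used only to
# show the difference between a substring match and an exact match.
sample_sessions() {
    cat <<'EOF'
     2 1000 alice   seat0 tty2
     5 1001 malice  seat0 tty3
     9 1000 alice   -     pts/1
    c1  120 sddm    seat0 tty1
EOF
}

# Only lock when installed under the name the udev rule calls.
case "$0" in
    */lock-pc) lock_user_sessions "$TARGET_USER" ;;
esac
```

On the sample rows, `grep alice` would also return session 5 (malice), while the exact match returns only 2 and 9.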

Avery (Arda) Özkal

Some kind of developer. Cares about FOSS, privacy, gender equality and stuff. Likes gaming. Blogs occasionally.

Ankara, Turkey https://ave.zone
