
#1 2023-06-23 14:40:01

Veldora
Member
From: Sol III, Milky Way
Registered: 2023-01-26
Posts: 48

[SOLVED] udev rule to automatically lock system when yubikey is removed

Hi,
I'm trying to write a udev rule to lock the screen whenever the yubikey is removed.
The udev rule triggers a systemd service which then executes /usr/bin/loginctl lock-sessions.

However, the udev rule doesn't fire when the ATTR{idVendor} and ATTR{idProduct} are given.
When removing them, it works without a hassle.

Here's the service file:

[Unit]
Description=Lock screen on yubikey removal

[Service]
Type=oneshot
ExecStart=/usr/bin/loginctl lock-sessions

[Install]
WantedBy=multi-user.target

Here's the original udev-rule, which doesn't work:

ACTION=="remove", SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0402",  RUN+="/usr/bin/systemctl --no-block start lock-screen.service"

Here's the modified udev-rule, that works:

ACTION=="remove", SUBSYSTEM=="usb", RUN+="/usr/bin/systemctl --no-block start lock-screen.service"

To avoid questions such as: "Did you check if it's the correct idVendor and idProduct" here's the output of lsusb:

[root@archlinux ~]# lsusb
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 023: ID 1050:0402 Yubico.com Yubikey 4/5 U2F
Bus 003 Device 003: ID 174f:1812 Syntek Integrated Camera
Bus 003 Device 002: ID 06cb:00f9 Synaptics, Inc. 
Bus 003 Device 005: ID 8087:0033 Intel Corp. 
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

And yes, when calling the service via `systemctl start lock-screen.service` the screen gets locked as well.

Thank you all for helping in advance.

Cheers
Veldora

Last edited by Veldora (2023-06-27 08:07:05)


#2 2023-06-27 08:06:42

Veldora
Member
From: Sol III, Milky Way
Registered: 2023-01-26
Posts: 48

Re: [SOLVED] udev rule to automatically lock system when yubikey is removed

Solved using:

ACTION=="remove", SUBSYSTEM=="usb", ENV{PRODUCT}=="1050/402/556", RUN+="/usr/bin/loginctl lock-sessions"

According to https://stackoverflow.com/questions/310 … is-removed

Information about removed devices is passed in ENV rather than in ATTR since there's no longer any device to extract information from.


#3 2023-08-22 06:29:32

fuchsi3010
Member
Registered: 2021-11-16
Posts: 2

Re: [SOLVED] udev rule to automatically lock system when yubikey is removed

hi, i put your rule in `/etc/udev/rules.d/80-lock-screen-on-yubikey-removal.rules` and did `udevadm control --reload`, but no dice :-(

where did the `556` come from in `ENV{PRODUCT}=="1050/402/556"`?
i get the same output as you from `lsusb`:

Bus 003 Device 019: ID 1050:0402 Yubico.com Yubikey 4/5 U2F

so i get the `1050/402` part, but can't find `556` anywhere.


#4 2023-08-22 08:20:20

fuchsi3010
Member
Registered: 2021-11-16
Posts: 2

Re: [SOLVED] udev rule to automatically lock system when yubikey is removed

i now have a working setup with:

$ cat /etc/udev/rules.d/80-yubikey.rules 
# Yubikey Udev Rule: locking the screen in case a Yubikey is removed 
ACTION=="remove", ENV{HID_NAME}=="Yubico YubiKey FIDO", RUN+="/usr/bin/loginctl lock-sessions"

this is of course less elegant because it will lock if any yubikey is removed, but this is not a concern for me.
cheers!


#5 2023-11-04 09:51:48

peterwilli
Member
Registered: 2023-11-03
Posts: 1

Re: [SOLVED] udev rule to automatically lock system when yubikey is removed

fuchsi3010 wrote:

hi, i put your rule in `/etc/udev/rules.d/80-lock-screen-on-yubikey-removal.rules` and did `udevadm control --reload`, but no dice :-(

where did the `556` come from in `ENV{PRODUCT}=="1050/402/556"`?
i get the same output as you from `lsusb`:

Bus 003 Device 019: ID 1050:0402 Yubico.com Yubikey 4/5 U2F

so i get the `1050/402` part, but can't find `556` anywhere.

With `udevadm monitor --kernel --property --subsystem-match=usb`, you can see in real time what gets (un)plugged. If you run the command, and then physically remove the USB device in question, you get your full ID in the format that udev expects. I don't own a Yubikey anymore, but I managed to do this successfully with Nitrokey. There shouldn't be a difference.

(Also hey everyone am new here, made an account just for this first reply!)
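
Added example (not part of any post in this thread): the `ENV{PRODUCT}` value asked about above is the kernel's `idVendor/idProduct/bcdDevice` in hex without leading zeros, so `lsusb`'s `1050:0402` becomes `1050/402` and the third field (`556` here) does not appear in the plain `lsusb` line. The sketch derives the value from the three IDs and from a `udevadm monitor --kernel --property` capture; the function names, the sample capture, the sysfs-style `0556` input and the extra `ENV{DEVTYPE}` match (so the rule fires once per unplug instead of once per interface) are assumptions of this example.

```shell
# Added example; function names and the capture below are constructed.

# Constructed capture: one add event, then interface and device remove events.
sample_capture() {
cat <<'EOF'
KERNEL[100.000001] add      /devices/pci0000:00/0000:00:14.0/usb3/3-2 (usb)
ACTION=add
DEVTYPE=usb_device
PRODUCT=1050/402/556

KERNEL[200.000001] remove   /devices/pci0000:00/0000:00:14.0/usb3/3-2/3-2:1.0 (usb)
ACTION=remove
DEVTYPE=usb_interface
PRODUCT=1050/402/556
INTERFACE=3/0/0

KERNEL[200.000002] remove   /devices/pci0000:00/0000:00:14.0/usb3/3-2 (usb)
ACTION=remove
DEVTYPE=usb_device
PRODUCT=1050/402/556
EOF
}

# lsusb and sysfs print zero-padded hex (1050, 0402, 0556); PRODUCT drops the
# padding. Arguments: idVendor idProduct bcdDevice.
product_env() {
    printf '%x/%x/%x\n' "0x$1" "0x$2" "0x$3"
}

# Read a capture on stdin and print one rule per distinct PRODUCT of vendor $1
# (unpadded hex, e.g. 1050) seen in a remove event of the whole device.
rules_from_capture() {
    awk -v vendor="$1" '
        BEGIN { RS = ""; FS = "\n" }   # one blank-line-separated event per record
        {
            split("", kv)              # reset the KEY=value map for this event
            for (i = 1; i <= NF; i++) {
                eq = index($i, "=")
                if (eq) kv[substr($i, 1, eq - 1)] = substr($i, eq + 1)
            }
            if (kv["ACTION"] != "remove" || kv["DEVTYPE"] != "usb_device") next
            if (index(kv["PRODUCT"], vendor "/") != 1 || seen[kv["PRODUCT"]]++) next
            printf "ACTION==\"remove\", SUBSYSTEM==\"usb\", ENV{DEVTYPE}==\"usb_device\", ENV{PRODUCT}==\"%s\", RUN+=\"/usr/bin/loginctl lock-sessions\"\n", kv["PRODUCT"]
        }'
}

sample_capture | rules_from_capture 1050
```

On a live system, replace `sample_capture` with the output of the `udevadm monitor` command from the post above, captured while unplugging the key.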
