Screen locking basics
For each window manager out there, there is a command that tells it to lock your screen. In my case, using KDE Plasma 5.18 with LightDM on openSUSE Tumbleweed, this means light-locker-command -l.
This command needs to be run as your user, with a few details about your desktop session (the session bus and the display) in its environment. Something along these lines:
sudo -u "my_user" DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus DISPLAY=:0 light-locker-command -l
So, now we just need to figure out a way to run that command as soon as the device is removed. udev to the rescue…
udev basics
On most Linux distributions, udev is responsible for “stuff that involves hardware”. For us, that means that udev can watch for a certain device to be removed, and trigger some actions (like running a script).
To avoid writing lots of rules, the easiest way is to extend the udev rule from the previous article so that it not only allows users access to the U2F key's device nodes, but also adds a label to that device. Then, when a device carrying this label is removed, udev triggers the screen locking script.
Labelling a device
Create a udev rule (or modify the one from the previous article) that labels your device as "Yes, I want my screen to be locked if this device is removed". This is done by adding an ENV{engage_screenlock}="yes" parameter.
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="2ccf", ATTRS{idProduct}=="0880", TAG+="uaccess", GROUP="u2f_users", MODE="0660", ENV{engage_screenlock}="yes"
Of course, the values for idVendor and idProduct need to be adjusted to your U2F device. You will find lots of devices included in the udev rule from the official documentation.
Running a script on device removal
With the following udev rule, the script is run as soon as a device labelled engage_screenlock is removed.
SUBSYSTEM=="hidraw", ACTION=="remove", ENV{engage_screenlock}=="yes", RUN+="/usr/local/bin/u2f-lock-screen.sh"
Create the script that does the screen locking
The script that does the actual locking is based on the one I found here.
#!/bin/bash
# Key that, when held while unplugging, skips the lock
HOTKEY="KEY_LEFTSHIFT"
# Check, if hotkey is being pressed during lockscreen attempt
# exit (i.e. do nothing) if key is pressed
# Collect the event nodes of all keyboards from /proc/bus/input/devices
kbd_devices="$(grep -E '^H:.* kbd ' /proc/bus/input/devices | sed 's/.*event\([0-9]\+\).*/event\1/')"
for event_dev in ${kbd_devices}; do
    # evtest --query exits 10 while the key is held (0 if it is not), so a
    # held key ends the script here; note that any other evtest failure
    # (evtest not installed, device not readable) ends it here as well
    evtest --query "/dev/input/${event_dev}" EV_KEY "${HOTKEY}" || exit 0
done
# Write message to system log
/usr/bin/logger "Screen locked because Yubikey/U2F-Key has been disconnected."
# Lock the screen (adjust my_user and the uid in the bus path to your setup)
sudo -u "my_user" DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus DISPLAY=:0 light-locker-command -l
exit 0
Putting it all together
After creating all rules and the script, reload udev using systemctl reload systemd-udevd. And then try removing your device.
For those wondering what the HOTKEY="KEY_LEFTSHIFT" in the script is used for: if you want to remove your U2F device but do not want to lock your screen, just hold the left Shift key while removing the device…