10

X11 screen locking: a secure and modular approach

 4 years ago
source link: http://leahneukirchen.org/blog/archive/2020/01/x11-screen-locking-a-secure-and-modular-approach.html
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.

For years I’ve been using XScreenSaver as a default, but I recently learned about xsecurelock and re-evaluated my screen-saving requirements:

  • The screen saver should turn on and lock on after some configurable time.
  • The screen saver should lock on a hotkey.
  • The screen saver should lock before suspend.
  • The screen saver should authenticate via PAM.
  • The screen saver should be configurable via xset s .
  • The screen saver should tell to forget SSH agent keys on locking.
  • I can disable the screen saver, e.g. when giving a presentation.

  • The screen saver should display a pretty demo.

    When I just used XScreenSaver, I had these issues:

  • Locking before suspend was not so easy, I had hacks using either xauth as root or additional helper scripts trapping signals.

  • Forgetting the SSH agent keys required a small, butadditional script.
  • Rarely, XScreenSaver got stuck, so I had to kill it from a TTY to get in.

  • Myxlbiff managed to pop up over XScreenSaver.

    After some unsuccessful fiddling with xss-lock and xautolock, I settled down on this toolset now:

  • xsecurelock for screen locking and spawning XScreenSaver demos

  • xidle for spawning xsecurelock after timeout
  • xbindkeys for triggering xidle on hotkey

  • acpid for triggering xidle on lid close

    Note that none of this requires systemd, DBus, or really anything else that X11 didn’t have for at least 25 years.

So, how to put it together:

I use a script run-xsecurelock , which is spawned from .xinitrc : 

#!/bin/sh
# run-xsecurelock - run xsecurelock(1) with right config

if [ "$1" = lock ]; then
    ssh-add -D
    XSECURELOCK_BLANK_TIMEOUT=900 \
    XSECURELOCK_PASSWORD_PROMPT=time_hex \
    XSECURELOCK_SAVER=saver_xscreensaver \
    XSECURELOCK_SAVER_RESET_ON_AUTH_CLOSE=1 \
    XSECURELOCK_SHOW_DATETIME=1 \
        exec xsecurelock
fi

xidle -no -program "$HOME/bin/run-xsecurelock lock" -timeout 600

This runs xidle with a timeout of 10 minutes and tells it to spawn this script again with the lock argment, so it will run xsecurelock after forgetting the SSH agent keys. xsecurelock then spawns a random XScreenSaver demo. There is no support for cycling the demo, but you can trigger the authentication dialog and close it to get a different demo.

Then, we can set up the hotkey in ~/.xbindkeysrc : 

"xset s activate"
  Insert

I used to use the Pause key for triggering the screen saver, but my T480 doesn’t have it anymore, so I use Insert now, which I don’t use else.

Finally, acpid can trigger xidle by sending SIGUSR1 from handler.sh : 

pkill -USR1 xidle

Note how simple this is as root and doesn’t require getting X11 credentials or complex IPC.

To disable xidle, I just run xset s off . The timeout is configurable at run time using xset s SECONDS .

This should satisfy all my requirements and is a cleaner setup then I had before.

NP: Leonard Cohen—Thanks for the Dance


report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK