Yubikey Macbook autolock

In this article I’ll show you how to enable screensaver automatically when you pull out your Yubikey from USB port in Macbook. This will be extension of Yubico tutorial showing how to secure Macosx with their key.

If you not yet familiar with ways to secure Macosx with Yubikey firstly follow tutorial available on Yubico web page: guide . That article will show you how to use Yubico PAM module with screensaver.

If you have PAM module configured, first of all we have to check if Yubikey is in USB or not, to do that simply use:

system_profiler SPUSBDataType | grep -ci yubikey | cat

This will give you list of connected USB devices alongside with names, which can be searched for Yubikey string (in our example as case insensitive) and then returned as count of occurrences. Piping it via cat is to avoid 0 return code in case if grep finds nothing – this is well known practice.

Next step is think how enable screensaver from command line in Macos . This can be simply done by invoking screensaver binary in console:


(above path is valid for Sierra and upper)

Having this knowledge we can prepare simple bash script checking if our Yubikey is plugged in and if it’s not enabling screen saver.

[gist https://gist.github.com/inthuriel/d0cff220a6df79a43316b6385068d11c /]

Next step will be to run our script as a daemon in system. This will require to prepare *.plist file with configuration we may load to launchd . In my example I created basic file of this type with KeepAlive option to keep script always running.

[gist https://gist.github.com/inthuriel/bbc654cd531ce36f0c626d43cacdd63a /]

I decided to place it in ~/Library/LaunchAgents as it will be lunched by my user, although launchd has several other places to place *.plist files.

Also, assuming you followed Yubico tutorial for Macosx securing with Yubikey I placed my script in ~/.yubico directory, which is default in this tutorial.

You have to remember to give this file 600 permissions (for security reasons) and bootstrap it as your user to run screensaver properly:

launchctl bootstrap gui/501 ~/Library/LaunchAgents/com.yubikey.plist

This is basically it. After bootstrap your script will be visible in process list:

ps aux | grep yubikey | grep -v grep                                                                                                            user        46809   0.0  0.0  4288056   1092   ??  S     7:08PM   0:03.95 /bin/bash /Users/user/.yubico/yubikey-daemon.sh

and after you remove Yubikey from usb port it will lock the screen.

Mikołaj Niedbała

I'm a Poland based IT administrator, linux administrator and IT engineer creating professional IT infrastructure solutions based on Linux and virtual environments.

Dodaj komentarz

Twój adres e-mail nie zostanie opublikowany. Wymagane pola są oznaczone *