Automatic Screen Lock at Removal script

I bought a Nitrokey Pro 2 and found this article on your documentation website.

https://docs.nitrokey.com/pro/linux/automatic-screen-lock.html

My computer is running Debian 10.10 with GNOME 3.30.2. Unfortunately, the article somehow does not work for me. I did all the steps, gave execute rights (chmod +x) to the script and ran it as a test from the root terminal.
First of all it works; then I ran it manually from a normal terminal. Now I was prompted to enter the user password and the computer got locked. The user is not in the sudoers file or in the sudo group.

Now I unplugged the Nitrokey and nothing happens. Is it a problem from Debian or does it only run on Ubuntu?

Do you have an idea?

I haven’t received an answer. Can you give it a look? Do you need more information?


hey @DieRuebe,

generally there might be slight differences between how Ubuntu and Debian handle things, but you should easily be able to debug this. There are 2 components here which play together: udev and a simple script.

So the 1st step would be to find out if your script gets called when you remove your Nitrokey. Just add a line like this: echo "hello hello" > /tmp/mytest as the first line of your script. This will write a file /tmp/mytest if the script gets called by udev on removal of your Nitrokey.

Is this working? If yes, the problem is within your script; if not, the problem is within your udev rule. I would guess udev is your problem, but as you now have a way to test this, you can check the various parts of your rule (e.g., check if the script location is correct, check if the product id matches the output of lsusb).

On top of that, did you reboot? And/or reload the udev rules? I guess it was like this: udevadm control --reload-rules && udevadm trigger, because afaik the rules are not reloaded automatically.

best

Hi again,
@daringer thanks, I tried out your suggestions, but it still does not work. As you assumed, it isn't the script that does not work. I added the echo "hello hello" > /tmp/mytest to the script and it hasn't been run.

Now I installed a fresh Debian GNU/Linux 11 (bullseye) with GNOME 3.38.5 Wayland on my NitroPad X230, and still nothing happens.
I also tried a lot of things; for example I changed several other key values, such as ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="4108" instead of ENV{PRODUCT}=="20a0/4108/101", ran udevadm control --reload-rules && udevadm trigger and also rebooted several times.

Here are my file permissions, the content of my scripts and what udevadm monitor shows when the Nitrokey is removed. To me it looks correct, but I have no idea what the OS does in the background. Maybe anyone else has an idea.

$ ls -la /etc/udev/rules.d/85-nitrokey.rules
-rwxr-xr-x 1 root root 94 Oct 14 21:18 /etc/udev/rules.d/85-nitrokey.rules

$ sudo editor /etc/udev/rules.d/85-nitrokey.rules
ACTION=="remove", ENV{PRODUCT}=="20a0/4108/101", RUN+="/usr/local/bin/gnome-screensaver-lock"

$ ls -la /usr/local/bin/gnome-screensaver-lock
-rwxr-xr-x 1 root root 237 Oct 14 21:17 /usr/local/bin/gnome-screensaver-lock

(Note: the grave accent is used around the user attribute, but not displayed here in the forum)
$ sudo editor /usr/local/bin/gnome-screensaver-lock
#!/bin/sh
# find the user who owns the GNOME display-manager session (gdm-wayland-session / gdm-x-session)
user=`ps axo user:30,comm | egrep "gdm-(wayland|x)" | awk '{print $1}'`

# only try to lock when a session user was found; quote the variable so an empty value does not break the test
if [ -n "$user" ]; then
	su "$user" -c "/usr/bin/dbus-send --type=method_call --dest=org.gnome.ScreenSaver /org/gnome/ScreenSaver org.gnome.ScreenSaver.Lock"
fi

$ lsusb
Bus 001 Device 009: ID 20a0:4108 Clay Logic Nitrokey Pro

$ udevadm monitor --property --subsystem-match=usb

UDEV  [524.256033] unbind   /devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.0 (usb)
ACTION=unbind
DEVPATH=/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.0
SUBSYSTEM=usb
DEVTYPE=usb_interface
PRODUCT=20a0/4108/101
TYPE=0/0/0
INTERFACE=3/0/0
SEQNUM=2904
USEC_INITIALIZED=469947382
ID_PATH=pci-0000:00:1a.0-usb-0:1.2:1.0
ID_PATH_TAG=pci-0000_00_1a_0-usb-0_1_2_1_0

UDEV  [524.256837] remove   /devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.1 (usb)
ACTION=remove
DEVPATH=/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.1
SUBSYSTEM=usb
DEVTYPE=usb_interface
PRODUCT=20a0/4108/101
TYPE=0/0/0
INTERFACE=11/0/0
MODALIAS=usb:v20A0p4108d0101dc00dsc00dp00ic0Bisc00ip00in01
SEQNUM=2906
USEC_INITIALIZED=469946878
ID_VENDOR_FROM_DATABASE=Clay Logic
ID_PATH=pci-0000:00:1a.0-usb-0:1.2:1.1
ID_PATH_TAG=pci-0000_00_1a_0-usb-0_1_2_1_1

UDEV  [524.257826] remove   /devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.0 (usb)
ACTION=remove
DEVPATH=/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.0
SUBSYSTEM=usb
DEVTYPE=usb_interface
PRODUCT=20a0/4108/101
TYPE=0/0/0
INTERFACE=3/0/0
MODALIAS=usb:v20A0p4108d0101dc00dsc00dp00ic03isc00ip00in00
SEQNUM=2905
USEC_INITIALIZED=469947382
ID_PATH=pci-0000:00:1a.0-usb-0:1.2:1.0
ID_PATH_TAG=pci-0000_00_1a_0-usb-0_1_2_1_0

UDEV  [524.259217] unbind   /devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2 (usb)
ACTION=unbind
DEVPATH=/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2
SUBSYSTEM=usb
DEVNAME=/dev/bus/usb/001/007
DEVTYPE=usb_device
PRODUCT=20a0/4108/101
TYPE=0/0/0
BUSNUM=001
DEVNUM=007
SEQNUM=2907
USEC_INITIALIZED=469940924
ID_PATH=pci-0000:00:1a.0-usb-0:1.2
ID_PATH_TAG=pci-0000_00_1a_0-usb-0_1_2
ID_FOR_SEAT=usb-pci-0000_00_1a_0-usb-0_1_2
MAJOR=189
MINOR=6
TAGS=:seat:uaccess:systemd:security-device:
CURRENT_TAGS=:seat:

UDEV  [524.261424] remove   /devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2 (usb)
ACTION=remove
DEVPATH=/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2
SUBSYSTEM=usb
DEVNAME=/dev/bus/usb/001/007
DEVTYPE=usb_device
PRODUCT=20a0/4108/101
TYPE=0/0/0
BUSNUM=001
DEVNUM=007
SEQNUM=2908
USEC_INITIALIZED=469940924
ID_PATH=pci-0000:00:1a.0-usb-0:1.2
ID_PATH_TAG=pci-0000_00_1a_0-usb-0_1_2
ID_FOR_SEAT=usb-pci-0000_00_1a_0-usb-0_1_2
MAJOR=189
MINOR=6
TAGS=:security-device:seat:uaccess:systemd:
CURRENT_TAGS=:seat:

When I get some time I will set up a new Ubuntu 20.04 VM and try it again from scratch…

Hi @DieRuebe and @daringer

Did you have any success? On Arch Linux I needed to add the following lines to get the script to work.

pid_gnome=$(pgrep gnome-session|head -1)
DBUS_SESSION_BUS_ADDRESS=$(grep -z DBUS_SESSION_BUS_ADDRESS /proc/${pid_gnome}/environ|cut -d= -f2- | tr -d '\0\n')
export DBUS_SESSION_BUS_ADDRESS=${DBUS_SESSION_BUS_ADDRESS}

I took this from: linux - How to export DBUS_SESSION_BUS_ADDRESS - Stack Overflow

However, while it now works from the command line, it doesn't when dbus calls the script.

May 07 15:33:39 it72 kernel: usb 1-2: USB disconnect, device number 15
May 07 15:33:39 it72 systemd-udevd[65183]: 1-2:1.1: Process '/usr/local/bin/gnome-screensaver-lock' failed with exit code 1.
May 07 15:33:39 it72 systemd-udevd[65182]: 1-2:1.0: Process '/usr/local/bin/gnome-screensaver-lock' failed with exit code 1.
May 07 15:33:39 it72 systemd-udevd[65183]: 1-2: Process '/usr/local/bin/gnome-screensaver-lock' failed with exit code 1.

Any ideas?
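Two things in this thread point at the same root cause: the script is started by udev as root with no session environment (so dbus-send via su needs the user's DBUS_SESSION_BUS_ADDRESS, which udev does not have), and the journal above shows it being started three times per unplug, once per USB interface and once for the device, which matches the three remove events in the udevadm monitor output earlier. The following script is an added example, not the forum's or Nitrokey's own script: it logs the udev environment it was called with (the same debugging trick daringer suggested, just with more detail), filters to the single usb_device remove event, and locks through logind with loginctl, which works from root without any session bus. The log path, the rule file name and the "fire once" filter are assumptions for this example.

```shell
#!/bin/sh
# Added example (not the forum's or Nitrokey's own script): a udev-triggered lock
# script that needs neither the user's DBUS_SESSION_BUS_ADDRESS nor `su`.
# It asks logind (a root-owned system service) to lock the sessions via
# loginctl, which works from udev's root context.
#
# Matching udev rule (hypothetical file /etc/udev/rules.d/85-nitrokey.rules).
# ENV{DEVTYPE}=="usb_device" makes it fire once per unplug instead of once
# per USB interface:
#   ACTION=="remove", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", \
#     ENV{PRODUCT}=="20a0/4108/101", RUN+="/usr/local/bin/gnome-screensaver-lock"

LOCK_LOG="${LOCK_LOG:-/run/nitrokey-lock.log}"   # assumed location, root-writable

# Append one line with the udev properties that triggered us (udev exports them
# as environment variables to RUN programs). Reading this file is the quickest
# way to confirm the rule fires at all.
log_event() {
    printf '%s action=%s devtype=%s product=%s devpath=%s\n' \
        "$(date '+%Y-%m-%dT%H:%M:%S')" "${ACTION:-?}" "${DEVTYPE:-?}" \
        "${PRODUCT:-?}" "${DEVPATH:-?}" >> "$LOCK_LOG"
}

# Return 0 only for the single "remove" event of the whole USB device.
# udevadm monitor shows three remove events per unplug (two interfaces plus
# the device), so without this filter the lock command would run three times.
should_lock() {
    [ "${ACTION:-}" = "remove" ] && [ "${DEVTYPE:-}" = "usb_device" ]
}

# Lock every logind session; needs no session bus and no user switch.
lock_all_sessions() {
    loginctl lock-sessions
}

main() {
    log_event
    if should_lock; then
        lock_all_sessions
    fi
}

# Only act when executed as the installed script, not when sourced for testing.
case "${0##*/}" in
    gnome-screensaver-lock) main ;;
esac
```

Install it as /usr/local/bin/gnome-screensaver-lock, make it executable, reload the rules with udevadm control --reload-rules, unplug the key and read /run/nitrokey-lock.log: one line per event tells you whether udev ran the script and which event it was. If the log fills up but the screen stays unlocked, the problem is on the logind side (for example no graphical session registered with logind), not in udev.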

Hello All!
Hope you are all doing great.
I have more than one Nitrokey 3A NFC device. My question is, can I do automatic screen lock with only a specific Nitrokey 3A NFC device, not with all devices?
I used the following rule to lock my screen on removal of a Nitrokey 3A NFC:
ACTION=="remove", ENV{PRODUCT}=="20a0/42b2/105", RUN+="/path/to/directory/screen-lock.sh"
By using the above mentioned rule, I can lock the screen with all available Nitrokey 3A NFC devices. However, my requirement is to lock the screen of the PC with my own specific device, not with all Nitrokey 3A devices.
Would anybody please guide me on how I can lock the screen with my own Nitrokey 3A NFC device, and not with all available Nitrokey 3A devices?

Regards,
engr.

You will have to check in your script also the serial number of the specific Nitrokey you want to use to lock your screen. These udev rules only check the product id and vendor.

Thanks bernd.
I have checked using the command lsusb -v; it shows their serial numbers are also not different. 🙂

@engr Not the USB Serial, but the Nitrokey Serial (or from the PIV or PGP SC):

Nitrokey Serial

/* AABBC and DDEEF are the "short ID" you will also see with the Nitrokey App 2. */

$ nitropy list
Command line tool to interact with Nitrokey devices 0.4.43
:: 'Nitrokey FIDO2' keys
:: 'Nitrokey Start' keys:
:: 'Nitrokey 3' keys
/dev/hidraw8: Nitrokey 3 AABBC<and-much-more>
/dev/hidraw9: Nitrokey 3 DDEEF<and-much-more>

PGP SmartCard

$ gpg-card LIST --cards
0* D276000124010304000FDDEEFxxx0000
1  D276000124010304000FAABBCxxx0000

PIV and PKCS#11

$ opensc-tool --list-readers
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
1    Yes             Nitrokey Nitrokey 3 [CCID/ICCD Interface] 01 00

$ opensc-tool --serial --reader 0
00 0F AA BB Cx xx ...$Z.
$ opensc-tool --serial --reader 1
00 0F DD EE Fx xx ...pU.
$ pkcs11-tool --list-slots
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
  token label        : OpenPGP card (User PIN)
  token manufacturer : OpenPGP project
  token model        : PKCS#15 emulated
  token flags        : login required, token initialized, PIN initialized
  hardware version   : 3.4
  firmware version   : 3.4
  serial num         :  000fABBCxxx
  pin min/max        : 6/127
Slot 1 (0x1): Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
  token label        : OpenPGP card (User PIN (sig))
  token manufacturer : OpenPGP project
  token model        : PKCS#15 emulated
  token flags        : login required, token initialized, PIN initialized
  hardware version   : 3.4
  firmware version   : 3.4
  serial num         : 000fAABBCxxx
  pin min/max        : 6/127
Slot 2 (0x4): Nitrokey Nitrokey 3 [CCID/ICCD Interface] 01 00
  token label        : OpenPGP card (User PIN)
  token manufacturer : OpenPGP project
  token model        : PKCS#15 emulated
  token flags        : login required, token initialized, PIN initialized
  hardware version   : 3.4
  firmware version   : 3.4
  serial num         : 000fDDEEFxxx
  pin min/max        : 6/127
Slot 3 (0x5): Nitrokey Nitrokey 3 [CCID/ICCD Interface] 01 00
  token label        : OpenPGP card (User PIN (sig))
  token manufacturer : OpenPGP project
  token model        : PKCS#15 emulated
  token flags        : login required, token initialized, PIN initialized
  hardware version   : 3.4
  firmware version   : 3.4
  serial num         : 000fDDEEFxxx
  pin min/max        : 6/127

Edit: Fixed the PGP SC and PKCS#11 Serial

Thank you @bernd for your response.
Would you please tell me which changes I have to make in the udev rule or the screen lock script?
Currently I only define ENV{PRODUCT}=="20a0/42b2/105" in the udev rule file.
However, my point is that I first have to check the Nitrokey 3 device, and only if it matches my desired Nitrokey 3A device trigger the screen lock script. How can I do that?

You just need to call loginctl lock-session, assuming you run a distribution with systemd…
For details: man loginctl.
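Putting bernd's advice (check the Nitrokey serial, not the USB serial) together with the loginctl suggestion: at the moment the udev remove rule fires, the unplugged key is already gone, so the script cannot ask it for its serial. What it can do is enumerate the keys that are still present with nitropy list and lock only if the trusted one is no longer among them. The following is an added example, not the forum's or Nitrokey's own code. It assumes nitropy is installed where root can run it, that the rule from the question (ENV{PRODUCT}=="20a0/42b2/105") keeps matching any Nitrokey 3, and the short ID "AABBC" and the sample listing used in the comments are placeholders in the format shown in bernd's post, not real serials.

```shell
#!/bin/sh
# Added example (not the forum's or Nitrokey's own code): lock the screen only
# when one specific Nitrokey 3 has been removed.  Because the removed device can
# no longer be queried, the script lists the keys that are STILL present and
# locks when the trusted one is missing.  The USB serial is not usable here
# (the thread reports it is identical across devices), so the Nitrokey short ID
# printed by `nitropy list` is used instead.

TRUSTED_ID="${TRUSTED_ID:-AABBC}"            # placeholder short ID; set to your own key
NITROPY="${NITROPY:-/usr/local/bin/nitropy}" # assumed install path of nitropy

# Read `nitropy list` output on stdin and return 0 if one line names the key
# whose short ID is $1.  The tool prints lines like
#   /dev/hidraw8: Nitrokey 3 AABBC<rest-of-serial>
# so the short ID is matched as a fixed-string prefix right after "Nitrokey 3 ".
trusted_key_present() {
    grep -qF -- "Nitrokey 3 ${1}"
}

# Exit status 0 means "lock", 1 means "leave the session alone".
decide_lock() {
    if trusted_key_present "$1"; then
        return 1   # the trusted key is still plugged in; another key was removed
    fi
    return 0
}

main() {
    # nitropy warnings on stderr are irrelevant for the decision
    if "$NITROPY" list 2>/dev/null | decide_lock "$TRUSTED_ID"; then
        loginctl lock-sessions
    fi
}

# Only act when executed as the installed script, not when sourced for testing.
case "${0##*/}" in
    screen-lock.sh) main ;;
esac
```

One consequence of this design worth knowing before relying on it: if nitropy cannot enumerate anything (not installed for root, or blocked by udev's sandboxing of RUN programs), the trusted key is never "seen" and every Nitrokey 3 removal locks the screen. That failure mode is the safe one, but test the script once from a root shell with the key plugged in to make sure the listing actually works in your setup.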