List: linux-crypto
Subject: Re: Auto-unmounting secure partitions
From: Omen Wild <Omen.Wild () Dartmouth ! EDU>
Date: 2002-11-11 20:10:53
Quoting Stephen Robert Norris <srn@fn.com.au> on Mon, Nov 11 09:22:
>
> For a workstation, I think it would be better that when the display is
> locked, the filesystem is umounted. I've even got some scripts that do
> it, except I don't know how to hook them into xscreensaver to make it do
> it.

I have attached a script that I use to do this. I run it from my
.xsession when I start X. It triggers a 'ssh-add -D' and a 'sudo -k'
when the screen locks, then fires a custom script 'mssh-add' on an
unblank. The xscreensaver-command manpage describes the -watch command
in some detail.

I like the idea of using PAM for the unblank and have toyed with the
idea of writing a module that would grab a sudo token, and try to add
my ssh keys (at least for the ones that use the same passphrase)
automatically when I unlock the screen.

Omen

--
This is a test of the Emergency Broadcast System. Had this been an
actual emergency, we would have fled in terror, and you would not have
been informed.
["ssh-xscreensaver" (text/plain)]
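#! /usr/bin/perl -w
# Watch xscreensaver events: drop the ssh-agent keys and the sudo timestamp
# when the screen locks, and re-add the keys when it is unblanked.

use strict;

sub killall($@);
sub sig_handler($);
sub D($@);

# Reap the watch child when this script is terminated.
$SIG{'TERM'} = 'sig_handler';
$SIG{'INT'} = 'sig_handler';

my $log = $ENV{'HOME'} . "/.xscreensaver.log";

# Programs to suspend (SIGSTOP) while locked and resume (SIGCONT) on unblank.
my @stop =
  (
   #"xplanetbg",
  );

# Pipe-open returns the pid of the xscreensaver-command child.
my $child = open (WATCH, "/usr/bin/xscreensaver-command -watch|") or
  die "$0: can't watch xscreensaver\n";
#print "$0: child = $child\n";

open(LOG, ">>$log") or
  die "$0: can't open log file '$log': $!\n";

# Set while the screen is locked, so repeated LOCK lines act only once.
my $blanked = 0;
while (my $line = <WATCH>) {
    print LOG $line or
      die "$0: unable to print to log file: $!\n";
    if ($line =~ m/^LOCK/) {
        if (!$blanked) {
            $blanked = 1;
            system("/usr/bin/ssh-add -D");   # remove all identities from the agent
            system("/usr/bin/sudo -k");      # invalidate the cached sudo timestamp
            killall('STOP', @stop);
        }
    }
    if ($line =~ m/^UNBLANK/) {
        $blanked = 0;
        # stdin from /dev/null so mssh-add cannot read the watch pipe
        system($ENV{'HOME'} . "/bin/mssh-add </dev/null");
        killall('CONT', @stop);
    }
}

# Send $signal to every named program; list-form system() bypasses the shell.
sub killall($@) {
    my ($signal, @programs) = @_;
    foreach my $program (@programs) {
        system("/usr/bin/killall", "-$signal", $program);
    }
}

# Terminate and reap the xscreensaver-command child, then exit.
sub sig_handler($) {
    if(defined($child)) {
        print STDERR "$0: Killing watch child $child: ";
        kill(15, $child);
        waitpid($child, 0);
        print STDERR " done.\n";
    }
    exit(1);
}

# Debug output, printed when $ENV{DEBUG} is greater than $level.
sub D($@) {
    my ($level, @what) = @_;
    if(defined($ENV{'DEBUG'}) && $ENV{'DEBUG'} > $level) {
        print STDERR @what;
    }
}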
["smime.p7s" (application/x-pkcs7-signature)]
-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
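
An added example (not part of the original post or its attachment) of the same `xscreensaver-command -watch` hook, extended to the unmount-on-lock case raised in the quoted text: it acts once per lock, re-adds keys only after a real lock, and reports a failed umount or a dead watcher. `SECURE_MOUNT`, `DRY_RUN` and `--watch` are names assumed for this sketch; `mssh-add` is the poster's own script.

```shell
#!/bin/sh
# Added example, not from the original post. SECURE_MOUNT is a placeholder
# path; DRY_RUN and --watch are names invented for this sketch.
SECURE_MOUNT=${SECURE_MOUNT:-/mnt/secure}

# Execute a command, or only print it when DRY_RUN is set. stdin comes from
# /dev/null so a child can never consume lines from the watch pipe.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@" </dev/null; fi
}

# Drop cached credentials first, then try to detach the encrypted filesystem.
on_lock() {
    run ssh-add -D
    run sudo -k
    # umount fails while any process holds a file open there; report it
    # rather than leave the volume readable behind a locked screen unnoticed.
    run umount "$SECURE_MOUNT" ||
        echo "WARNING: $SECURE_MOUNT is still mounted" >&2
}

# Reads `xscreensaver-command -watch` lines (BLANK/LOCK/UNBLANK/RUN ...) on
# stdin. Returns 1 at end of input: a dead watcher means locks go unhandled.
watch_loop() {
    locked=0
    while read -r event rest; do
        case $event in
        LOCK)
            if [ "$locked" -eq 0 ]; then
                locked=1
                on_lock
            fi ;;
        UNBLANK)
            # Only a session that was really locked needs its keys back.
            # Remounting needs the passphrase and is left to the user.
            if [ "$locked" -eq 1 ]; then
                locked=0
                run "$HOME/bin/mssh-add"
            fi ;;
        esac
    done
    echo "WARNING: xscreensaver watch stream ended" >&2
    return 1
}

if [ "${1:-}" = "--watch" ]; then
    xscreensaver-command -watch | watch_loop
fi
```

Setting `DRY_RUN=1` and piping saved watch output into `watch_loop` prints the commands it would run without touching the agent, sudo or the mount.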