Title: Automatically lock screen on OpenBSD using xidle and xlock
Author: Solène
Date: 30 July 2021
Tags: openbsd security
Description:
# Introduction

For security reasons I like when my computer screen gets locked when I'm
away and forgot to lock it manually or when I suspend the computer.
Those operations are usually native in desktop managers such as Xfce,
MATE or Gnome but not when you use a simple window manager.

Yesterday, I was looking at the xlock man page and found
recommendations to use it with xidle, a program that triggers a command
when we don't use a computer. That was the match I required to do
something.
# xidle

xidle is simple: you tell it about conditions and it will run a
command. Basically, it has three triggers:

* no activity from the user after $TIMEOUT
* cursor is moved to a screen border or corner for $SECONDS
* xidle receives a SIGUSR1 signal

The first trigger is useful for running the command automatically,
usually when you leave the computer and forget to lock it. The second
one is a simple way to trigger your command manually by moving the
cursor to the right place, and finally the last one is the way to
script the trigger.

xidle man page, EXAMPLES section showing how to use it with xlock
xlock man page
# Using both

Reusing the example given in the xidle man page, it was easy to build
the command line. You would have to use this in your ~/.xsession file,
which contains the instructions to run your graphical session. The
following command will lock the screen if you leave your mouse cursor in
the upper left corner of the screen for 5 seconds or if you are inactive
for 1800 seconds (30 minutes). Once the screen is locked by xlock, it
will turn off the display after 5 seconds. It is critical to run this
command in the background using "&" so the xsession script can continue.

```shell commands
xidle -delay 5 -nw -program "/usr/X11R6/bin/xlock -dpmsstandby 5" -timeout 1800…
```
# Resume / Suspend case

So far we made your computer lock automatically after some time when
you are not using it, but what if you suspend your computer and leave?
This means anyone can open it and it won't be locked. We should
trigger the command just before suspending the device, so it will be
locked upon resume.

This operation is possible by sending a SIGUSR1 to xidle at the right
time, and apmd (the power management daemon on OpenBSD) is able to
execute scripts when suspending (and not only then).

apmd man page, FILES section about the supported operations running scripts

Create the directory /etc/apm/ and write /etc/apm/suspend with this
content:

```shell script
#!/bin/sh
pkill -USR1 xidle
```

Make the script executable with chmod +x /etc/apm/suspend and restart
apmd. Now the screen should get locked automatically when you suspend
your computer.
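
To confirm that both the idle lock and the suspend hook are in place, the check below inspects the two files this setup relies on. It is an added example, not part of the original post; the function name `check_lock_setup` and its messages are hypothetical.

```shell
#!/bin/sh
# Added example: audits the setup described above. The function name and
# messages are hypothetical; both file paths are passed in by the caller.
# Usage: check_lock_setup "$HOME/.xsession" /etc/apm/suspend

# Prints one line per finding; the return status is the number of problems.
check_lock_setup() {
    xsession=$1
    suspend=$2
    problems=0

    # 1. The session script needs an uncommented xidle command.
    line=$(grep -E '^[[:space:]]*xidle[[:space:]]' "$xsession" 2>/dev/null |
        sed 's/[[:space:]]*$//' | head -n 1)
    if [ -z "$line" ]; then
        echo "FAIL: no xidle command in $xsession"
        problems=$((problems + 1))
    else
        # 2. Without a trailing "&" the session script blocks on xidle.
        case $line in
            *'&') ;;
            *) echo "FAIL: xidle is not run in the background"
               problems=$((problems + 1)) ;;
        esac
        # 3. Both an inactivity timeout and a locker program must be set.
        for opt in -timeout -program; do
            case $line in
                *" $opt "*) ;;
                *) echo "FAIL: xidle line has no $opt option"
                   problems=$((problems + 1)) ;;
            esac
        done
    fi

    # 4. The apmd hook must be executable and send SIGUSR1 to xidle.
    if [ ! -x "$suspend" ]; then
        echo "FAIL: $suspend is missing or not executable"
        problems=$((problems + 1))
    elif ! grep -Eq '^[[:space:]]*pkill[[:space:]]+-USR1[[:space:]]+xidle' "$suspend"; then
        echo "FAIL: $suspend does not send SIGUSR1 to xidle"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ] && echo "OK: idle and suspend locking are configured"
    return "$problems"
}
```

The check only reads the files; running `pgrep xidle` inside the X session confirms that xidle is actually running.
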
# Conclusion

Locking access to a computer is very important because most of the time
we have programs open and security keys unlocked (ssh, gpg, password
managers, etc.), and if someone gets their hands on it they can access
all files. Locking the screen is a simple but very effective way to
prevent this disaster from happening.