Re: Auto-unmounting secure partitions

Quoting Stephen Robert Norris <srn@fn.com.au> on Mon, Nov 11 09:22:
>
> For a workstation, I think it would be better that when the display is
> locked, the filesystem is umounted. I've even got some scripts that do
> it, except I don't know how to hook them into xscreensaver to make it do
> it.

I have attached a script that I use to do this.  I run it from my
.xsession when I start X.  It triggers a 'ssh-add -D' and a 'sudo -k'
when the screen locks, then fires a custom script 'mssh-add' on an
unblank.  The xscreensaver-command manpage describes the -watch command
in some detail.

I like the idea of using PAM for the unblank and have toyed with the
idea of writing a module that would grab a sudo token, and try to add
my ssh keys (at least for the ones that use the same passphrase)
automatically when I unlock the screen.

Omen

-- 
This is a test of the Emergency Broadcast System.  Had this been an
actual emergency, we would have fled in terror, and you would not have
been informed.
#! /usr/bin/perl -w
#
# Watch xscreensaver for LOCK/UNBLANK events and drop cached credentials
# (ssh-agent keys, sudo timestamp) when the screen locks.

use strict;
use IO::Handle;

sub killall($@);
sub sig_handler($);
sub D($@);

$SIG{'TERM'} = 'sig_handler';
$SIG{'INT'} = 'sig_handler';

my $log = $ENV{'HOME'} . "/.xscreensaver.log";

# Programs to SIGSTOP while locked and SIGCONT on unblank (e.g. CPU-hungry
# eye candy that is pointless behind a locked screen).
my @stop = 
  (
   #"xplanetbg",
  );

# xscreensaver-command -watch prints one line per event (BLANK, LOCK,
# UNBLANK, RUN ...) for as long as it runs; open() returns its pid.
my $child = open (WATCH, "/usr/bin/xscreensaver-command -watch|") or 
  die "$0: can't watch xscreensaver\n";

#print "$0: child = $child\n";

open(LOG, ">>$log") or
  die "$0: can't open log file '$log': $!\n";
LOG->autoflush(1);   # so the log reflects events as they happen

my $blanked = 0;

while (my $line = <WATCH>) {
  print LOG $line or 
	die "$0: unable to print to log file: $!\n";
  if ($line =~ m/^LOCK/) {
	# Act once per lock, even if LOCK is reported more than once.
	if (!$blanked) {
	  $blanked = 1;
	  
	  system("/usr/bin/ssh-add -D");   # forget all keys held by ssh-agent
	  system("/usr/bin/sudo -k");      # invalidate the cached sudo timestamp
	  killall('STOP', @stop);
	}
  }
  if ($line =~ m/^UNBLANK/) {
	$blanked = 0;
	
	# Re-add keys via a local helper; stdin is /dev/null so it cannot
	# block waiting for a passphrase on a terminal that is not there.
	system($ENV{'HOME'} . "/bin/mssh-add </dev/null");
	killall('CONT', @stop);
  }
}

# Send $signal (by name) to every named program with killall(1).
sub killall($@) {
  my ($signal, @programs) = @_;
  
  foreach my $program (@programs) {
	system("/usr/bin/killall -$signal $program")
  }
}

# On TERM/INT, stop the xscreensaver-command child before exiting.
sub sig_handler($) {
  if(defined($child)) {
	print STDERR "$0: Killing watch child $child: ";
	kill(15, $child);
	waitpid($child, 0);
	print STDERR " done.\n";
  }

  exit(1);
}

# Debug output, enabled when DEBUG in the environment exceeds $level.
sub D($@) {
  my ($level, @what) = @_;
  if(defined($ENV{'DEBUG'}) && $ENV{'DEBUG'} > $level) {
	print STDERR @what;
  }
}

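Added here as an example, not part of Omen's post or his attached script: a plain sh version of the same -watch loop that also unmounts the secure partition Stephen asked about. Each line from 'xscreensaver-command -watch' starts with an event keyword (LOCK, BLANK, UNBLANK, RUN) followed by a timestamp, so the dispatcher keys on the leading word and only acts on lock/unlock transitions. The mountpoint /mnt/secure, the DRY_RUN switch and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): event dispatcher for
# 'xscreensaver-command -watch' that drops ssh-agent keys, the sudo
# timestamp and the secure mount when the screen locks.

# Assumed settings; adjust for your system.
SECURE_MNT=${SECURE_MNT:-/mnt/secure}
DRY_RUN=${DRY_RUN:-0}      # 1 = only report the commands that would run

LOCKED=0                   # 1 while the screen is locked
LAST_ACTION=none           # set by dispatch so a caller can inspect it

run() {
  # Execute a command, or just record it in dry-run mode.
  if [ "$DRY_RUN" = 1 ]; then
    printf 'would run: %s\n' "$*" >&2
  else
    "$@"
  fi
}

on_lock() {
  run ssh-add -D           # forget all keys held by ssh-agent
  run sudo -k              # invalidate the cached sudo timestamp
  # A plain umount fails while a process still holds a file open; that is
  # worth knowing about, so report it instead of forcing a lazy detach.
  run umount "$SECURE_MNT" ||
    printf 'umount %s failed (still busy?)\n' "$SECURE_MNT" >&2
}

on_unblank() {
  # Nothing is remounted or re-added automatically: both need the
  # passphrase, which only the user at the console can supply.
  :
}

dispatch() {
  # Argument: one line from 'xscreensaver-command -watch'.
  # Only transitions trigger actions, so a repeated LOCK line is harmless.
  case $1 in
    LOCK*)
      if [ "$LOCKED" = 0 ]; then
        LOCKED=1; on_lock; LAST_ACTION=lock
      else
        LAST_ACTION=none
      fi ;;
    UNBLANK*)
      if [ "$LOCKED" = 1 ]; then
        LOCKED=0; on_unblank; LAST_ACTION=unlock
      else
        LAST_ACTION=none
      fi ;;
    BLANK*|RUN*)
      LAST_ACTION=none ;;    # blanked but not locked: credentials stay
    *)
      LAST_ACTION=unknown ;;
  esac
}

main() {
  # The while loop runs in one subshell, so LOCKED persists across lines.
  xscreensaver-command -watch | while IFS= read -r line; do
    dispatch "$line"
  done
}

# Start the watch loop only when invoked as 'script run'; sourcing the file
# just defines the functions without touching the screensaver.
case ${1-} in run) main ;; esac
```

Start it from .xsession as 'xss-watch.sh run &' (name assumed); set DRY_RUN=1 first to see which commands fire on a lock before letting it unmount anything.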

