Script to lock Mac upon removal of USB Yubikey?

Hello,

I am writing to request help with configuring my MBP so that the screen will lock when I remove my Yubikey (http://www.yubico.com/personal-use - “The YubiKey is a hardware authentication token that looks like a small USB memory stick, but it is actually a keyboard.”) from a USB port. I do not need any sort of unlocking capability upon reinsertion of the Yubikey.

There is an application called Rohos (http://www.rohos.com/products/rohos-logon-key-for-mac) that can sense removal of the Yubikey and lock the screen. However, the application costs $32 and it does far more than I want it to do. It also caused problems with logging into other user accounts.

There is an application called Proximity (http://code.google.com/p/reduxcomputing-proximity) that will execute a script if a paired Bluetooth device loses connection with the Mac. I like the basic functionality but would like for the trigger to be removal of the USB Yubikey.

I wonder if I could use Launchd (via Lingon) to periodically check (every minute, perhaps) if the specific Yubikey is present. If it is not, it could run a script that will lock the screen (or activate the screensaver). A script on this site (http://macscripter.net/viewtopic.php?id=24748) seems to contain some of the features I need, but I am not sure if the Yubikey appears to the Mac as the USB drive does. In Terminal I navigated to Volumes and listed the contents but did not see the Yubikey.

Do any of you have any ideas or code?

Thank you!
Erik

I did some searching and found that if I run “system_profiler SPUSBDataType” in Terminal then the list of devices includes the Yubikey with Serial Number and other information that also is displayed in System Information (Profiler). Perhaps the script could run that command and look for the Serial Number? If it is not present then the sleep command could be executed?

Hi,

There are (at least) two options to accomplish that.

A stay-open AppleScript which polls IOReg periodically.
This handler returns the state of the connection; you have to gather product ID and vendor ID from System Profiler.
The values are displayed in hexadecimal; the script expects decimal values.


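-- Placeholder values: replace with the decimal vendor and product IDs of your key
property vendorID : 1234
property productID : 567

YubiKeyIsConnected()

on YubiKeyIsConnected()
	-- grep pattern: any line carrying this vendor ID or this product ID
	set grepItems to "\"idVendor\" = " & vendorID & "\\|" & "\"idProduct\" = " & productID
	try
		set theResult to paragraphs of (do shell script "ioreg -c IOUSBDevice | grep " & quoted form of grepItems)
		-- true when exactly two lines match
		return (count theResult) = 2
	on error
		-- grep exits non-zero when nothing matches, which raises an error here
		return false
	end try
end YubiKeyIsConnected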


The second option is a C/Objective-C command line tool, which registers to a callback function of IOReg.
This open source code by Apple works fine.

AFAIK you cannot use launchd to monitor non-volume USB devices.

Stefan,

Fantastic. Thank you. Could you help me with one more thing? How would the code have to be modified so that it would execute activate application "ScreenSaverEngine" if the key were removed?

Also, I could have launchd run this script periodically, right?

Thank you!
Erik

Something like this:


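-- status holds the connection state seen on the previous check
property status : false
-- Placeholder values: replace with the decimal vendor and product IDs of your key
property vendorID : 1234
property productID : 567

set currentState to YubiKeyIsConnected()
if currentState is true and status is false then
	-- key was inserted: remember it
	set status to true
else if currentState is false and status is true then
	-- key was removed: remember it and start the screen saver
	set status to false
	activate application "ScreenSaverEngine"
end if

on YubiKeyIsConnected()
	-- grep pattern: any line carrying this vendor ID or this product ID
	set grepItems to "\"idVendor\" = " & vendorID & "\\|" & "\"idProduct\" = " & productID
	try
		set theResult to paragraphs of (do shell script "ioreg -c IOUSBDevice | grep " & quoted form of grepItems)
		-- true when exactly two lines match
		return (count theResult) = 2
	on error
		-- grep exits non-zero when nothing matches, which raises an error here
		return false
	end try
end YubiKeyIsConnected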
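
A shell variant of the polling check discussed in this thread, added here as an example and not code from any poster: it converts the hexadecimal IDs to the decimal form ioreg prints, and requires both IDs to sit on the same device node, so two unrelated devices that each match one value do not count as the key. The function names, the sample IDs and the sample ioreg text are constructed for illustration.

```shell
# Added example. Function names and sample data are constructed/hypothetical.

# System Information shows IDs in hex (0x1050); ioreg prints them in decimal.
hex_to_dec() { printf '%d\n' "$1"; }

# Reads `ioreg -c IOUSBDevice` output on stdin. Succeeds only if a single
# registry node carries BOTH the given idVendor and idProduct (decimal).
usb_device_present() {
    awk -v v="$1" -v p="$2" '
        /[+]-o /                        { hasV = 0; hasP = 0 }  # new node
                                        { sub(/[ \t]+$/, "") }  # trim
        $0 ~ ("\"idVendor\" = " v "$")  { hasV = 1 }
        $0 ~ ("\"idProduct\" = " p "$") { hasP = 1 }
        hasV && hasP                    { found = 1 }
        END                             { exit !found }
    '
}

# Lock only on the transition present -> absent ("yes" -> "no").
action_for() {
    if [ "$1" = yes ] && [ "$2" = no ]; then echo lock; else echo none; fi
}

# Constructed ioreg-style sample: 4176 and 16 both occur, on different devices.
sample_ioreg() {
    cat <<'EOF'
  +-o Security Key@14100000  <class IOUSBDevice, id 0x100000a01>
  | {
  |   "idVendor" = 4176
  |   "idProduct" = 1031
  | }
  +-o Hub Keyboard@14200000  <class IOUSBDevice, id 0x100000a02>
    {
      "idVendor" = 1452
      "idProduct" = 16
    }
EOF
}

# macOS polling loop; call as: watch_key 0x1050 0x0407 (sample hex IDs).
watch_key() {
    v=$(hex_to_dec "$1"); p=$(hex_to_dec "$2"); prev=no
    while :; do
        if ioreg -c IOUSBDevice | usb_device_present "$v" "$p"
        then cur=yes; else cur=no; fi
        [ "$(action_for "$prev" "$cur")" = lock ] && open -a ScreenSaverEngine
        prev=$cur; sleep 5
    done
}
```

Starting ScreenSaverEngine locks the session only when the account is set to require a password after the screen saver begins.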