Sunday, November 29, 2020

#1 2012-03-29 01:32:18 pm

emikysa
Member
Registered: 2007-04-08
Posts: 36

Script to lock Mac upon removal of USB Yubikey?

Hello,

I am writing to request help with configuring my MBP so that the screen will lock when I remove my Yubikey (http://www.yubico.com/personal-use - “The YubiKey is a hardware authentication token that looks like a small USB memory stick, but it is actually a keyboard.”) from a USB port. I do not need any sort of unlocking capability upon reinsertion of the Yubikey.

There is an application called Rohos (http://www.rohos.com/products/rohos-logon-key-for-mac) that can sense removal of the Yubikey and lock the screen.  However, the application costs $32 and it does far more than I want it to do.  It also caused problems with logging into other user accounts.

There is an application called Proximity (http://code.google.com/p/reduxcomputing-proximity) that will execute a script if a paired Bluetooth device loses connection with the Mac.  I like the basic functionality but would like for the trigger to be removal of the USB Yubikey.

I wonder if I could use Launchd (via Lingon) to periodically check (every minute, perhaps) if the specific Yubikey is present.  If it is not, it could run a script that will lock the screen (or activate the screensaver).  A script on this site (http://macscripter.net/viewtopic.php?id=24748) seems to contain some of the features I need, but I am not sure if the Yubikey appears to the Mac as the USB drive does.  In Terminal I navigated to Volumes and listed the contents but did not see the Yubikey.

Do any of you have any ideas or code?

Thank you!
Erik


#2 2012-03-29 07:59:52 pm

emikysa
Member
Registered: 2007-04-08
Posts: 36

Re: Script to lock Mac upon removal of USB Yubikey?

I did some searching and found that if I run "system_profiler SPUSBDataType" in Terminal then the list of devices includes the Yubikey with Serial Number and other information that also is displayed in System Information (Profiler).  Perhaps the script could run that command and look for the Serial Number?  If it is not present then the sleep command could be executed?


#3 2012-03-30 05:14:20 am

StefanK
Member
From: St. Gallen, Switzerland
Registered: 2006-10-21
Posts: 11699

Re: Script to lock Mac upon removal of USB Yubikey?

Hi,

There are (at least) two options to accomplish that.

A stay-open AppleScript which polls IOReg periodically.
This handler returns the state of the connection; you have to gather the product ID and vendor ID from System Profiler.
The values are displayed in hexadecimal; the script expects decimal values.

Applescript:


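-- Placeholder IDs: replace with the key's vendor and product ID in decimal
property vendorID : 1234
property productID : 567

YubiKeyIsConnected()

-- Returns true when ioreg lists a line for the vendor ID and one for the product ID
on YubiKeyIsConnected()
    set grepItems to "\"idVendor\" = " & vendorID & "\\|" & "\"idProduct\" = " & productID
    try
        -- grep exits non-zero when nothing matches, which ends up in the error branch
        set theResult to paragraphs of (do shell script "ioreg -c IOUSBDevice | grep " & quoted form of grepItems)
        return (count theResult) = 2
    on error
        return false
    end try
end YubiKeyIsConnected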

The second option is a C/Objective-C command line tool, which registers to a callback function of IOReg.
This open source code by Apple works fine.

AFAIK you cannot use launchd to monitor non-volume USB devices.


regards

Stefan


#4 2012-03-30 01:40:04 pm

emikysa
Member
Registered: 2007-04-08
Posts: 36

Re: Script to lock Mac upon removal of USB Yubikey?

Stefan,

Fantastic.  Thank you.  Could you help me with one more thing?  How would the code have to be modified so that it would execute "activate application "ScreenSaverEngine"" if the key were removed?

Also, I could have launchd run this script periodically, right?

Thank you!
Erik


#5 2012-03-30 02:29:38 pm

StefanK
Member
From: St. Gallen, Switzerland
Registered: 2006-10-21
Posts: 11699

Re: Script to lock Mac upon removal of USB Yubikey?

something like this

Applescript:


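-- status remembers whether the key was present at the previous check
property status : false
-- Placeholder IDs: replace with the key's vendor and product ID in decimal
property vendorID : 1234
property productID : 567

set currentState to YubiKeyIsConnected()
if currentState is true and status is false then
    -- Key has just been inserted
    set status to true
else if currentState is false and status is true then
    -- Key has just been removed: start the screen saver
    set status to false
    activate application "ScreenSaverEngine"
end if

-- Returns true when ioreg lists a line for the vendor ID and one for the product ID
on YubiKeyIsConnected()
    set grepItems to "\"idVendor\" = " & vendorID & "\\|" & "\"idProduct\" = " & productID
    try
        set theResult to paragraphs of (do shell script "ioreg -c IOUSBDevice | grep " & quoted form of grepItems)
        return (count theResult) = 2
    on error
        return false
    end try
end YubiKeyIsConnected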


regards

Stefan
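
An added example, not part of the posts above: the same presence check as shell functions that a periodic job could call, matching vendor and product ID as whole numbers within one ioreg device entry and reporting only the present-to-removed transition. The function names, the state-file path and the sample entries are assumptions; 0x04d2 and 0x0237 are simply the hexadecimal forms of the thread's 1234 and 567 placeholders.

```shell
#!/bin/sh
# Added example; names and sample data are assumptions, not from the thread.

# usb_present VENDOR PRODUCT   (reads `ioreg -c IOUSBDevice` output on stdin)
# IDs may be hexadecimal as System Profiler shows them (0x04d2) or decimal;
# a leading 0 without x is read as octal. Succeeds only when one registry
# entry carries both IDs, so 1234 does not match 12345 and IDs spread over
# two different devices do not count as the key.
usb_present() {
    want_v=$(printf '%d' "$1" 2>/dev/null) || return 2
    want_p=$(printf '%d' "$2" 2>/dev/null) || return 2
    awk -v v="$want_v" -v p="$want_p" '
        /\+-o /          { if (gv && gp) found = 1; gv = gp = 0 }  # next entry
        /"idVendor" = /  { if ($NF == v) gv = 1 }
        /"idProduct" = / { if ($NF == p) gp = 1 }
        END              { if (gv && gp) found = 1; exit(found ? 0 : 1) }
    '
}

# check_once VENDOR PRODUCT STATEFILE   (ioreg output on stdin)
# Prints "lock" only when the key was present at the previous check and is
# absent now, otherwise "none"; the new state is saved in STATEFILE.
check_once() {
    prev=$(cat "$3" 2>/dev/null || echo absent)
    if usb_present "$1" "$2"; then cur=present; else cur=absent; fi
    echo "$cur" > "$3"
    if [ "$prev" = present ] && [ "$cur" = absent ]; then echo lock; else echo none; fi
}

# sample_entry NAME VENDOR PRODUCT: prints one constructed ioreg-style entry.
sample_entry() {
    printf '+-o %s  <class IOUSBDevice>\n  {\n    "idProduct" = %s\n    "idVendor" = %s\n  }\n' \
        "$1" "$3" "$2"
}

# Demo on constructed input: the two IDs sit on different devices.
{ sample_entry Hub 1234 99; sample_entry Mouse 77 567; } |
    usb_present 0x04d2 0x0237 && echo present || echo absent

# On the Mac (assumed wiring, run every minute or from a loop):
#   [ "$(ioreg -c IOUSBDevice | check_once 0x04d2 0x0237 "$HOME/.key_state")" = lock ] &&
#       osascript -e 'activate application "ScreenSaverEngine"'
```

Starting the screen saver locks the session only if the account is set to require a password when the screen saver begins.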
