I really do not like the smart card ecosystem – probably because it will be a big PITA to setup such subsystem on FreeBSD to make it lock/unlock my laptop with a smart card – not to mention of it will be even possible because of probable lack of drivers for a laptop builtin smart card reader. I mention it because you can lock and unlock your laptop with such smart card in very fast way.
Some people use finger prints readers (for fast workstation/laptop unlock purpose) – but its the same case scenario as with smart card – the time needed to setup it properly. Not to mention that is not that fast anyway as I often see my colleagues swinging the finger over the fingerprint reader over and over again so it will finally work the 7th time …
… but you wan also lock and unlock your UNIX laptop with your phone – by just attaching it to your device – this is where the FreeBSD’s devd(8) subsystem come handy.
Today I will show you how to lock/unlock your laptop with your phone.
You may want to check other articles in the FreeBSD Desktop series on the FreeBSD Desktop – Global Page where you will find links to all episodes of the series along with table of contents for each episodeβs contents.
Keep in mind that in order to make it work you need to attach the phone to laptop using cable that supports data transfer – it will not work with cables that only provide power for charging your phone.
Device Detection
First we need to detect what device will be your locker/unlocker.
Stop the devd(8) daemon.
# service devd stop Stopping devd. Waiting for PIDS: 71455.
Now start it in ‘foreground’ for debug purposes and then attach your phone. The command below with grep(1) will help you to find needed information.
# devd -d 2>&1 | grep --line-buffered 'Processing event' | grep --line-buffered DEVICE Processing event '!system=USB subsystem=DEVICE type=ATTACH ugen=ugen2.3 cdev=ugen2.3 vendor=0x04e8 product=0x6860 devclass=0x00 devsubclass=0x00 sernum="31000e243eb5a12e" release=0x0400 mode=host port=2 parent=ugen2.2'
I have highlited the needed information.
Do not stop this process yet.
Now you know which device will be your locker/unlocker and what even the devd(8) daemon gets when you attach your phone.
Things to note hare are:
vendor=0x04e8 product=0x6860 sernum=31000e243eb5a12e
This data above is more then enough to unlock your workstation.
Now detach your phone from the computer. You will see the DETACH even similar to the one below.
Processing event '!system=USB subsystem=DEVICE type=DETACH ugen=ugen2.3 cdev=ugen2.3 vendor=0x04e8 product=0x6860 devclass=0x00 devsubclass=0x00 sernum="31000e243eb5a12e" release=0x0400 mode=host port=2 parent=ugen2.2'
Now you know the event that will be spawned when you detach your phone.
Stop the foreground devd(8) daemon and start the service traditionally.
# devd -d 2>&1 | grep --line-buffered 'Processing event' | grep --line-buffered DEVICE Processing event '!system=USB subsystem=DEVICE type=ATTACH ugen=ugen2.3 cdev=ugen2.3 vendor=0x04e8 product=0x6860 devclass=0x00 devsubclass=0x00 sernum="31000e243eb5a12e" release=0x0400 mode=host port=2 parent=ugen2.2' Processing event '!system=USB subsystem=DEVICE type=DETACH ugen=ugen2.3 cdev=ugen2.3 vendor=0x04e8 product=0x6860 devclass=0x00 devsubclass=0x00 sernum="31000e243eb5a12e" release=0x0400 mode=host port=2 parent=ugen2.2' ^C # service devd start Starting devd.
Commands for Events
Now, what action or command should be executed when you attach or detach your phone? That depends on which screen locker you are using on your X11 setup.
I for example use the mate-screensaver for this purpose.
The ATTACH event in my case would be to kill the current process mate-screensaver which will unlock the screen and then start it again for the next lock purposes – below is the command that I will run for the ATTACH event.
pkill -9 mate-screensaver && su -l vermaden -c 'env DISPLAY=:0 mate-screensaver' &
The DETACH event will be notifying the mate-screensaver to lock the screen – here is the command that will be used for that purpose.
su -l vermaden -c 'env DISPLAY=:0 mate-screensaver-command --lock' &
Implementation
Here is how the devd(8) config file for my phone would look like.
# cat /usr/local/etc/devd/phonelock.conf
# PHONE ATTACH - UNLOCK
notify 100 {
match "system" "USB";
match "subsystem" "DEVICE";
match "type" "ATTACH";
match "vendor" "0x04e8";
match "product" "0x6860";
match "sernum" "31000e243eb5a12e";
action "pkill -9 mate-screensaver && su -l vermaden -c 'env DISPLAY=:0 mate-screensaver' &";
};
# PHONE DETACH - LOCK
notify 100 {
match "system" "USB";
match "subsystem" "DEVICE";
match "type" "DETACH";
match "vendor" "0x04e8";
match "product" "0x6860";
match "sernum" "31000e243eb5a12e";
action "su -l vermaden -c 'env DISPLAY=:0 mate-screensaver-command --lock' &";
};
Now restart the devd(8) daemon so it will read new configuration files.
# service devd restart Stopping devd. Waiting for PIDS: 1458. Starting devd.
Viola! Now you can lock and unlock your screen just by attaching or detaching your phone. I do not have any fancy video on how it behaves but you must trust me that is less then a second to lock and unlock the laptop now – be sure to keep and additional eye on your phone now, as it can unlock the access to all your files now π
You can of course use any USB device or even network actions – any event that is supported by the devd(8) daemon.
You can of course create such lock/unlock config when you attach/detach your phone and additionally configure power down action when you detach other USB device.
I forgot to mention it, that method does not disables the ‘classic’ password authentication – it just adds automatic screen lock/unlock when you attach your phone – you can still login (unlock) using just password on the mate-screensaver lock screen.
UPDATE 1 – Better devd Sniffing – Better Unlock Method
As oh5nxo from Reddit suggested its not needed to stop devd and start it in ‘debug’ mode – its easier just to attach to its ‘pipe’ with nc(1) tool.
# nc -U /var/run/devd.pipe
There is also no need to kill(1) the mate-screensaver command, its more elegant to just send the mate-screensaver-command --unlock command.
Below is the updated /usr/local/etc/devd/phonelock.conf config file for the devd(8) daemon.
# cat /usr/local/etc/devd/phonelock.conf
# PHONE ATTACH - UNLOCK
notify 100 {
match "system" "USB";
match "subsystem" "DEVICE";
match "type" "ATTACH";
match "vendor" "0x04e8";
match "product" "0x6860";
match "sernum" "33000e343fb4a42d";
action "su -l vermaden -c 'env DISPLAY=:0 mate-screensaver-command --unlock' &";
};
# PHONE DETACH - LOCK
notify 100 {
match "system" "USB";
match "subsystem" "DEVICE";
match "type" "DETACH";
match "vendor" "0x04e8";
match "product" "0x6860";
match "sernum" "33000e343fb4a42d";
action "su -l vermaden -c 'env DISPLAY=:0 mate-screensaver-command --lock' &";
};
ππππππππ 
Isn’t there another option to have real authentication with the phone, because the numbers you rely on (and you have posted) are easy to force with a usb device under your control. Please have a look here: https://github.com/obdev/v-usb/blob/master/tests/usbconfig.h#L148.
The idea is great, the approach is good. What I am asking myself is if there is a way of having certificate based authentication using the usb cable/bluetooth between the mobile phone and the computer in any way.
LikeLike
And I have to add, as I am using something different than FreeBSD, that there is an option also with Linux to do the very same thing. https://wiki.archlinux.org/index.php/Pam_usb
LikeLike
Thanks, nice to know π
LikeLike
You can create a ‘action’ script for these events that will mount such attached USB drive and check for a file or certificate on this USB drive to make the decision if to unlock the laptop or not.
LikeLike
Pingback: Valuable News – 2020/01/13 | ππππππππ
Pingback: FreeBSD desktop (20) | 0ddn1x: tricks with *nix
Thanks for this amazing list! I ll try to get some nice reading although much seems to be limited to US and Canadian residentsLikeLiked by 1 person
LikeLike