Locking OpenBSD when it's sleeping

I frequent the #openbsd IRC channel in order to help people. A question commonly asked is how to automatically lock your machine when putting it to sleep with zzz(1). I answered this question in a previous article (which was actually written four years ago; time flies!) but it was written in French, so here's a new one, also covering additional related topics.

Locking the machine when it is put to sleep

If you read apmd(8):

FILES
     /etc/apm/suspend
     /etc/apm/hibernate
     /etc/apm/standby
     /etc/apm/resume
     /etc/apm/powerup
     /etc/apm/powerdown    These files contain the host's customized actions.
                           Each file must be an executable binary or shell
                           script.  A single program or script can be used to
                           control all transitions by examining the name by
                           which it was called, which is one of suspend,
                           hibernate, standby, resume, powerup, or powerdown.

The trick is to write a script for 'etc/apm/suspend' to run when zzz is called (either directly or by closing the lid). For instance, the script I'm using is:

1
2
#!/bin/sh
doas -u danj env DISPLAY=:0 XAUTHORITY=/home/danj/.Xauthority xlock &

It requires:

  • configuring doas, left as an exercise to the reader ;)
  • running apmd (hashtag rcctl)
  • an executable script

Locking it further

This is off to a good start, but if you are a startx user (versus using xenodm), be sure to run exec startx and not just startx. Otherwise, it is possible to kill X and then access the shell.

If you don't set a maximum lifetime for your ssh-agent, you should clear your identities using ssh-add -D. You should also revoke any sudo permissions with sudo -K. doas doesn't work the same way, so doas -L won't help you much. (You have elevated permissions only in the current shell, not account-wide).

You might want to clear your clipboards, as well. Use something like: xsel -c -p; xsel -c -s; xsel -c -b.

Of course, if you use other authentication mechanisms (GNOME keyring, ssh's Control*, etc.), you should handle those as well.

Beware of the cat

Now that I have a Captive Advanced Threat, I feel the need to automatically lock the screen after it has been idle for a short while. You can achieve this using xidle. The man page is sufficiently descriptive that I won't talk about that further.


Thanks semarie for the technical proof-reading and Pamela for the English proof-reading!

By Vigdis in
Tags : #OpenBSD,
linkedin email