kennethrrosen / qubes-yubikey-killswitch

A simple, functional killswitch for use with QubesOS and Yubikey

Here are some great resources for using Yubikey with QubesOS:

https://www.qubes-os.org/doc/yubikey/
https://forum.qubes-os.org/t/u2f-only-w-yubikey/12304
https://github.com/QubesOS/qubes-app-yubikey

However, I wanted to use my Yubikey in order to access 2FA apps (specifically my vault and KeePassXC directory) while still using the Yubikey to shut down the computer on removal (the guides above provide for 2FA with the Yubikey, or a lock-screen option).

Here's what I did. First, follow the guide here: https://www.qubes-os.org/doc/yubikey/ Then make the following changes:

In Dom0

In /etc/qubes-rpc/custom.LockScreen

sudo shutdown now

In sys-usb

In /rw/config/yubikey.rules

ACTION=="remove", SUBSYSTEM=="usb", ENV{ID_SECURITY_TOKEN}=="1", RUN+="/rw/config/yubikey-detach.sh"

In /rw/config/yubikey-detach.sh

#!/bin/bash

# Introduce a delay to give time for YubiKey to get assigned to VM, if that's the case
sleep 5

# Check if YubiKey is still connected
if lsusb | grep -iq yubico; then
    exit 0 # Exit quietly if YubiKey is still connected
else
    /usr/bin/qrexec-client-vm dom0 custom.LockScreen # Trigger RPC if YubiKey is not connected
fi

Then `sudo chmod +x /rw/config/yubikey-detach.sh && sudo udevadm control --reload-rules && sudo udevadm trigger`
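A variant of the detach check, added here as an example and not part of this repository: it reads the USB vendor ID from sysfs in sys-usb instead of grepping lsusb output, and it can report its decision without calling dom0. The function names and the `--dry-run` / `--armed` arguments are assumptions made for this example; `1050` is Yubico's USB vendor ID.

```bash
#!/bin/bash
# Added example, not the repository's script: detach check by USB vendor ID.
YUBICO_VID="1050"                  # Yubico's USB vendor ID, as sysfs reports it
SYSFS_USB="/sys/bus/usb/devices"   # one directory per USB device and interface

# Succeeds if any device under the sysfs root ($1) reports Yubico's vendor ID.
yubikey_present() {
    yp_root="${1:-$SYSFS_USB}"
    for yp_file in "$yp_root"/*/idVendor; do
        [ -r "$yp_file" ] || continue   # skips the literal pattern of an unmatched glob
        if [ "$(cat "$yp_file")" = "$YUBICO_VID" ]; then
            return 0
        fi
    done
    return 1
}

# Waits $2 seconds (default 5, the delay used in yubikey-detach.sh), then
# prints "present" or "absent" for the sysfs root in $1.
killswitch_decision() {
    sleep "${2:-5}"
    if yubikey_present "${1:-$SYSFS_USB}"; then
        echo "present"
    else
        echo "absent"
    fi
}

# Hypothetical arguments: --dry-run only logs the decision, --armed also calls
# the dom0 service. With no argument the script does nothing.
case "${1:-}" in
    --dry-run|--armed)
        state="$(killswitch_decision)"
        logger -t yubikey-killswitch "security token $state ($1)"
        if [ "$state" = "absent" ] && [ "$1" = "--armed" ]; then
            /usr/bin/qrexec-client-vm dom0 custom.LockScreen
        fi
        ;;
esac
```

With this variant the udev rule has to pass the argument, for example RUN+="/rw/config/yubikey-detach.sh --dry-run" while testing; the logged decisions can be read in sys-usb with `journalctl -t yubikey-killswitch`.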

License:GNU General Public License v3.0