6

I've got Ubuntu 17.10 installed on a mid-2011 iMac. On a Dell XPS 15 laptop I was able to set up my Yubikey (via udev rules) to activate & deactivate the screensaver when the Yubikey was unplugged or plugged in. I've tried to set up the same thing in Ubuntu 17.10 but nothing seems to work. The script that I've set as the RUN parameter in the RUN section of the rule is never triggered.

Here's the output in /var/log/syslog when I plug in the Yubikey:

    Dec  5 10:38:02 computer kernel: [  814.455304] usb 2-1.3.1: new full-speed USB device number 10 using ehci-pci
    Dec  5 10:38:02 computer kernel: [  814.566229] usb 2-1.3.1: New USB device found, idVendor=1050, idProduct=0116
    Dec  5 10:38:02 computer kernel: [  814.566233] usb 2-1.3.1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
    Dec  5 10:38:02 computer kernel: [  814.566235] usb 2-1.3.1: Product: Yubikey NEO OTP+U2F+CCID
    Dec  5 10:38:02 computer kernel: [  814.566237] usb 2-1.3.1: Manufacturer: Yubico
    Dec  5 10:38:02 computer kernel: [  814.567661] input: Yubico Yubikey NEO OTP+U2F+CCID as /devices/pci0000:00/0000:00:1d.7/usb2/2-1/2-1.3/2-1.3.1/2-1.3.1:1.0/0003:1050:0116.000F/input/input21
    Dec  5 10:38:02 computer kernel: [  814.627832] hid-generic 0003:1050:0116.000F: input,hidraw5: USB HID v1.10 Keyboard [Yubico Yubikey NEO OTP+U2F+CCID] on usb-0000:00:1d.7-1.3.1/input0
    Dec  5 10:38:02 computer kernel: [  814.628715] hid-generic 0003:1050:0116.0010: hiddev2,hidraw6: USB HID v1.10 Device [Yubico Yubikey NEO OTP+U2F+CCID] on usb-0000:00:1d.7-1.3.1/input1
    Dec  5 10:38:02 computer mtp-probe: checking bus 2, device 10: "/sys/devices/pci0000:00/0000:00:1d.7/usb2/2-1/2-1.3/2-1.3.1"
    Dec  5 10:38:02 computer mtp-probe: bus: 2, device: 10 was not an MTP device
    Dec  5 10:38:02 computer /usr/lib/gdm3/gdm-x-session[4002]: (II) config/udev: Adding input device Yubico Yubikey NEO OTP+U2F+CCID (/dev/input/event9)
    Dec  5 10:38:02 computer /usr/lib/gdm3/gdm-x-session[4002]: (**) Yubico Yubikey NEO OTP+U2F+CCID: Applying InputClass "libinput keyboard catchall"
    Dec  5 10:38:02 computer /usr/lib/gdm3/gdm-x-session[4002]: (II) Using input driver 'libinput' for 'Yubico Yubikey NEO OTP+U2F+CCID'
    Dec  5 10:38:02 computer /usr/lib/gdm3/gdm-x-session[2389]: (II) config/udev: Adding input device Yubico Yubikey NEO OTP+U2F+CCID (/dev/input/event9)
    Dec  5 10:38:02 computer /usr/lib/gdm3/gdm-x-session[2389]: (**) Yubico Yubikey NEO OTP+U2F+CCID: Applying InputClass "libinput keyboard catchall"
    Dec  5 10:38:02 computer /usr/lib/gdm3/gdm-x-session[2389]: (II) Using input driver 'libinput' for 'Yubico Yubikey NEO OTP+U2F+CCID'
    Dec  5 10:38:02 computer /usr/lib/gdm3/gdm-x-session[4002]: (II) systemd-logind: got fd for /dev/input/event9 13:73 fd 56 paused 0
    Dec  5 10:38:02 computer /usr/lib/gdm3/gdm-x-session[4002]: (**) Yubico Yubikey NEO OTP+U2F+CCID: always reports core events
    Dec  5 10:38:02 computer /usr/lib/gdm3/gdm-x-session[4002]: (**) Option "Device" "/dev/input/event9"
    Dec  5 10:38:02 computer /usr/lib/gdm3/gdm-x-session[4002]: (**) Option "_source" "server/udev"
    Dec  5 10:38:02 computer /usr/lib/gdm3/gdm-x-session[4002]: (II) event9  - (II) Yubico Yubikey NEO OTP+U2F+CCID: (II) is tagged by udev as: Keyboard
    Dec  5 10:38:02 computer /usr/lib/gdm3/gdm-x-session[4002]: (II) event9  - (II) Yubico Yubikey NEO OTP+U2F+CCID: (II) device is a keyboard
    Dec  5 10:38:02 computer /usr/lib/gdm3/gdm-x-session[4002]: (II) event9  - (II) Yubico Yubikey NEO OTP+U2F+CCID: (II) device removed
    Dec  5 10:38:02 computer /usr/lib/gdm3/gdm-x-session[4002]: (**) Option "config_info" "udev:/sys/devices/pci0000:00/0000:00:1d.7/usb2/2-1/2-1.3/2-1.3.1/2-1.3.1:1.0/0003:1050:0116.000F/input/input21/event9"
    Dec  5 10:38:02 computer /usr/lib/gdm3/gdm-x-session[4002]: (II) XINPUT: Adding extended input device "Yubico Yubikey NEO OTP+U2F+CCID" (type: KEYBOARD, id 15)
    Dec  5 10:38:02 computer /usr/lib/gdm3/gdm-x-session[4002]: (**) Option "xkb_model" "pc105"
    Dec  5 10:38:02 computer /usr/lib/gdm3/gdm-x-session[4002]: (**) Option "xkb_layout" "us"
    Dec  5 10:38:02 computer /usr/lib/gdm3/gdm-x-session[4002]: (WW) Option "xkb_variant" requires a string value
    Dec  5 10:38:02 computer /usr/lib/gdm3/gdm-x-session[4002]: (WW) Option "xkb_options" requires a string value
    Dec  5 10:38:02 computer /usr/lib/gdm3/gdm-x-session[4002]: (II) event9  - (II) Yubico Yubikey NEO OTP+U2F+CCID: (II) is tagged by udev as: Keyboard
    Dec  5 10:38:02 computer /usr/lib/gdm3/gdm-x-session[4002]: (II) event9  - (II) Yubico Yubikey NEO OTP+U2F+CCID: (II) device is a keyboard
    Dec  5 10:38:02 computer /usr/lib/gdm3/gdm-x-session[2389]: (II) systemd-logind: got fd for /dev/input/event9 13:73 fd 30 paused 1
    Dec  5 10:38:02 computer /usr/lib/gdm3/gdm-x-session[2389]: (II) systemd-logind: releasing fd for 13:73

When I use udevadm info, here's what I get:

    looking at parent device '/devices/pci0000:00/0000:00:1d.7/usb2/2-1/2-1.3/2-1.3.1':
    KERNELS=="2-1.3.1"
    SUBSYSTEMS=="usb"
    DRIVERS=="usb"
    ATTRS{authorized}=="1"
    ATTRS{avoid_reset_quirk}=="0"
    ATTRS{bConfigurationValue}=="1"
    ATTRS{bDeviceClass}=="00"
    ATTRS{bDeviceProtocol}=="00"
    ATTRS{bDeviceSubClass}=="00"
    ATTRS{bMaxPacketSize0}=="64"
    ATTRS{bMaxPower}=="30mA"
    ATTRS{bNumConfigurations}=="1"
    ATTRS{bNumInterfaces}==" 3"
    ATTRS{bcdDevice}=="0333"
    ATTRS{bmAttributes}=="80"
    ATTRS{busnum}=="2"
    ATTRS{configuration}==""
    ATTRS{devnum}=="7"
    ATTRS{devpath}=="1.3.1"
    ATTRS{idProduct}=="0116"
    ATTRS{idVendor}=="1050"
    ATTRS{ltm_capable}=="no"
    ATTRS{manufacturer}=="Yubico"
    ATTRS{maxchild}=="0"
    ATTRS{product}=="Yubikey NEO OTP+U2F+CCID"
    ATTRS{quirks}=="0x0"
    ATTRS{removable}=="removable"
    ATTRS{speed}=="12"
    ATTRS{urbnum}=="262"
    ATTRS{version}==" 2.00"

And udevadm test outputs the following:

    calling: test
    version 234
    This program is for debugging only, it does not run any program
    specified by a RUN key. It may show incorrect results, because
    some values may be different, or not available at a simulation run.
    === trie on-disk ===
    tool version:          234
    file size:         9138024 bytes
    header size             80 bytes
    strings            1910832 bytes
    nodes              7227112 bytes
    Load module index
    Found container virtualization none.
    timestamp of '/etc/systemd/network' changed
    timestamp of '/lib/systemd/network' changed
    Parsed configuration file /lib/systemd/network/99-default.link
    Created link configuration context.
    timestamp of '/etc/udev/rules.d' changed
    Reading rules file: /lib/udev/rules.d/39-usbmuxd.rules
    Reading rules file: /lib/udev/rules.d/40-usb-media-players.rules
    Reading rules file: /lib/udev/rules.d/40-usb_modeswitch.rules
    Reading rules file: /lib/udev/rules.d/40-vm-hotadd.rules
    Reading rules file: /lib/udev/rules.d/50-apport.rules
    Reading rules file: /lib/udev/rules.d/50-firmware.rules
    Reading rules file: /lib/udev/rules.d/50-udev-default.rules
    Reading rules file: /lib/udev/rules.d/55-dm.rules
    Reading rules file: /lib/udev/rules.d/55-ippusbxd.rules
    Reading rules file: /lib/udev/rules.d/56-hpmud.rules
    Reading rules file: /lib/udev/rules.d/60-block.rules
    Reading rules file: /lib/udev/rules.d/60-cdrom_id.rules
    Reading rules file: /lib/udev/rules.d/60-crda.rules
    Reading rules file: /lib/udev/rules.d/60-drm.rules
    Reading rules file: /lib/udev/rules.d/60-evdev.rules
    Reading rules file: /lib/udev/rules.d/60-gnupg2.rules
    Reading rules file: /lib/udev/rules.d/60-input-id.rules
    Reading rules file: /lib/udev/rules.d/60-inputattach.rules
    Reading rules file: /lib/udev/rules.d/60-libgphoto2-6.rules
    Reading rules file: /lib/udev/rules.d/60-libsane1.rules
    Reading rules file: /lib/udev/rules.d/60-pcmcia.rules
    Reading rules file: /lib/udev/rules.d/60-persistent-alsa.rules
    Reading rules file: /lib/udev/rules.d/60-persistent-input.rules
    Reading rules file: /lib/udev/rules.d/60-persistent-storage-dm.rules
    Reading rules file: /lib/udev/rules.d/60-persistent-storage-tape.rules
    Reading rules file: /lib/udev/rules.d/60-persistent-storage.rules
    Reading rules file: /lib/udev/rules.d/60-persistent-v4l.rules
    Reading rules file: /lib/udev/rules.d/60-scdaemon.rules
    Reading rules file: /lib/udev/rules.d/60-sensor.rules
    Reading rules file: /lib/udev/rules.d/60-serial.rules
    Reading rules file: /lib/udev/rules.d/61-gnome-settings-daemon-rfkill.rules
    Reading rules file: /lib/udev/rules.d/61-persistent-storage-android.rules
    Reading rules file: /lib/udev/rules.d/64-btrfs.rules
    Reading rules file: /lib/udev/rules.d/64-xorg-xkb.rules
    Reading rules file: /lib/udev/rules.d/65-libwacom.rules
    Reading rules file: /lib/udev/rules.d/66-snapd-autoimport.rules
    Reading rules file: /lib/udev/rules.d/66-xorg-synaptics-quirks.rules
    Reading rules file: /lib/udev/rules.d/69-cd-sensors.rules
    Reading rules file: /lib/udev/rules.d/69-libmtp.rules
    Reading rules file: /lib/udev/rules.d/69-wacom.rules
    Reading rules file: /lib/udev/rules.d/69-yubikey.rules
    Reading rules file: /lib/udev/rules.d/70-debian-uaccess.rules
    Reading rules file: /lib/udev/rules.d/70-mouse.rules
    Reading rules file: /lib/udev/rules.d/70-old-u2f.rules
    Reading rules file: /lib/udev/rules.d/70-power-switch.rules
    Reading rules file: /lib/udev/rules.d/70-printers.rules
    Reading rules file: /lib/udev/rules.d/70-touchpad.rules
    Reading rules file: /etc/udev/rules.d/70-u2f.rules
    Reading rules file: /lib/udev/rules.d/70-uaccess.rules
    Reading rules file: /lib/udev/rules.d/71-power-switch-proliant.rules
    Reading rules file: /lib/udev/rules.d/71-seat.rules
    Reading rules file: /lib/udev/rules.d/71-u-d-c-gpu-detection.rules
    Reading rules file: /lib/udev/rules.d/73-seat-late.rules
    Reading rules file: /lib/udev/rules.d/73-special-net-names.rules
    Reading rules file: /lib/udev/rules.d/73-usb-net-by-mac.rules
    Reading rules file: /lib/udev/rules.d/75-net-description.rules
    Reading rules file: /lib/udev/rules.d/75-probe_mtd.rules
    Reading rules file: /lib/udev/rules.d/77-mm-cinterion-port-types.rules
    Reading rules file: /lib/udev/rules.d/77-mm-dell-port-types.rules
    Reading rules file: /lib/udev/rules.d/77-mm-ericsson-mbm.rules
    Reading rules file: /lib/udev/rules.d/77-mm-haier-port-types.rules
    Reading rules file: /lib/udev/rules.d/77-mm-huawei-net-port-types.rules
    Reading rules file: /lib/udev/rules.d/77-mm-longcheer-port-types.rules
    Reading rules file: /lib/udev/rules.d/77-mm-mtk-port-types.rules
    Reading rules file: /lib/udev/rules.d/77-mm-nokia-port-types.rules
    Reading rules file: /lib/udev/rules.d/77-mm-pcmcia-device-blacklist.rules
    Reading rules file: /lib/udev/rules.d/77-mm-platform-serial-whitelist.rules
    Reading rules file: /lib/udev/rules.d/77-mm-qdl-device-blacklist.rules
    Reading rules file: /lib/udev/rules.d/77-mm-simtech-port-types.rules
    Reading rules file: /lib/udev/rules.d/77-mm-telit-port-types.rules
    Reading rules file: /lib/udev/rules.d/77-mm-usb-device-blacklist.rules
    Reading rules file: /lib/udev/rules.d/77-mm-usb-serial-adapters-greylist.rules
    Reading rules file: /lib/udev/rules.d/77-mm-x22x-port-types.rules
    Reading rules file: /lib/udev/rules.d/77-mm-zte-port-types.rules
    Reading rules file: /lib/udev/rules.d/78-graphics-card.rules
    Reading rules file: /lib/udev/rules.d/78-sound-card.rules
    Reading rules file: /lib/udev/rules.d/80-debian-compat.rules
    Reading rules file: /lib/udev/rules.d/80-docker-ce.rules
    Reading rules file: /lib/udev/rules.d/80-drivers.rules
    Reading rules file: /lib/udev/rules.d/80-ifupdown.rules
    Reading rules file: /lib/udev/rules.d/80-iio-sensor-proxy.rules
    Reading rules file: /lib/udev/rules.d/80-libinput-device-groups.rules
    Reading rules file: /lib/udev/rules.d/80-mm-candidate.rules
    Reading rules file: /lib/udev/rules.d/80-net-setup-link.rules
    Reading rules file: /lib/udev/rules.d/80-snappy-assign.rules
    Reading rules file: /lib/udev/rules.d/80-udisks2.rules
    Reading rules file: /lib/udev/rules.d/84-nm-drivers.rules
    Reading rules file: /lib/udev/rules.d/85-brltty.rules
    Reading rules file: /lib/udev/rules.d/85-hdparm.rules
    Reading rules file: /lib/udev/rules.d/85-hplj10xx.rules
    Reading rules file: /lib/udev/rules.d/85-nm-unmanaged.rules
    Reading rules file: /lib/udev/rules.d/85-regulatory.rules
    Reading rules file: /lib/udev/rules.d/90-alsa-restore.rules
    Reading rules file: /lib/udev/rules.d/90-console-setup.rules
    Reading rules file: /lib/udev/rules.d/90-fwupd-devices.rules
    Reading rules file: /lib/udev/rules.d/90-libgpod.rules
    Reading rules file: /lib/udev/rules.d/90-libinput-model-quirks.rules
    Reading rules file: /lib/udev/rules.d/90-pulseaudio.rules
    Reading rules file: /lib/udev/rules.d/92-libccid.rules
    Reading rules file: /lib/udev/rules.d/95-cd-devices.rules
    Reading rules file: /lib/udev/rules.d/95-upower-csr.rules
    Reading rules file: /lib/udev/rules.d/95-upower-hid.rules
    Reading rules file: /lib/udev/rules.d/95-upower-wup.rules
    Reading rules file: /lib/udev/rules.d/97-hid2hci.rules
    Reading rules file: /lib/udev/rules.d/99-systemd.rules
    rules contain 393216 bytes tokens (32768 * 12 bytes), 36008 bytes strings
    24465 strings (207924 bytes), 21215 de-duplicated (175167 bytes), 3251 trie nodes used
    value '[dmi/id]sys_vendor' is 'Apple Inc.'
    value '[dmi/id]sys_vendor' is 'Apple Inc.'
    GROUP 106 /lib/udev/rules.d/50-udev-default.rules:29
    IMPORT builtin 'hwdb' /lib/udev/rules.d/60-evdev.rules:8
    RUN 'keyboard' /lib/udev/rules.d/60-evdev.rules:8
    IMPORT builtin 'input_id' /lib/udev/rules.d/60-input-id.rules:5
    capabilities/ev raw kernel attribute: 120013
    capabilities/abs raw kernel attribute: 0
    capabilities/rel raw kernel attribute: 0
    capabilities/key raw kernel attribute: e080ffdf01cfffff fffffffffffffffe
    properties raw kernel attribute: 0
    test_key: checking bit block 0 for any keys; found=1
    test_key: checking bit block 64 for any keys; found=1
    test_key: checking bit block 128 for any keys; found=1
    test_key: checking bit block 192 for any keys; found=1
    IMPORT builtin 'usb_id' /lib/udev/rules.d/60-persistent-input.rules:11
    /sys/devices/pci0000:00/0000:00:1d.7/usb2/2-1/2-1.3/2-1.3.1/2-1.3.1:1. if_class 3 protocol 0
    LINK 'input/by-id/usb-Yubico_Yubikey_NEO_OTP+U2F+CCID-event-kbd' /lib/udev/rules.d/60-persistent-input.rules:28
    IMPORT builtin 'path_id' /lib/udev/rules.d/60-persistent-input.rules:35
    LINK 'input/by-path/pci-0000:00:1d.7-usb-0:1.3.1:1.0-event-kbd' /lib/udev/rules.d/60-persistent-input.rules:37
    RUN 'uaccess' /lib/udev/rules.d/73-seat-late.rules:15
    PROGRAM 'libinput-device-group /sys/devices/pci0000:00/0000:00:1d.7/usb2/2-1/2-1.3/2-1.3.1/2-1.3.1:1.0/0003:1050:0116.0011/input/input22/event9' /lib/udev/rules.d/80-libinput-device-groups.rules:7
    starting 'libinput-device-group /sys/devices/pci0000:00/0000:00:1d.7/usb2/2-1/2-1.3/2-1.3.1/2-1.3.1:1.0/0003:1050:0116.0011/input/input22/event9'
    'libinput-device-group /sys/devices/pci0000:00/0000:00:1d.7/usb2/2-1/2-1.3/2-1.3.1/2-1.3.1:1.0/0003:1050:0116.0011/input/input22/event9'(out) '3/1050/116/110:usb-0000:00:1d.7-1.3'
    Process 'libinput-device-group /sys/devices/pci0000:00/0000:00:1d.7/usb2/2-1/2-1.3/2-1.3.1/2-1.3.1:1.0/0003:1050:0116.0011/input/input22/event9' succeeded.
    IMPORT builtin 'hwdb' /lib/udev/rules.d/90-libinput-model-quirks.rules:38
    IMPORT builtin 'hwdb' returned non-zero
    value '[dmi/id]modalias' is 'dmi:bvnAppleInc.:bvrIM121.88Z.0047.B1E.1110201314:bd10/20/11:svnAppleInc.:pniMac12,2:pvr1.0:rvnAppleInc.:rnMac-942B59F58194171B:rvriMac12,2:cvnAppleInc.:ct13:cvrMac-942B59F58194171B:'
    IMPORT builtin 'hwdb' /lib/udev/rules.d/90-libinput-model-quirks.rules:42
    IMPORT builtin 'hwdb' returned non-zero
    IMPORT builtin 'hwdb' /lib/udev/rules.d/90-libinput-model-quirks.rules:46
    IMPORT builtin 'hwdb' returned non-zero
    handling device node '/dev/input/event9', devnum=c13:73, mode=0660, uid=0,gid=106
    preserve permissions /dev/input/event9, 020660, uid=0, gid=106
    preserve already existing symlink '/dev/char/13:73' to '../input/event9'
    found 'c13:73' claiming '/run/udev/links/\x2finput\x2fby-id\x2fusb-Yubico_Yubikey_NEO_OTP+U2F+CCID-event-kbd'
    creating link '/dev/input/by-id/usb-Yubico_Yubikey_NEO_OTP+U2F+CCID-event-kbd' to '/dev/input/event9'
    preserve already existing symlink '/dev/input/by-id/usb-Yubico_Yubikey_NEO_OTP+U2F+CCID-event-kbd' to '../event9'
    found 'c13:73' claiming '/run/udev/links/\x2finput\x2fby-path\x2fpci-0000:00:1d.7-usb-0:1.3.1:1.0-event-kbd'
    creating link '/dev/input/by-path/pci-0000:00:1d.7-usb-0:1.3.1:1.0-event-kbd' to '/dev/input/event9'
    preserve already existing symlink '/dev/input/by-path/pci-0000:00:1d.7-usb-0:1.3.1:1.0-event-kbd' to '../event9'
    created db file '/run/udev/data/c13:73' for '/devices/pci0000:00/0000:00:1d.7/usb2/2-1/2-1.3/2-1.3.1/2-1.3.1:1.0/0003:1050:0116.0011/input/input22/event9'
    .INPUT_CLASS=kbd
    .MM_USBIFNUM=00
    ACTION=add
    BACKSPACE=guess
    DEVLINKS=/dev/input/by-id/usb-Yubico_Yubikey_NEO_OTP+U2F+CCID-event-kbd /dev/input/by-path/pci-0000:00:1d.7-usb-0:1.3.1:1.0-event-kbd
    DEVNAME=/dev/input/event9
    DEVPATH=/devices/pci0000:00/0000:00:1d.7/usb2/2-1/2-1.3/2-1.3.1/2-1.3.1:1.0/0003:1050:0116.0011/input/input22/event9
    ID_BUS=usb
    ID_FOR_SEAT=input-pci-0000_00_1d_7-usb-0_1_3_1_1_0
    ID_INPUT=1
    ID_INPUT_KEY=1
    ID_INPUT_KEYBOARD=1
    ID_MODEL=Yubikey_NEO_OTP+U2F+CCID
    ID_MODEL_ENC=Yubikey\x20NEO\x20OTP+U2F+CCID
    ID_MODEL_ID=0116
    ID_PATH=pci-0000:00:1d.7-usb-0:1.3.1:1.0
    ID_PATH_TAG=pci-0000_00_1d_7-usb-0_1_3_1_1_0
    ID_REVISION=0333
    ID_SECURITY_TOKEN=1
    ID_SERIAL=Yubico_Yubikey_NEO_OTP+U2F+CCID
    ID_TYPE=hid
    ID_USB_DRIVER=usbhid
    ID_USB_INTERFACES=:030101:030000:0b0000:
    ID_USB_INTERFACE_NUM=00
    ID_VENDOR=Yubico
    ID_VENDOR_ENC=Yubico
    ID_VENDOR_ID=1050
    LIBINPUT_DEVICE_GROUP=3/1050/116/110:usb-0000:00:1d.7-1.3
    MAJOR=13
    MINOR=73
    SUBSYSTEM=input
    TAGS=:seat:power-switch:uaccess:
    USEC_INITIALIZED=1090409060
    XKBLAYOUT=us
    XKBMODEL=pc105
    XKBOPTIONS=
    XKBVARIANT=
    XKB_FIXED_LAYOUT="us"
    XKB_FIXED_VARIANT=""
    run: 'keyboard'
    run: 'uaccess'
    Unload module index
    Unloaded link configuration context.

Lastly, the script that the udev rule should be triggering:

    #!/bin/bash

    USERNAME="sean"
    action=$1

    logger "YubiKey Removed or Inserted, ${action}"

No matter what combination of KERNEL, SUBSYSTEM, ATTRS, or ENV in the udev rule I use, the script never seems to trigger. I even put in just SYSTEM=="hidraw|usb|input" and after reloading the rules nothing shows up in syslog. I've tried /etc/init.d/udev restart, udevadm control -R, and service udev reload; nothing seems to get the rules in /etc/udev/rules.d to trigger.

As far as I can tell, the /etc/udev/rules.d/99-yubikey.rules isn't being loaded or seen by udev (it's not showing up in the udevadm test output).

Any ideas on stuff I can try to get this working?

vvvvv
Sean Hagen
  • Did you try adding the rules to /lib/udev/rules.d (not /etc...)? – ubfan1 Dec 14 '17 at 21:58
  • Yeah, I've tried both locations and neither seem to work. – Sean Hagen Dec 15 '17 at 01:04
  • 1
    Have you run `udevadm monitor --property`? With that running, you can insert and remove the device and see exactly what udev provides so that you can match against it. Also, please report the output of `stat /etc/udev/rules.d/99-yubikey.rules` and include a version of the contents of that file that definitely doesn't work in your question. Finally, note that with your plan anyone could unlock your screen with any matching Yubikey model, unless you're doing something more complicated with validation that you haven't detailed in your question. – Robie Basak Dec 18 '17 at 00:06
  • @RobieBasak when I run `udevadm monitor` I get the same model ID and vendor ID that I had on my other computer. – Sean Hagen Dec 18 '17 at 18:53
  • 1
    `$ stat /etc/udev/rules.d/99-yubikey-rules File: /etc/udev/rules.d/99-yubikey-rules Size: 546 Blocks: 8 IO Block: 4096 regular file Device: 802h/2050d Inode: 14818409 Links: 1 Access: (0664/-rw-rw-r--) Uid: ( 0/ root) Gid: ( 0/ root) Access: 2017-12-18 10:49:08.526648161 -0800 Modify: 2017-12-18 10:49:08.546647827 -0800 Change: 2017-12-18 10:49:08.622646564 -0800 Birth: -` – Sean Hagen Dec 18 '17 at 18:54
  • And right now I'm fine with it being somewhat insecure -- this is mostly just to keep my computer locked while I'm not there. I'm going to look into ways to do challenge response, similar to how I've got PAM setup to check that it's my specific key as part of the auth process. – Sean Hagen Dec 18 '17 at 18:56
  • @SeanHagen can you run `ll /path/to/your-script.sh` and report on the permissions? – WinEunuuchs2Unix Dec 19 '17 at 00:14
  • @WinEunuuchs2Unix `ll /usr/local/bin/yubikey-lock -rwxr-xr-x 1 root root 703 Dec 4 20:04 /usr/local/bin/yubikey-lock` – Sean Hagen Dec 19 '17 at 00:28
  • Please pastebin the `udevadm monitor --property` output and paste the exact rules that you've tried that do not work with it. You may think this is superfluous, but you are asking for help after all and you could have made a mistake somewhere there. – Robie Basak Dec 19 '17 at 08:09
  • Also have you run `udevadm control -R` to reload the ruleset? – Robie Basak Dec 19 '17 at 08:10
  • `udevadm monitor` output: https://pastebin.com/ZcQD7GTM – Sean Hagen Dec 20 '17 at 18:17
  • rules that I'm using: https://pastebin.com/j540DNGW – Sean Hagen Dec 20 '17 at 18:17
  • @RobieBasak yeah, every time I've made a change I do `udevadmin control -R`, or `/etc/init.d/udev restart` or `service udev restart` -- none of them seem to load the rules – Sean Hagen Dec 20 '17 at 18:18
  • If you plug in a normal USB to the same port is it detected and accessible? This should help you determine if the physical port itself is the problem. – TopHat Dec 20 '17 at 21:48
  • @TopHat the port is fine, I can still use the YubiKey as a GPG smart card, or as 2fa for lastpass/etc. It just doesn't seem to trigger any udev rules. – Sean Hagen Dec 21 '17 at 22:40

2 Answers

1

Your udev rule isn't included in your question but from this forum I copied one and modified it:

    $ cat /etc/udev/rules.d/45-yubikey.rules
    ACTION=="add", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0116", RUN+="/path/to/screensaver-unlock.sh"
    ACTION=="remove", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0116", RUN+="/path/to/screensaver-lock.sh"

Note: Product ID 0010 was changed to 0116 to match your udev info.

The scripts on the forum to lock and unlock the screen are not very secure as commentators have pointed out.

Looking at today's comments it reminds me to ensure your script is flagged as executable:

    chmod a+x /path/to/script.sh

Minion3665
WinEunuuchs2Unix
  • 2
    This unlock script is not secure. I could simply buy a Yubikey of the same model and use it to unlock your system. – Robie Basak Dec 18 '17 at 00:08
  • That's a good point. The forum in the link may have better scripts. This was just the most popular sample from that site. It can be refined... – WinEunuuchs2Unix Dec 18 '17 at 00:10
  • the question includes a sample script to log a message when run. i'd advise removing these unsafe scripts and focusing your answer on the udev rule to make `/path/to/sample/script.sh` run. – quixotic Dec 18 '17 at 03:18
  • @RobieBasak Thanks for your input. I've removed the scripts from the forum. – WinEunuuchs2Unix Dec 18 '17 at 11:15
  • @quixotic Thanks for the suggestion on `/path/to` which I implemented. – WinEunuuchs2Unix Dec 18 '17 at 11:16
  • I've had simple rules like that, ones using subsystem, name, every combination of attributes I can think of, even just `ACTION=="add" SUBSYSTEM=="usb"` with a path to a script -- I don't see anything showing up in syslog. – Sean Hagen Dec 18 '17 at 19:00
  • I find the simpler the rule the better. Could it be defective port or key? – WinEunuuchs2Unix Dec 18 '17 at 20:42
0

Well, it seems clear to me that it's a rules filename issue. :P A typo may hide easily in code.

  1. Not loaded by udev.

    Reading rules file: /lib/udev/rules.d/97-hid2hci.rules                
    Reading rules file: /lib/udev/rules.d/99-systemd.rules                
    rules contain 393216 bytes tokens (32768 * 12 bytes), 36008 bytes strings
    
  2. Check the filename here (output by OP from the comment)

    $ stat /etc/udev/rules.d/99-yubikey-rules
    File: /etc/udev/rules.d/99-yubikey-rules 
    Size: 546 Blocks: 8 IO Block: 4096 regular file
    Device: 802h/2050d Inode: 14818409 Links: 1
    Access: (0664/-rw-rw-r--) Uid: ( 0/ root) Gid: ( 0/ root)
    Access: 2017-12-18 10:49:08.526648161 -0800
    Modify: 2017-12-18 10:49:08.546647827 -0800
    Change: 2017-12-18 10:49:08.622646564 -0800
    Birth: -
    

Fix:

Wrong    99-yubikey-rules
Correct  99-yubikey.rules 
user.dz
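
A check for the two failure modes raised in the answers above (a rules file udev never reads because its name lacks the `.rules` suffix, and a `RUN` target that is not executable), as an added example that is not part of the original thread. The function names `lint_udev_rules` and `make_demo_dir`, and the sample directory the latter builds, are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Prints one finding per line:
#   IGNORED <file>            name lacks the ".rules" suffix, so udev never reads it
#   NOEXEC <file>: <program>  RUN target (absolute path) is missing or not executable
lint_udev_rules() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case $f in
            *.rules) ;;
            *) printf 'IGNORED %s\n' "$f"; continue ;;
        esac
        # Drop comment lines, then extract every RUN="..." / RUN+="..." assignment.
        { grep -v '^[[:space:]]*#' "$f" |
            grep -oE 'RUN(\{[a-z]+\})?\+?="[^"]+"' || true; } |
        while IFS= read -r assignment; do
            prog=${assignment#*\"}   # remove everything up to the opening quote
            prog=${prog%\"}          # remove the closing quote
            prog=${prog%% *}         # first word is the program, the rest are arguments
            case $prog in
                # Relative names and builtins are resolved by udev itself; skip them.
                /*) [ -x "$prog" ] || printf 'NOEXEC %s: %s\n' "$f" "$prog" ;;
            esac
        done
    done
    return 0
}

# Constructed sample: one misnamed rules file (hyphen instead of dot, as in the
# stat output above) and one correctly named file whose script is not executable.
make_demo_dir() {
    d=$(mktemp -d) || return 1
    mkdir "$d/rules.d" "$d/bin"
    printf '#!/bin/sh\nlogger "YubiKey event: $1"\n' > "$d/bin/yubikey-lock"
    rule='ACTION=="add", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0116", RUN+="%s/bin/yubikey-lock add"\n'
    printf "$rule" "$d" > "$d/rules.d/99-yubikey-rules"
    printf "$rule" "$d" > "$d/rules.d/45-yubikey.rules"
    printf '%s\n' "$d"
}

if [ $# -gt 0 ]; then
    lint_udev_rules "$1"
else
    demo=$(make_demo_dir) && lint_udev_rules "$demo/rules.d"
    rm -rf "$demo"
fi
```

Pass a directory such as `/etc/udev/rules.d` as the first argument to lint real rules; with no argument it lints the constructed sample.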