Posted on 2018-10-08
I frequent the #openbsd IRC channel in order to help people. A question commonly asked is how to automatically lock your machine when putting it to sleep with zzz(1). I answered this question in a previous article (which was actually written four years ago; time flies!) but it was written in French, so here's a new one, also covering additional related topics.
If you read apmd(8):
FILES /etc/apm/suspend /etc/apm/hibernate /etc/apm/standby /etc/apm/resume /etc/apm/powerup /etc/apm/powerdown These files contain the host's customized actions. Each file must be an executable binary or shell script. A single program or script can be used to control all transitions by examining the name by which it was called, which is one of suspend, hibernate, standby, resume, powerup, or powerdown.
The trick is to write a script for 'etc/apm/suspend' to run when zzz is called (either directly or by closing the lid). For instance, the script I'm using is:
#!/bin/sh doas -u danj env DISPLAY=:0 XAUTHORITY=/home/danj/.Xauthority xlock &
This is off to a good start, but if you are a startx user (versus using xenodm), be sure to run
exec startx and not just
startx. Otherwise, it is possible to kill X and then access the shell.
If you don't set a maximum lifetime for your
ssh-agent, you should clear your identities using
ssh-add -D. You should also revoke any
sudo permissions with
doas doesn't work the same way, so
doas -L won't help you much. (You have elevated permissions only in the current shell, not account-wide).
You might want to clear your clipboards, as well. Use something like:
xsel -c -p; xsel -c -s; xsel -c -b.
Of course, if you use other authentication mechanisms (GNOME keyring, ssh's Control*, etc.), you should handle those as well.
Now that I have a Captive Advanced
Threat, I feel the need to automatically lock the screen after it has been idle for a short while. You can achieve this using
xidle. The man
page is sufficiently descriptive that I won't talk about that further.