Sup all,

as the title states, this article will go over how to automatically enable / disable xscreensaver on the insertion / removal of your yubikey. only caveat is that it will not lock the screen. this article assumes that your xscreensaver session will lock the screen after x amount of minutes (preferably < 5 minutes).


i added these lines to file /etc/udev/rules.d/90-yubico-u2f.rules:

SUBSYSTEM=="usb", ACTION=="remove", ENV{ID_VENDOR_ID}=="XXXX", ENV{ID_MODEL_ID}=="XXXX", RUN+="/usr/local/bin/yubikey_ss.sh enable"
SUBSYSTEM=="usb", ACTION=="add", ENV{ID_VENDOR_ID}=="XXXX", ENV{ID_MODEL_ID}=="XXXX", RUN+="/usr/local/bin/yubikey_ss.sh disable"

for those lines to work we need to insert the yubikey and run
udevadm monitor --udev --property
and grep both “ID_VENDOR_ID” and “ID_MODEL_ID” and replace the XXXX with the corresponding greps.

then restart udev once the script is in place
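
one way to fill in the XXXX values without hand-copying the greps (added example, not part of the original article; the sample capture with its aaaa / bbbb ids is constructed, and the function names are made up for this example). it only accepts ids that are exactly four hex digits, since the result lands in a rules file that udev processes as root:

```shell
#!/usr/bin/env bash
# added example: build the article's two udev rules from monitor output.
# constructed capture; aaaa / bbbb are placeholder ids, not a real device's.
sample_capture() {
cat <<'EOF'
UDEV  [100.000001] add      /devices/pci0000:00/usb1/1-2 (usb)
ACTION=add
SUBSYSTEM=usb
DEVTYPE=usb_device
ID_VENDOR_ID=aaaa
ID_MODEL_ID=bbbb

UDEV  [100.000002] add      /devices/pci0000:00/usb1/1-2/1-2:1.0 (usb)
ACTION=add
SUBSYSTEM=usb
DEVTYPE=usb_interface
EOF
}

# print "VENDOR MODEL" for the first usb_device add event on stdin.
# ids must be exactly four lowercase hex digits; anything else is rejected.
extract_ids() {
    awk 'BEGIN { RS = ""; FS = "\n" }
    {
        split("", p)    # reset the property table for this event
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq) p[substr($i, 1, eq - 1)] = substr($i, eq + 1)
        }
        v = p["ID_VENDOR_ID"]; m = p["ID_MODEL_ID"]
        if (p["ACTION"] == "add" && p["SUBSYSTEM"] == "usb" &&
            p["DEVTYPE"] == "usb_device" &&
            length(v) == 4 && length(m) == 4 && (v m) ~ /^[0-9a-f]+$/) {
            print v, m; found = 1; exit
        }
    }
    END { exit !found }'
}

# emit the two rules with XXXX replaced by the extracted ids.
print_rules() {
    ids=$(extract_ids) || { echo "no usb_device add event found" >&2; return 1; }
    set -- $ids
    fmt='SUBSYSTEM=="usb", ACTION=="%s", ENV{ID_VENDOR_ID}=="%s", ENV{ID_MODEL_ID}=="%s", RUN+="/usr/local/bin/yubikey_ss.sh %s"\n'
    printf "$fmt" remove "$1" "$2" enable
    printf "$fmt" add "$1" "$2" disable
}

sample_capture | print_rules
```

for a real key, save the output of udevadm monitor --udev --property to a file while inserting the yubikey and pipe that file into print_rules instead of the sample.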


next we will add /usr/local/bin/yubikey_ss.sh with these contents:

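#!/usr/bin/env bash

# first non-root user that owns a process with "session" in its ps line
_USER=$(ps -aux \
    | awk '$0 !~ /root/ && /session/ {print $1}' \
    | sed -n '1p')

case "$1" in
    enable)
        # yubikey removed: start the screensaver
        /bin/su "${_USER}" \
            -c "DISPLAY=:0 /usr/bin/xscreensaver-command -activate"
        ;;
    disable)
        # yubikey inserted: stop the screensaver
        /bin/su "${_USER}" \
            -c "DISPLAY=:0 /usr/bin/xscreensaver-command -deactivate"
        ;;
esac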

and make it executable.

test to ensure that it works.


at this point, you should realize that you are just activating the screensaver and not locking it, so no password will be asked for unless you have the “Lock screen after” option enabled in
xscreensaver-command -demo
set it to around 5 or less minutes. one if you are paranoid.



Sup all,

I have written separate articles about this before but decided to put this all together into one article cause why not.

The purpose of this article is to have google 2fa & yubikey u2f at the login prompt (assuming you do not have a login manager (i don’t)).

This article is gentoo heavy. The equivalent for other distros should not be too different or difficult to figure out.

Needed files

First let's emerge the proper packages (some of these are just-in-case emerges for future usage):

For the Yubikey u2f

  • I tested this with the yubikey {4, 4 nano, and 4C} and the yubikey neo.

    Using the yubikey-personalization-gui, make sure that in slot one of the keys you have it configured to OTP. slot 2 can be whatever.
    once this is done we have to generate the ${HOME}/.config/Yubico/u2f_keys by running this :
    sudo pamu2fcfg -u $(logname) >> ${HOME}/.config/Yubico/u2f_keys

    if you are using multiple yubikeys, then every time you run the above command, you need to edit the file like so:
    when you run sudo pamu2fcfg -u $(logname) >> ${HOME}/.config/Yubico/u2f_keys
    it will add the data like so :

    but if you see something like this:

    then edit so that it looks like the first example or else your u2f will not work and give really weird errors

    Now, let's add and edit the pam files:
    create file /etc/pam.d/yubico
    and add this:
    auth required pam_u2f.so cue interactive
    these items can be decoded here

    and now edit /etc/pam.d/login
    and add this line to the top:
    auth include yubico

    Now let's test that the yubikey u2f is working before fully logging out.
    press alt+ctrl+f2 to bring you to a tty and you should see the u2f options here.

    if this is working, lets move on to the google 2fa portion.

    For the Google 2fa

  • I tested this with authy on android as the app.

    Let's run: google-authenticator
    which will look like this:


    and just follow the on screen steps which includes using the link provided to add the 2fa portion to your authenticator app.

    now let's create file /etc/pam.d/google-authenticator
    and add this:
    auth required pam_google_authenticator.so nullok
    which can be decoded here

    and now edit /etc/pam.d/login
    and add this line to the top:
    auth include google-authenticator

    Now let's test that the google 2fa is working before fully logging out.
    press alt+ctrl+f2 to bring you to a tty and you should see the 2fa options here.

    if this is working then you should now have 2fa & u2f login set up.


    I will eventually write articles on:

  • using your yubikey for screensaver auth (will most likely be xscreensaver heavy)
  • locking / unlocking screen when the yubikey is inserted / removed
  • using 2fa & u2f for ssh / sudo auth

    Again, like with any article, YMMV.

    Here is a pic of the yubikeys i tested with:
