
February 06, 2010 Archives

Medor v0.1 : How to protect your session using RFID tags

The idea is quite simple: at work I often leave my computer for meetings and don't want to have to xlock / unlock my session.
On login, I start ssh-agent with all my different keys (Work & Personal), so leaving a terminal open with them loaded looks dangerous to me. Medor checks every 5 seconds whether my keys, with my RFID tag attached, are present; if they aren't, the screen is locked to prevent somebody from using my session. When my keys are back, the session is unlocked.
There's another protection: if Medor detects that the RFID reader is no longer available (somebody tried to unplug it), the screen is locked, all keys in my ssh-agent are removed and an XMPP message is sent to my cell phone.

Medor uses the RFIDIOt library to access the RFID reader; have a look at my previous article to learn how to use it on Debian GNU/Linux.

Here are the 2 main scripts (an up-to-date release will be available on my GitHub under dotfiles/openbox/bin/Medor):

 

Medor.sh

#!/bin/bash
#
# Medor v0.1
# Alex "laotseu" DE DOMMELIN - http://blog.tuxz.net
#
# This program is free software. It comes without any warranty, to
# the extent permitted by applicable law. You can redistribute it
# and/or modify it under the terms of the Do What The Fuck You Want
# To Public License, Version 2, as published by Sam Hocevar. See
# http://sam.zoy.org/wtfpl/COPYING for more details.
#

RFID_ID="MYTAGID"
CHECK_TAG_SCRIPT="/home/laotseu/.config/openbox/bin/Medor/python-rfid/checkTag.py"

SCREENLOCK="xlock"
SCREENLOCK_OPTS="-mode blank"
XMPP_ALERT="/home/laotseu/.config/openbox/bin/Medor/xmpp_alert.py"



function protect() {
  (ssh-agent -k > /dev/null 2>&1)
  ($XMPP_ALERT "$(date) Security Alert : RFID reader unplugged" > /dev/null 2>&1)
  lock;
}

function lock() {
  ($SCREENLOCK $SCREENLOCK_OPTS &)
}

function unlock() {
  (/usr/bin/killall -9 $SCREENLOCK)
}



## Main Loop ##

ALERT_SENT=0
while [ 42 ];
do
  TAG=`$CHECK_TAG_SCRIPT 2>/dev/null`

  case $? in
    ############################
    ## Reader not present :-( ##
    ############################
    1 )
      if [ $ALERT_SENT -eq 0 ];
      then
        protect;
        ALERT_SENT=1
      fi;
    ;;


    #################################
    ## No tag present, lock screen ##
    #################################
    255 )
      (/bin/pidof $SCREENLOCK > /dev/null 2>&1)
      if [ $? -eq 1 ];
      then
        lock;
      fi;
    ;;


    #############################################
    ## Tag present, check if allowed to unlock ##
    #############################################
    0 )
      if [ "$TAG" == "$RFID_ID" ];
      then
        (/bin/pidof $SCREENLOCK > /dev/null 2>&1)
        if [ $? -eq 0 ];
        then
          unlock;
          ALERT_SENT=0
        fi;
      else
        (/bin/pidof $SCREENLOCK > /dev/null 2>&1)
        if [ $? -eq 1 ];
        then
          lock;
        fi;
      fi;
      ;;
  esac

  sleep 3
done;

 

checkTag.py

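#!/usr/bin/python
# Prints the UID of the tag on the reader. Medor.sh acts on the exit status:
#   0   = a tag was read (UID on stdout)
#   1   = the reader could not be accessed
#   255 = no tag on the reader (os._exit(-1) is reported to the shell as 255)

import RFIDIOtconfig
import os

try:
  card = RFIDIOtconfig.card
except:
  os._exit(1)

if card.select():
  print("%s" % card.uid)
else:
  os._exit(-1)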
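
The decision that Medor.sh's main loop makes from checkTag.py's exit status, rewritten as a testable function (an added example, not the author's code). It goes beyond the original in two ways: statuses other than 0, 1 and 255, which the original case statement ignores, lock the screen, and an empty expected tag ID never unlocks. The function name decide, its arguments and the sample observations are constructed for illustration.

```bash
#!/bin/bash
# Added example, not part of Medor: the main loop's decision as a pure function.
# Usage: decide STATUS TAG EXPECTED LOCKED ALERT_SENT   (prints one action word)
#   STATUS      exit status of checkTag.py: 0 tag read, 1 no reader, 255 no tag
#   LOCKED      1 if the screen locker is running, 0 otherwise
#   ALERT_SENT  1 if the unplug alert has already been sent, 0 otherwise
decide() {
  local status=$1 tag=$2 expected=$3 locked=$4 alert_sent=$5
  case "$status" in
    1)  # reader unavailable: protect once, then stay quiet
      if [ "$alert_sent" -eq 0 ]; then echo protect; else echo none; fi
      ;;
    0)  # a tag was read: unlock only on an exact, non-empty match
      if [ -n "$expected" ] && [ "$tag" = "$expected" ]; then
        if [ "$locked" -eq 1 ]; then echo unlock; else echo none; fi
      elif [ "$locked" -eq 0 ]; then echo lock; else echo none
      fi
      ;;
    *)  # 255 (no tag) and every status Medor.sh does not list: fail closed
      if [ "$locked" -eq 0 ]; then echo lock; else echo none; fi
      ;;
  esac
}

# Constructed observations, one per line: STATUS TAG LOCKED ALERT_SENT
while read -r status tag locked alert; do
  printf '%-4s %-9s locked=%s alert=%s -> %s\n' "$status" "$tag" "$locked" \
    "$alert" "$(decide "$status" "$tag" MYTAGID "$locked" "$alert")"
done <<'EOF'
0 MYTAGID 1 0
0 OTHERTAG 0 0
255 - 0 0
1 - 0 0
1 - 1 1
139 - 0 0
EOF
```

In a loop like the one in Medor.sh, the printed word would select which of protect, lock or unlock to call, with ALERT_SENT reset on unlock as the original does.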

Posted by Alexandre De Dommelin on Sat Feb 06 20:00:00 UTC 2010 | Permanent Link | Categories: Tips