leah blogs

January 2020

01jan2020 · X11 screen locking: a secure and modular approach

For years I’ve been using XScreenSaver as a default, but I recently learned about xsecurelock and re-evaluated my screen-saving requirements:

  • The screen saver should turn on and lock on after some configurable time.
  • The screen saver should lock on a hotkey.
  • The screen saver should lock before suspend.
  • The screen saver should authenticate via PAM.
  • The screen saver should be configurable via xset s.
  • The screen saver should tell to forget SSH agent keys on locking.
  • I can disable the screen saver, e.g. when giving a presentation.
  • The screen saver should display a pretty demo.

    When I just used XScreenSaver, I had these issues:

  • Locking before suspend was not so easy, I had hacks using either xauth as root or additional helper scripts trapping signals.

  • Forgetting the SSH agent keys required a small, but additional script.
  • Rarely, XScreenSaver got stuck, so I had to kill it from a TTY to get in.
  • My xlbiff managed to pop up over XScreenSaver.

    After some unsuccessful fiddling with xss-lock and xautolock, I settled down on this toolset now:

  • xsecurelock for screen locking and spawning XScreenSaver demos

  • xidle for spawning xsecurelock after timeout
  • xbindkeys for triggering xidle on hotkey
  • acpid for triggering xidle on lid close

    Note that none of this requires systemd, DBus, or really anything else that X11 didn’t have for at least 25 years.

So, how to put it together:

I use a script run-xsecurelock, which is spawned from .xinitrc:

#!/bin/sh
# run-xsecurelock - run xsecurelock(1) with right config

if [ "$1" = lock ]; then
    ssh-add -D
    XSECURELOCK_BLANK_TIMEOUT=900 \
    XSECURELOCK_PASSWORD_PROMPT=time_hex \
    XSECURELOCK_SAVER=saver_xscreensaver \
    XSECURELOCK_SAVER_RESET_ON_AUTH_CLOSE=1 \
    XSECURELOCK_SHOW_DATETIME=1 \
        exec xsecurelock
fi

xidle -no -program "$HOME/bin/run-xsecurelock lock" -timeout 600

This runs xidle with a timeout of 10 minutes and tells it to spawn this script again with the lock argment, so it will run xsecurelock after forgetting the SSH agent keys. xsecurelock then spawns a random XScreenSaver demo. There is no support for cycling the demo, but you can trigger the authentication dialog and close it to get a different demo.

Then, we can set up the hotkey in ~/.xbindkeysrc:

"xset s activate"
  Insert

I used to use the Pause key for triggering the screen saver, but my T480 doesn’t have it anymore, so I use Insert now, which I don’t use else.

Finally, acpid can trigger xidle by sending SIGUSR1 from handler.sh:

pkill -USR1 xidle

Note how simple this is as root and doesn’t require getting X11 credentials or complex IPC.

To disable xidle, I just run xset s off. The timeout is configurable at run time using xset s SECONDS.

This should satisfy all my requirements and is a cleaner setup then I had before.

NP: Leonard Cohen—Thanks for the Dance

Copyright © 2004–2022