For years I’ve been using XScreenSaver as a default, but I recently learned about xsecurelock and re-evaluated my screen-saving requirements:
- The screen saver should turn on and lock on after some configurable time.
- The screen saver should lock on a hotkey.
- The screen saver should lock before suspend.
- The screen saver should authenticate via PAM.
- The screen saver should be configurable via
- The screen saver should tell to forget SSH agent keys on locking.
- I can disable the screen saver, e.g. when giving a presentation.
The screen saver should display a pretty demo.
When I just used XScreenSaver, I had these issues:
Locking before suspend was not so easy, I had hacks using either
xauthas root or additional helper scripts trapping signals.
- Forgetting the SSH agent keys required a small, but additional script.
- Rarely, XScreenSaver got stuck, so I had to kill it from a TTY to get in.
My xlbiff managed to pop up over XScreenSaver.
After some unsuccessful fiddling with xss-lock and xautolock, I settled down on this toolset now:
xsecurelock for screen locking and spawning XScreenSaver demos
- xidle for spawning xsecurelock after timeout
- xbindkeys for triggering xidle on hotkey
acpid for triggering xidle on lid close
Note that none of this requires systemd, DBus, or really anything else that X11 didn’t have for at least 25 years.
So, how to put it together:
I use a script
run-xsecurelock, which is spawned from
# run-xsecurelock - run xsecurelock(1) with right config
if [ "$1" = lock ]; then
xidle -no -program "$HOME/bin/run-xsecurelock lock" -timeout 600
xidle with a timeout of 10 minutes and tells it to spawn
this script again with the
lock argment, so it will run
xsecurelock after forgetting the SSH agent keys.
then spawns a random XScreenSaver demo. There is no support for
cycling the demo, but you can trigger the authentication dialog and
close it to get a different demo.
Then, we can set up the hotkey in
"xset s activate"
I used to use the Pause key for triggering the screen saver, but my T480 doesn’t have it anymore, so I use Insert now, which I don’t use else.
Finally, acpid can trigger xidle by sending
pkill -USR1 xidle
Note how simple this is as root and doesn’t require getting X11 credentials or complex IPC.
To disable xidle, I just run
xset s off.
The timeout is configurable at run time using
xset s SECONDS.
This should satisfy all my requirements and is a cleaner setup then I had before.
NP: Leonard Cohen—Thanks for the Dance