Difference between revisions of "Session lock"

From ArchWiki
Jump to navigation Jump to search
(Add vlock)
m (fix shorcut typo)
 
(9 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 
[[Category:Security]]
 
[[Category:Security]]
 
 
There are numerous utilities to lock the screen of a session. But it is important to note that the utility to use is highly dependant on the environment your are in, either the virtual console, or a specific display server (Xorg or Wayland).
 
There are numerous utilities to lock the screen of a session. But it is important to note that the utility to use is highly dependant on the environment your are in, either the virtual console, or a specific display server (Xorg or Wayland).
  
 
See [[List_of_applications#Screen_lockers|List of screen lockers]].
 
See [[List_of_applications#Screen_lockers|List of screen lockers]].
  
= By environment =
+
== By environment ==
  
== Virtual Console ==
+
=== Virtual Console ===
  
 
You can use {{ic|vlock}} to lock a virtual console.
 
You can use {{ic|vlock}} to lock a virtual console.
  
{{Expansion|Inactivity}}
+
=== Xorg ===
 
 
== Xorg ==
 
 
{{Expansion}}
 
{{Expansion}}
  
== Wayland tools ==
+
=== Wayland ===
 
{{Expansion}}
 
{{Expansion}}
  
= Triggering the lock =
+
== Triggering the lock ==
  
 
You can lock a session using different methods:
 
You can lock a session using different methods:
 
* from a terminal
 
* from a terminal
 
* using a GUI:
 
* using a GUI:
  * from a desktop icon
+
** from a desktop icon
  * using hot corners
+
** using hot corners
  * from a menu (mouse or keyboard driven)
+
** from a menu (mouse or keyboard driven)
* from a [[Keyboard shortcuts|shorcut]]
+
* from a [[Keyboard shortcuts|shortcut]]
 
* from an event:
 
* from an event:
  * inactivity
+
** inactivity
  * another action (suspend, hibernate, ...)
+
** another action (suspend, hibernate, ...)
  
 
The last point (triggering a lock from an event) is the trickiest, because you can do it one of two ways:
 
The last point (triggering a lock from an event) is the trickiest, because you can do it one of two ways:
  * get the action trigger to execute your lock, then to execute the initial action.
+
* get the action trigger to execute your lock, then to execute the initial action.
  * from the event trigger, add the lock to the event chain. So far this can only be done using systemd.
+
* from the event trigger, add the lock to the event chain. So far this can only be done using systemd.
  
== List of triggers ==
+
=== List of triggers ===
=== Manual ===
+
==== Manual ====
  
=== Inactivity ===
+
==== Inactivity ====
  
You can trigger a lock on inactivity using [[#Inactivity_2|systemd]], [[DPMS]] (see [[#xss-lock|xss-lock]] or [[#xautolock|xautolock]]
+
You can trigger a lock on inactivity using [[#Inactivity_2|systemd]], [[DPMS]] (see [[#xss-lock|xss-lock]]) or [[#xautolock|xautolock]]
  
=== Suspend / Hibernate ===
+
==== Suspend / Hibernate ====
 
See systemd
 
See systemd
 
   Service file dependency
 
   Service file dependency
 
   Hook to xss-lock
 
   Hook to xss-lock
  
== Xorg triggers ==
+
=== Shell triggers ===
 +
 
 +
==== ZSH ====
 +
 
 +
To execute a command after terminal inactivity, you can use the TMOUT environment variable.
 +
 
 +
You can combine it with a trap on the ALARM signal to execute the lock. Without a trap, it will just terminate the shell.
 +
 
 +
You might want to detect if you are in a graphical environments, otherwise your GUI terminals might start disappearing without you understanding why.
 +
 
 +
=== Xorg triggers ===
  
=== xss-lock ===
+
==== xss-lock ====
  
 
{{pkg|xss-lock}} is triggered by one of two things:
 
{{pkg|xss-lock}} is triggered by one of two things:
Line 63: Line 70:
 
}}
 
}}
  
==== systemd events ====
+
===== systemd events =====
  
 
By default, xss-lock subscribes to {{ic|suspend}}, {{ic|hibernate}}, {{ic|lock-session}}, and {{ic|unlock-session}} with appropriate actions (run locker and wait for user to unlock or kill locker).
 
By default, xss-lock subscribes to {{ic|suspend}}, {{ic|hibernate}}, {{ic|lock-session}}, and {{ic|unlock-session}} with appropriate actions (run locker and wait for user to unlock or kill locker).
Line 71: Line 78:
 
You can trigger a manual lock using loginctl lock-session.
 
You can trigger a manual lock using loginctl lock-session.
  
==== DPMS ====
+
===== DPMS =====
  
 
To configure DPMS signaling timeout:
 
To configure DPMS signaling timeout:
Line 82: Line 89:
  
 
Using DPMS signaling, you can set a second timer, for exemple to notify the user or to dim the screen.
 
Using DPMS signaling, you can set a second timer, for exemple to notify the user or to dim the screen.
For exemple (from {{man|5|xss-lock}}:
+
For exemple (from {{man|1|xss-lock}}):
 
{{bc|
 
{{bc|
 
# Dim the screen after three minutes of inactivity, lock the screen two minutes later using i3lock:
 
# Dim the screen after three minutes of inactivity, lock the screen two minutes later using i3lock:
Line 92: Line 99:
 
{{Note|
 
{{Note|
 
When using xss-lock with [[DPMS]], you will have to blank the screen yourself.
 
When using xss-lock with [[DPMS]], you will have to blank the screen yourself.
It won't be triggered when looking at videos
+
It will not be triggered when looking at videos
 
}}
 
}}
  
=== xautolock ===
+
==== xautolock ====
  
 
{{bc|
 
{{bc|
Line 109: Line 116:
 
}}
 
}}
  
== Wayland triggers ==
+
=== Wayland triggers ===
 
{{Expansion}}
 
{{Expansion}}
  
== SystemD triggers ==
+
=== SystemD triggers ===
  
=== DBUS Notification ===
+
==== DBUS Notification ====
  
 
Using {{ic|loginctl lock-session}}, or the {{ic|lock}} action in {{man|5|logind.conf}}, you can notify the system through DBUS that you want to lock. This notification can the be processed, for exemple by xss-lock.
 
Using {{ic|loginctl lock-session}}, or the {{ic|lock}} action in {{man|5|logind.conf}}, you can notify the system through DBUS that you want to lock. This notification can the be processed, for exemple by xss-lock.
  
=== Inactivity ===
+
==== Inactivity ====
  
In {{man|5|logind.con}}, you can configure the {{ic|IdleAction}} to {{ic|lock}}. This will trigger a DBUS notification, that will have to be processed (for exemple by xsslock) to lock the session.
+
In {{man|5|logind.conf}}, you can configure the {{ic|IdleAction}} to {{ic|lock}}. This will trigger a DBUS notification, that will have to be processed (for exemple by xsslock) to lock the session.
  
 
Note that this is for a global system (so this is not ideal for a multi user environment).
 
Note that this is for a global system (so this is not ideal for a multi user environment).
Line 126: Line 133:
 
Note also that "this requires that user sessions correctly report the idle status to the system".
 
Note also that "this requires that user sessions correctly report the idle status to the system".
  
=== Units ===
+
==== Units ====
  
==== Before suspend/hibernate ====
+
===== Before suspend/hibernate =====
  
 
You can use a [[Power_management#Sleep_hooks|Sleep hook]].
 
You can use a [[Power_management#Sleep_hooks|Sleep hook]].
Line 146: Line 153:
 
}}
 
}}
  
==== Lid closing ====
+
===== Lid closing =====
  
You can use the {{ic|lock}} action using the related [[Power_management#ACPI_events|ACPI Event]]  
+
You can use the {{ic|lock}} action using the related [[Power_management#ACPI_events|ACPI Event]]
  
= Actions after the lock has been triggered =
+
== Actions after the lock has been triggered ==
  
 
Suspend/Hibernate after X
 
Suspend/Hibernate after X
 
Shudown screen
 
Shudown screen
  
= See also =
+
== See also ==
* [https://geoff.greer.fm/2018/01/02/linux-laptop-locking/]
+
 
 +
* [https://geoff.greer.fm/2018/01/02/linux-laptop-locking/ Geoff Greer's site: Linux Laptop Locking]

Latest revision as of 05:20, 16 May 2019

There are numerous utilities to lock the screen of a session. But it is important to note that the utility to use is highly dependant on the environment your are in, either the virtual console, or a specific display server (Xorg or Wayland).

See List of screen lockers.

By environment

Virtual Console

You can use vlock to lock a virtual console.

Xorg

Tango-view-fullscreen.pngThis article or section needs expansion.Tango-view-fullscreen.png

Reason: please use the first argument of the template to provide a brief explanation. (Discuss in Talk:Session lock#)

Wayland

Tango-view-fullscreen.pngThis article or section needs expansion.Tango-view-fullscreen.png

Reason: please use the first argument of the template to provide a brief explanation. (Discuss in Talk:Session lock#)

Triggering the lock

You can lock a session using different methods:

  • from a terminal
  • using a GUI:
    • from a desktop icon
    • using hot corners
    • from a menu (mouse or keyboard driven)
  • from a shortcut
  • from an event:
    • inactivity
    • another action (suspend, hibernate, ...)

The last point (triggering a lock from an event) is the trickiest, because you can do it one of two ways:

  • get the action trigger to execute your lock, then to execute the initial action.
  • from the event trigger, add the lock to the event chain. So far this can only be done using systemd.

List of triggers

Manual

Inactivity

You can trigger a lock on inactivity using systemd, DPMS (see xss-lock) or xautolock

Suspend / Hibernate

See systemd

 Service file dependency
 Hook to xss-lock

Shell triggers

ZSH

To execute a command after terminal inactivity, you can use the TMOUT environment variable.

You can combine it with a trap on the ALARM signal to execute the lock. Without a trap, it will just terminate the shell.

You might want to detect if you are in a graphical environments, otherwise your GUI terminals might start disappearing without you understanding why.

Xorg triggers

xss-lock

xss-lock is triggered by one of two things:

The advantage of this is that you can control a lock issued manually, by inactivity, and by a suspend command at the same place.

To execute an action on one of those events:

xss-lock <locker-utility>
systemd events

By default, xss-lock subscribes to suspend, hibernate, lock-session, and unlock-session with appropriate actions (run locker and wait for user to unlock or kill locker).

You can prevent xss-lock from being triggered by suspend and hibernate using --ignore-sleep.

You can trigger a manual lock using loginctl lock-session.

DPMS

To configure DPMS signaling timeout:

  # Trigger screensaver after 10 minutes of inactivity
  xset s on
  xset s 600

DPMS signaling can also be configured in /etc/X11/xorg.conf.d/ in the Monitor section.

Using DPMS signaling, you can set a second timer, for exemple to notify the user or to dim the screen. For exemple (from xss-lock(1)):

# Dim the screen after three minutes of inactivity, lock the screen two minutes later using i3lock:

xset 180 120
xss-lock -n dim-screen.sh -- i3lock -n
Note:

When using xss-lock with DPMS, you will have to blank the screen yourself. It will not be triggered when looking at videos

xautolock

xautolock -time 12 -locker "systemctl suspend" -detectsleep
Note:

xautolock has restrictive timer limits:

  • 1 min to 1 hour for time
  • 10 min to 2 hour for killtime

It might be necessary to add -detectsleep to prevent xautolock from locking the session after resuming. One nice feature of xautolock is the corners.

Wayland triggers

Tango-view-fullscreen.pngThis article or section needs expansion.Tango-view-fullscreen.png

Reason: please use the first argument of the template to provide a brief explanation. (Discuss in Talk:Session lock#)

SystemD triggers

DBUS Notification

Using loginctl lock-session, or the lock action in logind.conf(5), you can notify the system through DBUS that you want to lock. This notification can the be processed, for exemple by xss-lock.

Inactivity

In logind.conf(5), you can configure the IdleAction to lock. This will trigger a DBUS notification, that will have to be processed (for exemple by xsslock) to lock the session.

Note that this is for a global system (so this is not ideal for a multi user environment).

Note also that "this requires that user sessions correctly report the idle status to the system".

Units

Before suspend/hibernate

You can use a Sleep hook.

[Unit]
Description=Lock the screen
Before=sleep.target
 
[Service]
#User=user
Environment=DISPLAY=:0
ExecStart=i3lock
 
[Install]
WantedBy=sleep.target
Lid closing

You can use the lock action using the related ACPI Event

Actions after the lock has been triggered

Suspend/Hibernate after X Shudown screen

See also