Ubuntu – Can console be suspended and ask for a password on wakeup

Tags: console, password, security, suspend

Although I suspect that this is not currently possible, I would just like to ask because it would be something very useful in my opinion. Because when I close my lid and I am in the GUI my computer suspends and then requires a password to be unlocked. However if I do the same in console, there is no suspend and it doesn't ask me for a password to log back in again.

Now this can be a potential security risk so I was wondering if there was a way to pause everything running through console when the lid is closed, and so that when the machine awakes, you have to enter your password back into the console window so that it 'unlocks' your session? I am running Ubuntu GNOME 15.04. When I say the console, I mean the TTYs.

I have had a look at TTY[1-6]: Lock screen after delay (like a screensaver), however I do not feel that it fully answers my question, especially about pausing anything running so that it can continue upon resume.

I am running Ubuntu GNOME 15.10 with GNOME 3.18.

Best Answer

The other question that muru has linked in the comments (TTY[1-6]: Lock screen after delay (like a screensaver)) offers us the tool for locking the tty, vlock. At the simplest level, you can combine vlock -a with pm-suspend into a .bashrc function or a script. Here's mine:

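$ cat lockTTY.sh
#!/bin/bash
# Suspend after a 3-second delay, from a background subshell
(sleep 3; sudo pm-suspend) &
# Meanwhile, lock all virtual consoles
vlock -a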

What is happening here? Basically we're launching pm-suspend with a delay in a subshell, in the background. Meanwhile we use vlock -a to lock all the ttys. After 3 seconds, the laptop suspends.

The catch here, however, is the sudo pm-suspend part. You have to prevent sudo from asking you for a password for pm-suspend. In order to do that, we add the following line at the end of the /etc/sudoers file:

$USERNAME ALL = NOPASSWD: /usr/sbin/pm-suspend

Of course, replace $USERNAME with your actual username. You might call sudo visudo to open that file with your default text editor set in /etc/alternatives/editor, just to be safe, but any editor called with proper permissions will do.

What does this script allow us to do? Suspend and lock with processes still running. vlock -a has the big advantage of preventing switching to other consoles, so it's not just one console being locked, but all of them - you cannot just switch to another tty if one is locked.

You could also suspend first and lock second, i.e. call pm-suspend first and vlock -a second. But that means upon resume there is a possibility someone may see your screen for a fraction of a second before vlock kicks in.

What would be the simple and dirty solution in case you don't trust vlock and don't want to install it? Create a script /etc/pm/sleep.d/10_lockTTY with the following contents:

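#!/bin/bash

case "${1}" in
    hibernate|suspend)
        # nothing to do on the way down
        ;;
    resume|thaw)
        # restart every tty on wake-up; this kills whatever was running on them
        for NUM in $(seq 1 6); do service tty$NUM restart; done
        ;;
esac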

This will reset all ttys upon return from suspend, but mind - any processes you had there will be killed.
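
A check for the sudoers step in the answer above, as an added example that is not part of the original answer: it reads sudoers-format text and flags any NOPASSWD rule that is broader than a single fixed binary such as /usr/sbin/pm-suspend. The function names audit_nopasswd and sample_sudoers, the sample users and the simplified one-rule-per-line parsing are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit NOPASSWD rules in sudoers-format text.
# Simplified parser (assumption): one rule per line, no aliases, no line continuations.

# Constructed sample input; the user names and rules are made up for the demo.
sample_sudoers() {
    cat <<'EOF'
# constructed sample, not from a real system
alice ALL = NOPASSWD: /usr/sbin/pm-suspend
bob   ALL=(ALL) NOPASSWD: ALL
carol ALL = NOPASSWD: /usr/bin/apt-get *, /usr/sbin/pm-suspend
dave  ALL = (root) /usr/bin/less
EOF
}

# audit_nopasswd [FILE]: reads FILE (or stdin), prints one verdict per NOPASSWD
# command, and returns 1 if any rule is broader than a single fixed binary.
audit_nopasswd() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        /NOPASSWD:/ {
            user = $1
            cmds = $0
            sub(/.*NOPASSWD:[ \t]*/, "", cmds)    # keep only the command list
            n = split(cmds, c, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                cmd = c[i]
                sub(/[ \t]+$/, "", cmd)
                why = ""
                if (cmd == "ALL")          why = "any command"
                else if (cmd !~ /^\//)     why = "not an absolute path"
                else if (cmd ~ /[*?]/)     why = "wildcard in command"
                if (why != "") { printf "WARN %s %s (%s)\n", user, cmd, why; warn++ }
                else           { printf "OK %s %s\n", user, cmd }
            }
        }
        END { exit (warn > 0) }
    ' "${1:--}"
}

# Demo on the constructed sample.
sample_sudoers | audit_nopasswd || echo "review the WARN lines above"
```

Run it against a copy of the real file with audit_nopasswd /path/to/copy; syntax validation is a separate step that visudo performs.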