How to Enable Screen Locking on FreeBSD

How to Enable Screen Locking on FreeBSD
by İbrahim Korucuoğlu ( @siberoloji) |
Tags:
Categories:

  6 minute read  

FreeBSD, a robust and secure Unix-like operating system, offers various methods to lock your screen when stepping away from your computer. Screen locking is an essential security practice that prevents unauthorized access to your system during your absence. This comprehensive guide explores multiple approaches to implement screen locking on FreeBSD, covering console, X11, and Wayland environments, along with automated locking configurations.

Why Screen Locking Matters

Before diving into implementation details, it’s important to understand why screen locking is crucial:

  • Prevents unauthorized access to your account while you’re away
  • Protects sensitive data from casual observers
  • Complies with security policies in organizational settings
  • Forms a basic layer of physical security for your system

Console Screen Locking

FreeBSD provides several utilities for locking the console, which are particularly useful for server environments or systems without graphical interfaces.

Using lock

The lock utility is a simple, built-in tool that comes with the FreeBSD base system:

  1. Open a terminal window
  2. Type lock and press Enter
  3. You’ll be prompted to create a password
  4. Enter the password (it won’t be displayed on screen)
  5. Confirm the password when prompted
  6. Your screen is now locked

To unlock, simply enter the password you created. Note that lock is a basic utility and doesn’t offer advanced features like timeout configuration or integration with system authentication.

Using vlock

For more robust console locking, consider installing vlock (virtual console lock):

  1. Install vlock using pkg:

    # pkg install vlock

  2. Basic usage:

    vlock

  3. To lock all virtual terminals (preventing switching):

    vlock -a

vlock integrates with PAM (Pluggable Authentication Modules), providing more secure authentication compared to the basic lock utility.

X11 Screen Locking

If you’re using X11 as your display server, you have several screen locking options depending on your desktop environment or window manager.

XScreenSaver

XScreenSaver is a popular and highly configurable screen locker for X11:

  1. Install XScreenSaver:

    # pkg install xscreensaver

  2. Add XScreenSaver to your X startup script (e.g., .xinitrc or .xsession):

    xscreensaver -no-splash &

  3. Configure XScreenSaver using the graphical interface:

    xscreensaver-demo

  4. To lock the screen manually:

    xscreensaver-command -lock

XScreenSaver offers numerous configuration options, including:

  • Lock timeout settings
  • Multiple screensaver animations
  • Authentication methods
  • Display power management

slock (Simple X Lock)

For a minimalist approach, slock from the suckless tools suite is an excellent option:

  1. Install slock:

    # pkg install slock

  2. To lock your screen:

    slock

slock is extremely lightweight and follows the Unix philosophy of doing one thing well. It displays a plain black screen when locked and unlocks using your system password.

Desktop Environment-Specific Lockers

If you’re using a complete desktop environment, it likely includes its own screen locking mechanism:

KDE Plasma

  1. Configure screen locking in System Settings → Desktop Behavior → Screen Locking
  2. Lock manually with the keyboard shortcut Ctrl+Alt+L or via the application menu

GNOME

  1. Configure lock settings in Settings → Privacy → Screen Lock
  2. Lock manually with Super+L or via the system menu

Xfce

  1. Configure in Settings → Power Manager → Security
  2. Lock manually with Ctrl+Alt+L or via the Xfce menu

Wayland Screen Locking

If you’re using Wayland instead of X11, screen locking mechanisms differ slightly.

swaylock (for Sway)

If you’re using the Sway window manager:

  1. Install swaylock:

    # pkg install swaylock

  2. Basic usage:

    swaylock

  3. For a blurred screenshot as background:

    swaylock -e -f -i "$(mktemp).png"

  4. Configure swaylock in your Sway config file (~/.config/sway/config):

    # Lock screen after 300 seconds of inactivity
exec swayidle -w \
  timeout 300 'swaylock -f' \
  timeout 600 'swaymsg "output * dpms off"' \
  resume 'swaymsg "output * dpms on"' \
  before-sleep 'swaylock -f'

Waylock

Another option for Wayland compositors:

  1. Install waylock:

    # pkg install waylock

  2. Basic usage:

    waylock

Automating Screen Locking

For enhanced security, consider automating screen locking based on inactivity or system events.

Using xautolock with X11

  1. Install xautolock:

    # pkg install xautolock

  2. Configure xautolock to run your preferred locker (e.g., slock) after 10 minutes of inactivity:

    xautolock -time 10 -locker slock &

  3. Add this command to your X startup script (.xinitrc or .xsession)

Using xss-lock with systemd-logind

If you’ve enabled systemd compatibility on FreeBSD:

  1. Install xss-lock:

    # pkg install xss-lock

  2. Start xss-lock with your preferred locker:

    xss-lock -- slock &

  3. Add to your X startup script

Using swayidle with Wayland

For Wayland compositors that support the idle protocol:

  1. Install swayidle:

    # pkg install swayidle

  2. Configure swayidle in your startup configuration:

    swayidle -w \
  timeout 300 'swaylock -f' \
  timeout 600 'swaymsg "output * dpms off"' \
  resume 'swaymsg "output * dpms on"' \
  before-sleep 'swaylock -f'

Keyboard Shortcuts

To make screen locking convenient, configure keyboard shortcuts:

X11 with Custom Shortcuts

Add the following to your .xbindkeysrc file:

# Lock screen with Ctrl+Alt+L
"slock"
  Control+Alt+l

Then ensure xbindkeys starts with your X session.

i3 Window Manager

Add to your i3 config file:

# Lock screen with Mod+Shift+x
bindsym $mod+shift+x exec slock

Sway

Add to your Sway config:

# Lock screen with Mod+l
bindsym $mod+l exec swaylock

Advanced Configuration

PAM Integration

For more secure authentication, ensure your screen locker integrates with PAM. Most modern screen lockers use PAM by default. To verify PAM configuration:

  1. Check for locker-specific PAM config in /etc/pam.d/
  2. If needed, create a custom PAM service file for your locker

DPMS (Display Power Management Signaling)

Configure your display to power down after locking for additional energy savings:

For X11:

# Set standby, suspend, and off timeouts (in seconds)
xset dpms 300 600 900

For Wayland/Sway, use swayidle as shown in previous examples.

Security Considerations

When implementing screen locking, keep these security aspects in mind:

  1. Password Strength: Ensure your login password is strong since it’s the key to unlocking your screen
  2. Lock Timeout: Balance security with convenience when setting automatic locking timeouts
  3. Screen Clearing: Some lockers (like XScreenSaver) can clear screen contents before locking to prevent information leakage
  4. Physical Security: Screen locking is ineffective against attackers with physical access who can reboot the system
  5. Full Disk Encryption: For maximum security, combine screen locking with full disk encryption

Troubleshooting

Lock Not Working in X11

If your screen locker fails to start:

  • Check if the locker binary is in your PATH
  • Verify that the display environment variables are set correctly
  • Check system logs (/var/log/Xorg.0.log) for errors

PAM Authentication Failures

If unlocking fails despite correct password:

  • Check PAM configuration for the locker
  • Verify user account status
  • Review system logs (/var/log/auth.log) for authentication failures

Wayland Compatibility Issues

If screen locking doesn’t work under Wayland:

  • Ensure your Wayland compositor supports the idle protocol
  • Check if your locker is compatible with your specific Wayland implementation
  • Consider using a compositor-specific locker (like swaylock for Sway)

Conclusion

Implementing screen locking on FreeBSD is a fundamental security practice that helps protect your system from unauthorized access. Whether you’re using a text console, X11, or Wayland, FreeBSD offers multiple options to secure your session when you’re away from your computer.

By choosing the appropriate screen locking solution for your environment and automating the locking process, you can significantly enhance your system’s security posture with minimal impact on usability. Remember that screen locking is just one component of a comprehensive security strategy, and it’s most effective when combined with other security measures like strong authentication, full disk encryption, and proper physical security controls.

For the most current information on screen locking in FreeBSD, consult the FreeBSD Handbook and man pages for your specific locking utility.


< How to Use Virtual Desktops with tmux/byobu on FreeBSDOptimizing FreeBSD for Low-Latency Audio Processing >