Locking Your Shell

General Information

Oftentimes we SSH into our BSD boxes and then have to leave our stations for a little while. If we don't do anything special with the open terminal, it poses a serious security threat to our boxes. Wouldn't it be nice if we could just lock the open terminal without having to close the connection? Well, we can, with a built-in utility called lock(8). There is also the vlock port, which I will discuss as well.


  1. Local access on the box.
  2. An SSH client such as PuTTY or SecureCRT (if you are using it remotely).



This first method uses the built-in lock(8) command.

$ lock
lock: /dev/ttyp0 on liljon.bsdguides.org. timeout in 15 minutes.
time now is Sun Oct 10 13:24:21 MST 2004

Once you issue lock, you will be prompted to enter the unlocking key, or passphrase. You will also notice that the lock will automatically time out and unlock in 15 minutes. This is a security problem if you will be gone for more than 15 minutes. As with most commands, there are options you can add to the command to override the defaults. The default behavior of lock is to request an unlocking key and to time out in 15 minutes. I like issuing:

$ lock -np
lock: /dev/ttyp0 on liljon.bsdguides.org. no timeout.
time now is Sun Oct 10 13:28:16 MST 2004

With these two options, there is no timeout and the key is your password from /etc/passwd.

If you look at the man page, you'll see there are four options for use with lock(8).

The following options are available:

-n      Don't use a timeout value.  Terminal will be locked forever.

-p      A password is not requested, instead the user's current login
        password is used.

-t timeout
        The time limit (default 15 minutes) is changed to timeout min-

-v      Disable switching virtual terminals while this terminal is


This second method uses the vlock port. I personally find it more attractive and simpler to use.


# cd /usr/ports/security/vlock
# make install distclean

If you don’t ever want to use lock(8) again, you can replace the file with a link to vlock.

# mv /usr/bin/lock /usr/bin/lock.old
# ln -s /usr/local/bin/vlock /usr/bin/lock


vlock is pretty straightforward.

# vlock
*** This tty is not a VC (virtual console). ***
*** It may not be securely locked. ***

This TTY is now locked.
Please enter the password to unlock.
jon's Password:

Note: If you replaced lock(8) with a symlink, you can just issue lock instead of vlock.

That’s all there is to it. You can use this for your SSH connection or on your local console.
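
A small wrapper for ~/.profile that ties the two methods together, added here as an example and not part of the original guide. The function names pick_locker and lock_term are hypothetical; it assumes vlock and lock are found through PATH and that lock accepts -n and -p as described above.

```sh
# Added example: pick a terminal locker and run it safely.
# pick_locker and lock_term are hypothetical names, not system commands.

# Print the command that should lock this terminal.
# Order follows the guide: vlock if the port is installed, otherwise
# lock(8) with -n (no 15-minute timeout) and -p (login password).
# Returns 1 if neither program is available.
pick_locker() {
    if command -v vlock >/dev/null 2>&1; then
        echo "vlock"
    elif command -v lock >/dev/null 2>&1; then
        echo "lock -n -p"
    else
        return 1
    fi
}

# Lock the current terminal.
# Returns 2 when stdin is not a terminal (cron job, pipe, script),
# because there is nothing to lock in that case.
# Returns 1 when no locker is installed, so the caller knows the
# session was left unlocked instead of failing silently.
lock_term() {
    if [ ! -t 0 ]; then
        echo "lock_term: stdin is not a terminal, nothing to lock" >&2
        return 2
    fi
    cmd=$(pick_locker) || {
        echo "lock_term: neither vlock nor lock found in PATH" >&2
        return 1
    }
    # Unquoted on purpose: "lock -n -p" must split into command and flags.
    $cmd
}
```

Run lock_term before stepping away; a non-zero return means the terminal is still unlocked.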
