Hi! I recently came up with the following idea. In many cases when retrieval of a secret is necessary in a terminal window/shell session, the text emitted into said terminal right before the cursor indicates that rather clearly. Examples:

- SSH password authentication: [email protected]'s password:
- sudo: [sudo] password for foo:

If you take the prior line in the shell into account as well, you get context to understand on which host sudo is started.

Clever people store their secrets in something like pass [1]. Retrieval of secrets is so far a manual process: if a secret is needed, the user enters the command that retrieves the needed secret. I believe this could be aided by a trigger mechanism in a terminal emulator or a shell. My gut feeling tells me the terminal emulator is the better place for the implementation; to my understanding the terminal emulator has better awareness of line content than a shell.

What I have in mind is a kind of trigger mechanism based on regular expressions. If the content of the terminal (bottom-most line, potentially including the prior line) matches a regex, then a defined action is triggered. This might come in handy for a number of use cases. What I am thinking about primarily, though, is retrieval of secrets from the respective store.

Concrete scenario:

- You have a 'special' urxvt session lingering in a corner somewhere for the sole purpose of retrieving secrets from pass (or similar software). Why? To benefit from a potentially warm cache. After all, you have to authenticate against the secrets store. If the credentials cache for it is warm, then retrieval is low effort.
- You enter a command in one of your many urxvt windows that matches one of the regexes you have defined that indicate a secrets retrieval demand. This triggers an action (defined alongside the regex). That action is: issue the secret retrieval command in the designated urxvt window, or talk to a GUI application if that is what you need. If the cache is warm over there, you'll just get the secret you wanted in your clipboard. If the cache is cold and you have to authenticate, you have still spared yourself manually entering the retrieval command.

Does this concept make sense to you in general? Are there specific technical concerns, like:

- It's imaginable that something like that is implemented, but it would be unduly expensive in terms of CPU load for every character that is written into the terminal, or so.
- Could be done, but there is a security concern.
- etc.

I would appreciate it if some people here could share their thoughts about this.

-Alex

[1] https://www.passwordstore.org/

_______________________________________________
rxvt-unicode mailing list
[email protected]
http://lists.schmorp.de/mailman/listinfo/rxvt-unicode
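The matching half of the proposal above (bottom line plus prior line, regex per trigger, action derived from the captured groups), as an added example that is not part of the post and not urxvt code. A real urxvt implementation would be a Perl extension hooking line updates; the logic is shown here in Python so it can be run stand-alone. The pass entry layout (`ssh/<host>/<user>`, `sudo/<host>/<user>`), the trigger names and all terminal snapshots are assumptions constructed for the example. The block only builds the `pass show -c` command line; dispatching it to the designated window is left out. The last snapshot shows the point behind the "security concern" item: any program writing to the terminal can print the same text as a genuine prompt, and the matcher cannot tell the difference.

```python
"""Regex-triggered secret retrieval from terminal screen content (example)."""
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed pass store layout for this example:  ssh/<host>/<user>, sudo/<host>/<user>

# Text a terminal shows right before the cursor when a secret is needed.
SSH_PROMPT = re.compile(r"^(?P<user>[\w.-]+)@(?P<host>[\w.-]+)'s password:\s*$")
SUDO_PROMPT = re.compile(r"^\[sudo\] password for (?P<user>[\w.-]+):\s*$")
# A shell prompt on the prior line tells us which host sudo is running on.
SHELL_PROMPT = re.compile(r"^(?P<user>[\w.-]+)@(?P<host>[\w.-]+)[:\s]")


@dataclass(frozen=True)
class Trigger:
    name: str
    pattern: re.Pattern
    # Maps (match on bottom line, prior line) to a pass entry name,
    # or None when the context is insufficient to pick one.
    entry: Callable[[re.Match, str], Optional[str]]


def ssh_entry(m: re.Match, prior: str) -> Optional[str]:
    # The ssh prompt itself carries user and host.
    return f"ssh/{m['host']}/{m['user']}"


def sudo_entry(m: re.Match, prior: str) -> Optional[str]:
    # sudo's prompt has no host; take it from the shell prompt one line up.
    ctx = SHELL_PROMPT.match(prior)
    if ctx is None:
        return None  # no host context: do not guess which entry to fetch
    return f"sudo/{ctx['host']}/{m['user']}"


TRIGGERS = [
    Trigger("ssh-password", SSH_PROMPT, ssh_entry),
    Trigger("sudo-password", SUDO_PROMPT, sudo_entry),
]


def bottom_lines(screen: str) -> tuple[str, str]:
    """Return (bottom-most non-empty row, the row above it)."""
    rows = [r.rstrip() for r in screen.splitlines()]
    while rows and not rows[-1]:
        rows.pop()
    bottom = rows[-1] if rows else ""
    prior = rows[-2] if len(rows) > 1 else ""
    return bottom, prior


def match_trigger(screen: str) -> Optional[tuple[str, list[str]]]:
    """Return (trigger name, argv to run in the pass window) or None."""
    bottom, prior = bottom_lines(screen)
    for t in TRIGGERS:
        m = t.pattern.match(bottom)
        if m is None:
            continue
        entry = t.entry(m, prior)
        if entry is not None:
            # `pass show -c ENTRY` copies the entry's first line to the clipboard.
            return t.name, ["pass", "show", "-c", entry]
    return None


# Constructed terminal snapshots (not real captures); the last row is the cursor row.
SCREEN_SSH = "alice@laptop:~$ ssh alice@bastion.example\nalice@bastion.example's password: "
SCREEN_SUDO = "alice@bastion:~$ sudo systemctl restart nginx\n[sudo] password for alice: "
SCREEN_SUDO_NOCTX = "restarting service...\n[sudo] password for alice: "
# Spoofed: the 'prompt' is just a line from a file being printed, yet it matches.
SCREEN_SPOOF = "alice@laptop:~$ cat notes.txt\nalice@bastion.example's password: "


if __name__ == "__main__":
    for label, screen in [("ssh", SCREEN_SSH), ("sudo", SCREEN_SUDO),
                          ("sudo-noctx", SCREEN_SUDO_NOCTX), ("spoof", SCREEN_SPOOF)]:
        print(f"{label:11s} -> {match_trigger(screen)}")
```

Because the matcher only sees characters, the spoofed snapshot yields exactly the same action as the genuine ssh prompt; a trigger that auto-issues a retrieval should therefore at least require a confirmation keypress, or be limited to prompts whose host context came from the user's own shell prompt line rather than from program output.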
