RFC: Universal regex trigger mechanism, especially for secret retrieval

Alexander Huemer alexander.huemer at xx.vu
Sat Feb 29 18:12:59 CET 2020


Hi!

I recently came up with the following idea.
In many cases when retrieval of a secret is necessary in a terminal 
window/shell session, the text emitted into said terminal right before 
the cursor indicates that rather clearly:
Examples:
- SSH password authentication
  foo@bar.org's password:
- sudo
  [sudo] password for foo:
  If you take the prior line in the shell into account also you get
  context to understand on which host sudo is started.

Clever people store their secrets in something like pass[1]. Retrieval 
of secrets is so far a manual process. If a secret is needed, then the 
user enters the command that retrieves the needed secret. I believe this
could be aided by a trigger mechanism in a terminal emulator or a shell.  
My gut feel tells me the terminal emulator is the better place for the 
implementation. To my understanding the terminal emulator has better 
awareness of line content than a shell.
What I have on my mind is a kind of trigger mechanism based on regular 
expressions. If the content of the terminal (bottom-most line, 
potentially including the prior line) matches a regex, then a defined 
action is triggered. This might come in handy for a number of use cases.
What I am thinking about primarily though is retrieval of secrets from 
the respective store.
Concrete scenario:
- You have a 'special' urxvt session lingering in a corner somewhere for 
  the sole purpose of retrieving secrets from pass (or similar 
  software). Why? To benefit from a potentially warm cache. After all
  you have to authenticate against the secrets store. If the credentials 
  cache for it is warm, then retrieval is low effort.
- You enter a command in one of your many urxvt windows that matches one 
  of the regexes you have defined that indicate a secrets retrieval 
  demand. This triggers an action (defined alongside the regex). That 
  action is: Issue the secret retrieval command in the designated urxvt 
  window or talk to a gui application if that is what you need. If the 
  cache is warm over there, you'll just get the secret you wanted in 
  your clipboard. If the cache is cold and you have to authenticate you
  are still spared manually entering the retrieval command.

Does this concept make sense to you in general?
Are there specific technical concerns, like
- It's imaginable that something like that is implemented, but it would
  be unduly expensive in terms of cpu load for every character that is
  written into the terminal or so?
- Could be done but there is a security concern
- etc.

I would appreciate if some people here could share their thoughts about 
this.

-Alex

[1] https://www.passwordstore.org/
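A sketch of the trigger matcher proposed above, added here as an example; it is not code from the original post or from rxvt-unicode. The two regexes, the `pass` entry paths and the action functions are assumptions. It covers both the bottom-line-only case (ssh) and the prior-line case (sudo), runs the regexes only when the bottom line looks like a prompt (addressing the per-character cpu concern), and only proposes the retrieval command rather than executing it, since text on the terminal may have been emitted by a remote host.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Trigger:
    name: str
    pattern: re.Pattern          # applied to the bottom-most line, or "prior\nlast"
    use_prior_line: bool         # include the line above (e.g. the shell prompt) for context
    action: Callable[[dict], str]  # builds the command to issue in the designated window

# Hypothetical actions: they return the retrieval command for the 'special'
# urxvt window; the secret never passes through the matcher itself.
def ssh_action(g: dict) -> str:
    return f"pass show ssh/{g['host']}/{g['user']}"

def sudo_action(g: dict) -> str:
    return f"pass show sudo/{g['host']}/{g['sudo_user']}"

TRIGGERS = [
    # "foo@bar.org's password: "  (bottom line only)
    Trigger("ssh-password",
            re.compile(r"^(?P<user>[^@\s]+)@(?P<host>[\w.-]+)'s password:\s*$"),
            False, ssh_action),
    # "foo@box:~$ sudo ..." followed by "[sudo] password for foo: "; the host
    # is only known from the prior line, hence use_prior_line=True
    Trigger("sudo",
            re.compile(r"^(?P<user>\w+)@(?P<host>[\w.-]+)[^\n]*\n"
                       r"\[sudo\] password for (?P<sudo_user>\w+):\s*$"),
            True, sudo_action),
]

def evaluate(screen_lines: list[str], triggers=TRIGGERS) -> Optional[tuple[str, str]]:
    """Return (trigger name, proposed command) for the first matching trigger, else None.

    Only the bottom line (plus optionally the one above it) is examined, and the
    regexes are skipped entirely unless that line ends like a prompt, so the
    check stays cheap even if it is run on every screen update.
    """
    if not screen_lines:
        return None
    last = screen_lines[-1]
    if not last.rstrip().endswith(":"):     # cheap prefilter before any regex
        return None
    prior = screen_lines[-2] if len(screen_lines) > 1 else ""
    for t in triggers:
        text = f"{prior}\n{last}" if t.use_prior_line else last
        m = t.pattern.search(text)
        if m:
            # Terminal content is untrusted input; hand the command to the user
            # (or the designated window) for confirmation instead of running it.
            return t.name, t.action(m.groupdict())
    return None
```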
