RFC: Universal regex trigger mechanism, especially for secret retrieval
Alexander Huemer
alexander.huemer at xx.vu
Sat Feb 29 18:12:59 CET 2020
Hi!
I recently came up with the following idea.
In many cases when retrieval of a secret is necessary in a terminal
window/shell session, the text emitted into said terminal right before
the cursor indicates that rather clearly:
Examples:
- SSH password authentication
foo at bar.org's password:
- sudo
[sudo] password for foo:
If you also take the prior line in the shell into account, you get
context to understand on which host sudo is started.
Clever people store their secrets in something like pass[1]. Retrieval
of secrets is so far a manual process. If a secret is needed, then the
user enters the command that retrieves the needed secret. I believe this
could be aided by a trigger mechanism in a terminal emulator or a shell.
My gut feel tells me the terminal emulator is the better place for the
implementation. To my understanding the terminal emulator has better
awareness of line content than a shell.
What I have on my mind is a kind of trigger mechanism based on regular
expressions. If the content of the terminal (bottom-most line,
potentially including the prior line) matches a regex, then a defined
action is triggered. This might come in handy for a number of use cases.
What I am thinking about primarily though is retrieval of secrets from
the respective store.
Concrete scenario:
- You have a 'special' urxvt session lingering in a corner somewhere for
the sole purpose of retrieving secrets from pass (or similar
software). Why? To benefit from a potentially warm cache. After all
you have to authenticate against the secrets store. If the credentials
cache for it is warm, then retrieval is low effort.
- You enter a command in one of your many urxvt windows that matches one
of the regexes you have defined that indicate a secrets retrieval
demand. This triggers an action (defined alongside the regex). That
action is: Issue the secret retrieval command in the designated urxvt
window or talk to a gui application if that is what you need. If the
cache is warm over there, you'll just get the secret you wanted in
your clipboard. If the cache is cold and you have to authenticate you
still spared manual entering of the retrieval command.
Does this concept make sense to you in general?
Are there specific technical concerns, like
- It's imaginable that something like that is implemented, but it would
be unduly expensive in terms of CPU load for every character that is
written into the terminal or so.
- Could be done but there is a security concern
- etc.
I would appreciate if some people here could share their thoughts about
this.
-Alex
[1] https://www.passwordstore.org/
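A sketch of the trigger table described above, as an added example and not code from the rxvt-unicode project or the author. It matches the two prompts from the post (SSH and sudo) against the bottom line, pulls the host for the sudo case from a "user@host" prompt on the prior line, and only yields a retrieval command when the host is on a constructed allowlist (KNOWN_HOSTS), so that arbitrary text a program prints into the terminal cannot by itself request an arbitrary secret; the secret-path layout and the helper names are assumptions.

```python
import re

# Constructed allowlist of hosts the user has registered triggers for.
# Anything printed into the terminal can look like a prompt, so the host
# named by the prompt (or the prior line) must be one we expect.
KNOWN_HOSTS = {"bar.org", "localhost"}

# Prior line is expected to carry a shell prompt such as "foo@bar.org:~$ sudo ls".
PROMPT_RE = re.compile(r"(?P<user>[\w.-]+)@(?P<host>[\w.-]+)[:\s]")


def _host_from_prompt(prior):
    """Host named in a 'user@host' style prompt on the prior line, or None."""
    m = PROMPT_RE.search(prior or "")
    return m["host"] if m else None


# Trigger table: (regex over the bottom-most line, action -> (host, secret path)).
# The secret path layout "ssh/<host>/<user>" / "sudo/<host>/<user>" is an assumption.
TRIGGERS = [
    # SSH password authentication: "foo@bar.org's password:"
    (re.compile(r"^(?P<user>[\w.-]+)@(?P<host>[\w.-]+)'s password:\s*$"),
     lambda m, prior: (m["host"], f"ssh/{m['host']}/{m['user']}")),
    # sudo: "[sudo] password for foo:"; the host only appears in the prior line's prompt
    (re.compile(r"^\[sudo\] password for (?P<user>[\w.-]+):\s*$"),
     lambda m, prior: (_host_from_prompt(prior),
                       f"sudo/{_host_from_prompt(prior)}/{m['user']}")),
]


def match_trigger(bottom_line, prior_line=None):
    """Return the secret path to retrieve for this screen state, or None."""
    for regex, action in TRIGGERS:
        m = regex.match(bottom_line.rstrip())
        if not m:
            continue
        host, secret_path = action(m, prior_line)
        if host not in KNOWN_HOSTS:
            return None  # prompt-looking text from an unknown context: do nothing
        return secret_path
    return None


def retrieval_command(secret_path):
    """Command to issue in the designated pass(1) window: copy the secret to the clipboard."""
    return ["pass", "show", "-c", secret_path]
```

In a real terminal emulator the check would run once per completed line rather than per character, which keeps the regex cost negligible.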