RFC: Universal regex trigger mechanism, especially for secret retrieval

Alexander Huemer alexander.huemer at xx.vu
Mon Mar 2 17:22:36 CET 2020


On Sat, Feb 29, 2020 at 08:23:58PM +0100, Marc Lehmann wrote:
> On Sat, Feb 29, 2020 at 05:12:59PM +0000, Alexander Huemer <alexander.huemer at xx.vu> wrote:
> > What I have on my mind is a kind of trigger mechanism based on regular 
> > expressions. If the content of the terminal (bottom-most line, 
> > potentially including the prior line) matches a regex, then a defined 
> > action is triggered. This might come in handy for a number of use cases.  
> > What I am thinking about primarily though is retrieval of secrets from 
> > the respective store.
> 
> Sure, that would be easy with an extension - and detecting tty modes (e.g.
> echo) is certainly possible from an extension as well.
> 
> > - You have a 'special' urxvt session lingering in a corner somewhere for 
> >   the sole purpose of retrieving secrets from pass (or similar 
> >   software). Why? to benefit from a potentially warm cache. After all 
> >   you have to authenticate against the secrets store. If the credentials 
> >   cache for it is warm, then retrieval is low effort.
> 
> I'm not sure I understand that, why retrieve secrets in a different
> terminal than where you need to use it?

Two reasons.
- If you relatively frequently retrieve secrets and do that all from the 
  same terminal/shell session, then chances are good you find a warm 
  authentication cache and don't have to authenticate against your 
  secrets store.
- In other windows you might be ssh-ed into another host where your 
  secrets-store isn't available.

For these reasons I have picked up the workflow of having a terminal 
window/shell session just for running pass.

> 
> > - It's imaginable that something like that is implemented, but it would 
> >   be unduly expensive in terms of cpu load for every character that is 
> >   written into the terminal or so.
> 
> I can't imagine anything like this is already implemented, but what would
> I know.
> 
> I don't think it would be unduly expensive - in fact, if you imagine a
> strategy where, when tty output is received, a timer is started to check
> every second or so, and if nothing changed, would install a handler for
> tty output, then, when there is a lot of output, it would only check once
> per second, and if there is no output, it could sleep, resulting in very
> little cpu usage, and none when idle.
> 
> > - Could be done but there is a security concern
> 
> Well, of course, this means any program could retrieve your secrets in
> a mostly automated fashion, and storing secrets such as passwords in a
> clipboard is a relatively big security concern, as they can survive for a
> very long time unprotected.

Yes, that's understood. Though, if a program you are running in your 
shell is trying to do nasty things like retrieving secrets from pass, 
you already lost.
As a side-note, pass ensures that secrets are wiped from the clipboard 
after a defined time-frame.

Thanks for your answers.
Not sure I find the time to look into an implementation of this, would 
be fun though.
If any lurkers are looking for stuff to do, speak up, by all means!

-Alex
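As an added illustration of the timer strategy Marc describes above (a simulation written for this archive page, not code from urxvt or from either poster), the class below checks the bottom-most lines against a regex at most once per interval while output flows, drops back to idle once the screen stops changing, and only acts when the tty is in no-echo mode, which is the gate against ordinary program output triggering a secret lookup. The prompt regex, the sample build output and the per-line echo flag are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
PROMPT_RE = r"(?m)^Password for .*:\s*$"   # assumed prompt shape, not from the thread
@dataclass
class RegexTrigger:
    """Bottom-line regex trigger using the thread's timer strategy."""
    pattern: str
    interval: float = 1.0          # seconds between checks while output flows
    window: int = 2                # bottom-most line plus the prior one
    screen: list = field(default_factory=list)
    echo_off: bool = False         # taken from tty mode on each output
    next_check: float = None       # None means idle: no timer running
    last_seen: tuple = ()
    checks: int = 0
    fired: list = field(default_factory=list)

    def on_output(self, line, now, echo_off=False):
        # tty output handler: record the line, arm the timer if idle
        self.screen.append(line)
        self.echo_off = echo_off
        if self.next_check is None:
            self.next_check = now + self.interval

    def on_tick(self, now):
        # timer callback: at most one regex check per interval
        if self.next_check is None or now < self.next_check:
            return False
        self.checks += 1
        tail = tuple(self.screen[-self.window:])
        if tail == self.last_seen:         # nothing changed: go idle
            self.next_check = None
            return False
        self.last_seen = tail
        self.next_check = now + self.interval
        m = re.search(self.pattern, "\n".join(tail))
        if m and self.echo_off:            # act only on a no-echo prompt
            self.fired.append(m.group(0))
            return True
        return False

def simulate(outputs, pattern=PROMPT_RE, ticks=50, step=0.1):
    """Replay (time, line, echo_off) events with a timer tick every step."""
    trig, pending = RegexTrigger(pattern), sorted(outputs)
    for i in range(ticks + 1):
        now = round(i * step, 6)
        while pending and pending[0][0] <= now:
            _, line, echo_off = pending.pop(0)
            trig.on_output(line, now, echo_off)
        trig.on_tick(now)
    return trig.checks, trig.fired
# constructed sample: 200 lines of build noise, then a password prompt
BUILD = [(i * 0.002, f"compiling file{i}.c", False) for i in range(200)]
```

Two hundred output lines cost four checks in total, and the same prompt printed with echo on never fires.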
