RFC: Universal regex trigger mechanism, especially for secret retrieval
Alexander Huemer
alexander.huemer at xx.vu
Mon Mar 2 17:22:36 CET 2020
On Sat, Feb 29, 2020 at 08:23:58PM +0100, Marc Lehmann wrote:
> On Sat, Feb 29, 2020 at 05:12:59PM +0000, Alexander Huemer <alexander.huemer at xx.vu> wrote:
> > What I have on my mind is a kind of trigger mechanism based on regular
> > expressions. If the content of the terminal (bottom-most line,
> > potentially including the prior line) matches a regex, then a defined
> > action is triggered. This might come in handy for a number of use cases.
> > What I am thinking about primarily though is retrieval of secrets from
> > the respective store.
>
> Sure, that would be easy with an extension - and detecting tty modes (e.g.
> echo) is certainly possible from an extension as well.
>
> > - You have a 'special' urxvt session lingering in a corner somewhere for
> > the sole purpose of retrieving secrets from pass (or similar
> > software). Why? to benefit from a potentially warm cache. After all
> > you have to authenticate against the secrets store. If the credentials
> > cache for it is warm, then retrieval is low effort.
>
> I'm not sure I understand that, why retrieve secrets in a different
> terminal than where you need to use it?
Two reasons.
- If you relatively frequently retrieve secrets and do that all from the
same terminal/shell session, then chances are good you find a warm
authentication cache and don't have to authenticate against your
secrets store.
- In other windows you might be ssh-ed into another host where your
secrets-store isn't available.
For these reasons I have picked up the workflow of having a terminal
window/shell session just for running pass.
>
> > - It's imaginable that something like that is implemented, but it would
> > be unduly expensive in terms of cpu load for every character that is
> > written into the terminal or so.
>
> I can't imagine anything like this is already implemented, but what would
> I know.
>
> I don't think it would be unduly expensive - in fact, if you imagine a
> strategy where, when tty output is received, a timer is started to check
> every second or so, and if nothing changed, would install a handler for
> tty output, then, when there is a lot of output, it would only check once
> per second, and if there is no output, it could sleep, resulting in very
> little cpu usage, and none when idle.
>
> > - Could be done but there is a security concern
>
> Well, of course, this means any program could retrieve your secrets in
> a mostly automated fashion, and storing secrets such as passwords in a
> clipboard is a relatively big security concern, as they can survive for a
> very long time unprotected.
Yes, that's understood. Though, if a program you are running in your
shell is trying to do nasty things like retrieving secrets from pass,
you already lost.
As a side-note, pass ensures that secrets are wiped from the clipboard
after a defined time-frame.
Thanks for your answers.
Not sure I'll find the time to look into an implementation of this, would
be fun though.
If any lurkers are looking for stuff to do, speak up, by all means!
-Alex
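The throttled check-once-per-second strategy Marc describes, gated on the echo-mode detection he mentions, as an added simulation in Python (not urxvt extension code and not from either poster; a real extension would be written in urxvt's Perl API). The trigger table, the prompt patterns and the `on_output`/`on_timer` event names are constructed for the example.

```python
import re
import time

# Constructed trigger table: regex on the terminal's bottom line -> action name.
# A real action would fetch the secret from the store (e.g. pass); here it only records the match.
TRIGGERS = [
    (re.compile(r"^\[sudo\] password for \w+: ?$"), "sudo-password"),
    (re.compile(r"^Enter passphrase for key '.*': ?$"), "ssh-passphrase"),
]


class RegexTrigger:
    """Throttled scanner: after tty output arrives, check the bottom line at most
    once per `interval` seconds while output keeps flowing; once a check finds no
    change, stop the timer and wait for the next output event (no work while idle)."""

    def __init__(self, interval=1.0, clock=time.monotonic):
        self.interval = interval
        self.clock = clock
        self.next_check = None      # None: timer not armed, waiting for output
        self.last_seen = None       # bottom line seen at the previous check
        self.fired = []             # (action, line) records of triggered actions

    def on_output(self, now=None):
        """tty output event: arm the timer unless it is already running."""
        now = self.clock() if now is None else now
        if self.next_check is None:
            self.next_check = now + self.interval

    def on_timer(self, bottom_line, echo_off, now=None):
        """Timer tick: scan only if due. Returns the action fired, if any."""
        now = self.clock() if now is None else now
        if self.next_check is None or now < self.next_check:
            return None
        if bottom_line == self.last_seen:
            self.next_check = None  # nothing changed: stop polling until new output
            return None
        self.last_seen = bottom_line
        self.next_check = now + self.interval
        # Only react while the tty has echo disabled, i.e. a program is actually
        # reading a secret; printed text that merely looks like a prompt must not
        # be able to trigger retrieval (the concern raised in the thread).
        if not echo_off:
            return None
        for pattern, action in TRIGGERS:
            if pattern.search(bottom_line):
                self.fired.append((action, bottom_line))
                return action
        return None
```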