view org/emacs-password.org @ 17:63a9cd3edcc0
review.
author | Robert McIntyre <rlm@mit.edu> |
---|---|
date | Mon, 01 Apr 2013 16:05:13 +0000 |
parents | 8a5b6ca53764 |
#+title: Password Security in Emacs Terminal Emulators
#+author: Robert McIntyre
#+email: rlm@mit.edu
#+description: emacs terminal password security
#+keywords: emacs, password, security, term
#+SETUPFILE: ../../aurellem/org/setup.org
#+INCLUDE: ../../aurellem/org/level-0.org
#+babel: :mkdirp yes :noweb yes :exports both

I use emacs for everything -- email, programming, document
preparation, planning... You name it, I do it! One thing which I use
emacs for is terminal emulation, which is where you create a buffer in
emacs where you can enter commands as if the buffer were a
terminal. Good terminal emulation packages for emacs include
=multi-term= and =term=.

* Watch Out for =view-lossage=!
However, if you are going to use terminal emulation in emacs, you have
to be careful around "sudo" prompts, and when logging into other
servers using ssh, because /the last 300 keystrokes you have typed in
emacs are available/ using =C-h l=, a help function in emacs which
displays the last keypresses you have typed.

#+begin_example
C-h l runs the command view-lossage, which is an interactive compiled
Lisp function in `help.el'.

It is bound to C-h l, <help> l.

(view-lossage)

Display last 300 input keystrokes.
#+end_example

Let's say my password is "sup3r-seekrit#7".

I open an emacs terminal using =M-x multi-term=, then do the following

#+begin_example
[~] $ ssh rlm@linerva.mit.edu
Password:

Welcome to Linerva, the SIPB Linux dialup for MIT.
Linerva runs Debathena on Debian squeeze.
http://linerva.mit.edu for more information
blanche linerva-announce -a $USER # for outage announcements
linerva@mit.edu (not IS&T) for questions and bug reports

Last login: Mon Mar 4 12:53:23 2013 from ella.csail.mit.edu
rlm@dr-wily:~$ exit
logout
Connection to linerva.mit.edu closed.
#+end_example

Now, when I type =C-h l=, I can see this:

#+begin_example
s s h SPC r l m @ l i n e r v a . m i t . e d u <return>
s u p 3 r - s e e k r i t # 7 <return> e x i t C-h l
#+end_example

Needless to say, this can be a security vulnerability.

* Solutions to this problem

- If you don't ever type your password into an emacs terminal buffer,
  then you are not at risk. This can be accomplished by using ssh
  keyfiles or Kerberos for connecting to remote servers, and by
  enabling passwordless sudo.

- You can disable emacs keylogging, though you then won't be able to
  use the =view-lossage= command anymore.

- If there's no way for an attacker to get into your emacs process,
  then your passwords are safe. Still, you run the risk of someone
  physically near your computer using this method to view your
  password, as well as inadvertently exposing your password when
  showing someone what =view-lossage= does!

* Source Listing
#+html: <ul> <li> <a href="../org/emacs-password.org">This org file</a> </li> </ul>
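One way to act on the keylogging point in the solutions section, as an added Emacs Lisp example that is not part of the original org file: read the password in the minibuffer, hand it to the terminal process, and then wipe the record that =view-lossage= reads. The command name =my/term-send-secret= is hypothetical, and the code assumes it is run from a buffer that owns a live terminal process.

```elisp
;;; Added example; `my/term-send-secret' is a hypothetical name.
;;; Assumes it is run from a buffer that owns a live terminal process
;;; (for example one created by `term' or `multi-term').

(defun my/term-send-secret ()
  "Read a secret in the minibuffer and send it to this buffer's process.
Afterwards wipe the keystroke record that `view-lossage' displays."
  (interactive)
  (let ((proc (get-buffer-process (current-buffer)))
        (secret nil))
    (unless (process-live-p proc)
      (user-error "No live process in this buffer"))
    (unwind-protect
        (progn
          (setq secret (read-passwd "Secret (not echoed): "))
          ;; Send the secret and the newline separately so that no
          ;; second copy of the secret is created with `concat'.
          (process-send-string proc secret)
          (process-send-string proc "\n"))
      ;; This cleanup runs on success, on error and on C-g.
      (when secret
        (clear-string secret))          ; zero the string's contents
      ;; Called with no argument, this also clears the vector returned
      ;; by `recent-keys', which is what `view-lossage' prints.
      (clear-this-command-keys))))
```

The wipe removes the whole keystroke history, not only the password, so =C-h l= shows nothing typed before the command finished. A password typed directly at the terminal prompt instead of through this command is still recorded.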