1) Shell history, contextual or not, does contain useful information. It's useful for both the user and the bad actors. -> Keeping history at all is a trade-off between usability and security.
1) Obligatory, do not write passwords as command-line arguments.
1) With this out of the way, the point of this post is to determine if the trade-off is worth it for the reader. Plus maybe you are already taking other more severe trade-offs - doing something less safe than keeping contextual history.
1) TODO: compare RESH history with standard history (there is the context which is more useful and that also means more sensitive) -> contextual history is more useful than regular history
1) Let's look at ssh keys. How do you protect them? Encrypted HDD when turned off? encrypted until you load them to the ssh-agent (any process running under your user or root can authenticate using your ssh-agent)? Encrypted until you use them (you type in the password at every ssh)?
1) TODO: Retrieving vs. using
6) Let's break down the measures in the previous section. How does RESH compare? TODO -> Unless you decrypt your ssh key every time you use it, your history is similarly safe as your ssh keys.
8) TODO: security of synchronizing RESH history
9) TODO: security of history over ssh (compare to ssh-agent forwarding)
curusarn
commented
1 year ago
Contents:
1) Shell history, contextual or not, does contain useful information. It's useful for both the user and the bad actors. -> Keeping history at all is a trade-off between usability and security.
1) Obligatory, do not write passwords as command-line arguments.
1) With this out of the way, the point of this post is to determine if the trade-off is worth it for the reader. Plus maybe you are already taking other more severe trade-offs - doing something less safe than keeping contextual history.
1) TODO: compare RESH history with standard history (there is the context which is more useful and that also means more sensitive) -> contextual history is more useful than regular history
1) Let's look at ssh keys. How do you protect them? Encrypted HDD when turned off? encrypted until you load them to the ssh-agent (any process running under your user or root can authenticate using your ssh-agent)? Encrypted until you use them (you type in the password at every ssh)?
1) TODO: Retrieving vs. using
6) Let's break down the measures in the previous section. How does RESH compare? TODO -> Unless you decrypt your ssh key every time you use it, your history is similarly safe as your ssh keys.
8) TODO: security of synchronizing RESH history
9) TODO: security of history over ssh (compare to ssh-agent forwarding)