At work, I’m currently deploying my Perl modules on a new platform (multiple servers), which doesn’t have an automated deployment mechanism yet. I use GNU Screen a lot. It’s a must-have tool when working on remote servers.
A long time ago I spent some time crafting a good .screenrc configuration file for my needs. But I only discovered yesterday that I could protect my screen session from being reattached by a super user on the remote server. The documentation lacks a precise description of how to set it up, so here is a quick tutorial.
The idea is that while a screen is running, it can be detached and reattached. However, a super user can attach any screen launched by any user of the system. Now, what if inside the screen you handle sensitive information, or connect to other remote servers? The super user will have access to these as well. To protect yourself from that (actually, to mitigate the issue), it’s possible to have screen ask for a password when someone tries to reattach it.
In no way will this method prevent root from accessing your sensitive information. It only makes it more difficult for a super user to see your screen content using su $user followed by screen -r -d.
As daxim pointed out on #dancer, there are numerous ways for root to get at your sensitive information:
Easily done:
screen can generate the encrypted password for you right from inside a running screen session. In the following snippets I assume screen’s default command key, Ctrl-A.
# hit Ctrl-A, then type :password and press Enter
# enter the new password twice
Now the encrypted password is in screen’s clipboard (its paste buffer), and we need to retrieve it.
The default key shortcut for pasting the clipboard is Ctrl-A ]:
# hit Ctrl-A ]
# the encrypted password is pasted into the console
Copy the encrypted password and paste it into ~/.screenrc (or whatever your screen configuration file is), on a line of its own:
# add this line, with your own encrypted password
password VGdGzMopF
You need to restart screen for the password to be taken into account. From then on, whenever a screen is reattached, you will be prompted for the password.
dams@foo:~$ screen -r -d plop
Screen password:
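Since the crypted password now lives in a plain file, the natural follow-up check is whether that file actually carries a password directive and whether anyone other than its owner can read it. The script below is an added example written for this post, not part of the original or of GNU Screen itself; it assumes one directive per line, as in the snippet above, treats a value of none as "password protection turned off", and uses the hash string quoted above only as an opaque placeholder on constructed files (no real credentials are involved).

```shell
#!/bin/sh
# Added example (not from the original post): audit a screenrc for the
# "password" directive and check that the file holding the crypted
# password is readable only by its owner.
# Assumptions: one directive per line; "password none" means disabled.

# Print the crypted password configured in the given screenrc, if any.
# Returns 0 if a password directive is set, 1 otherwise.
screenrc_password() {
    f="$1"
    # Skip comment lines and leading whitespace; take the first argument of
    # the first uncommented "password" directive found.
    pw=$(sed -n 's/^[[:space:]]*password[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$f" | head -n 1)
    [ -n "$pw" ] || return 1
    printf '%s\n' "$pw"
}

# Classify the protection a screenrc gives reattach attempts:
#   "protected" - a crypted password is set
#   "disabled"  - "password none" explicitly turns it off
#   "unset"     - no password directive at all
screenrc_status() {
    pw=$(screenrc_password "$1") || { echo unset; return 0; }
    if [ "$pw" = none ]; then echo disabled; else echo protected; fi
}

# Return 0 if the file is readable only by its owner (no group/other bits),
# 1 otherwise. Parsed from the ls -l mode string so it works on GNU and BSD.
screenrc_private() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Demo on constructed files in a temporary directory (not real config files).
demo() {
    d=$(mktemp -d)
    printf 'defscrollback 5000\npassword VGdGzMopF\n' > "$d/protected.screenrc"
    printf '# password none\npassword none\n' > "$d/disabled.screenrc"
    printf 'defscrollback 5000\n' > "$d/unset.screenrc"
    chmod 600 "$d/protected.screenrc"
    chmod 644 "$d/unset.screenrc"
    for f in "$d"/*.screenrc; do
        if screenrc_private "$f"; then priv=owner-only; else priv=WORLD-READABLE; fi
        printf '%s: %s (%s)\n' "$f" "$(screenrc_status "$f")" "$priv"
    done
    rm -rf "$d"
}

demo
```

Run it as-is to see the three constructed cases, or source the file and call screenrc_status ~/.screenrc and screenrc_private ~/.screenrc against your own configuration; a world-readable .screenrc hands the crypted string to every local user, which is worth fixing with chmod 600 even though the hash alone does not reveal the password.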