At work, I’m currently deploying my Perl modules on a new platform (multiple servers), which doesn’t have an automated deployment mechanism yet. I use GNU Screen a lot. It’s a must-have tool when working on remote servers.
A long time ago, I spent time crafting a good .screenrc configuration file for my needs. But I only discovered yesterday that I could protect my screen session from being recovered by a super user on the remote server. The documentation lacks a precise description of how to set it up, so here is a quick tutorial.
The idea is that when a screen is running, it can be detached and reattached. However, a super user can attach any screen launched by a user of the system. Now, what if, inside the screen, you use sensitive information or connect to other remote servers? The super user will have access to these as well. To protect yourself from that (actually, to mitigate the issue), it’s possible to have screen ask for a password when someone tries to reattach it.
In no way will this method prevent root from accessing your sensitive information. This method will just make it more difficult for a super user to see your screen content using su $user and screen -r -d.
As daxim pointed out on #dancer, there are numerous ways for root to get at your sensitive information:
Easily done:
screen provides a way to encrypt a password right from a screen session. In the following snippets, I assume the screen command key is Ctrl-A, the default.
Now, the encrypted password is in the screen clipboard. We need to retrieve it.
The key shortcut for pasting the clipboard is by default
Copy the encrypted password and paste it in ~/.screenrc (or whatever your screen configuration file is).
You need to restart screen to take the password into account. Now, the next time a screen is reattached, the password will be prompted for.
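Once the line is in place, a quick check confirms that the configuration file really carries a reattach password and that the stored crypted string is not readable by other accounts. This is an added example, not part of the original post: the function name check_screenrc, its status words, and the placeholder hash are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report whether a screen config file carries a usable
# reattach password. Prints one status word; returns 0 only for "ok".
check_screenrc() {
    rc=$1
    if [ ! -r "$rc" ]; then
        echo "unreadable"; return 2
    fi

    # screen runs the file top to bottom, so the last "password" line is the
    # one in effect. Commented-out lines never match: their $1 starts with "#".
    pw=$(awk '$1 == "password" { v = $2 } END { print v }' "$rc")

    case $pw in
        "")   echo "missing";  return 1 ;;   # no stored crypted password
        none) echo "disabled"; return 1 ;;   # "none" switches the check off
    esac

    # The stored value is a crypt(3) string; keep it away from other accounts.
    # Characters 5-10 of the ls mode field are the group and other bits.
    perms=$(ls -ldL -- "$rc" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "exposed"; return 1
    fi

    echo "ok"
}

# Demo on a constructed file (the hash is a placeholder, not a real crypt string).
demo=$(mktemp)
printf '%s\n' 'startup_message off' 'password CRYPTED_PLACEHOLDER' > "$demo"
chmod 600 "$demo"
check_screenrc "$demo"
rm -f "$demo"
```

Run it as check_screenrc ~/.screenrc on each server; an "exposed" result is fixed with chmod 600 on the file.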