
Simple Screen Showcase with Tmux

Tmux is a multi-platform terminal multiplexer similar to (and, for me, better than) GNU screen. I'm describing a simple way to share your terminal interactively with another person. It will be read-only, of course; that's why I call it a showcase rather than sharing.

I've seen many different workflows for achieving this, and I think they are more complicated, and less secure, than they need to be. Most likely my approach isn't new, and it may not be secure enough to replace the established ones, but I'm putting it up for your consideration.

Background

Although I'm describing the process for a Linux system, it should be pretty similar on other Unix derivatives such as macOS. If I'm right and the solution is secure, I don't see the need for intermediate hosts, virtual machines, etc.

Procedure

1. Create a restricted user

Yes, we need an account. Otherwise our authentication becomes more magical than it should be. The idea is simple: we give the user a restricted shell as a defence-in-depth measure (as you'll soon see, the peer never reaches an interactive shell anyway, because sshd forces a single command), and we lock the password so that the only way to log in is with an SSH key.

sudo adduser --disabled-password --shell /bin/rbash <username>

The command above is Debian's adduser; on distributions without it, the equivalent is `useradd -s /bin/rbash <username>` followed by `passwd -l <username>` to lock the password.

2. Create a tmux session on a socket at a custom location.

The location must be reachable by the user you just created: that user needs search (x) permission on the directory and read/write permission on the socket file itself, and nobody else should have either. I use /var/tmux for this, although you'd probably want it on a noexec filesystem. On tmux 3.3 and later the server also keeps its own per-user access list and only accepts its owner by default, so on those versions you additionally have to allow the new user with `tmux -S <socket_location> server-access -a -r <username>` (the -r makes that user read-only on the server side too).

tmux -S <socket_location>  

3. Start working in your session.

4. Get the SSH public key of the user who will connect to you and save it. Check that what you received is exactly one plain key line: a pasted blob that carries a second line, or its own leading options, would end up in authorized_keys without the forced command from the next step.

5. Append it to the created user's authorized_keys along with a forced command and the options that disable everything else.

command="tmux -S <socket_location> attach -r",no-port-forwarding,no-X11-forwarding,no-agent-forwarding <key>  

6. Tell the other user to connect to you over SSH.

They will see the tmux session as soon as the connection is established. As described, the session is read-only (the "-r" flag above), so the only thing the remote side can do is detach (i.e. exit). Keep in mind that read-only only stops their keystrokes from reaching your panes: everything you display, scrollback included, is visible to them for as long as they are attached.
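The six steps above, as one script. This is an added example, not code from the original post: it assumes a Debian-style adduser (which creates a user-private group of the same name), OpenSSH and tmux on the host, and the user name, socket path and session name are placeholders. The public-key check is the part worth copying even if you do the rest by hand: it refuses anything that is not a single plain key line, so a pasted key cannot smuggle a second, unrestricted entry into authorized_keys.

```shell
#!/bin/sh
# Added example (not from the original post). Provisions a read-only tmux
# showcase for one SSH peer. Placeholder names; adjust to taste.
set -eu

SHOWCASE_USER="${SHOWCASE_USER:-showcase}"   # assumed account name
SOCKET_DIR="${SOCKET_DIR:-/var/tmux}"        # assumed socket directory
SESSION="${SESSION:-showcase}"               # assumed tmux session name
NL='
'

# Accept exactly one plain "<type> <base64> [comment]" line. A key that
# arrives with an embedded newline or with its own leading options would
# otherwise land in authorized_keys without the forced command.
validate_pubkey() {
    case "$1" in
        *"$NL"*) return 1 ;;   # more than one line: reject
    esac
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,3}( [^[:cntrl:]]*)?$' \
        || return 1
}

# The authorized_keys line: forced tmux client, no forwarding of any kind.
# $1 = socket path, $2 = validated public key line.
build_authorized_line() {
    printf 'command="tmux -S %s attach -r",no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' "$1" "$2"
}

setup() {
    pubkey="$1"
    socket="$SOCKET_DIR/$SESSION"
    validate_pubkey "$pubkey" || {
        echo "refusing: not a single plain public key line" >&2
        exit 1
    }

    # 1. Account with a locked password and a restricted login shell.
    id "$SHOWCASE_USER" >/dev/null 2>&1 || \
        sudo adduser --disabled-password --gecos "" --shell /bin/rbash "$SHOWCASE_USER"

    # 2. Socket directory: we own it, the showcase user's group gets search
    #    only, nobody else gets anything. The setgid bit makes the socket
    #    tmux creates inherit that group, and tmux creates it mode 0660.
    sudo install -d -m 2750 -o "$(id -un)" -g "$SHOWCASE_USER" "$SOCKET_DIR"

    # 3. Start the session detached; attach to it yourself afterwards.
    tmux -S "$socket" has-session -t "$SESSION" 2>/dev/null || \
        tmux -S "$socket" new-session -d -s "$SESSION"
    # tmux >= 3.3 also enforces its own access list; older versions lack
    # the command, so a failure here is ignored.
    tmux -S "$socket" server-access -a -r "$SHOWCASE_USER" 2>/dev/null || true

    # 4./5. Install the peer's key with the forced command.
    home=$(getent passwd "$SHOWCASE_USER" | cut -d: -f6)
    sudo install -d -m 0700 -o "$SHOWCASE_USER" -g "$SHOWCASE_USER" "$home/.ssh"
    build_authorized_line "$socket" "$pubkey" | \
        sudo tee -a "$home/.ssh/authorized_keys" >/dev/null
    sudo chown "$SHOWCASE_USER:$SHOWCASE_USER" "$home/.ssh/authorized_keys"
    sudo chmod 0600 "$home/.ssh/authorized_keys"

    # 6. What to tell the peer.
    echo "peer connects with: ssh $SHOWCASE_USER@$(hostname)"
    echo "you attach with:    tmux -S $socket attach -t $SESSION"
}

case "${1:-}" in
    setup) shift; setup "$@" ;;
    *) echo "usage: $0 setup '<one public key line>'" >&2 ;;
esac
```

Run it as `./showcase.sh setup "$(cat peer.pub)"`. The validation is deliberately strict about the key type list; extend the pattern if your peer uses a key type not listed, rather than dropping the check.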

Further ideas

There are a few alternatives to this approach you might want to try yourself:

  • Using Vagrant to set up a virtual machine and give your peer full access to it.
  • A chrooted install on your own machine.
  • Quick provisioning of an Amazon instance (Chef, Puppet, or a pre-built AMI).

Conclusion

There's nothing outstandingly new about this approach, but I see a lot of people forget that you can use a dedicated account with public keys and force a command instead of handing out a shell.
