Tmux is a multi-platform terminal multiplexer similar to (and, for me, better than) GNU screen. I'm describing a new and simpler way to share your terminal interactively. It'll be read-only, of course; that's why it's a showcase.
I've seen many different workflows for achieving this, and I think they're more complicated and insecure than they should be. Most likely my approach isn't new or secure enough to replace the established ones, but I'm putting it up for your consideration.
Although I'm describing the process for a Linux system, it should be pretty similar on other Unix derivatives such as macOS. If I'm right and the solution is secure, I don't see the need for more intermediate hosts, virtual machines, etc.
Yes, we will need an account. Otherwise our authentication is more magical than it should be. The idea is simple: we assign the user a restricted shell as a security measure (as you'll soon see, it won't get a shell at all), and we lock the password to prevent any login that doesn't use an SSH key.
sudo adduser -s /bin/rbash --disabled-password <username>
You must use a location which is accessible by the user you just created. I use /var/tmux for this, although you'd probably want to use a noexec filesystem.
tmux -S <socket_location>
command="tmux -S <socket_location> attach -r",no-port-forwarding,no-X11-forwarding,no-agent-forwarding <key>
He/She will see the tmux session just after the connection is established. As described, the session will be read-only (the "-r" parameter above), so the only command the remote user has at hand is to detach (aka exit).
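A check for the forced-command entry shown above, as an added example that is not part of the original post: it audits authorized_keys entries and rejects any that would give the remote user more than a read-only attach. The socket path /var/tmux/showcase, the key placeholder, the comment field "guest" and the function names are assumptions made for the example.

```shell
# Added example. An authorized_keys entry passes only if it forces
# "tmux -S <socket> attach -r" and disables port, X11 and agent forwarding.

check_line() {
    case $1 in
        'command="'*) rest=${1#command=\"} ;;
        *) echo "entry does not start with a forced command"; return 1 ;;
    esac
    cmd=${rest%%\"*}    # forced command: text up to the closing quote
    opts=${rest#*\"}    # everything after the closing quote
    opts=${opts%% *}    # the remaining options end at the first space
    case $cmd in
        'tmux -S /'*' attach -r') ;;
        *) echo "command is not a read-only attach"; return 1 ;;
    esac
    sock=${cmd#'tmux -S '}
    sock=${sock%' attach -r'}
    # sshd runs the forced command through the account's shell, so reject
    # socket paths containing spaces or shell metacharacters.
    case $sock in
        *[!A-Za-z0-9_./-]*) echo "unsafe socket path"; return 1 ;;
    esac
    for o in no-port-forwarding no-X11-forwarding no-agent-forwarding; do
        case ",$opts," in
            *",$o,"*) ;;
            *) echo "missing $o"; return 1 ;;
        esac
    done
    echo ok
}

# Reads entries on stdin; returns non-zero if any entry fails.
audit_entries() {
    rc=0 n=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        n=$((n + 1))
        case $entry in ''|'#'*) continue ;; esac
        verdict=$(check_line "$entry") || rc=1
        echo "line $n: $verdict"
    done
    return $rc
}

# Constructed sample entries; the key material is a placeholder.
audit_entries <<'EOF' || echo "audit: at least one entry failed"
command="tmux -S /var/tmux/showcase attach -r",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA_PLACEHOLDER guest
command="tmux -S /var/tmux/showcase attach",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA_PLACEHOLDER guest
EOF
```

To audit the real file, feed it on stdin, for example `audit_entries < /home/<username>/.ssh/authorized_keys`.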
There are a few things you might want to try by yourself, as alternatives to this approach.
There's nothing outstandingly new about this approach, but I happen to see a lot of people forget that you can use a shared account with public keys and force a command instead of giving a shell.