I had always taken for granted that my SSH sessions were, well, secure. I just assumed that the contents of the scrollback buffer in a terminal would not be saved anywhere locally for something like this. My assumption was that it was stored in memory and flushed when the session was over. This allowed me to look at sensitive data, passwords, emails, and so on without worry about it leaving traces locally.
It turns out, my assumptions of security may have been wrong.
On Hacker News, today, a link was posted with the title: Terminal scrollback written to local disk, including remote ssh sessions. This led to a page over at climagic.org: Bugreport – libVTE scrollback buffer written to disk, affecting gnome-terminal, xfce4-terminal, terminator and more.
When I started reading, a sinking feeling in my stomach began to overtake me. An understanding that I had about the security of what I was looking at over SSH sessions was suddenly compromised. The list of common terminals that were affected was troubling:
gnome-terminal
terminator
xfce4-terminal
guake
evilvte
lilyterm
sakura
termit
Anything else that uses libVTE for a terminal widget.
The clear and concise disclosure was well-written and provides information about what can be done to fix this. The author was even kind enough to provide an explanation and demonstration video:
While this may not be a security issue for a lot of users, it is nice to have an understanding that what you are looking at over that remote secure shell session may leave traces on your computer locally.
If you liked this post, then please consider subscribing to my feed or following me on Twitter @randomdrake.