[In case it wasn't clear, above was mildly tongue-in-cheek; secrets should not be in your bash history, but of course things approaching (and including) PII may well be]
Not saying I make of habit of this, but sometimes you have to pass sensitive things as arguments (passwords, api tokens, customer data, etc), it happens.
I think client side encryption by Bashhub would alleviate this security concern.
That doesn't have to mean typing it at your command line. My approach is typically to set shell variables with read (if I need to type it) or xclip (if I need to paste).
Of course, client side encryption would be great in any case.
I expect I might take more care about maintaining a tidy history (see my other comment about splitting out separate histories by context), and reflexively clear bits of my history when I don't want them hanging around in the way of a ctrl-r - which would certainly include bits of passwords and anything pasted.
That said, this seems to use PROMPT_COMMAND to log off history, which would not give the opportunity for such tidying. Worrisome.
Splitting history is done fundamentally by setting HISTFILE - nothing too surprising about that.
But for my particular setup, I more broadly divide my shell use by context. I have a script called "session". `session $somename` looks for a screen (feel free to prefer tmux) session named $somename. If one exists, it attaches it. If not, it spawns it. Before doing so, it sets a shell variable SESSION to $somename. My bash_profile then customizes a lot of things based on the contents of that variable, including adding $SESSION to the prompt, and sourcing ~/.session/$SESSION/bash_profile. This lets me set context-specific aliases and such. Because SESSION is set above the terminal multiplexer, new windows spawned while in one context share the same context.
I've found most of this quite nice, but the history is the biggest win.
This is offtopic, but do you have issues maintaining the right path to the SSH agent socket when switching between screen sessions? (tmux has the same issue)
The ssh agent forwarding info is stored in environment variables, which are then inherited by any other process spawned from your initial connection, so everything that cares knows the agent pid and where to find the agent socket.
The problem is that, with screen and tmux, the content of those environment variables outlasts their accuracy.
The solution needs to take the form of updating those environment variables. It looks like there's a .ssh_agent file that can be sourced to update it, though I'm not finding - at a skim of the docs - what creates that and when. It does only seem to contain info for a single socket, so assuming it's populated on login there's still a possibility of that data being stale:
connection 1 login
connection 1 writes info to file
connection 2 login
connection 2 writes info to file
connection 2 logout
leaves the info wrong if you try to use it from connection 1.
Better would be to store all active agent sessions. We can implement that as follows:
in .bash_profile:
if [ "$SSH_AUTH_SOCK" -a "$SSH_AGENT_PID" ]; then
exec {SSH_AGENT_INFOS_FD}>>~/.ssh_agent_infos
if flock $SSH_AGENT_INFOS_FD; then
sed -i "1i$SSH_AGENT_PID $SSH_AUTH_SOCK" ~/.ssh_agent_infos
fi
exec {SSH_AGENT_INFOS_FD}>&-
fi
This creates the file if it doesn't exist, locks it, and prepends the current session's info. It goes in .bash_profile, not .bashrc, so that it is only executed for login shells.
in .bash_logout:
if [ "$SSH_AUTH_SOCK" -a "$SSH_AGENT_PID" ]; then
flock .ssh_agent_infos sed -i "/^$SSH_AGENT_PID /d" .ssh_agent_infos
fi
This locks the file and strips out lines with a matching PID. .bash_logout is sourced on exit from a login shell.
in .bashrc, set BASH_PROMPT so that it includes the following (personally, my BASH_PROMPT is set to source ~/.bash_prompt):
exec {SSH_AGENT_INFOS_FD}>>~/.ssh_agent_infos
if flock -w 1 -s $SSH_AGENT_INFOS_FD; then
read -u $SSH_AGENT_INFOS_FD SSH_AGENT_PID SSH_AUTH_SOCK
fi
exec {SSH_AGENT_INFOS_FD}>&-
This will run every time a new prompt is generated (so, right after running the previous command, if any). It locks the file, and then reads the first line out of it to populate SSH_AGENT_ID and SSH_AUTH_SOCK. So if a shell has old values in those variables, you should just need to hit enter to repopulate them.
Note that the above assumes that, if you're logging in from multiple devices, your agents are interchangeable. If you need to keep them separate, then adjust the above to either tag the lines in .ssh_agent_infos or use multiple files.
Alas, not helpful here. The logging is done in PROMPT_COMMAND, meaning by the time you can type another command things are already logged and editing your history won't help. Hopefully (though I see no evidence of this, I've also only skimmed the material) things are marshalled somewhere locally and can be inspected/edited before being sent to the server.
