Currently, XMouse opens an interactive prompt and executes arbitrary commands. In setups where the PC has limited trust in the phone, it would be nice to limit what the phone can do[1] by setting the command="..."
option in authorized_keys.
AFAICT, all XMouse does is to invoke xdotool
. That tool has a mode for interactive use, so rather than running the equivalent of
$ ssh user@host
$$ export DISPLAY=:0 && unset HISTFILE
$$ xdotool mousemove_relative ...
$$ xdotool click 1
it could do
$ ssh user@host DISPLAY=:0 xdotool -
$$ mousemove_relative ...
$$ click 1
If such operation were supported, a user could trivially limit the scope of what the phone can do to the PC by entering the authorized key as command="DISPLAY=:0 xdotool -" ecdsa-sha2-nist... AAAA....
. It might also be beneficial in terms of responsiveness, as the xdotool program would be persistently active and have a persistent connection to the X server.
Practically speaking (ie. with respect to not breaking existing setups), such a feature could be introduced as an option. If enabled, a DISPLAY=:0 xdotool -
command (possibly overwritable like the Initialization command) would be sent during the SSH connection process, and no further initialization command would be sent. At any execution event like xdotool key Escape
, the leading xdotool
part would be stripped off before sending, and commands that don't have that prefix result in an error message saying that this command is not possible in that mode.
[1]: I'm aware that in many situations, keyboard/mouse access can still be escalated, but being limited to injecting input events makes attacks a lot harder, could make them more noticable, and should rule them out when the screen is locked or similar. Especially, note that I have not verified whether xdotool in script mode would allow execution of arbitrary commands, which is something that could be taken up with their issue tracker