Good to know. You can customize shortcuts by going to prefs>keys. Click the + to add a new key mapping. Press the shortcut you want. For Action choose "Select Menu Item…" and then find the item you're looking for in the popup menu that appears (Edit>Open Autocomplete…, in your case).
Lots of stuff seems broken by default if you are on an exotic layout. I am on a MacBook with a Danish layout, and ALT+ARROW_LEFT/ARROW_RIGHT doesn't work out of the box in iTerm2; however, it seems to work if you rebind, or type this into .inputrc:
"\e\e[D": backward-word
"\e\e[C": forward-word
I'd love to switch to an American keyboard, because lots of Unix things seem impossible to type with my current keyboard, but maybe I am just being stupid.
I switched from a Norwegian keyboard to a UK keyboard with the intl. English map on my MacBook. Default keyboard shortcuts suddenly made so much more sense - and I can code without having to use my nose when I run out of fingers for modifier keys. ()[]{}\|/:;' are all available using at most a single modifier (many of them without). Scandinavian characters are available using a single modifier for when I don't code, e.g. alt-a for å. A definite productivity boost for me.
On the one hand, I appreciate that English is as pervasive as it is in software engineering, being an American... on the flip side, it's a bit disappointing how little effort is often made to make sites and applications less friendly to foreign inputs and layouts (including inputting names).
When installing, especially on an untrusted host, follow the manual installation instructions. The menu item will just output a curl|bash command (currently; this will likely change in the future).
If the host is really untrusted you're screwed, of course. Bad guys could modify your ~/.iterm2_shell_integration.bash and you'd never know. But this script is not special in any way (except that it's kinda complex and is run automatically). Maybe hash it from time to time if you're really paranoid.
The scripts assume that various things in your path are safe to run. printf, hostname, sed, echo, etc. If those are compromised you're in a bad way, and I don't think shell integration exposes anything that ordinary use wouldn't.
If you've been compromised badly enough that an attacker can decrypt your ssh session, your current directory will be revealed at each prompt. But it probably is since most people have that in their $PS1 anyway. Also the host's idea of its fully-qualified domain name.
Probably the most risky aspect of shell integration is the secure copy feature. It's possible that there's a bug in my use of libssh2 or that there are unpatched vulnerabilities in an out-of-date build of iTerm2 (or an up-to-date version of iTerm2 with an out-of-date libssh2). I try to stay on top of changes to libssh2 but I am human and Sparkle (the auto-updater) is not flawless either.
That's all that comes to mind. I'm sure other folks on here can think of more interesting attacks or vulnerabilities.
Is there a risk of the untrusted host injecting things into the shell output without permission? It looks like there's no authentication, so if I SSH somewhere untrusted that can output raw characters to my shell (which, I believe, includes git pushing over SSH, etc.), it can output the right escape sequence and insert false things into my shell history. With further cleverness, it could almost certainly inject things that look like commands I would have run but actually run evil things.
I don't have a great solution to suggest for this. One option is to add some sort of per-user static password to the escape sequence, and insert it in the file that's copied to each (trusted) host, but that just seems questionable. A better one might be to make the communication use a socket instead of an escape sequence, and forward the socket (recent OpenSSH can forward UNIX domain sockets) to trusted hosts, but that's its own mess.
This is such a useful feature, though, especially with remote hosts. It'd be a pity if it can't be done securely. :/
(While we're on the subject of security, there's an obscure attack involving interrupting the download of a `curl | sh` script -- which a MITM can do, even over SSH -- and relying on the shell to execute a partial command line. I learned about this from the Sandstorm folks, who have a workaround in https://install.sandstorm.io/ involving the sh equivalent of an IIFE.)
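To make the partial-download point concrete, here is an added demonstration (not code from the thread, from iTerm2, or from Sandstorm) of the difference between a plain top-level installer and the function-wrapped form. Both installer scripts and the truncation offsets are constructed for the example; everything runs in POSIX sh.

```sh
#!/bin/sh
# Added example (not from the thread, iTerm2, or Sandstorm): why wrapping a
# curl|sh installer in a function prevents a truncated download from running
# a partial script. Both "installers" below are constructed stand-ins.

# Naive form: top-level commands. sh executes each complete command as soon
# as it has parsed it, so whatever arrived before the cut-off runs.
NAIVE='echo "step one"
echo "step two"
'

# Wrapped form (the sh equivalent of an IIFE): the whole body is parsed as one
# function definition and only invoked on the final line. A cut anywhere before
# that line leaves sh with an unterminated definition or an uncalled function,
# so nothing executes.
WRAPPED='main() {
  echo "step one"
  echo "step two"
}
main "$@"
'

# Feed only the first N bytes of a script to sh, as a truncated download would.
# Syntax errors on stderr are discarded; stdout shows what actually ran.
run_truncated() {
  bytes="$1"
  script="$2"
  printf '%s' "$script" | head -c "$bytes" | sh 2>/dev/null
}

# Run the complete script for comparison.
run_full() {
  printf '%s' "$1" | sh 2>/dev/null
}

# Demo (nothing below is needed by the functions above):
# run_truncated 20 "$NAIVE"    prints only "step one": partial execution
# run_truncated 40 "$WRAPPED"  prints nothing: the cut lands inside main()
```

The wrapper only addresses truncation. A MITM that serves a different, complete script is a separate problem; TLS on the download and checking the script against a digest you obtained out of band are what cover that.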
Yeah, it's possible they could do that if you're on a shared machine with a world-writable tty, or if a program blindly outputs info from an evil server. There's a good chance you'd notice something hinky going on, and of course there's no guarantee you'd run a command in history. Also, when you double-click on a command in history, you still need to press enter to execute it, so you'd have a chance to review the evil command. And if you're using a terminal that doesn't swallow unrecognized sequences (like Gnome terminal) you'd see the guts of the escape sequence.
Your password idea would work. It would be nearly impossible to establish a shared secret, unfortunately. It's really hard to do any kind of authentication over a one-way channel, which you almost always have to assume is what you've got in the world of terminal emulation. Key management retains its title as the worst part of crypto. The socket thing doesn't work (at least as the default mode) because nobody knows how to forward sockets and 99% of users would choose to forego the feature over learning a new ssh flag and making it work everywhere. There are gnarly race conditions there, too. How do you correlate prompts with messages on the socket?
I'm open to suggestions, but I don't see a way to make it both convenient enough to be generally useful and bulletproof.
I do plan to nuke the curl|bash thing. It was a shortcut to ship faster and to make it easy to update scripts in the field quickly when bugs were found. I did imagine everyone on hacker news scowling at me when I wrote that code, FWIW.
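Picking up the injection concern from the question above and the reply's point that a terminal which doesn't swallow unrecognized sequences at least lets you see them: one defensive habit is to capture output from an untrusted remote and scan it for OSC sequences before trusting what the terminal showed. The script below is an added example, not code from the thread or from iTerm2. It assumes the standard OSC framing (ESC ] payload, terminated by BEL or by ESC \) and that shell-integration marks use OSC 133 (FinalTerm-style prompt marks) and OSC 1337; the sample stream is constructed.

```sh
#!/bin/sh
# Added example (not from the thread or from iTerm2): scan a byte stream that
# came from an untrusted source for OSC escape sequences before letting a
# shell-integration-aware terminal interpret it.
# Assumptions: OSC is ESC ] <payload> terminated by BEL or by ESC \ (ST);
# shell-integration marks use OSC 133 (FinalTerm-style prompt marks) and
# OSC 1337 (iTerm2 proprietary). The sample stream is constructed.

# Print the payload of every OSC sequence, one per line. awk splits the input
# on ESC; a record that starts with "]" is an OSC, and its payload ends at the
# BEL terminator or, for ST-terminated sequences, at the next ESC.
osc_payloads() {
  awk 'BEGIN { RS = "\033" }
       NR > 1 && substr($0, 1, 1) == "]" {
         p = substr($0, 2)
         sub(/\007.*/, "", p)
         print p
       }'
}

# Keep only the payloads a shell-integration terminal would act on.
integration_payloads() {
  osc_payloads | grep -E '^(133|1337);'
}

# Constructed stand-in for output from an untrusted remote (e.g. the progress
# lines of a git push): a prompt mark, a fake prompt, a CurrentDir report and a
# window-title change smuggled between two legitimate lines.
sample_stream() {
  printf 'remote: Counting objects: 3, done.\n'
  printf '\033]133;A\007$ \033]133;B\007'
  printf '\033]1337;CurrentDir=/tmp/constructed\007'
  printf '\033]0;window title\033\\'
  printf 'remote: Compressing objects: 100%% (2/2), done.\n'
}

# Usage: capture the session (e.g. with script(1) or tee) and then run
#   integration_payloads < capture.log
# A non-empty result from a host that has no shell integration installed is
# the thing to look at.
```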
> The socket thing doesn't work (at least as the default mode) because nobody knows how to forward sockets
I suspect that you can do this with SSH configuration (LocalForward ~/.something:~/.something), but I haven't tested it. It mostly depends on whether you're willing to configure this, but perhaps the installer can put that at the top of ~/.ssh/config, so it's global, with a comment saying "If you don't want this globally, delete it or put it after a `Host example.com` line". Even if you trusted all SSH hosts, this would protect you from the git-clone attack.
You could probably also abuse X11 forwarding for this, which has the advantage that trusted X11 forwarding is basically the right security boundary and is just `ssh -Y`, and the disadvantage that now you're relying on X11 (or worse, a custom X11-speaking proxy so you can avoid requiring the server or client) on both sides.
> There are gnarly race conditions there, too. How do you correlate prompts with messages on the socket?
Send a token or hash in-band, and send the actual command out-of-band. If you receive an unknown token, ignore it.
> I do plan to nuke the curl|bash thing. It was a shortcut to ship faster and to make it easy to update scripts in the field quickly when bugs were found. I did imagine everyone on hacker news scowling at me when I wrote that code, FWIW.
:-)
curl https:// | sh is IMO a perfectly reasonable way to install software (at least in a world where ./configure && make install is reasonable; I don't know any humans who can audit the output of GNU autoconf). It just has this one weird problem. I sort of dislike the stigmatization of it precisely because it's hard to talk about how to do it well.
This looks really cool. One question - if I'm tunneling through one server to the next (required for me to access production servers) does the file upload/download still work?
It's stored in ~/Library/Application Support. Whether that's safer than your shell's own history depends on your personal threat model. You can turn off "Prefs>General>Save copy/paste and command history to disk" to disable this if your mac is untrusted.
So you want your bash history safer than your private ssh keys? Like at userspace, there's very little point in protecting anything. Just lock your computer when you walk away from it.
I used to use cygwin on Windows with screen. It kinda works, it's just that everything is so slow. Every time I created a new screen window I had to peek at HN for the latest posts. LoL
This looks great! I love iterm2 and have used it every day for years. My biggest problem is the configuration -- I just wish it had a plain text configuration file that I could keep under version control. I've experimented with using PListBuddy and a git diff driver to keep the plist under version control but it seems unwieldy and I haven't found that approach useful yet.
Also I don't really understand the difference between the main configuration interface (cmd-,) and the "Edit Session..." interface (right click on iterm2 menu). Possibly related, I have a custom command configured in Advanced -> Semantic History but it keeps reverting back to no command and I just don't understand why.
I would love not to have to use a graphical interface to configure it, I would like a plain text file instead. I think I'm being dumb and a couple hours consideration would lead me to understand any issues I'm having but the fact remains that after years of use its configuration is something I find really painful.
The popup on command completion is a neat feature actually, which I've appreciated in gnome-terminal on Fedora 22, nicely integrated into the notification system.
Update: I just tested it and fish 2.2 works great out of the box.
I haven't had a chance to test it yet, but I believe fish 2.2 will allow the baking to finish. Fish cleverly parses the prompt to figure out how long it is (vs bash which requires you to wrap nonprinting sequences in \[ and \]). Unfortunately fish's support for OSC codes was incomplete. This was a problem because shell integration uses them to report the current directory, hostname, prompt location, etc., so fish would wrap at the wrong location. I submitted a patch a while back, but I can't very well ask people to run a hacked version of their shell. So until a few days ago it was half baked. Now it's like 90% baked :)
I use iTerm2 a lot in the "visor" (pop up from the top) mode. I have my iTerm2 plist file edited so that it displays no bar icon and pops up even over the full screen apps. It would be really nice to have a feature where instead of a popup alert, the visor window would just slide out, to let me know that it's done.
But all in all, sounds like an awesome set of features, will have to try tonight. Thanks!
PS: On an unrelated note, if later on you could add native support for the pop-out window to appear in full screen apps, and maybe do a check, so that if you are in full screen app mode, it pops over with 0 y offset, but if it's on a normal screen, it pops up with an offset to accommodate the menu bar, that would be awesome. But no rush :), thanks for all the awesome work!
Click to download or drop in to upload is really nice! I'm excited for this!
BTW if you're using iTerm, be aware that ⌘+clicking on a link will open the link in browser or ⌘+clicking a file in `ls` result will open the file with default app.
I really like this, but am wondering if something like ZModem over SSH would make the file transfer stuff more convenient...I feel like some things have become more complicated since the BBS days.
Terminator comes close, but to be honest, iTerm2 still beats it with its user friendliness and features.
It's really interesting how OS X is the one that has a terminal emulator with the most features out there.
iTerm2 now comes with 24-bit colors, command completion popup, notifications, triggers, profiles, mouseless copy, split panes, search, and you can even have inline images/gifs all out of the box with zero or minimal configuration required. That's just awesome.
All of these features and iTerm2 still feels much faster than Terminator to me.
I found iterm2 to be my most-missed piece of software when switching to linux desktop. Terminator just doesn't compare with ease-of-use, look, and feel. Gnome terminal is nice but lacks some of the rich features.
Simply in case anyone is not already aware, there are some phenomenal add-on features for urxvt through the perl extensions: https://github.com/muennich/urxvt-perls/
Notably, keyboard-select allows you to cut/paste things into the X buffer from anywhere in the terminal scrollback using only keyboard shortcuts. url-select, conversely, allows you to cycle through any visible URLs and either open them in an external browser or copy them to the X buffer.
Does this update speed up things as well by any chance?
I like iTerm2 a lot, but one day when I coincidentally started using the normal Terminal I noticed how fast it was/how slow iTerm2 was, which is the reason I stopped using iTerm2 and switched to TotalTerminal (a plugin for Terminal.app).
Yes! The incoming bytestream is now parsed into tokens in a separate thread. There are various other performance improvements as well, such as a fastpath for when no double-width characters are present.
Wow guys, this is great... I'd manually tried setting something up with PushBullet for a few long running commands, but just hitting a shortcut combo is much nicer...
brew installs and bundle installs and the like will be a joy now!
Is it possible to enable/disable features? Since installing, my prompt has been rather buggy, and there are some features I don't particularly care for, but others I really like. For example, my python virtualenv prompt gets broken into two lines, both with a mark, which causes line lengths to misbehave too sometimes. Alternatively, not to sound like a downer, but is there a way to uninstall shell integration? Thanks!
I love conemu, with a git-bash prompt it's about priceless. In case anyone is looking for something similar for Explorer, I've been using a program called Clover for a while.
Linking to the alternativeto page for it, since it's free, but closed source...
Great stuff, I've been using iTerm2 for a while and it's really good to see it evolve like this.
I use screen a lot (yes I know, I should switch to tmux one day!) and shell integration doesn't seem to work properly with sessions inside screen. Works perfectly if I ssh directly. Is it going to be supported eventually or is this the ultimate signal for me to switch to tmux?
By default, it is disabled in tmux. It works fine in iTerm2's tmux integration mode, but not in plain old tmux. I'm hopeful that this feature will prove popular and useful enough that I can get tmux to add support for it. To make it work in tmux integration mode just remove the check that $TERM == "screen" in $HOME/.iterm2_shell_integration.$SHELL.
I just love iTerm2, but I feel it's slow and unresponsive at times (garbage collection?) compared to Apple's Terminal. I still keep using iTerm2 because of its features. If there is any way I can profile this slowness and submit a bug report to have it fixed, please let me know!
I assume you're using 2.9.x here. Try turning off prefs>advanced>avoid repainting the screen when the cursor is hidden. Let me know if that makes a difference.
I like the idea of these features, but the "run this random shellscript from the internet" part really bugs me.
Could / will you integrate it another way when it comes out of the nightly releases?
Totally reasonable thing to ask, but if you'd scrolled down a few more pixels you'd have had your answer. Directly underneath:
The easiest way to install shell integration is to select the iTerm2>Install Shell Integration menu item. It will download and run a shell script as described below.
...you'll see:
"Don't care for piping curl to bash? Do it by hand. First, download the right script for your shell...."
The linked page explains how to install by hand. I'd like to eliminate the curl|bash. It's tricky to deploy a shell script in a terminal emulator, so it hasn't been done yet. The ability to fix bugs without making users upgrade their client has been invaluable during early beta.
Well, if all I have to do is run the script, I can just import it into my git repo (by submoduling iterm2's git repo, if they have one; if they don't, they need one just for this script), and just call it normally (with a bit of if wrapper to not execute on non-iterm2 terms).
Yes, all you have to do is source the script at https://iterm2.com/misc/${SHELL}_startup.in from your ~/.login, ~/.zshrc, ~/.bash_profile, or ~/.config/fish/config.fish as appropriate. If there's ever a major change you'll get a notification when you log in and you'll need to update it, but that hasn't happened yet.
It would have been nice if the bash line contained a way to compare hashes to verify the script is untouched (store the hash file on a 3rd-party server like S3), or to PGP sign the script in some way.
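The "if wrapper" idea a couple of comments up, the sourcing instructions in the author's reply, and the hash-comparison suggestion here combine into one startup-file pattern. The script below is an added example, not code from the thread or from iTerm2: it sources the downloaded integration script only when its SHA-256 matches a digest you pinned after reviewing the file, and only when actually running inside iTerm2. It assumes that iTerm2 sets TERM_PROGRAM=iTerm.app; the digest shown in the usage comment is a placeholder.

```sh
#!/bin/sh
# Added example (not from the thread or from iTerm2): source a downloaded
# shell-integration script only when it matches a digest you pinned after
# reviewing it, and only when actually running inside iTerm2.
# Assumptions: iTerm2 sets TERM_PROGRAM=iTerm.app; the digest in the usage
# comment is a placeholder you replace with your own.

# SHA-256 of a file, portable across Linux (sha256sum) and macOS (shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d ' ' -f 1
  else
    shasum -a 256 "$1" | cut -d ' ' -f 1
  fi
}

# Source $1 into the current shell only if its digest equals $2; return 1 otherwise.
source_if_pinned() {
  file="$1"
  expected="$2"
  [ -r "$file" ] || return 1
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    printf 'refusing to source %s: digest mismatch\n' "$file" >&2
    return 1
  fi
  . "$file"
}

# Constructed usage for ~/.bash_profile (the zsh equivalent has the same shape):
# if [ "$TERM_PROGRAM" = "iTerm.app" ]; then
#   source_if_pinned "$HOME/.iterm2_shell_integration.bash" "PLACEHOLDER_SHA256_DIGEST"
# fi
```

When the script is updated upstream, the mismatch message tells you to re-review and re-pin rather than silently sourcing whatever is now on disk, which is the property the hash suggestion above is after.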
I should add that I use ssh_config. I tried the file download feature but I get an error, it tries to scp from MBP.local and doesn't seem to be aware of my ssh session at all.
Everything in the Production zone in our corporate network is only available via jumphost. The kicker is that you need to support both "ProxyCommand args" enabling and "ProxyCommand None" for disabling.
I have over 300 hosts defined in my .ssh/config file and it's indispensable to have all these options, especially when mixing in 2FA jump hosts into the mix.
I use ProxyCommand for tor hidden services, for connecting to IPv6 hosts (via a v4 connection to a host with v6 connectivity), for connecting to production past a bastion host, for triggering port knocking, all sorts of stuff.
I don't get to control the UI if I shell out. I want to prompt you for your password in a native window and display a native progress bar. I want to know exactly why it failed. I want to estimate the time remaining.
That's a fair point. We do support agents and much of ssh_config. I'll look into what it would take to patch scp when I get the chance.
For folks who have setups where iTerm2's scp implementation can't connect, you can always download files over an existing ssh connection with this script:
Upload is a little trickier, but you can copy a file to the pasteboard (e.g., in Finder) and then paste it base64-encoded (Edit > Paste Special > Paste File Base64-Encoded) into base64 -D >> filename.
Also, credit goes to FinalTerm for the inspiration. RIP.