[Bug 69] Generalize SSH_ASKPASS
bugzilla-daemon at bugzilla.mindrot.org
bugzilla-daemon at bugzilla.mindrot.org
Sat Aug 30 04:48:34 EST 2008
https://bugzilla.mindrot.org/show_bug.cgi?id=69
--- Comment #12 from Jim Knoble <jmknoble at pobox.com> 2008-08-30 04:48:28 ---
Date: Thu, 28 Aug 2008 15:24:22 -0500 (CDT)
From: Ben Lindstrom <mouring at eviladmin.org>
To: openssh-unix-dev at mindrot.org
Subject: Re: SSH Command Line Password Support
In-Reply-To: <20080828190818.GB13711 at crawfish.ais.com>
Message-ID: <alpine.BSO.1.00.0808281458000.5006 at miyako.eviladmin.org>
References: <876324.11513.qm at web30706.mail.mud.yahoo.com>
<867ia2963m.fsf at ds4.des.no>
<alpine.BSO.1.10.0808271359360.14747 at fuyu.mindrot.org>
<slrngbahdp.c3c.janfrode at lc4eb5760521341.ibm.com>
<87y72itrl7.fsf at squeak.fifthhorseman.net>
<20080827185507.GD233 at greenie.muc.de>
<87iqtmkusk.fsf at squeak.fifthhorseman.net>
<alpine.BSO.1.10.0808280155290.3864 at fuyu.mindrot.org>
<20080828083820.GC2874 at apb-laptoy.apb.alt.za>
<20080828190818.GB13711 at crawfish.ais.com>
On Thu, 28 Aug 2008, Jim Knoble wrote:
> Circa 2008-08-28 04:38 dixit Alan Barrett:
>
> : On Thu, 28 Aug 2008, Damien Miller wrote:
> : > [old SSH_ASKPASS proposals:]
> : > > http://marc.info/?l=openssh-unix-dev&m=116921620227593&w=2
> : > > https://bugzilla.mindrot.org/show_bug.cgi?id=69
> : >
> : > I think we should do something like this, but I remember having some
> : > issues with the user-interface.
> :
> : I don't like having new environment variables like
> : WHEN_TO_USE_SSH_ASKPASS="always" or ALWAYS_USE_SSH_ASKPASS="yes" or
> : any other variations on this theme. I'd prefer to see ssh simply use
> : SSH_ASKPASS all the time regardless of whether or not there's a DISPLAY
> : or a tty. If the user wants conditional behaviour, they can set
> : SSH_ASKPASS to point to a script that does whatever tests they like when
> : it is invoked, or they can use a script to conditionally set SSH_ASKPASS
> : to different values before they invoke ssh.
> :
> : Alternatively, you could put all the complex policy like "use
> : SSH_ASKPASS if foo and not bar" into the configuration file, and let
> : SSH_ASKPASS continue to be the only environment variable related to
> : this issue. The main thing is that I want no more than one environment
> : variable for this.
>
> Disclaimer: I'm the creator of x11-ssh-askpass
> <http://www.jmknoble.net/software/x11-ssh-askpass/>.
>
> I believe the best way to handle this is with an ssh_config file option
> (which can then also be used on the command line). ssh-add(1) and
> ssh-agent(1) also use SSH_ASKPASS and should use a command-line option,
> since they don't read ssh_config files.
>
> This allows for the greatest combination of flexibility and backward
> compatibility. For example:
>
> ssh -oUseSshAskpass=auto
> ssh -oUseSshAskpass=yes
> ssh -oUseSshAskpass=no
>
> "auto": the current method, and the default.
>
> "yes": ignore the presence or absence of a controlling terminal
> and a DISPLAY variable, and just use SSH_ASKPASS if it's set.
>
> "no": ignore SSH_ASKPASS; always prompt the terminal for a
> passphrase or confirmation (if no terminal, fail?).
>
To me the above makes no sense at a glance. I'd rather see
"UseSshAskpassWithoutX11 {Yes/No}" or something that clearly defines
that
when
using SSH_ASKPASS what the behavior one is to expect from it.
Only advantage yours provides is if someone wants to disable it period
regardless of DISPLAY= and SSH_ASKPASS= being set (which
Problem is I can't come up with something that makes good sense at a
glance. "AUTO" to me makes no sense. Why would "AUTO" and "YES"
(without
reading a manpage) be different.
I guess I could see the syntax being "UseAskpass {X11,Yes,No}" .. I
hate
pinning stuff to X because that may not be the case for Windows or Mac.
However, seeing our use of it all over the ssh_config it make it
consistant.
Besides that the rest of the proposal is fine to me.
BTW.. Thinking through this.. Had we been discussing implementing this
today a new feature I'd be arguing that it would be SSH_ASKPASS
program's
job to care if DISPLAY= was set, but legacy issue trump this choice
these
days.
- Ben
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching someone on the CC list of the bug.
More information about the openssh-bugs
mailing list