[Bug 69] Generalize SSH_ASKPASS

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Sat Aug 30 04:48:34 EST 2008


--- Comment #12 from Jim Knoble <jmknoble at pobox.com>  2008-08-30 04:48:28 ---
Date: Thu, 28 Aug 2008 15:24:22 -0500 (CDT)
From: Ben Lindstrom <mouring at eviladmin.org>
To: openssh-unix-dev at mindrot.org
Subject: Re: SSH Command Line Password Support
In-Reply-To: <20080828190818.GB13711 at crawfish.ais.com>
Message-ID: <alpine.BSO.1.00.0808281458000.5006 at miyako.eviladmin.org>
References: <876324.11513.qm at web30706.mail.mud.yahoo.com>
 <867ia2963m.fsf at ds4.des.no>
 <alpine.BSO.1.10.0808271359360.14747 at fuyu.mindrot.org>
 <slrngbahdp.c3c.janfrode at lc4eb5760521341.ibm.com>
 <87y72itrl7.fsf at squeak.fifthhorseman.net>
 <20080827185507.GD233 at greenie.muc.de>
 <87iqtmkusk.fsf at squeak.fifthhorseman.net>
 <alpine.BSO.1.10.0808280155290.3864 at fuyu.mindrot.org>
 <20080828083820.GC2874 at apb-laptoy.apb.alt.za>
 <20080828190818.GB13711 at crawfish.ais.com>

On Thu, 28 Aug 2008, Jim Knoble wrote:

> Circa 2008-08-28 04:38 dixit Alan Barrett:
> : On Thu, 28 Aug 2008, Damien Miller wrote:
> : > [old SSH_ASKPASS proposals:]
> : > >  http://marc.info/?l=openssh-unix-dev&m=116921620227593&w=2
> : > >  https://bugzilla.mindrot.org/show_bug.cgi?id=69
> : >
> : > I think we should do something like this, but I remember having some
> : > issues with the user-interface.
> :
> : I don't like having new environment variables like
> : any other variations on this theme.  I'd prefer to see ssh simply use
> : SSH_ASKPASS all the time regardless of whether or not there's a DISPLAY
> : or a tty.  If the user wants conditional behaviour, they can set
> : SSH_ASKPASS to point to a script that does whatever tests they like when
> : it is invoked, or they can use a script to conditionally set SSH_ASKPASS
> : to different values before they invoke ssh.
> :
> : Alternatively, you could put all the complex policy like "use
> : SSH_ASKPASS if foo and not bar" into the configuration file, and let
> : SSH_ASKPASS continue to be the only environment variable related to
> : this issue.  The main thing is that I want no more than one environment
> : variable for this.
> Disclaimer:  I'm the creator of x11-ssh-askpass
> <http://www.jmknoble.net/software/x11-ssh-askpass/>.
> I believe the best way to handle this is with an ssh_config file option
> (which can then also be used on the command line).  ssh-add(1) and
> ssh-agent(1) also use SSH_ASKPASS and should use a command-line option,
> since they don't read ssh_config files.
> This allows for the greatest combination of flexibility and backward
> compatibility.  For example:
>    ssh -oUseSshAskpass=auto
>    ssh -oUseSshAskpass=yes
>    ssh -oUseSshAskpass=no
>    "auto": the current method, and the default.
>    "yes": ignore the presence or absence of a controlling terminal
>    and a DISPLAY variable, and just use SSH_ASKPASS if it's set.
>    "no": ignore SSH_ASKPASS; always prompt the terminal for a
>    passphrase or confirmation (if no terminal, fail?).

To me the above makes no sense at a glance.  I'd rather see 
"UseSshAskpassWithoutX11 {Yes/No}" or something that clearly defines
using SSH_ASKPASS what the behavior one is to expect from it.

Only advantage yours provides is if someone wants to disable it period 
regardless of DISPLAY= and SSH_ASKPASS= being set (which

Problem is I can't come up with something that makes good sense at a 
glance.  "AUTO" to me makes no sense.  Why would "AUTO" and "YES"
reading a manpage) be different.

I guess I could see the syntax being "UseAskpass {X11,Yes,No}" .. I
pinning stuff to X because that may not be the case for Windows or Mac. 
However, seeing our use of it all over the ssh_config it make it 

Besides that the rest of the proposal is fine to me.

BTW.. Thinking through this.. Had we been discussing implementing this 
today a new feature I'd be arguing that it would be SSH_ASKPASS
job to care if DISPLAY= was set, but legacy issue trump this choice

- Ben

Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching someone on the CC list of the bug.

More information about the openssh-bugs mailing list