[Bug 3644] New: Pass the number of attempt to SSH_ASKPASS

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sun Dec 17 05:02:44 AEDT 2023


https://bugzilla.mindrot.org/show_bug.cgi?id=3644

            Bug ID: 3644
           Summary: Pass the number of attempt to SSH_ASKPASS
           Product: Portable OpenSSH
           Version: 9.4p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: flafyarazi at gmail.com

I'm working on a script to make `ssh` request a passphrase from a
command of my choice instead of prompting me for a passphrase directly.

If the script doesn't find a passphrase through the command, it should
prompt me to input a passphrase.

Additionally, if the script got a passphrase from the command but the
passphrase was not correct, it should prompt me to input a passphrase
as well.

I've set
```
SSH_ASKPASS_REQUIRE=prefer
SSH_ASKPASS=<path to the following bash script>
```

bash script:
```
#!/usr/bin/env bash

# Pull the key's basename out of ssh's prompt, e.g.
# "Enter passphrase for key '/home/me/.ssh/id_ed25519': " -> id_ed25519
key_name=$(echo "$1" | sed -n "s/.*\/\([^\/]*\)'.*/\1/p")

# Ask the password manager for the passphrase; a non-zero exit means no entry.
pass=$(get-passphrase-command "$key_name")

if [ $? -eq 0 ]; then
  echo "$pass"
else
  echo "Couldn't find passphrase from Bitwarden." >&2
  # stdin may not be a terminal when ssh runs SSH_ASKPASS, so read from
  # /dev/tty explicitly (this also makes -p show the prompt); -s keeps the
  # typed passphrase off the screen, -r keeps backslashes literal.
  read -rs -p "$1" passphrase < /dev/tty
  echo "" >&2
  echo "$passphrase"
fi
```

`ssh` will run this script every time it wants to request a passphrase.
If a passphrase returned by the script is not correct, `ssh` will run
the script 2 more times.

The script does exactly what I've described except prompt me for a
passphrase if it got an incorrect passphrase from the command. I can't
pass information from one attempt to another, so the script has no idea
if it failed already.

`ssh` passes the prompt it usually shows as the first argument (`$1`) to
SSH_ASKPASS.

To make my script possible, I propose also passing the number of
attempted passphrases so far to SSH_ASKPASS as the second
argument (`$2`).
This way I'll be able to detect that it is the script's second attempt at
inputting a passphrase and not run the passphrase command again.
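As an added example (not part of this report or of OpenSSH), the following POSIX shell handler shows the proposed interface in use: ssh would pass the prompt as `$1` and the number of passphrases already tried as `$2`. That second argument is an assumption; released OpenSSH passes only the prompt, so `${2:-0}` keeps the script working against it. `lookup_passphrase` is a constructed stand-in for the reporter's password-manager command, and `askpass_handler` takes an optional third argument naming an input file so the interactive fallback can be exercised without a terminal.

```shell
#!/bin/sh
# Added example, not the bug report's own script. Written against the
# proposed SSH_ASKPASS interface: $1 = prompt, $2 = attempts so far.
# ASSUMPTION: released OpenSSH passes only $1; $2 defaults to 0 here.

# Constructed stand-in for the reporter's get-passphrase-command: prints a
# passphrase for a known key name, exits non-zero for anything else.
lookup_passphrase() {
  case "$1" in
    id_ed25519) printf '%s\n' 'constructed-demo-passphrase' ;;
    *) return 1 ;;
  esac
}

# Extract the key's basename from ssh's prompt, e.g.
# "Enter passphrase for key '/home/u/.ssh/id_ed25519': " -> id_ed25519
key_name_from_prompt() {
  printf '%s\n' "$1" | sed -n "s/.*\/\([^\/]*\)'.*/\1/p"
}

# prompt_user PROMPT [INPUT]: read one line from INPUT (default /dev/tty,
# since stdin is not guaranteed to be a terminal when ssh runs SSH_ASKPASS)
# with terminal echo disabled, so the passphrase is not shown on screen.
prompt_user() {
  _src=${2:-/dev/tty}
  printf '%s' "$1" >&2
  stty -echo < "$_src" 2>/dev/null || :
  _rc=0
  IFS= read -r _pass < "$_src" || _rc=$?
  stty echo < "$_src" 2>/dev/null || :
  printf '\n' >&2
  [ "$_rc" -eq 0 ] || return 1
  printf '%s\n' "$_pass"
}

# askpass_handler PROMPT ATTEMPTS [INPUT]
# Attempt 0: consult the manager first, fall back to the user if it has
# no entry. Attempt >0: a stored passphrase was already rejected, so ask
# the user directly instead of returning the same wrong value again.
askpass_handler() {
  _prompt=$1
  _attempt=${2:-0}
  _key=$(key_name_from_prompt "$_prompt")
  if [ "$_attempt" -eq 0 ] && _found=$(lookup_passphrase "$_key"); then
    printf '%s\n' "$_found"
    return 0
  fi
  if [ "$_attempt" -gt 0 ]; then
    echo "Stored passphrase was rejected; asking for it interactively." >&2
  else
    echo "No stored passphrase for '$_key'; asking for it interactively." >&2
  fi
  prompt_user "$_prompt" "$3"
}

# Entry point when ssh executes this file as SSH_ASKPASS (ssh always
# supplies at least the prompt, so a bare invocation does nothing).
if [ "$#" -ge 1 ]; then
  askpass_handler "$1" "$2"
fi
```

The passphrase only ever travels over the stdout pipe that ssh reads; it never appears in a command-line argument or in the process environment, which is the same property the original `SSH_ASKPASS` design relies on.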
