SSH Command Line Password Support
Jim Knoble
jmknoble at pobox.com
Fri Aug 29 05:08:18 EST 2008
Circa 2008-08-28 04:38 dixit Alan Barrett:
: On Thu, 28 Aug 2008, Damien Miller wrote:
: > [old SSH_ASKPASS proposals:]
: > > http://marc.info/?l=openssh-unix-dev&m=116921620227593&w=2
: > > https://bugzilla.mindrot.org/show_bug.cgi?id=69
: >
: > I think we should do something like this, but I remember having some
: > issues with the user-interface.
:
: I don't like having new environment variables like
: WHEN_TO_USE_SSH_ASKPASS="always" or ALWAYS_USE_SSH_ASKPASS="yes" or
: any other variations on this theme. I'd prefer to see ssh simply use
: SSH_ASKPASS all the time regardless of whether or not there's a DISPLAY
: or a tty. If the user wants conditional behaviour, they can set
: SSH_ASKPASS to point to a script that does whatever tests they like when
: it is invoked, or they can use a script to conditionally set SSH_ASKPASS
: to different values before they invoke ssh.
:
: Alternatively, you could put all the complex policy like "use
: SSH_ASKPASS if foo and not bar" into the configuration file, and let
: SSH_ASKPASS continue to be the only environment variable related to
: this issue. The main thing is that I want no more than one environment
: variable for this.
Disclaimer: I'm the creator of x11-ssh-askpass
<http://www.jmknoble.net/software/x11-ssh-askpass/>.
I believe the best way to handle this is with an ssh_config file option
(which can then also be used on the command line). ssh-add(1) and
ssh-agent(1) also use SSH_ASKPASS and should use a command-line option,
since they don't read ssh_config files.
This allows for the greatest combination of flexibility and backward
compatibility. For example:
    ssh -oUseSshAskpass=auto
    ssh -oUseSshAskpass=yes
    ssh -oUseSshAskpass=no

  "auto": the current method, and the default.
  "yes": ignore the presence or absence of a controlling terminal
         and a DISPLAY variable, and just use SSH_ASKPASS if it's set.
  "no": ignore SSH_ASKPASS; always prompt the terminal for a
        passphrase or confirmation (if no terminal, fail?).

    "ssh-agent"    => UseSshAskpass=auto
    "ssh-agent -p" => UseSshAskpass=yes
    "ssh-agent -P" => UseSshAskpass=no
    "ssh-add"      => UseSshAskpass=auto
    "ssh-add -p"   => UseSshAskpass=yes
    "ssh-add -P"   => UseSshAskpass=no
Folks who expect the current way of doing things don't have to change
anything. Folks who want something different can use the command-line
or ssh_config options. Folks who want something fancy can use
"UseSshAskpass=yes", create wrapper scripts for ssh-add(1) and
ssh-agent(1), and set SSH_ASKPASS to a script which determines what to
do, as Alan Barrett suggests.
Comments?
--jim
--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG key ID: C6F31FFA >>>>>> http://www.pobox.com/~jmknoble/keys/ )
(GnuPG fingerprint: 99D8:1D89:8C66:08B5:5C34::5527:A543:8C33:C6F3:1FFA)
+----------------------------------------------------------------------+
|[L]iberty, as we all know, cannot flourish in a country that is perma-|
| nently on a war footing, or even a near-war footing. --Aldous Huxley|
+----------------------------------------------------------------------+
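The "SSH_ASKPASS points at a script that does whatever tests it likes" approach that Alan Barrett describes and Jim Knoble folds into his "something fancy" case, as an added example (not code from the thread, from x11-ssh-askpass, or from OpenSSH). It assumes ssh is invoking SSH_ASKPASS unconditionally, i.e. Alan's proposal or the proposed UseSshAskpass=yes, since under the "auto" behaviour ssh would not call it when a terminal is present. ssh runs the program with the prompt as its single argument and reads the secret from its stdout; the script picks a GUI helper when DISPLAY is set, falls back to the controlling terminal with echo off, and fails cleanly when neither is available. GUI_ASKPASS is an assumed name for whichever graphical helper is installed.

```shell
#!/bin/sh
# Constructed SSH_ASKPASS dispatcher (example code, not from the thread or
# OpenSSH). ssh invokes it as: $SSH_ASKPASS "prompt text"
# and takes the secret from stdout. GUI_ASKPASS is an assumed name; point
# it at the graphical helper actually installed on the system.
GUI_ASKPASS="${GUI_ASKPASS:-/usr/libexec/x11-ssh-askpass}"

# Pure policy decision, kept separate so it can be tested without a tty:
#   $1 = value of DISPLAY ("" when unset)
#   $2 = "yes" if /dev/tty can be opened, else "no"
#   $3 = path to the GUI helper
# Prints one of: gui, tty, fail
choose_backend() {
    display=$1 have_tty=$2 helper=$3
    if [ -n "$display" ] && [ -x "$helper" ]; then
        echo gui
    elif [ "$have_tty" = yes ]; then
        echo tty
    else
        echo fail
    fi
}

# "yes" if a controlling terminal can be opened for the prompt.
tty_available() {
    if ( : < /dev/tty ) 2>/dev/null; then echo yes; else echo no; fi
}

# Prompt on the terminal with echo disabled. Only the secret goes to
# stdout (that is what ssh reads); the prompt and newline go to the tty.
prompt_on_tty() {
    printf '%s' "$1" > /dev/tty
    stty -echo < /dev/tty
    IFS= read -r secret < /dev/tty
    status=$?
    stty echo < /dev/tty
    printf '\n' > /dev/tty
    [ "$status" -eq 0 ] || return 1
    printf '%s\n' "$secret"
}

askpass_main() {
    case $(choose_backend "${DISPLAY:-}" "$(tty_available)" "$GUI_ASKPASS") in
        gui) exec "$GUI_ASKPASS" "$@" ;;
        tty) prompt_on_tty "$1" ;;
        *)   echo "askpass: no DISPLAY and no terminal; cannot prompt" >&2
             exit 1 ;;
    esac
}

# ssh always passes the prompt as an argument; with no argument the file
# only defines the functions (so it can be sourced or tested non-interactively).
if [ $# -gt 0 ]; then
    askpass_main "$@"
fi
```

Install it as an executable file and export SSH_ASKPASS=/path/to/it; the same script then serves ssh, ssh-add and ssh-agent, which is the "only one environment variable" property Alan asks for. The policy lives in choose_backend, so a site that wants different tests (a particular session type, a lock file, a known-hosts prompt that must never go to a GUI) changes that one function rather than ssh's environment.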