SSH Command Line Password Support
Damien Miller
djm at mindrot.org
Fri Aug 29 03:55:11 EST 2008
On Thu, 28 Aug 2008, Jim Knoble wrote:
> Disclaimer: I'm the creator of x11-ssh-askpass
> <http://www.jmknoble.net/software/x11-ssh-askpass/>.
>
> I believe the best way to handle this is with an ssh_config file option
> (which can then also be used on the command line). ssh-add(1) and
> ssh-agent(1) also use SSH_ASKPASS and should use a command-line option,
> since they don't read ssh_config files.
>
> This allows for the greatest combination of flexibility and backward
> compatibility. For example:
>
> ssh -oUseSshAskpass=auto
> ssh -oUseSshAskpass=yes
> ssh -oUseSshAskpass=no
>
> "auto": the current method, and the default.
>
> "yes": ignore the presence or absence of a controlling terminal
> and a DISPLAY variable, and just use SSH_ASKPASS if it's set.
>
> "no": ignore SSH_ASKPASS; always prompt the terminal for a
> passphrase or confirmation (if no terminal, fail?).
>
> "ssh-agent" => UseSshAskpass=auto
> "ssh-agent -p" => UseSshAskpass=yes
> "ssh-agent -P" => UseSshAskpass=no
>
> "ssh-add" => UseSshAskpass=auto
> "ssh-add -p" => UseSshAskpass=yes
> "ssh-add -P" => UseSshAskpass=no
>
> Folks who expect the current way of doing things don't have to change
> anything. Folks who want something different can use the command-line
> or ssh_config options. Folks who want something fancy can use
> "UseSshAskpass=yes", create wrapper scripts for ssh-add(1) and
> ssh-agent(1), and set SSH_ASKPASS to a script which determines what to
> do, as Alan Barrett suggests.
Could you please attach this to
https://bugzilla.mindrot.org/b/generalised-askpass ?
I think it might need a little more specification of what each option does
under various circumstances (tty/no-tty, DISPLAY/no-DISPLAY, etc.), but
it is already a lot more likeable than the suggestions already there.
Thanks,
Damien