SSH Command Line Password Support

Jim Knoble jmknoble at
Sat Aug 30 05:11:14 EST 2008

[This comment also appears as .]

Circa 2008-08-29 10:22 dixit Alan Barrett:

: Having to use command line options for ssh-add and ssh-agent may be
: inconvenient in some environments.
: It occurs to me that the policy on when to use SSH_ASKPASS
: could also be embedded in the variable itself, like this:
:   SSH_ASKPASS="/path/to/script"        # like today
:   SSH_ASKPASS="always:/path/to/script" # use it regardless of DISPLAY or tty

Alan's propoasl is a much more elegant solution than the one i proposed.
In case it's not obvious, there are 3 possible states:

(1) Current behavior (depends on whether DISPLAY is set and there is a
controlling tty):


(2) Always use SSH_ASKPASS, ignoring whether DISPLAY is set and whether
a controlling tty exists:


(3) Always prompt on the tty, unless there isn't one, in which case,
fail if a passphrase or confirmation is required:

    SSH_ASKPASS="", or
    (SSH_ASKPASS is unset, i.e., not present in environment)

The third state is not explicit in Alan's comment.  States (1) and (3)
are both current behavior, thus they are completely backward compatible
with current implementations.  State (2) requires command-line options
for ssh-add or ssh-agent.

Nice work, Alan.

jim knoble  |  jmknoble at  |
(GnuPG key ID: C6F31FFA  >>>>>> )
(GnuPG fingerprint: 99D8:1D89:8C66:08B5:5C34::5527:A543:8C33:C6F3:1FFA)
|[L]iberty, as we all know, cannot flourish in a country that is perma-|
| nently on a war footing, or even a near-war footing.  --Aldous Huxley|

More information about the openssh-unix-dev mailing list