ssh-add with stdin and read_passphrase
Jean-Yves FAYE
jean-yves.faye at c-s.fr
Tue Jan 18 21:40:17 EST 2011
On 18/01/2011 10:35, Peter Stuge wrote:
> Jean-Yves FAYE wrote:
>> I would like to use ssh-add to unlock a key with a password provided
>> through a web interface.
>>
>> It seems that even though ssh-add calls read_passphrase with RP_ALLOW_STDIN
>> at ssh-add.c:173, stdin is not used as a last resort without a valid
>> terminal or display. Is it an intended behaviour? And if so, what are
>> the security implications of using popen() to write the password to
>> ssh-add (not using echo password|ssh-add, of course)?
>>
>>
>> I used this patch, which solves the issue:
>
> Maybe you could provide an SSH_ASKPASS instead, and avoid patching.
>
>
That was one of my alternatives, with some twists, and a less
straightforward way than piping to stdin, without using disk. Another
alternative I thought of was to decipher the key within the PHP script
and provide it to ssh-agent, but it may be difficult to implement.
I was mostly wondering if it was the intended behavior, given the
RP_ALLOW_STDIN flag.
Jean-Yves Faye
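The SSH_ASKPASS route suggested above, worked through as an added example (this is not code from the thread or from OpenSSH). It relies only on the documented ssh-add behaviour: when ssh-add has no terminal and DISPLAY is set, it executes the program named by SSH_ASKPASS and reads the passphrase from that program's stdout. The helper script, the placeholder DISPLAY value and the stand-in command that imitates ssh-add are all assumptions of this example. The passphrase is handed over on an anonymous pipe whose read end is inherited by the child, so it never appears in argv, in the environment, or on disk, which addresses the process-listing and disk concerns raised in the original question.

```python
"""Hand a passphrase to ssh-add through SSH_ASKPASS without a terminal.

Added example (not code from the openssh-unix-dev thread). It assumes the
documented ssh-add behaviour: with no terminal and DISPLAY set, ssh-add runs
the program named by SSH_ASKPASS and reads the passphrase from its stdout.
"""
import os
import stat
import subprocess
import sys
import tempfile


def run_with_askpass(argv, passphrase):
    """Run argv (e.g. ["ssh-add", "/path/to/key"]) so that a passphrase prompt
    is answered by an SSH_ASKPASS helper instead of a terminal or stdin.

    The secret is never placed on the command line, in the environment or on
    disk: it is written into an anonymous pipe, and the helper script (which
    contains no secret) reads that pipe's inherited read end.
    """
    rfd, wfd = os.pipe()
    # A passphrase is far smaller than the pipe buffer, so writing it up front
    # cannot block. Closing the write end lets the helper see EOF afterwards.
    os.write(wfd, passphrase.encode("utf-8") + b"\n")
    os.close(wfd)

    with tempfile.TemporaryDirectory() as tmpdir:
        helper = os.path.join(tmpdir, "askpass-helper")
        # The helper is a tiny script run by this same interpreter; it copies
        # the inherited pipe (fd number baked in) to stdout, which is where
        # ssh-add reads the passphrase from (ssh-add strips the newline).
        with open(helper, "w") as fh:
            fh.write(
                f"#!{sys.executable}\n"
                "import sys\n"
                f"with open({rfd}, 'rb') as pipe:\n"
                "    sys.stdout.buffer.write(pipe.read())\n"
            )
        os.chmod(helper, stat.S_IRWXU)  # private to this user

        env = dict(os.environ)
        env["SSH_ASKPASS"] = helper
        # ssh-add consults SSH_ASKPASS only when DISPLAY is set; the helper
        # never opens a window, so a placeholder value is enough.
        env.setdefault("DISPLAY", "placeholder:0")
        try:
            return subprocess.run(
                argv,
                env=env,
                pass_fds=(rfd,),           # keep the pipe open across exec
                stdin=subprocess.DEVNULL,  # nothing resembling a tty on stdin
                stdout=subprocess.PIPE,
                stderr=subprocess.PIPE,
                start_new_session=True,    # detach from any controlling terminal
                text=True,
            )
        finally:
            os.close(rfd)


# Constructed stand-in for ssh-add: it imitates the prompt path by exec'ing
# $SSH_ASKPASS and echoing what the helper returns, so the plumbing can be
# exercised without an agent or a key.
FAKE_SSH_ADD = ["sh", "-c", 'exec "$SSH_ASKPASS" "Enter passphrase for key: "']


def demo_passphrase_roundtrip(passphrase="correct horse battery staple"):
    """Return the text the stand-in 'ssh-add' received from the helper."""
    return run_with_askpass(FAKE_SSH_ADD, passphrase).stdout


if __name__ == "__main__":
    print(repr(demo_passphrase_roundtrip()))
    # Real use, with a constructed key path and the passphrase obtained from
    # the web form:
    # run_with_askpass(["ssh-add", "/path/to/key"], passphrase_from_web_form)
```

The helper is written to a temporary directory, so that directory must allow execution (a noexec /tmp will make ssh-add fail to start it). Because the pipe is read to EOF on the first prompt, this answers one prompt per call; unlock one key per invocation. Newer OpenSSH releases also honour SSH_ASKPASS_REQUIRE=force, which makes the DISPLAY placeholder unnecessary.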