SSH Command Line Password Support - openssh



Thread: SSH Command Line Password Support

  1. Re: SSH Command Line Password Support

    Circa 2008-08-28 04:38 dixit Alan Barrett:

    : On Thu, 28 Aug 2008, Damien Miller wrote:
    : > [old SSH_ASKPASS proposals:]
    : > > http://marc.info/?l=openssh-unix-dev...1620227593&w=2
    : > > https://bugzilla.mindrot.org/show_bug.cgi?id=69
    : >
    : > I think we should do something like this, but I remember having some
    : > issues with the user-interface.
    :
    : I don't like having new environment variables like
    : WHEN_TO_USE_SSH_ASKPASS="always" or ALWAYS_USE_SSH_ASKPASS="yes" or
    : any other variations on this theme. I'd prefer to see ssh simply use
    : SSH_ASKPASS all the time regardless of whether or not there's a DISPLAY
    : or a tty. If the user wants conditional behaviour, they can set
    : SSH_ASKPASS to point to a script that does whatever tests they like when
    : it is invoked, or they can use a script to conditionally set SSH_ASKPASS
    : to different values before they invoke ssh.
    :
    : Alternatively, you could put all the complex policy like "use
    : SSH_ASKPASS if foo and not bar" into the configuration file, and let
    : SSH_ASKPASS continue to be the only environment variable related to
    : this issue. The main thing is that I want no more than one environment
    : variable for this.

    Disclaimer: I'm the creator of x11-ssh-askpass.

    I believe the best way to handle this is with an ssh_config file option
    (which can then also be used on the command line). ssh-add(1) and
    ssh-agent(1) also use SSH_ASKPASS and should use a command-line option,
    since they don't read ssh_config files.

    This allows for the greatest combination of flexibility and backward
    compatibility. For example:

    ssh -oUseSshAskpass=auto
    ssh -oUseSshAskpass=yes
    ssh -oUseSshAskpass=no

    "auto": the current method, and the default.

    "yes": ignore the presence or absence of a controlling terminal
    and a DISPLAY variable, and just use SSH_ASKPASS if it's set.

    "no": ignore SSH_ASKPASS; always prompt the terminal for a
    passphrase or confirmation (if no terminal, fail?).

    "ssh-agent" => UseSshAskpass=auto
    "ssh-agent -p" => UseSshAskpass=yes
    "ssh-agent -P" => UseSshAskpass=no

    "ssh-add" => UseSshAskpass=auto
    "ssh-add -p" => UseSshAskpass=yes
    "ssh-add -P" => UseSshAskpass=no

    Folks who expect the current way of doing things don't have to change
    anything. Folks who want something different can use the command-line
    or ssh_config options. Folks who want something fancy can use
    "UseSshAskpass=yes", create wrapper scripts for ssh-add(1) and
    ssh-agent(1), and set SSH_ASKPASS to a script which determines what to
    do, as Alan Barrett suggests.

    Comments?

    --jim

    --
    jim knoble | jmknoble@pobox.com | http://www.pobox.com/~jmknoble/
    (GnuPG key ID: C6F31FFA >>>>>> http://www.pobox.com/~jmknoble/keys/ )
    (GnuPG fingerprint: 99D8:1D89:8C66:08B5:5C34::5527:A543:8C33:C6F3:1FFA )
    +----------------------------------------------------------------------+
    |[L]iberty, as we all know, cannot flourish in a country that is perma-|
    | nently on a war footing, or even a near-war footing. --Aldous Huxley|
    +----------------------------------------------------------------------+
    _______________________________________________
    openssh-unix-dev mailing list
    openssh-unix-dev@mindrot.org
    https://lists.mindrot.org/mailman/li...enssh-unix-dev


  2. Re: SSH Command Line Password Support
    On Thu, 28 Aug 2008, Jim Knoble wrote:

    > Circa 2008-08-28 04:38 dixit Alan Barrett:
    >
    > : On Thu, 28 Aug 2008, Damien Miller wrote:
    > : > [old SSH_ASKPASS proposals:]
    > : > > http://marc.info/?l=openssh-unix-dev...1620227593&w=2
    > : > > https://bugzilla.mindrot.org/show_bug.cgi?id=69
    > : >
    > : > I think we should do something like this, but I remember having some
    > : > issues with the user-interface.
    > :
    > : I don't like having new environment variables like
    > : WHEN_TO_USE_SSH_ASKPASS="always" or ALWAYS_USE_SSH_ASKPASS="yes" or
    > : any other variations on this theme. I'd prefer to see ssh simply use
    > : SSH_ASKPASS all the time regardless of whether or not there's a DISPLAY
    > : or a tty. If the user wants conditional behaviour, they can set
    > : SSH_ASKPASS to point to a script that does whatever tests they like when
    > : it is invoked, or they can use a script to conditionally set SSH_ASKPASS
    > : to different values before they invoke ssh.
    > :
    > : Alternatively, you could put all the complex policy like "use
    > : SSH_ASKPASS if foo and not bar" into the configuration file, and let
    > : SSH_ASKPASS continue to be the only environment variable related to
    > : this issue. The main thing is that I want no more than one environment
    > : variable for this.
    >
    > Disclaimer: I'm the creator of x11-ssh-askpass.
    >
    > I believe the best way to handle this is with an ssh_config file option
    > (which can then also be used on the command line). ssh-add(1) and
    > ssh-agent(1) also use SSH_ASKPASS and should use a command-line option,
    > since they don't read ssh_config files.
    >
    > This allows for the greatest combination of flexibility and backward
    > compatibility. For example:
    >
    > ssh -oUseSshAskpass=auto
    > ssh -oUseSshAskpass=yes
    > ssh -oUseSshAskpass=no
    >
    > "auto": the current method, and the default.
    >
    > "yes": ignore the presence or absence of a controlling terminal
    > and a DISPLAY variable, and just use SSH_ASKPASS if it's set.
    >
    > "no": ignore SSH_ASKPASS; always prompt the terminal for a
    > passphrase or confirmation (if no terminal, fail?).
    >
    To me the above makes no sense at a glance. I'd rather see
    "UseSshAskpassWithoutX11 {Yes/No}" or something that clearly defines,
    when using SSH_ASKPASS, what behavior one is to expect from it.

    The only advantage yours provides is if someone wants to disable it,
    period, regardless of DISPLAY= and SSH_ASKPASS= being set (which

    The problem is I can't come up with something that makes good sense at a
    glance. "AUTO" to me makes no sense. Why would "AUTO" and "YES" (without
    reading a manpage) be different?

    I guess I could see the syntax being "UseAskpass {X11,Yes,No}".. I hate
    pinning stuff to X because that may not be the case for Windows or Mac.
    However, seeing our use of it all over the ssh_config, it makes it
    consistent.

    Besides that, the rest of the proposal is fine by me.


    BTW.. Thinking through this.. Had we been discussing implementing this
    today as a new feature, I'd be arguing that it would be the SSH_ASKPASS
    program's job to care whether DISPLAY= was set, but legacy issues trump
    this choice these days.

    - Ben


  3. Re: SSH Command Line Password Support

    On Thu, 28 Aug 2008, Jim Knoble wrote:
    > : > [old SSH_ASKPASS proposals:]
    > : > > http://marc.info/?l=openssh-unix-dev...1620227593&w=2
    > : > > https://bugzilla.mindrot.org/show_bug.cgi?id=69
    >
    > I believe the best way to handle this is with an ssh_config file option
    > (which can then also be used on the command line). ssh-add(1) and
    > ssh-agent(1) also use SSH_ASKPASS and should use a command-line option,
    > since they don't read ssh_config files.
    Having to use command line options for ssh-add and ssh-agent may be
    inconvenient in some environments.

    It occurs to me that the policy on when to use SSH_ASKPASS
    could also be embedded in the variable itself, like this:

    SSH_ASKPASS="/path/to/script" # like today
    SSH_ASKPASS="always:/path/to/script" # use it regardless of DISPLAY or tty

    --apb (Alan Barrett)


  4. Re: SSH Command Line Password Support

    [This comment also appears as
    https://bugzilla.mindrot.org/show_bug.cgi?id=69#c13 .]

    Circa 2008-08-29 10:22 dixit Alan Barrett:

    : Having to use command line options for ssh-add and ssh-agent may be
    : inconvenient in some environments.
    :
    : It occurs to me that the policy on when to use SSH_ASKPASS
    : could also be embedded in the variable itself, like this:
    :
    : SSH_ASKPASS="/path/to/script" # like today
    : SSH_ASKPASS="always:/path/to/script" # use it regardless of DISPLAY or tty

    Alan's proposal is a much more elegant solution than the one I proposed.
    In case it's not obvious, there are 3 possible states:

    (1) Current behavior (depends on whether DISPLAY is set and there is a
    controlling tty):

    SSH_ASKPASS="/path/to/file"

    (2) Always use SSH_ASKPASS, ignoring whether DISPLAY is set and whether
    a controlling tty exists:

    SSH_ASKPASS="always:/path/to/file"

    (3) Always prompt on the tty, unless there isn't one, in which case,
    fail if a passphrase or confirmation is required:

    SSH_ASKPASS="", or
    (SSH_ASKPASS is unset, i.e., not present in environment)

    The third state is not explicit in Alan's comment. States (1) and (3)
    are both current behavior, thus they are completely backward compatible
    with current implementations. State (2) requires command-line options
    for ssh-add or ssh-agent.

    Nice work, Alan.

    --
    jim knoble | jmknoble@pobox.com | http://www.pobox.com/~jmknoble/
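
    The three SSH_ASKPASS states enumerated above, as an added example in C
    that is not part of the thread and not OpenSSH's own code (the function
    and type names are hypothetical; `display_set` and `have_tty` stand in for
    `getenv("DISPLAY")` and a controlling-tty check so the policy can be
    exercised without a terminal):

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum askpass_action { ASKPASS_RUN, ASKPASS_TTY, ASKPASS_FAIL };
struct askpass_decision {
    enum askpass_action action;
    const char *program;   /* program to run when action == ASKPASS_RUN */
};
/* Added example, not OpenSSH code. The three states from the thread:
 *   (1) SSH_ASKPASS="/path"        -> askpass only if DISPLAY is set and no tty
 *   (2) SSH_ASKPASS="always:/path" -> askpass regardless of DISPLAY or tty
 *   (3) SSH_ASKPASS unset or ""    -> prompt on the tty; fail if there is none
 * display_set / have_tty stand in for getenv("DISPLAY") and a tty check. */
struct askpass_decision
decide_askpass(const char *ssh_askpass, int display_set, int have_tty)
{
    static const char prefix[] = "always:";
    struct askpass_decision d = { ASKPASS_FAIL, NULL };
    if (ssh_askpass == NULL || *ssh_askpass == '\0') {           /* state (3) */
        d.action = have_tty ? ASKPASS_TTY : ASKPASS_FAIL;
        return d;
    }
    if (strncmp(ssh_askpass, prefix, sizeof(prefix) - 1) == 0) { /* state (2) */
        const char *path = ssh_askpass + (sizeof(prefix) - 1);
        if (*path == '\0')   /* "always:" with no program: refuse, don't guess */
            return d;
        d.action = ASKPASS_RUN;
        d.program = path;
        return d;
    }
    if (!have_tty && display_set) {                               /* state (1) */
        d.action = ASKPASS_RUN;
        d.program = ssh_askpass;
        return d;
    }
    d.action = have_tty ? ASKPASS_TTY : ASKPASS_FAIL;
    return d;
}

/* Stand-alone demo: evaluate the policy for the current environment. */
int main(void)
{
    static const char *names[] = { "run askpass", "prompt on tty", "fail" };
    struct askpass_decision d = decide_askpass(getenv("SSH_ASKPASS"),
        getenv("DISPLAY") != NULL, isatty(STDIN_FILENO));
    printf("%s %s\n", names[d.action], d.program ? d.program : "");
    return 0;
}
```

    OpenSSH later shipped the same idea as a separate SSH_ASKPASS_REQUIRE
    variable (values force, prefer, never; since 8.4) rather than as a
    prefix inside SSH_ASKPASS, so the "always:" syntax above remains the
    thread's proposal, not released behaviour.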


  5. Re: SSH Command Line Password Support

    Hi,

    On Fri, Aug 29, 2008 at 03:11:14PM -0400, Jim Knoble wrote:
    > (2) Always use SSH_ASKPASS, ignoring whether DISPLAY is set and whether
    > a controlling tty exists:
    >
    > SSH_ASKPASS="always:/path/to/file"
    Seconded. I find this elegant and would love to see it :-)

    (As of now, I'm travelling too much at impractical night times to be
    able to code much - if nobody else volunteers before mid September, I
    might give it a go. Shouldn't be so hard, actually.)

    gert
    --
    USENET is *not* the non-clickable part of WWW!
    //www.muc.de/~gert/
    Gert Doering - Munich, Germany gert@greenie.muc.de
    fax: +49-89-35655025 gert@net.informatik.tu-muenchen.de


  6. Re: SSH Command Line Password Support

    Circa 2008-08-29 15:11 dixit Jim Knoble:

    : (2) Always use SSH_ASKPASS, ignoring whether DISPLAY is set and whether
    : a controlling tty exists:
    :
    : SSH_ASKPASS="always:/path/to/file"

    [...]

    : State (2) requires command-line options
    : for ssh-add or ssh-agent.

    That should be, "requires NO command-line options for ssh-add or
    ssh-agent".

    --
    jim knoble | jmknoble@pobox.com | http://www.pobox.com/~jmknoble/

