SSH Command Line Password Support - openssh


  1. SSH Command Line Password Support

    Hello,

    I am interested in an ssh that is not interactive in requesting the password, i.e, whereas I can specify the password in the command line when calling SSH.
    I have wondered how such a feature has not been included in such a good client, as it seems there are many (and I have searched for this) people require this capability for their scripts/automation.
    I understand the possibility of avoiding passwords altogether by generating keys, but such an implementation of password on the command line should not be too difficult.

    sshconnect2.c, for example, prompts for this on line 273. sshconnect1.c also does something similar in the function try_password_authentication(char *prompt)

    Would it be possible for you to include this?
    I would do it myself, however I've had problems compiling openssh.
    If you are willing to help me compile open ssh, I am willing to work on this issue, which I see required for many people.

    Thank you for all your work.





    _______________________________________________
    openssh-unix-dev mailing list
    openssh-unix-dev@mindrot.org
    https://lists.mindrot.org/mailman/li...enssh-unix-dev


  2. Re: SSH Command Line Password Support

    GB writes:
    > I am interested in an ssh that is not interactive in requesting the
    > password, i.e, whereas I can specify the password in the command line
    > when calling SSH.


    ps -fe

    Just use a passphrase-less keypair.

    DES
    --
    Dag-Erling Smørgrav - des@des.no

  3. Re: SSH Command Line Password Support

    While trying to compile openssh (I succeeded in compiling openssl) I get the following after using make:

    gcc -g -O2 -Wall -I/opt/openssl-0.9.8h//include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H** -c -o sshconnect1.o sshconnect1.c
    In file included from sshconnect1.c:21:
    ssh.h:464: warning: conflicting types for built-in function ‘log’
    sshconnect1.c: In function ‘respond_to_rsa_challenge’:
    sshconnect1.c:149: error: ‘MD5_CTX’ undeclared (first use in this function)
    sshconnect1.c:149: error: (Each undeclared identifier is reported only once
    sshconnect1.c:149: error: for each function it appears in.)
    sshconnect1.c:149: error: expected ‘;’ before ‘md’
    sshconnect1.c:164: warning: implicit declaration of function ‘MD5_Init’
    sshconnect1.c:164: error: ‘md’ undeclared (first use in this function)
    sshconnect1.c:165: warning: implicit declaration of function ‘MD5_Update’
    sshconnect1.c:167: warning: implicit declaration of function ‘MD5_Final’
    make: *** [sshconnect1.o] Error 1

    Can anyone help me resolve this issue?

    Thank you


    --- On Sat, 8/16/08, Dag-Erling Smørgrav wrote:
    From: Dag-Erling Smørgrav
    Subject: Re: SSH Command Line Password Support
    To: gusgl2001@yahoo.com
    Cc: openssh-unix-dev@mindrot.org
    Date: Saturday, August 16, 2008, 10:04 AM

    GB writes:
    > I am interested in an ssh that is not interactive in requesting the
    > password, i.e, whereas I can specify the password in the command line
    > when calling SSH.


    ps -fe

    Just use a passphrase-less keypair.

    DES
    --
    Dag-Erling Smørgrav - des@des.no






  4. Re: SSH Command Line Password Support

    On Sat, 16 Aug 2008, GB wrote:

    > While trying to compile openssh (I succeeded in compiling openssl) I
    > get the following after using make:


    You aren't making it easy to help. What version of OpenSSH is this? It
    doesn't appear to be 5.1. What operating system? Does your platform lack
    OpenSSL? What configure options did you use?

    -d


  5. Re: SSH Command Line Password Support

    Dear Developers,

    I have successfully implemented the password in the argument line for both ssh and scp.
    I would be more than willing to share my code so that it will become an official part of ssh and scp to satisfy the needs of users out there using scripts and the like.
    I don't consider the code to be the most secure possible, but it took 10 minutes to implement in ssh and 20 on scp, so modifications by you to make it compliant would be minimal.

    Thank you

    --- On Sun, 8/17/08, Damien Miller wrote:
    From: Damien Miller
    Subject: Re: SSH Command Line Password Support
    To: "GB"
    Cc: "Dag-Erling Smørgrav" , openssh-unix-dev@mindrot.org
    Date: Sunday, August 17, 2008, 5:18 AM

    On Sat, 16 Aug 2008, GB wrote:

    > While trying to compile openssh (I succeeded in compiling openssl) I
    > get the following after using make:


    You aren't making it easy to help. What version of OpenSSH is this? It
    doesn't appear to be 5.1. What operating system? Does your platform lack
    OpenSSL? What configure options did you use?

    -d






  6. Re: SSH Command Line Password Support

    On Sat 2008-08-16 10:04:35 -0400, Dag-Erling Smørgrav wrote:

    > GB writes:
    >> I am interested in an ssh that is not interactive in requesting the
    >> password, i.e, whereas I can specify the password in the command line
    >> when calling SSH.

    >
    > ps -fe
    >
    > Just use a passphrase-less keypair.


    On Tue 2008-08-26 16:12:18 -0400, GB wrote:

    > I have successfully implemented the password in the argument line
    > for both ssh and scp.
    >
    > I would be more than willing to share my code so that it will become
    > an official part of ssh and scp to satisfy the needs of users out
    > there using scripts and the like.
    >
    > I don't consider the code to be the most secure possible, but it
    > took 10 minutes to implement in ssh and 20 on scp, so modifications
    > by you to make it compliant would be minimal.


    What Dag-Erling was pointing out above is that the command line
    arguments of any process are visible to all users on most UNIX-style
    systems simply by using the "ps" command.

    This means that anything you put on the command line is not secure,
    and it would be a mistake for OpenSSH to encourage this behavior in
    its users.

    Dag-Erling also offered you another technique to achieve your stated
    goal of "the needs of users out there using scripts", which is to use
    a passphrase-less keypair for scripted connections. You might want to
    read Brian Hatch's "SSH User Identities" [0], and Matt Taggart's "Good
    practices for using SSH" [1].

    I'm afraid it would be ill-advised for OpenSSH to adopt your proposed
    patch, since better, more secure options already exist.

    Regards,

    --dkg

    [0] http://www.securityfocus.com/infocus/1810
    [1] http://lackof.org/taggart/hacking/ssh/


  7. Re: SSH Command Line Password Support

    Daniel Kahn Gillmor wrote:

    [ why passwords on command lines are evil ]

    > Dag-Erling also offered you another technique to achieve your stated
    > goal of "the needs of users out there using scripts", which is to use
    > a passphrase-less keypair for scripted connections. You might want to
    > read Brian Hatch's "SSH User Identities" [0], and Matt Taggart's "Good
    > practices for using SSH" [1].


    Or, if you must use a password, use the ssh-askpass interface that
    already exists. Why write a different and insecure one?

    --
    Carson


  8. Re: SSH Command Line Password Support

    On Wed, 27 Aug 2008, Dag-Erling Smørgrav wrote:

    > GB writes:
    >> I have successfully implemented the password in the argument line for
    >> both ssh and scp.
    >
    > Firstly, it's not a -portable issue. The patch should go upstream (to
    > OpenBSD), if anywhere.
    >
    > Secondly, I can tell you already that they will not accept it. It's a
    > very, very bad idea. Just use passphrase-less keys.


    The upstream developers mostly read this list, so anything posted here
    will be considered for both versions (likewise bugzilla, which has the
    added advantage of remembering patches more clearly).

    That being said, there is no way we will add an option like this.
    OpenSSH already has a perfectly good way of "handsfree" authentication
    in the form of public keys. Furthermore, passwords-on-commandlines are
    trivially observable by other users on a shared system and have been
    rightly considered insecure since forever.

    If you are thinking that such a hack is okay for your system because
    it is not shared with other users, then consider that any attacker who
    breaks into a low privilege account now has a perfect opportunity to
    steal a password to a different host.

    -d



  9. Re: SSH Command Line Password Support

    GB writes:
    > I have successfully implemented the password in the argument line for
    > both ssh and scp.


    Firstly, it's not a -portable issue. The patch should go upstream (to
    OpenBSD), if anywhere.

    Secondly, I can tell you already that they will not accept it. It's a
    very, very bad idea. Just use passphrase-less keys.

    DES
    --
    Dag-Erling Smørgrav - des@des.no

  10. Re: SSH Command Line Password Support

    On 2008-08-27, djm@mindrot.org wrote:
    >
    > That being said, there is no way we will add an option like this.
    > OpenSSH already has a perfectly good way of "handsfree" authentication
    > in the form of public keys. Furthermore, passwords-on-commandlines are
    > trivially observable by other users on a shared system and have been
    > rightly considered insecure since forever.


    Unfortunately not every client can dictate how he's allowed
    to authenticate towards an external server. We need to push
    some data from a non-shared system to a Windows (free-sshd?)
    sftp server daily, and the admins there for some reason only
    allow password-based authentication.

    What would your answer be if you were in this situation?
    Say "no, this is impossible", or hack around it with expect?



    > If you are thinking that such a hack is okay for your system because
    > it is not shared with other users, then consider that any attacker who
    > breaks into a low privilege account now has a perfect opportunity to
    > steal a password to a different host.


    I'd love to use rsa-keys if they would let me. Now they won't,
    and the lack of a client side --password option forces me to use an ugly
    expect script, which is not very easy to have handle error conditions.



    -jf



  11. Re: SSH Command Line Password Support

    Jan-Frode Myklebust wrote:
    > the admins there for some reason only allow password-based
    > authentication.
    >
    > What would your answer be if you were in this situation ?
    > Say "no, this is impossible", or hack around it with expect?


    expect works.

    The SSH_ASKPASS environment variable is another, perhaps more
    reliable, alternative.


    //Peter


  12. Re: SSH Command Line Password Support


  13. Re: SSH Command Line Password Support

    On Wed, 27 Aug 2008, Daniel Kahn Gillmor wrote:

    > I agree that this would be a useful feature. It seems that it was
    > proposed back in January of 2007, but nothing came of it:
    >
    > http://marc.info/?l=openssh-unix-dev...1620227593&w=2
    >
    > and years before that, it's bugzilla #69:
    >
    > https://bugzilla.mindrot.org/show_bug.cgi?id=69
    >
    > which actually contains a couple of patches, but is still in the NEW
    > state.
    >
    > Any takers on bringing one of those patches up-to-date with 5.1p1?
    > Any objections to the idea itself?


    I think we should do something like this, but I remember having some
    issues with the user-interface.

    -d


  14. Re: SSH Command Line Password Support

    Hi,

    On Wed, Aug 27, 2008 at 11:17:40AM -0400, Daniel Kahn Gillmor wrote:
    > Note that you want to make sure that ssh is not connected to a tty in
    > this case, or else it will try to ask for the password from the tty
    > anyway. For scripts run from cronjobs, that shouldn't be a problem,
    > but testing them from your own shell might be confusing. Jim Knoble
    > pointed out the possible use of setsid(1) for this very purpose a few
    > days ago on this list.


    Now *that* is actually something I would find extremely useful - tell
    SSH "do not prompt for anything, use SSH_ASKPASS or fail silently" without
    having to mess around with process groups and controlling ttys, which is
    very very very much non-portable. I need to do stuff on AIX, Solaris,
    BSD, and Linux, and there is no single way that works on all those to
    get rid of your controlling tty... :-(

    gert


    --
    USENET is *not* the non-clickable part of WWW!
    //www.muc.de/~gert/
    Gert Doering - Munich, Germany gert@greenie.muc.de
    fax: +49-89-35655025 gert@net.informatik.tu-muenchen.de
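
The SSH_ASKPASS route suggested in this thread, together with the no-tty caveat quoted in the post above, written out as an added example that is not part of any poster's message or of OpenSSH. The variable SSH_PASSWORD_FILE, the helper path and the function names are constructed for illustration; the password is read from an owner-only file and never appears in any process's argument list.

```shell
#!/bin/sh
# Added example. SSH_PASSWORD_FILE and the helper path are constructed names.

# Write an askpass helper to $1. ssh executes it with the prompt text as its
# first argument and reads the reply from the helper's stdout.
write_askpass_helper() {
    cat > "$1" <<'EOF'
#!/bin/sh
file=${SSH_PASSWORD_FILE:?SSH_PASSWORD_FILE is not set}
# Answer password prompts only. The same interface carries host-key
# confirmations and key passphrase prompts, which must not get the password.
case $1 in
    *[Pp]assword*) ;;
    *) echo "askpass: refusing prompt: $1" >&2; exit 1 ;;
esac
[ -f "$file" ] || { echo "askpass: missing $file" >&2; exit 1; }
# Characters 5-10 of the ls mode string are the group and other bits.
if [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
    echo "askpass: $file is accessible beyond its owner" >&2
    exit 1
fi
# The first line of the file is the password; an empty file is an error.
IFS= read -r secret < "$file"
[ -n "$secret" ] || { echo "askpass: $file is empty" >&2; exit 1; }
printf '%s\n' "$secret"
EOF
    chmod 700 "$1"
}

# Run ssh so that it asks the helper instead of a terminal. Usage:
#   ssh_with_askpass HELPER PASSWORD_FILE [ssh arguments...]
ssh_with_askpass() {
    helper=$1 pwfile=$2
    shift 2
    # setsid(1) drops the controlling tty where it exists; it is not portable.
    # From an interactive shell, util-linux setsid forks and needs -w to wait.
    detach=
    command -v setsid >/dev/null 2>&1 && detach=setsid
    # Older ssh consults SSH_ASKPASS only when DISPLAY is set and there is no
    # tty. SSH_ASKPASS_REQUIRE=force is honoured by later OpenSSH releases
    # and ignored by older ones.
    env SSH_ASKPASS="$helper" SSH_PASSWORD_FILE="$pwfile" \
        DISPLAY="${DISPLAY:-none}" SSH_ASKPASS_REQUIRE=force \
        $detach ssh -o PreferredAuthentications=password \
                    -o NumberOfPasswordPrompts=1 \
                    -o ForwardX11=no "$@" </dev/null
}

# Typical use from a cron job (paths and host are placeholders):
#   write_askpass_helper "$HOME/bin/askpass-file"
#   ssh_with_askpass "$HOME/bin/askpass-file" "$HOME/.ssh/remote.pw" user@host uptime
```
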


  15. Re: SSH Command Line Password Support

    On 2008-08-27, Daniel Kahn Gillmor wrote:

    > As Carson Gaspar pointed out elsewhere in this thread, the ssh-askpass
    > functionality is already present, and could be scripted.


    SSH_ASKPASS doesn't work together with "sftp -b batchfile", so
    expect seems to be the only way to do automated password-based
    sftp..


    -jf



  16. Re: SSH Command Line Password Support


  17. Re: SSH Command Line Password Support

    Daniel Kahn Gillmor wrote:
    > Any objections to the idea itself?


    I like it.


    //Peter



  18. Re: SSH Command Line Password Support

    On Thu, 28 Aug 2008, Damien Miller wrote:
    > [old SSH_ASKPASS proposals:]
    > > http://marc.info/?l=openssh-unix-dev...1620227593&w=2
    > > https://bugzilla.mindrot.org/show_bug.cgi?id=69

    >
    > I think we should do something like this, but I remember having some
    > issues with the user-interface.


    I don't like having new environment variables like
    WHEN_TO_USE_SSH_ASKPASS="always" or ALWAYS_USE_SSH_ASKPASS="yes" or
    any other variations on this theme. I'd prefer to see ssh simply use
    SSH_ASKPASS all the time regardless of whether or not there's a DISPLAY
    or a tty. If the user wants conditional behaviour, they can set
    SSH_ASKPASS to point to a script that does whatever tests they like when
    it is invoked, or they can use a script to conditionally set SSH_ASKPASS
    to different values before they invoke ssh.

    Alternatively, you could put all the complex policy like "use
    SSH_ASKPASS if foo and not bar" into the configuration file, and let
    SSH_ASKPASS continue to be the only environment variable related to
    this issue. The main thing is that I want no more than one environment
    variable for this.

    --apb (Alan Barrett)


  19. Re: SSH Command Line Password Support

    On Thu, 28 Aug 2008, Jim Knoble wrote:

    > Disclaimer: I'm the creator of x11-ssh-askpass.
    >
    > I believe the best way to handle this is with an ssh_config file option
    > (which can then also be used on the command line). ssh-add(1) and
    > ssh-agent(1) also use SSH_ASKPASS and should use a command-line option,
    > since they don't read ssh_config files.
    >
    > This allows for the greatest combination of flexibility and backward
    > compatibility. For example:
    >
    > ssh -oUseSshAskpass=auto
    > ssh -oUseSshAskpass=yes
    > ssh -oUseSshAskpass=no
    >
    > "auto": the current method, and the default.
    >
    > "yes": ignore the presence or absence of a controlling terminal
    > and a DISPLAY variable, and just use SSH_ASKPASS if it's set.
    >
    > "no": ignore SSH_ASKPASS; always prompt the terminal for a
    > passphrase or confirmation (if no terminal, fail?).
    >
    > "ssh-agent" => UseSshAskpass=auto
    > "ssh-agent -p" => UseSshAskpass=yes
    > "ssh-agent -P" => UseSshAskpass=no
    >
    > "ssh-add" => UseSshAskpass=auto
    > "ssh-add -p" => UseSshAskpass=yes
    > "ssh-add -P" => UseSshAskpass=no
    >
    > Folks who expect the current way of doing things don't have to change
    > anything. Folks who want something different can use the command-line
    > or ssh_config options. Folks who want something fancy can use
    > "UseSshAskpass=yes", create wrapper scripts for ssh-add(1) and
    > ssh-agent(1), and set SSH_ASKPASS to a script which determines what to
    > do, as Alan Barrett suggests.


    Could you please attach this to
    https://bugzilla.mindrot.org/b/generalised-askpass ?

    I think it might need a little more specification of what each option does
    under various circumstances (tty/no-tty, DISPLAY/no-DISPLAY, etc.), but
    it is already a lot more likeable than the suggestions already there.

    Thanks,
    Damien


  20. Re: SSH Command Line Password Support

    Alan Barrett wrote:
    > On Thu, 28 Aug 2008, Damien Miller wrote:
    >> [old SSH_ASKPASS proposals:]
    >>> http://marc.info/?l=openssh-unix-dev...1620227593&w=2
    >>> https://bugzilla.mindrot.org/show_bug.cgi?id=69

    >> I think we should do something like this, but I remember having some
    >> issues with the user-interface.

    >
    > I don't like having new environment variables like
    > WHEN_TO_USE_SSH_ASKPASS="always" or ALWAYS_USE_SSH_ASKPASS="yes" or
    > any other variations on this theme. I'd prefer to see ssh simply use
    > SSH_ASKPASS all the time regardless of whether or not there's a DISPLAY
    > or a tty. If the user wants conditional behaviour, they can set
    > SSH_ASKPASS to point to a script that does whatever tests they like when
    > it is invoked, or they can use a script to conditionally set SSH_ASKPASS
    > to different values before they invoke ssh.
    >
    > Alternatively, you could put all the complex policy like "use
    > SSH_ASKPASS if foo and not bar" into the configuration file, and let
    > SSH_ASKPASS continue to be the only environment variable related to
    > this issue. The main thing is that I want no more than one environment
    > variable for this.
    >
    > --apb (Alan Barrett)


    Sounds good if environment variable SSH_ASKPASS is empty or a value like
    default, tty, internal, none to be used password prompt from ssh
    otherwise client(ssh) to try to get password from specified program.

    Roumen

    --
    Get X.509 certificates support in OpenSSH:
    http://roumenpetrov.info/openssh/