openssh bugs - Aug 2008 - [Bug 69] Generalize SSH_ASKPASS

https://bugzilla.mindrot.org/show_bug.cgi?id=69


Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
              Alias|                            |generalised-askpass




-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=69


rumen <openssh at roumenpetrov.info> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |openssh at roumenpetrov.info




--- Comment #9 from rumen <openssh at roumenpetrov.info>  2008-08-30
02:34:35 ---
The problem with "Command Line Password Support" is discussed again in
the mail list and in this thread
"http://marc.info/?l=openssh-unix-dev&m=122002002422109&w=2"
is
reported that password authentication never work with proposed
workaround : to set DISPLAY and SSK_ASSPASS environment variables. Also
this impact batch sftp transfers too.

If public key authentication is allowed the known work-around is to add
key to agent and to use it. This is because ssh-add call
read_passphrase(...) with RP_ALLOW_STDIN flag set and if stdin is not
tty SSK_ASSPASS program is called.

For the password authentication and other since read_passphrase(...) is
called without any flags set the work-around is to disable temporary
read or write access to /dev/tty. In this case function will try to use
SSK_ASSPASS program.

Instead to use application command line arguments or environment
variables as flag what about variable SSK_ASSPASS_ALWAYS with same
meaning as SSK_ASSPASS. May I propose following modification to
funnction read_passphrase :
...
rppflags = (flags & RP_ECHO) ? RPP_ECHO_ON : RPP_ECHO_OFF;
if (askpass = getenv("SSK_ASSPASS_ALWAYS")) /*new line*/
   use_askpass = 1;                         /*new line*/
else if (flags & RP_USE_ASKPASS)            /*modified line*/
...
if (use_askpass && (askpass || getenv("DISPLAY"))) { 
/*modified line*/
    if (!askpass)                                     /*new line*/
    if (getenv(SSH_ASKPASS_ENV))
....
At moment I don't have time to prepare patch and to test. May be next
week.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=69


Jim Knoble <jmknoble at pobox.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jmknoble at pobox.com




--- Comment #10 from Jim Knoble <jmknoble at pobox.com>  2008-08-30
04:40:20 ---
Date: Thu, 28 Aug 2008 15:08:18 -0400
From: Jim Knoble <jmknoble at pobox.com>
To: openssh-unix-dev at mindrot.org
Subject: Re: SSH Command Line Password Support
Message-ID: <20080828190818.GB13711 at crawfish.ais.com>
Mail-Followup-To: openssh-unix-dev at mindrot.org
References: <876324.11513.qm at web30706.mail.mud.yahoo.com>
 <867ia2963m.fsf at ds4.des.no>
 <alpine.BSO.1.10.0808271359360.14747 at fuyu.mindrot.org>
 <slrngbahdp.c3c.janfrode at lc4eb5760521341.ibm.com>
 <87y72itrl7.fsf at squeak.fifthhorseman.net>
 <20080827185507.GD233 at greenie.muc.de>
 <87iqtmkusk.fsf at squeak.fifthhorseman.net>
 <alpine.BSO.1.10.0808280155290.3864 at fuyu.mindrot.org>
 <20080828083820.GC2874 at apb-laptoy.apb.alt.za>
In-Reply-To: <20080828083820.GC2874 at apb-laptoy.apb.alt.za>

Circa 2008-08-28 04:38 dixit Alan Barrett:

: On Thu, 28 Aug 2008, Damien Miller wrote:
: > [old SSH_ASKPASS proposals:]
: > >  http://marc.info/?l=openssh-unix-dev&m=116921620227593&w=2
: > >  https://bugzilla.mindrot.org/show_bug.cgi?id=69
: > 
: > I think we should do something like this, but I remember having
some
: > issues with the user-interface.
: 
: I don't like having new environment variables like
: WHEN_TO_USE_SSH_ASKPASS="always" or
ALWAYS_USE_SSH_ASKPASS="yes" or
: any other variations on this theme.  I'd prefer to see ssh simply use
: SSH_ASKPASS all the time regardless of whether or not there's a
DISPLAY
: or a tty.  If the user wants conditional behaviour, they can set
: SSH_ASKPASS to point to a script that does whatever tests they like
when
: it is invoked, or they can use a script to conditionally set
SSH_ASKPASS
: to different values before they invoke ssh.
: 
: Alternatively, you could put all the complex policy like "use
: SSH_ASKPASS if foo and not bar" into the configuration file, and let
: SSH_ASKPASS continue to be the only environment variable related to
: this issue.  The main thing is that I want no more than one
environment
: variable for this.

Disclaimer:  I'm the creator of x11-ssh-askpass
<http://www.jmknoble.net/software/x11-ssh-askpass/>.

I believe the best way to handle this is with an ssh_config file option
(which can then also be used on the command line).  ssh-add(1) and
ssh-agent(1) also use SSH_ASKPASS and should use a command-line option,
since they don't read ssh_config files.

This allows for the greatest combination of flexibility and backward
compatibility.  For example:

    ssh -oUseSshAskpass=auto
    ssh -oUseSshAskpass=yes
    ssh -oUseSshAskpass=no

    "auto": the current method, and the default.

    "yes": ignore the presence or absence of a controlling terminal
    and a DISPLAY variable, and just use SSH_ASKPASS if it's set.

    "no": ignore SSH_ASKPASS; always prompt the terminal for a
    passphrase or confirmation (if no terminal, fail?).

    "ssh-agent"    => UseSshAskpass=auto
    "ssh-agent -p" => UseSshAskpass=yes
    "ssh-agent -P" => UseSshAskpass=no

    "ssh-add"      => UseSshAskpass=auto
    "ssh-add -p"   => UseSshAskpass=yes
    "ssh-add -P"   => UseSshAskpass=no

Folks who expect the current way of doing things don't have to change
anything.  Folks who want something different can use the command-line
or ssh_config options.  Folks who want something fancy can use
"UseSshAskpass=yes", create wrapper scripts for ssh-add(1) and
ssh-agent(1), and set SSH_ASKPASS to a script which determines what to
do, as Alan Barrett suggests.  

Comments?

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=69





--- Comment #11 from Jim Knoble <jmknoble at pobox.com>  2008-08-30
04:45:46 ---
Date: Fri, 29 Aug 2008 16:22:39 +0200
From: Alan Barrett <apb at cequrux.com>
To: openssh-unix-dev at mindrot.org
Subject: Re: SSH Command Line Password Support
Message-ID: <20080829142239.GA13113 at apb-laptoy.apb.alt.za>
References: <876324.11513.qm at web30706.mail.mud.yahoo.com>
 <867ia2963m.fsf at ds4.des.no>
 <alpine.BSO.1.10.0808271359360.14747 at fuyu.mindrot.org>
 <slrngbahdp.c3c.janfrode at lc4eb5760521341.ibm.com>
 <87y72itrl7.fsf at squeak.fifthhorseman.net>
 <20080827185507.GD233 at greenie.muc.de>
 <87iqtmkusk.fsf at squeak.fifthhorseman.net>
 <alpine.BSO.1.10.0808280155290.3864 at fuyu.mindrot.org>
 <20080828083820.GC2874 at apb-laptoy.apb.alt.za>
 <20080828190818.GB13711 at crawfish.ais.com>
In-Reply-To: <20080828190818.GB13711 at crawfish.ais.com>

On Thu, 28 Aug 2008, Jim Knoble wrote:
> : > [old SSH_ASKPASS proposals:]
> : > > 
http://marc.info/?l=openssh-unix-dev&m=116921620227593&w=2
> : > >  https://bugzilla.mindrot.org/show_bug.cgi?id=69
> 
> I believe the best way to handle this is with an ssh_config file option
> (which can then also be used on the command line).  ssh-add(1) and
> ssh-agent(1) also use SSH_ASKPASS and should use a command-line option,
> since they don't read ssh_config files.
Having to use command line options for ssh-add and ssh-agent may be
inconvenient in some environments.

It occurs to me that the policy on when to use SSH_ASKPASS
could also be embedded in the variable itself, like this:

  SSH_ASKPASS="/path/to/script"        # like today
  SSH_ASKPASS="always:/path/to/script" # use it regardless of DISPLAY
or tty

--apb (Alan Barrett)

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=69





--- Comment #12 from Jim Knoble <jmknoble at pobox.com>  2008-08-30
04:48:28 ---
Date: Thu, 28 Aug 2008 15:24:22 -0500 (CDT)
From: Ben Lindstrom <mouring at eviladmin.org>
To: openssh-unix-dev at mindrot.org
Subject: Re: SSH Command Line Password Support
In-Reply-To: <20080828190818.GB13711 at crawfish.ais.com>
Message-ID: <alpine.BSO.1.00.0808281458000.5006 at miyako.eviladmin.org>
References: <876324.11513.qm at web30706.mail.mud.yahoo.com>
 <867ia2963m.fsf at ds4.des.no>
 <alpine.BSO.1.10.0808271359360.14747 at fuyu.mindrot.org>
 <slrngbahdp.c3c.janfrode at lc4eb5760521341.ibm.com>
 <87y72itrl7.fsf at squeak.fifthhorseman.net>
 <20080827185507.GD233 at greenie.muc.de>
 <87iqtmkusk.fsf at squeak.fifthhorseman.net>
 <alpine.BSO.1.10.0808280155290.3864 at fuyu.mindrot.org>
 <20080828083820.GC2874 at apb-laptoy.apb.alt.za>
 <20080828190818.GB13711 at crawfish.ais.com>

On Thu, 28 Aug 2008, Jim Knoble wrote:
> Circa 2008-08-28 04:38 dixit Alan Barrett:
>
> : On Thu, 28 Aug 2008, Damien Miller wrote:
> : > [old SSH_ASKPASS proposals:]
> : > > 
http://marc.info/?l=openssh-unix-dev&m=116921620227593&w=2
> : > >  https://bugzilla.mindrot.org/show_bug.cgi?id=69
> : >
> : > I think we should do something like this, but I remember having some
> : > issues with the user-interface.
> :
> : I don't like having new environment variables like
> : WHEN_TO_USE_SSH_ASKPASS="always" or
ALWAYS_USE_SSH_ASKPASS="yes" or
> : any other variations on this theme.  I'd prefer to see ssh simply use
> : SSH_ASKPASS all the time regardless of whether or not there's a
DISPLAY
> : or a tty.  If the user wants conditional behaviour, they can set
> : SSH_ASKPASS to point to a script that does whatever tests they like when
> : it is invoked, or they can use a script to conditionally set SSH_ASKPASS
> : to different values before they invoke ssh.
> :
> : Alternatively, you could put all the complex policy like "use
> : SSH_ASKPASS if foo and not bar" into the configuration file, and let
> : SSH_ASKPASS continue to be the only environment variable related to
> : this issue.  The main thing is that I want no more than one environment
> : variable for this.
>
> Disclaimer:  I'm the creator of x11-ssh-askpass
> <http://www.jmknoble.net/software/x11-ssh-askpass/>.
>
> I believe the best way to handle this is with an ssh_config file option
> (which can then also be used on the command line).  ssh-add(1) and
> ssh-agent(1) also use SSH_ASKPASS and should use a command-line option,
> since they don't read ssh_config files.
>
> This allows for the greatest combination of flexibility and backward
> compatibility.  For example:
>
>    ssh -oUseSshAskpass=auto
>    ssh -oUseSshAskpass=yes
>    ssh -oUseSshAskpass=no
>
>    "auto": the current method, and the default.
>
>    "yes": ignore the presence or absence of a controlling
terminal
>    and a DISPLAY variable, and just use SSH_ASKPASS if it's set.
>
>    "no": ignore SSH_ASKPASS; always prompt the terminal for a
>    passphrase or confirmation (if no terminal, fail?).
>
To me the above makes no sense at a glance.  I'd rather see 
"UseSshAskpassWithoutX11 {Yes/No}" or something that clearly defines
that 
when 
using SSH_ASKPASS what the behavior one is to expect from it.

Only advantage yours provides is if someone wants to disable it period 
regardless of DISPLAY= and SSH_ASKPASS= being set (which

Problem is I can't come up with something that makes good sense at a 
glance.  "AUTO" to me makes no sense.  Why would "AUTO" and
"YES"
(without 
reading a manpage) be different.

I guess I could see the syntax being "UseAskpass {X11,Yes,No}" .. I
hate 
pinning stuff to X because that may not be the case for Windows or Mac. 
However, seeing our use of it all over the ssh_config it make it 
consistant.

Besides that the rest of the proposal is fine to me.


BTW.. Thinking through this.. Had we been discussing implementing this 
today a new feature I'd be arguing that it would be SSH_ASKPASS
program's 
job to care if DISPLAY= was set, but legacy issue trump this choice
these 
days.

- Ben

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=69





--- Comment #13 from Jim Knoble <jmknoble at pobox.com>  2008-08-30
05:06:57 ---
Alan Barrett's comment in #11 is a much more elegant solution than the
one i proposed.  In case it's not obvious, there are 3 possible states:

(1) Current behavior (depends on whether DISPLAY is set and there is a
controlling tty):

    SSH_ASKPASS="/path/to/file"

(2) Always use SSH_ASKPASS, ignoring whether DISPLAY is set and whether
a controlling tty exists:

    SSH_ASKPASS="always:/path/to/file"

(3) Always prompt on the tty, unless there isn't one, in which case,
fail if a passphrase or confirmation is required:

    SSH_ASKPASS="", or
    (SSH_ASKPASS is unset, i.e., not present in environment)

The third state is not explicit in Alan's comment.  States (1) and (3)
are both current behavior, thus they are completely backward compatible
with current implementations.  State (2) requires command-line options
for ssh-add or ssh-agent.

Nice work, Alan.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=69





--- Comment #14 from Jim Knoble <jmknoble at pobox.com>  2008-09-03
04:46:41 ---
Jim Knoble wrote:

--------------------
(2) Always use SSH_ASKPASS, ignoring whether DISPLAY is set and whether
a controlling tty exists:

    SSH_ASKPASS="always:/path/to/file"

[...] State (2) requires command-line options for ssh-add or ssh-agent.
--------------------

That should read, "requires NO command-line options for ssh-add or
ssh-agent".

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=69





--- Comment #15 from Roumen Petrov <openssh at roumenpetrov.info> 
2008-09-03 07:03:25 ---
I vote for SSH_ASKPASS="always:/path/to/file". May be modification
code
has to be similar to that I propose in #9.

For the current code in a X-terminal "nohup ssh-add .."  (DISPLAY is
set) is enough to get SSH_ASKPASS window.

May be Jim and Damien will update respective ssh-askpass GUI programs
to use tty if DISPLAY is not set ?

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching someone on the CC list of the bug.