openssh unix dev - Jan 2002 - [Bug 81] ssh cannot use ssh-askspass & passphrases as documented

http://bugzilla.mindrot.org/show_bug.cgi?id=81

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME



------- Additional Comments From djm at mindrot.org  2002-01-26 10:07 -------
The suggested change is incorrect. ssh may have stdin redirected from something
else - you do not want to read the passphease from there (e.g. the output of a
pipe). BTW the passphrase reading does work as advertised, it states:
> If ssh needs a passphrase, it will read the passphrase from the
> current terminal if it was run from a terminal.  If ssh does not
> have a terminal associated with it but DISPLAY and SSH_ASKPASS
> are set, it will execute the program specified by SSH_ASKPASS
> ...
just because you have redirected stdin does not mean you have lost your
controlling terminal. You need to call setsid to do that.

You may be interested in the patch on Bug #69 though



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=81

dean.r.smart at mail.sprint.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WORKSFORME                  |



------- Additional Comments From dean.r.smart at mail.sprint.com  2002-01-30
04:31 -------
D. Millers commnents are interesting.

However it seems that they changes that I suggest are required to run scp in a 
nohup'd script, with no executables other that ssh and scp. The use of
setsid
would seem to not apply if one is using shell scripting and shell commands. The 
code change I suggest makes things work and it fails to use ssh-askpass 
without. 

So why is allow stdin used for ssh-add if is so dangerous. My understanding of 
the code, which is very limited, is that this variable allows the passphrase 
stdin to come from the stdout of sss-askpass.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=81

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |INVALID



------- Additional Comments From djm at mindrot.org  2002-01-30 09:02 -------
If you allow from stdin then something like:

nohup sh -c "tar cvf - /home/blah | ssh foo 'gzip -9 >
/home/backup/foo2'"

will attempt to read the passphrase from the output of the tar command. If you
wish to discuss this behaviour further, please use the mailing list and do not
reopen the bug.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.