search for: read_passphrase

...everity: normal Priority: P2 Component: ssh AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: dean.r.smart at mail.sprint.com When using scp|ssh in nohup|cron|batch in a non interactive mode, sshconnect1.c and sshconnect2.c do not have the ability to call read_passphrase in such a manner to cause ssh-askpass to be utilized as documented in the man pages. The calls are as follows for the released code: # grep 'read_passphrase(' sshconnect[12].c-original sshconnect1.c-original: passphrase = read_passphrase(buf, 0); sshconnect1.c-original: response = read_...

https://bugzilla.mindrot.org/show_bug.cgi?id=2539 Bug ID: 2539 Summary: Add missing sanity check for read_passphrase() in auth-pam.c Product: Portable OpenSSH Version: 7.1p1 Hardware: All OS: All Status: NEW Severity: major Priority: P5 Component: PAM support Assignee: unassigned-bugs at mindrot....

Hi, I'm sorry if this has already come up on the list, I did a quick search of the archive and didn't notice it. I noticed IMHO strange behavior in read_passphrase: If readpassphrase returns NULL and sets errno to ENOTTY, then read_passphrase returns an empty passphrase to the caller instead of error, now what happens with password authentication is that if readpassphrase fails every time then ssh sends 3 empty passwords to the server. Is this the expected...

I would like to use ssh-add to unlock a key with a password provided through a web interface. It seems even though ssh-add calls read_passphrase with RP_ALLOW_STDIN at ssh-add.c:173, stdin is not used as a last resort without a valid terminal or display. Is it an intended behaviour ? And if so, what are the security implications of using popen() to write the password to ssh-add (not using echo password|ssh-add of course). I used this patc...

I tried replacing readpassphrase() for v2.9.9p2 on Sol8 with a different version that just calls getpassphrase(). It appears to solve the echo problem when the user tries to login in interactive mode and needs to change their password. Can anyone else try this with v2.9.9p2 on Solaris? Be sure to add: #define HAVE_GETPASSPHRASE ... to config.h when compiling (since it's not a configurable

...; - return pass; -} - void add_file(AuthenticationConnection *ac, const char *filename) { diff -U 3 -N -r ORIG/openssh-2.2.0p1/ssh.h openssh-2.2.0p1/ssh.h --- ORIG/openssh-2.2.0p1/ssh.h Tue Aug 22 20:46:25 2000 +++ openssh-2.2.0p1/ssh.h Sat Sep 9 01:10:07 2000 @@ -426,6 +426,12 @@ */ char *read_passphrase(const char *prompt, int from_stdin); +/* + * Reads a passphrase by calling ssh-askpass. Returns the passphrase + * (allocated with xmalloc), being very careful to ensure that no + * other userland buffer is storing the password. + */ +char *ssh_askpass(char *askpass, char *msg); /*-----------...

...ck7 and OpenSSH I've got a couple of questions. What is /dev/tty and why does ssh try to open it to read the password instead of stdin?(this cause ssh to die w/ "You have no controlling tty. Cannot read passphrase.\n", line 69 of readpass.c, I've made it work by calling password = read_passphrase(prompt, 1); instead of password = read_passphrase(prompt, 0); in sshconnect.c line 940 Second, in sshd.c in the do_exec_no_pty function, line 2017 or so: if (dup2(inout[0], 1) < 0) /* stdout. Note: same socket as stdin. */ perror("dup2 stdout") This seems to cause the forked...

...skpass = 1; + } } + /* Get user data. */ pw = getpwuid(original_real_uid); if (!pw) { diff -ur openssh-1.2pre16/ssh.h openssh-1.2pre16.patched/ssh.h --- openssh-1.2pre16/ssh.h Thu Dec 9 22:29:24 1999 +++ openssh-1.2pre16.patched/ssh.h Thu Dec 9 22:14:30 1999 @@ -429,6 +429,12 @@ char *read_passphrase(const char *prompt, int from_stdin); /* + * Attempts to call the ssh-askpass program to read a passphrase when + * there is no tty and $DISPLAY is set. + */ +char *ssh_askpass(const char *askpass, const char *msg); + +/* * Saves the authentication (private) key in a file, encrypting it with...

...+ error("need pin%s", + (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) + ? " entry on reader keypad" : ""); return (-1); } - snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ", - si->token.label); - pin = read_passphrase(prompt, RP_ALLOW_EOF); - if (pin == NULL) - return (-1); /* bail out */ + if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) { + verbose("Deferring PIN entry to keypad of chipcard reader."); + pin = NULL; + } else { + snprintf(prompt, sizeof(prompt), "Enter PI...

...it sleep 5 done done ## The script runs fine, the keys are working perfectly util a seemingly random time when it cant read the keys any more and is asking for a passphrase (with a gnome util). The first time it fails after 6 iterations and this time after 4 iterations. debug1: read_passphrase: can't open /dev/tty: No such device or address debug1: permanently_drop_suid: 0 (gnome-ssh-askpass:26625): Gtk-WARNING **: cannot open display: localhost:11.0 debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password Permission denied, please try again. debug...

..._UNSPEC, filename, "", + &prv, NULL)) == 0) return prv; if (r != SSH_ERR_KEY_WRONG_PASSPHRASE) fatal("Load key \"%s\": %s", filename, ssh_err(r)); @@ -283,7 +284,7 @@ load_identity(char *filename) pass = xstrdup(identity_passphrase); else pass = read_passphrase("Enter passphrase: ", RP_ALLOW_STDIN); - r = sshkey_load_private(filename, pass, &prv, NULL); + r = sshkey_load_private_type(KEY_UNSPEC, filename, pass, &prv, NULL); explicit_bzero(pass, strlen(pass)); free(pass); if (r != 0) @@ -855,7 +856,7 @@ fingerprint_private(const cha...

...= key_load_private_type(KEY_RSA1, authfile, "", NULL, + options.group_private_key); if (private == NULL && !options.batch_mode) { snprintf(buf, sizeof(buf), "Enter passphrase for RSA key '%.100s': ", comment); @@ -251,7 +252,8 @@ passphrase = read_passphrase(buf, 0); if (strcmp(passphrase, "") != 0) { private = key_load_private_type(KEY_RSA1, - authfile, passphrase, NULL); + authfile, passphrase, NULL, + options.group_private_key); quit = 0; } else { debug2("no passphrase given, try next key&qu...

This showed up in RISKS and no one has mentioned it here yet, so.. OpenSSH contains lots of code like: char *password = read_passphrase(prompt, 0); [do stuff] memset(password, 0, strlen(password));

...[AC_MSG_RESULT(assume it is working)]) ;; *-*-hpux10.26) if test -z "$GCC"; then diff -u my_openssh-3.7p1/readpass.c openssh-3.7p1/readpass.c --- my_openssh-3.7p1/readpass.c Fri Dec 19 09:46:44 2003 +++ openssh-3.7p1/readpass.c Thu Jan 23 16:36:23 2003 @@ -99,7 +99,7 @@ char * read_passphrase(const char *prompt, int flags) { - char *askpass = NULL, *ret, buf[1024], response; + char *askpass = NULL, *ret, buf[1024]; int rppflags, use_askpass = 0, ttyfd; rppflags = (flags & RP_ECHO) ? RPP_ECHO_ON : RPP_ECHO_OFF; @@ -126,60 +126,13 @@ return ret; } - /* Before reading...

...toconf to their ppc versions. I have been able to successfully build sshd/ssh. I copy the binaries built on the x86 to the ppc, and sshd works great. I can ssh from any machine to it, but when I try to ssh from the ppc machine to another ppc machine or the x86 machine, I get the error "debug1: read_passphrase: can't open /dev/tty: No such device or address Host key verification failed." If I run it with -vvv, I get (see below): I am not running Xserver on the ppc, but it is on the x86 machine. Going through some message boards I have tried setting the DISPLAY environment variable to DISPLAY=I...

...cation/aegis-patch Subject: openssh.2 - Fix warning in readpass.c Content-Name: openssh.2.C010.patch Content-Disposition: attachment; filename=openssh.2.C010.patch X-Aegis-Project-Name: openssh.2 X-Aegis-Change-Number: 10 # # Fix the following warning in readpass.c: # # readpass.c: In function `read_passphrase': # readpass.c:120: warning: passing arg 2 of `ssh_askpass' discards # qualifiers from pointer target type # Index: openssh/readpass.c --- /usr/local/aegis/public/openssh/baseline/openssh/readpass.c Mon Aug 27 19:15:44 2001 +++ /usr/local/aegis/public/openssh/branch.2/baseline/openssh/rea...

Hi, I'm looking at integrating sftp into a larger project. It would be nice if there was a way to force read_passphrase() (in readpass.c) to use SSH_ASKPASS regardless of the properties of the terminal. This would be easy enough to do, an environment variable or a new flag definition would achieve this (I'm using an environment variable for convenience at the moment). Would anyone be interested in receiving...

I'm attaching a patch to allow ssh client to get a pin from the command line when using a smartcard. Most of it is from a patch by Danny De Cock <godot () ulyssis ! org>, but I've used the ssh read_passphrase function instead. Any errors are mine, I'm sure. This enables ssh -I 0 to use a pin-protected smartcard via opensc. Thanks, Kevin Stefanik -------------- next part -------------- A non-text attachment was scrubbed... Name: openssh-3.5p1-opensc-get_pin.patch.bz2 Type: application/x-bzip2 Siz...

...uot;); + error("need pin entry%s", + (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) ? " on reader keypad" : ""); return (-1); } - snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ", - si->token.label); - pin = read_passphrase(prompt, RP_ALLOW_EOF); - if (pin == NULL) - return (-1); /* bail out */ - if ((rv = f->C_Login(si->session, CKU_USER, pin, strlen(pin))) + if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) { + verbose("Deferring PIN entry to keypad of chipcard reader."); + pin...

...n or related script. (Note that on some machines it may be necessary to redirect the input from /dev/null to make this work.) But my numerous efforts to trigger this behavior failed, so I looked at the source. As far as I can see, the ssh code doesn't allow for this to happen. The read_passphrase() function never gets called by ssh with the RP_ALLOW_STDIN flag set, and the only other way to get ssh_askpass() to get called is for open(_PATH_TTY, O_RDWR) to fail. But /dev/tty is a+rw in the normal case. >From readpass.c: char * read_passphrase(const char *prompt, int flags) {...