authorDamien Miller <djm@cvs.openbsd.org>2020-07-14 23:57:02 +0000
committerDamien Miller <djm@cvs.openbsd.org>2020-07-14 23:57:02 +0000
commitdf37ed0acf027b65def99c7589043c6cbdf79c2a (patch)
tree4c9ed437bd73df3dae61b00da76b9f0e90b4e30c /usr.bin/ssh
parent0657c7c798ac6d9fa78f9a6b2d0970b3ea30cd33 (diff)
allow some additional control over the use of ssh-askpass
via $SSH_ASKPASS_REQUIRE, including force-enable/disable. bz#69 ok markus@
Diffstat (limited to 'usr.bin/ssh')
-rw-r--r--usr.bin/ssh/readpass.c25
-rw-r--r--usr.bin/ssh/ssh-add.130
-rw-r--r--usr.bin/ssh/ssh.123
-rw-r--r--usr.bin/ssh/ssh.h7
4 files changed, 70 insertions, 15 deletions
diff --git a/usr.bin/ssh/readpass.c b/usr.bin/ssh/readpass.c
index 104c3188ddb..1df058e45ff 100644
--- a/usr.bin/ssh/readpass.c
+++ b/usr.bin/ssh/readpass.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readpass.c,v 1.61 2020/01/23 07:10:22 dtucker Exp $ */
+/* $OpenBSD: readpass.c,v 1.62 2020/07/14 23:57:01 djm Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
*
@@ -120,11 +120,26 @@ char *
read_passphrase(const char *prompt, int flags)
{
char cr = '\r', *askpass = NULL, *ret, buf[1024];
- int rppflags, use_askpass = 0, ttyfd;
+ int rppflags, ttyfd, use_askpass = 0, allow_askpass = 0;
const char *askpass_hint = NULL;
+ const char *s;
+
+ if ((s = getenv("DISPLAY")) != NULL)
+ allow_askpass = *s != '\0';
+ if ((s = getenv(SSH_ASKPASS_REQUIRE_ENV)) != NULL) {
+ if (strcasecmp(s, "force") == 0) {
+ use_askpass = 1;
+ allow_askpass = 1;
+ } else if (strcasecmp(s, "prefer") == 0)
+ use_askpass = allow_askpass;
+ else if (strcasecmp(s, "never") == 0)
+ allow_askpass = 0;
+ }
rppflags = (flags & RP_ECHO) ? RPP_ECHO_ON : RPP_ECHO_OFF;
- if (flags & RP_USE_ASKPASS)
+ if (use_askpass)
+ debug("%s: requested to askpass", __func__);
+ else if (flags & RP_USE_ASKPASS)
use_askpass = 1;
else if (flags & RP_ALLOW_STDIN) {
if (!isatty(STDIN_FILENO)) {
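Review bot: An unrecognised value of SSH_ASKPASS_REQUIRE falls through the `force`/`prefer`/`never` chain without any trace, so a misspelt `never` leaves askpass enabled exactly as if the variable were unset. Since `never` is the setting someone would choose to keep passphrase prompts away from a helper program, that silent fall-through is worth surfacing; a final branch such as `else debug("%s: ignoring unrecognised %s value", __func__, SSH_ASKPASS_REQUIRE_ENV);` would do. A short comment above the block would also help, stating that `force` overrides the DISPLAY check while `prefer` only takes effect when DISPLAY is non-empty, because the program that then receives the prompt is named by the environment (the SSH_ASKPASS lookup is in the next hunk). read_passphrase continues past the end of this hunk.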
@@ -150,10 +165,10 @@ read_passphrase(const char *prompt, int flags)
}
}
- if ((flags & RP_USE_ASKPASS) && getenv("DISPLAY") == NULL)
+ if ((flags & RP_USE_ASKPASS) && !allow_askpass)
return (flags & RP_ALLOW_EOF) ? NULL : xstrdup("");
- if (use_askpass && getenv("DISPLAY")) {
+ if (use_askpass && allow_askpass) {
if (getenv(SSH_ASKPASS_ENV))
askpass = getenv(SSH_ASKPASS_ENV);
else
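Review bot: The early return on `(flags & RP_USE_ASKPASS) && !allow_askpass` hands back NULL or an empty string with no log line, and it is now reachable in two new ways: SSH_ASKPASS_REQUIRE=never, and a DISPLAY that is set but empty, which the removed `getenv("DISPLAY") == NULL` test treated as usable. A `debug("%s: askpass not permitted", __func__);` ahead of the return would make an unexpectedly empty passphrase diagnosable. If treating an empty DISPLAY as unset is intended, the manual text added in this commit does not appear to mention it, so a sentence there or a comment next to the `allow_askpass = *s != '\0';` assignment would record the decision. The function starts and ends outside this hunk.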
diff --git a/usr.bin/ssh/ssh-add.1 b/usr.bin/ssh/ssh-add.1
index f3db1956e1b..2786df51417 100644
--- a/usr.bin/ssh/ssh-add.1
+++ b/usr.bin/ssh/ssh-add.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-add.1,v 1.80 2020/06/26 05:04:07 djm Exp $
+.\" $OpenBSD: ssh-add.1,v 1.81 2020/07/14 23:57:01 djm Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: June 26 2020 $
+.Dd $Mdocdate: July 14 2020 $
.Dt SSH-ADD 1
.Os
.Sh NAME
@@ -174,7 +174,7 @@ Lock the agent with a password.
.El
.Sh ENVIRONMENT
.Bl -tag -width Ds
-.It Ev "DISPLAY" and "SSH_ASKPASS"
+.It Ev "DISPLAY", "SSH_ASKPASS" and "SSH_ASKPASS_REQUIRE"
If
.Nm
needs a passphrase, it will read the passphrase from the current
@@ -195,10 +195,26 @@ This is particularly useful when calling
from a
.Pa .xsession
or related script.
-(Note that on some machines it
-may be necessary to redirect the input from
-.Pa /dev/null
-to make this work.)
+.Pp
+.Ev SSH_ASKPASS_REQUIRE
+allows further control over the use of an askpass program.
+If this variable is set to
+.Dq never
+then
+.Nm
+will never attempt to use one.
+If it is set to
+.Dq prefer ,
+then
+.Nm
+will prefer to use the askpass program instead of the TTY when requesting
+passwords.
+Finally, if the variable is set to
+.Dq force ,
+then the askpass program will be used for all passphrase input regardless
+of whether
+.Ev DISPLAY
+is set.
.It Ev SSH_AUTH_SOCK
Identifies the path of a
.Ux Ns -domain
diff --git a/usr.bin/ssh/ssh.1 b/usr.bin/ssh/ssh.1
index dce5f404b3a..7b9d3422b58 100644
--- a/usr.bin/ssh/ssh.1
+++ b/usr.bin/ssh/ssh.1
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.412 2020/04/17 03:34:42 djm Exp $
-.Dd $Mdocdate: April 17 2020 $
+.\" $OpenBSD: ssh.1,v 1.413 2020/07/14 23:57:01 djm Exp $
+.Dd $Mdocdate: July 14 2020 $
.Dt SSH 1
.Os
.Sh NAME
@@ -1409,6 +1409,25 @@ or related script.
may be necessary to redirect the input from
.Pa /dev/null
to make this work.)
+.It Ev SSH_ASKPASS_REQUIRE
+allows further control over the use of an askpass program.
+If this variable is set to
+.Dq never
+then
+.Nm
+will never attempt to use one.
+If it is set to
+.Dq prefer ,
+then
+.Nm
+will prefer to use the askpass program instead of the TTY when requesting
+passwords.
+Finally, if the variable is set to
+.Dq force ,
+then the askpass program will be used for all passphrase input regardless
+of whether
+.Ev DISPLAY
+is set.
.It Ev SSH_AUTH_SOCK
Identifies the path of a
.Ux Ns -domain
diff --git a/usr.bin/ssh/ssh.h b/usr.bin/ssh/ssh.h
index 0d1080bbfbe..e40f04aa3a5 100644
--- a/usr.bin/ssh/ssh.h
+++ b/usr.bin/ssh/ssh.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.h,v 1.89 2018/12/27 03:25:25 djm Exp $ */
+/* $OpenBSD: ssh.h,v 1.90 2020/07/14 23:57:01 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -68,6 +68,11 @@
#define SSH_ASKPASS_ENV "SSH_ASKPASS"
/*
+ * Environment variable to control whether or not askpass is used.
+ */
+#define SSH_ASKPASS_REQUIRE_ENV "SSH_ASKPASS_REQUIRE"
+
+/*
* Force host key length and server key length to differ by at least this
* many bits. This is to make double encryption with rsaref work.
*/