diff options
author | Damien Miller <djm@cvs.openbsd.org> | 2020-07-14 23:57:02 +0000 |
---|---|---|
committer | Damien Miller <djm@cvs.openbsd.org> | 2020-07-14 23:57:02 +0000 |
commit | df37ed0acf027b65def99c7589043c6cbdf79c2a (patch) | |
tree | 4c9ed437bd73df3dae61b00da76b9f0e90b4e30c /usr.bin/ssh | |
parent | 0657c7c798ac6d9fa78f9a6b2d0970b3ea30cd33 (diff) |
allow some additional control over the use of ssh-askpass
via $SSH_ASKPASS_REQUIRE, including force-enable/disable.
bz#69 ok markus@
Diffstat (limited to 'usr.bin/ssh')
-rw-r--r-- | usr.bin/ssh/readpass.c | 25 | ||||
-rw-r--r-- | usr.bin/ssh/ssh-add.1 | 30 | ||||
-rw-r--r-- | usr.bin/ssh/ssh.1 | 23 | ||||
-rw-r--r-- | usr.bin/ssh/ssh.h | 7 |
4 files changed, 70 insertions, 15 deletions
diff --git a/usr.bin/ssh/readpass.c b/usr.bin/ssh/readpass.c index 104c3188ddb..1df058e45ff 100644 --- a/usr.bin/ssh/readpass.c +++ b/usr.bin/ssh/readpass.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readpass.c,v 1.61 2020/01/23 07:10:22 dtucker Exp $ */ +/* $OpenBSD: readpass.c,v 1.62 2020/07/14 23:57:01 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -120,11 +120,26 @@ char * read_passphrase(const char *prompt, int flags) { char cr = '\r', *askpass = NULL, *ret, buf[1024]; - int rppflags, use_askpass = 0, ttyfd; + int rppflags, ttyfd, use_askpass = 0, allow_askpass = 0; const char *askpass_hint = NULL; + const char *s; + + if ((s = getenv("DISPLAY")) != NULL) + allow_askpass = *s != '\0'; + if ((s = getenv(SSH_ASKPASS_REQUIRE_ENV)) != NULL) { + if (strcasecmp(s, "force") == 0) { + use_askpass = 1; + allow_askpass = 1; + } else if (strcasecmp(s, "prefer") == 0) + use_askpass = allow_askpass; + else if (strcasecmp(s, "never") == 0) + allow_askpass = 0; + } rppflags = (flags & RP_ECHO) ? RPP_ECHO_ON : RPP_ECHO_OFF; - if (flags & RP_USE_ASKPASS) + if (use_askpass) + debug("%s: requested to askpass", __func__); + else if (flags & RP_USE_ASKPASS) use_askpass = 1; else if (flags & RP_ALLOW_STDIN) { if (!isatty(STDIN_FILENO)) { @@ -150,10 +165,10 @@ read_passphrase(const char *prompt, int flags) } } - if ((flags & RP_USE_ASKPASS) && getenv("DISPLAY") == NULL) + if ((flags & RP_USE_ASKPASS) && !allow_askpass) return (flags & RP_ALLOW_EOF) ? NULL : xstrdup(""); - if (use_askpass && getenv("DISPLAY")) { + if (use_askpass && allow_askpass) { if (getenv(SSH_ASKPASS_ENV)) askpass = getenv(SSH_ASKPASS_ENV); else diff --git a/usr.bin/ssh/ssh-add.1 b/usr.bin/ssh/ssh-add.1 index f3db1956e1b..2786df51417 100644 --- a/usr.bin/ssh/ssh-add.1 +++ b/usr.bin/ssh/ssh-add.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-add.1,v 1.80 2020/06/26 05:04:07 djm Exp $ +.\" $OpenBSD: ssh-add.1,v 1.81 2020/07/14 23:57:01 djm Exp $ .\" .\" Author: Tatu Ylonen <ylo@cs.hut.fi> .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 26 2020 $ +.Dd $Mdocdate: July 14 2020 $ .Dt SSH-ADD 1 .Os .Sh NAME @@ -174,7 +174,7 @@ Lock the agent with a password. .El .Sh ENVIRONMENT .Bl -tag -width Ds -.It Ev "DISPLAY" and "SSH_ASKPASS" +.It Ev "DISPLAY", "SSH_ASKPASS" and "SSH_ASKPASS_REQUIRE" If .Nm needs a passphrase, it will read the passphrase from the current @@ -195,10 +195,26 @@ This is particularly useful when calling from a .Pa .xsession or related script. -(Note that on some machines it -may be necessary to redirect the input from -.Pa /dev/null -to make this work.) +.Pp +.Ev SSH_ASKPASS_REQUIRE +allows further control over the use of an askpass program. +If this variable is set to +.Dq never +then +.Nm +will never attempt to use one. +If it is set to +.Dq prefer , +then +.Nm +will prefer to use the askpass program instead of the TTY when requesting +passwords. +Finally, if the variable is set to +.Dq force , +then the askpass program will be used for all passphrase input regardless +of whether +.Ev DISPLAY +is set. .It Ev SSH_AUTH_SOCK Identifies the path of a .Ux Ns -domain diff --git a/usr.bin/ssh/ssh.1 b/usr.bin/ssh/ssh.1 index dce5f404b3a..7b9d3422b58 100644 --- a/usr.bin/ssh/ssh.1 +++ b/usr.bin/ssh/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.412 2020/04/17 03:34:42 djm Exp $ -.Dd $Mdocdate: April 17 2020 $ +.\" $OpenBSD: ssh.1,v 1.413 2020/07/14 23:57:01 djm Exp $ +.Dd $Mdocdate: July 14 2020 $ .Dt SSH 1 .Os .Sh NAME @@ -1409,6 +1409,25 @@ or related script. may be necessary to redirect the input from .Pa /dev/null to make this work.) +.It Ev SSH_ASKPASS_REQUIRE +allows further control over the use of an askpass program. +If this variable is set to +.Dq never +then +.Nm +will never attempt to use one. +If it is set to +.Dq prefer , +then +.Nm +will prefer to use the askpass program instead of the TTY when requesting +passwords. +Finally, if the variable is set to +.Dq force , +then the askpass program will be used for all passphrase input regardless +of whether +.Ev DISPLAY +is set. .It Ev SSH_AUTH_SOCK Identifies the path of a .Ux Ns -domain diff --git a/usr.bin/ssh/ssh.h b/usr.bin/ssh/ssh.h index 0d1080bbfbe..e40f04aa3a5 100644 --- a/usr.bin/ssh/ssh.h +++ b/usr.bin/ssh/ssh.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.h,v 1.89 2018/12/27 03:25:25 djm Exp $ */ +/* $OpenBSD: ssh.h,v 1.90 2020/07/14 23:57:01 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> @@ -68,6 +68,11 @@ #define SSH_ASKPASS_ENV "SSH_ASKPASS" /* + * Environment variable to control whether or not askpass is used. + */ +#define SSH_ASKPASS_REQUIRE_ENV "SSH_ASKPASS_REQUIRE" + +/* * Force host key length and server key length to differ by at least this * many bits. This is to make double encryption with rsaref work. */ |