support being run by ssh as ssh-askpass replacement
To use, set GIT_ANNEX_SSHASKPASS to point to a fifo or regular file (FIFO is better, avoids touching disk or multiple readers) that contains the password. Then set SSH_ASKPASS=git-annex, and when ssh runs it, it will tell ssh the password. This is not yet used.
parent
ac98853f05
commit
79cf404e75
3 changed files with 22 additions and 5 deletions
15
Annex/Ssh.hs
15
Annex/Ssh.hs
|
@ -16,6 +16,8 @@ module Annex.Ssh (
|
|||
sshCachingTo,
|
||||
inRepoWithSshCachingTo,
|
||||
runSshCaching,
|
||||
sshAskPassEnv,
|
||||
runSshAskPass
|
||||
) where
|
||||
|
||||
import qualified Data.Map as M
|
||||
|
@ -230,7 +232,7 @@ sshReadPort params = (port, reverse args)
|
|||
{- When this env var is set, git-annex runs ssh with parameters
|
||||
- to use the socket file that the env var contains.
|
||||
-
|
||||
- This is a workaround for GiT_SSH not being able to contain
|
||||
- This is a workaround for GIT_SSH not being able to contain
|
||||
- additional parameters to pass to ssh. -}
|
||||
sshCachingEnv :: String
|
||||
sshCachingEnv = "GIT_ANNEX_SSHCACHING"
|
||||
|
@ -268,8 +270,17 @@ sshCachingTo remote g
|
|||
where
|
||||
uncached = return g
|
||||
|
||||
runSshCaching :: [String] -> String -> IO ()
|
||||
runSshCaching :: [String] -> FilePath -> IO ()
|
||||
runSshCaching args sockfile = do
|
||||
let args' = toCommand (sshConnectionCachingParams sockfile) ++ args
|
||||
let p = proc "ssh" args'
|
||||
exitWith =<< waitForProcess . processHandle =<< createProcess p
|
||||
|
||||
{- When this env var is set, git-annex is being used as a ssh-askpass
|
||||
- program, and should read the password from the specified location,
|
||||
- and output it for ssh to read. -}
|
||||
sshAskPassEnv :: String
|
||||
sshAskPassEnv = "GIT_ANNEX_SSHASKPASS"
|
||||
|
||||
runSshAskPass :: FilePath -> IO ()
|
||||
runSshAskPass passfile = putStrLn =<< readFile passfile
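Review bot: `runSshAskPass` at the end of this section copies whatever file the environment variable names straight to stdout, with no check on who owns the file or who can read it, and the commit message allows a regular file as well as a FIFO. A password left in a group- or world-readable file, or in a temp file that is never removed, outlives the ssh run; I would at least state the contract above the function, e.g. `{- The caller must create passfile with mode 0600 (preferably a FIFO) and remove it once ssh has read it. -}`, and ideally refuse a file whose mode grants group or other access. Separately, `readFile` and `putStrLn` route the secret through a lazy `String` and the locale encoding, so a password containing bytes that are invalid in the current locale may be altered or raise an error; reading and writing it as bytes would avoid that.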
|
||||
|
|
|
@ -199,5 +199,11 @@ run args = do
|
|||
#ifdef WITH_EKG
|
||||
_ <- forkServer "localhost" 4242
|
||||
#endif
|
||||
maybe (dispatch True args cmds gitAnnexOptions [] header Git.CurrentRepo.get)
|
||||
(runSshCaching args) =<< getEnv sshCachingEnv
|
||||
go envmodes
|
||||
where
|
||||
go [] = dispatch True args cmds gitAnnexOptions [] header Git.CurrentRepo.get
|
||||
go ((v, a):rest) = maybe (go rest) a =<< getEnv v
|
||||
envmodes =
|
||||
[ (sshCachingEnv, runSshCaching args)
|
||||
, (sshAskPassEnv, runSshAskPass)
|
||||
]
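Review bot: `runSshAskPass` is dispatched without `args`, so the prompt text that ssh passes to its askpass program is never inspected and every prompt is answered with the stored password. ssh uses the askpass helper for more than the account password (host key confirmation, key passphrases, keyboard-interactive prompts), so it would be safer to pass `args` through, as `runSshCaching args` already does, and only answer a prompt that looks like a password request. I would also add a comment on `envmodes` saying that these variables pre-empt normal command dispatch, e.g. `-- Set these only in the environment of the ssh child; a git-annex that inherits one runs that mode instead of its command.` The `run` function begins before this hunk.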
|
||||
|
|
|
@ -41,7 +41,7 @@ which gets the password from the webapp, and outputs it to stdout.
|
|||
Seems to call for the webapp and program to communicate over a local
|
||||
socket (locked down so only user can access) or environment.
|
||||
Environment is not as secure (easily snooped by root).
|
||||
Local socket probably won't work on Windows.
|
||||
Local socket probably won't work on Windows. Could just use a temp file.
|
||||
|
||||
Note that the webapp can probe to see if ssh needs a password, and can
|
||||
prompt the user for it before running ssh and the ssh-askpass shim.
|
||||
|
|