From 79cf404e757931b2a7ef2ec6bec34757e39f72da Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Tue, 29 Apr 2014 18:08:10 -0400 Subject: [PATCH] support being run by ssh as ssh-askpass replacement To use, set GIT_ANNEX_SSHASKPASS to point to a fifo or regular file (FIFO is better, avoids touching disk or multiple readers) that contains the password. Then set SSH_ASKPASS=git-annex, and when ssh runs it, it will tell ssh the password. This is not yet used.. --- Annex/Ssh.hs | 15 +++++++++++++-- CmdLine/GitAnnex.hs | 10 ++++++++-- doc/design/assistant/sshpassword.mdwn | 2 +- 3 files changed, 22 insertions(+), 5 deletions(-) diff --git a/Annex/Ssh.hs b/Annex/Ssh.hs index 1594801217..21bb83e28f 100644 --- a/Annex/Ssh.hs +++ b/Annex/Ssh.hs @@ -16,6 +16,8 @@ module Annex.Ssh ( sshCachingTo, inRepoWithSshCachingTo, runSshCaching, + sshAskPassEnv, + runSshAskPass ) where import qualified Data.Map as M @@ -230,7 +232,7 @@ sshReadPort params = (port, reverse args) {- When this env var is set, git-annex runs ssh with parameters - to use the socket file that the env var contains. - - - This is a workaround for GiT_SSH not being able to contain + - This is a workaround for GIT_SSH not being able to contain - additional parameters to pass to ssh. -} sshCachingEnv :: String sshCachingEnv = "GIT_ANNEX_SSHCACHING" 
@@ -268,8 +270,17 @@ sshCachingTo remote g where uncached = return g -runSshCaching :: [String] -> String -> IO () +runSshCaching :: [String] -> FilePath -> IO () runSshCaching args sockfile = do let args' = toCommand (sshConnectionCachingParams sockfile) ++ args let p = proc "ssh" args' exitWith =<< waitForProcess . processHandle =<< createProcess p + +{- When this env var is set, git-annex is being used as a ssh-askpass + - program, and should read the password from the specified location, + - and output it for ssh to read. -} +sshAskPassEnv :: String +sshAskPassEnv = "GIT_ANNEX_SSHASKPASS" + +runSshAskPass :: FilePath -> IO () +runSshAskPass passfile = putStrLn =<< readFile passfile diff --git a/CmdLine/GitAnnex.hs b/CmdLine/GitAnnex.hs index c37e44a2db..e4dd29b67f 100644 --- a/CmdLine/GitAnnex.hs +++ b/CmdLine/GitAnnex.hs @@ -199,5 +199,11 @@ run args = do #ifdef WITH_EKG _ <- forkServer "localhost" 4242 #endif - maybe (dispatch True args cmds gitAnnexOptions [] header Git.CurrentRepo.get) - (runSshCaching args) =<< getEnv sshCachingEnv + go envmodes + where + go [] = dispatch True args cmds gitAnnexOptions [] header Git.CurrentRepo.get + go ((v, a):rest) = maybe (go rest) a =<< getEnv v + envmodes = + [ (sshCachingEnv, runSshCaching args) + , (sshAskPassEnv, runSshAskPass) + ] diff --git a/doc/design/assistant/sshpassword.mdwn b/doc/design/assistant/sshpassword.mdwn index c44259865b..0113144c53 100644 --- a/doc/design/assistant/sshpassword.mdwn +++ b/doc/design/assistant/sshpassword.mdwn 
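Review bot: `runSshAskPass`, at the end of this hunk, prints the contents of whatever path the environment variable names without checking that the file is private to the user, and it is the only new definition here without a comment. The commit message already prefers a FIFO so the password never touches disk, and that expectation belongs next to the code, e.g. `{- Outputs the password read from passfile for ssh to read. The caller must create passfile (preferably a FIFO) accessible only by the user, and remove it afterwards. -}`. Note also that `putStrLn` appends a newline after any newline the file already ends with, and that `readFile` is lazy. ssh presumably only uses the first line, but the comment should say whether a trailing newline in passfile is expected.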
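Review bot: The `sshAskPassEnv` entry in `envmodes` discards `args`, so the shim answers every askpass request with the password, whatever ssh was asking. ssh passes the prompt text as the argument to the askpass program and, as far as I know, also uses it for host key confirmation and key passphrase prompts, so the password would be offered in reply to those as well. Consider passing `args` through, as `runSshCaching args` does, and answering only prompts that look like a password prompt. Separately, the mode is selected purely by the environment, so any git-annex process that inherits GIT_ANNEX_SSHASKPASS prints the file and skips `dispatch`; a comment on `envmodes` such as `-- set these only in the environment of the ssh child process` would record that. The enclosing `run` starts above the hunk.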
@@ -41,7 +41,7 @@ which gets the password from the webapp, and outputs it to stdout. Seems to call for the webapp and program to communicate over a local socket (locked down so only user can access) or environment. Environment is not as secure (easily snooped by root). -Local socket probably won't work on Windows. +Local socket probably won't work on Windows. Could just use a temp file. Note that the webapp can probe to see if ssh needs a password, and can prompt the user for it before running ssh and the ssh-askpass shim.