mirrors/git-annex
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

support being run by ssh as ssh-askpass replacement

Browse source 
To use, set GIT_ANNEX_SSHASKPASS to point to a fifo or regular file
(FIFO is better, avoids touching disk or multiple readers) that contains
the password. Then set SSH_ASKPASS=git-annex, and when ssh runs it, it will
tell ssh the password.

This is not yet used..
This commit is contained in:
Joey Hess 2014-04-29 18:08:10 -04:00
parent ac98853f05
commit 79cf404e75
3 changed files with 22 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
Annex/Ssh.hs
View file

@ -16,6 +16,8 @@ module Annex.Ssh (
sshCachingTo, sshCachingTo,
inRepoWithSshCachingTo, inRepoWithSshCachingTo,
runSshCaching, runSshCaching,
sshAskPassEnv,
runSshAskPass
) where ) where
import qualified Data.Map as M import qualified Data.Map as M
@ -230,7 +232,7 @@ sshReadPort params = (port, reverse args)
{- When this env var is set, git-annex runs ssh with parameters {- When this env var is set, git-annex runs ssh with parameters
- to use the socket file that the env var contains. - to use the socket file that the env var contains.
- -
- This is a workaround for GiT_SSH not being able to contain - This is a workaround for GIT_SSH not being able to contain
- additional parameters to pass to ssh. -} - additional parameters to pass to ssh. -}
sshCachingEnv :: String sshCachingEnv :: String
sshCachingEnv = "GIT_ANNEX_SSHCACHING" sshCachingEnv = "GIT_ANNEX_SSHCACHING"
@ -268,8 +270,17 @@ sshCachingTo remote g
where where
uncached = return g uncached = return g
runSshCaching :: [String] -> String -> IO () runSshCaching :: [String] -> FilePath -> IO ()
runSshCaching args sockfile = do runSshCaching args sockfile = do
let args' = toCommand (sshConnectionCachingParams sockfile) ++ args let args' = toCommand (sshConnectionCachingParams sockfile) ++ args
let p = proc "ssh" args' let p = proc "ssh" args'
exitWith =<< waitForProcess . processHandle =<< createProcess p exitWith =<< waitForProcess . processHandle =<< createProcess p
{- When this env var is set, git-annex is being used as a ssh-askpass
- program, and should read the password from the specified location,
- and output it for ssh to read. -}
sshAskPassEnv :: String
sshAskPassEnv = "GIT_ANNEX_SSHASKPASS"
runSshAskPass :: FilePath -> IO ()
runSshAskPass passfile = putStrLn =<< readFile passfile

10
CmdLine/GitAnnex.hs
View file

@ -199,5 +199,11 @@ run args = do
#ifdef WITH_EKG #ifdef WITH_EKG
_ <- forkServer "localhost" 4242 _ <- forkServer "localhost" 4242
#endif #endif
maybe (dispatch True args cmds gitAnnexOptions [] header Git.CurrentRepo.get) go envmodes
(runSshCaching args) =<< getEnv sshCachingEnv where
go [] = dispatch True args cmds gitAnnexOptions [] header Git.CurrentRepo.get
go ((v, a):rest) = maybe (go rest) a =<< getEnv v
envmodes =
[ (sshCachingEnv, runSshCaching args)
, (sshAskPassEnv, runSshAskPass)
]

2
doc/design/assistant/sshpassword.mdwn
View file

@ -41,7 +41,7 @@ which gets the password from the webapp, and outputs it to stdout.
Seems to call for the webapp and program to communicate over a local Seems to call for the webapp and program to communicate over a local
socket (locked down so only user can access) or environment. socket (locked down so only user can access) or environment.
Environment is not as secure (easily snooped by root). Environment is not as secure (easily snooped by root).
Local socket probably won't work on Windows. Local socket probably won't work on Windows. Could just use a temp file.
Note that the webapp can probe to see if ssh needs a password, and can Note that the webapp can probe to see if ssh needs a password, and can
prompt the user for it before running ssh and the ssh-askpass shim. prompt the user for it before running ssh and the ssh-askpass shim.