diff --git a/Assistant/WebApp/Configurators/Ssh.hs b/Assistant/WebApp/Configurators/Ssh.hs
index 32d08ca2af..056b137171 100644
--- a/Assistant/WebApp/Configurators/Ssh.hs
+++ b/Assistant/WebApp/Configurators/Ssh.hs
@@ -31,6 +31,7 @@ import Config.Files
 import Utility.Tmp
 import Utility.FileMode
 import Utility.ThreadScheduler
+import Utility.Env
 #ifdef mingw32_HOST_OS
 import Utility.Rsync
@@ -344,7 +345,8 @@ sshAuthTranscript sshinput opts input = case inputAuthMethod sshinput of
 Just pass -> withTmpFile "ssh" $ \passfile h -> do
 hClose h
 writeFileProtected passfile pass
- let env =
+ env <- getEnvironment
+ let env' = addEntries
 [ ("SSH_ASKPASS", program)
 , (sshAskPassEnv, passfile)
 -- ssh does not use SSH_ASKPASS
@@ -352,8 +354,8 @@ sshAuthTranscript sshinput opts input = case inputAuthMethod sshinput of
 -- there is no controlling
 -- terminal.
 , ("DISPLAY", ":0")
- ]
- go [passwordprompts 1] (Just env)
+ ] env
+ go [passwordprompts 1] (Just env')
 passwordprompts :: Int -> String
 passwordprompts = sshOpt "NumberOfPasswordPrompts" . show
diff --git a/doc/design/assistant/sshpassword.mdwn b/doc/design/assistant/sshpassword.mdwn
index 8b0ac3fe3a..91fc76125c 100644
--- a/doc/design/assistant/sshpassword.mdwn
+++ b/doc/design/assistant/sshpassword.mdwn
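Review bot: In the `Just pass` branch of `sshAuthTranscript` (the hunks at -344 and -352), the inherited environment and the askpass environment are named `env` and `env'`, and `go [passwordprompts 1] (Just env)` would presumably still type-check while silently dropping `SSH_ASKPASS`, the password-file variable and `DISPLAY`. Binding only the final value, `env <- addEntries [ ... ] <$> getEnvironment`, or using names such as `baseenv` and `askpassenv`, removes that trap. The change also depends on `addEntries` replacing any `SSH_ASKPASS` or `DISPLAY` already set in the inherited environment, which is not visible in this diff; a comment such as `-- entries here must override inherited SSH_ASKPASS/DISPLAY so the password shim is the one ssh runs` would record that requirement. The function body starts and ends outside both hunks.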
@@ -53,3 +53,17 @@ prompt the user for it before running ssh and the ssh-askpass shim. This avoids some complexity, and perhaps some attack vectors, if the shim cannot requst an arbitrary password prompt. (This complexity not needed with the temp file approach..)
+
+### TODO
+
+* Does not work on Windows; ssh still prompts in the terminal for the
+ password.
+* test on OSX
+* test on Android
+* enabling rsync repositories needs to prompt for password; currently
+ broken
+* test gcrypt repositories (creation of new and enabling)
+* If the user is slow, the cached ssh key can exire before they finish.
+ Currently this results in ssh being given no password, and failing.
+ Either avoid time-based expiry (manually expiring when done, and how
+ to detect if they gave up?) or notice this and give a sensible error.