author Joey Hess <joey@kitenet.net> 2014-05-14 15:02:18 -0400
committer Joey Hess <joey@kitenet.net> 2014-05-14 15:38:32 -0400
commit ffedbbee70d4f19dc89ca54d5fdc2277a5d5e867
tree 2f5c7b846a21ae9ebd160599e2043436d19ea81d
parent 2b89de6562469c7bee6ae8e78205012ef43396dc
webapp: Better ssh password prompting.
When setting up a remote on a ssh server, prompt for a password inside the webapp, rather than relying on ssh's own password prompting in the terminal the webapp was started from, or ssh-askpass.

Avoids double prompting for the ssh password (and triple-prompting on Windows for rsync.net), since the entered password is cached for 10 minutes and this cached password is reused when setting up the repository, after the initial probe.

When the user has an existing ssh key set up, they can choose to use it, rather than entering a password. The webapp used to probe for this case automatically, so this is a little harder, but it's an advanced user thing.

Note that this commit is known to break enabling existing rsync repositories. It has not been tested with gcrypt repositories. It's not been successfully tested yet on Windows.

This commit was sponsored by Ralph Mayer.
-rw-r--r-- debian/changelog 1
-rw-r--r-- doc/design/assistant/sshpassword.mdwn 12
2 files changed, 10 insertions, 3 deletions
diff --git a/debian/changelog b/debian/changelog
index 9ed7d0ffd..349ca153e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,7 @@ git-annex (5.20140422) UNRELEASED; urgency=medium
* Simplified repository description line format. The remote name,
if any, is always in square brackets after the description.
* assistant: Clean up stale tmp files on startup.
+ * webapp: Better ssh password prompting.
-- Joey Hess <joeyh@debian.org> Fri, 02 May 2014 15:28:53 -0300
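Review bot: The added changelog line says only "Better ssh password prompting", which hides the user-visible change and the known breakage named in the commit message. Consider wording the entry to say that the password is now prompted for inside the webapp and cached for 10 minutes, and, while the entry is still UNRELEASED, track the broken enabling of existing rsync repositories so it is fixed or noted before release.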
diff --git a/doc/design/assistant/sshpassword.mdwn b/doc/design/assistant/sshpassword.mdwn
index 0113144c5..8b0ac3fe3 100644
--- a/doc/design/assistant/sshpassword.mdwn
+++ b/doc/design/assistant/sshpassword.mdwn
@@ -14,10 +14,12 @@ can be pretty sure noone is sniffing the (localhost) connection.
## ssh-askpass approach
* If ssh-askpass is in PATH, or `SSH_ASKPASS` is set, do nothing.
- (Unless webapp is run remotely.)
+ (Unless webapp is run remotely.)
+ XXX not currently done; the UI would need to omit the password entry
+ fields in this case.
* Otherwise, have the assistant set `SSH_ASKPASS` to a command that will
cause the webapp to read the password and forward it on. Also, set
- DISPLAY to ensure that ssh runs the program.
+ DISPLAY to ensure that ssh runs the program. **done**
Looking at ssh.exe, I think this will even work on windows; it contains the
code to run ssh-askpass.
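Review bot: The first bullet still says "do nothing" when ssh-askpass is in PATH or `SSH_ASKPASS` is set, but the added XXX lines say this is not currently done, so the doc no longer says what happens to a user's existing `SSH_ASKPASS` setting. State the current behaviour explicitly (for example, whether the assistant overrides an existing `SSH_ASKPASS`) and turn the XXX into a tracked todo item. The removed and re-added "(Unless webapp is run remotely.)" line appears to differ only in whitespace; worth confirming that is intended.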
@@ -36,14 +38,18 @@ code to run ssh-askpass.
### ssh-askpass shim, and password forwarding
`SSH_ASKPASS` needs to be set to a program (probably git-annex)
-which gets the password from the webapp, and outputs it to stdout.
+which gets the password from the webapp, and outputs it to stdout. **done**
Seems to call for the webapp and program to communicate over a local
socket (locked down so only user can access) or environment.
Environment is not as secure (easily snooped by root).
Local socket probably won't work on Windows. Could just use a temp file.
+(Currently uses a temp file with locked down perms that it's careful
+to clean up after use.)
+
Note that the webapp can probe to see if ssh needs a password, and can
prompt the user for it before running ssh and the ssh-askpass shim.
This avoids some complexity, and perhaps some attack vectors,
if the shim cannot requst an arbitrary password prompt.
+(This complexity not needed with the temp file approach..)
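Review bot: The added parenthetical "(Currently uses a temp file with locked down perms that it's careful to clean up after use.)" leaves the security-relevant details undocumented: whether the file is created with restrictive permissions before the password is written, how the shim learns the file's path, and whether the file is removed if ssh or the shim exits abnormally. Since the surrounding text rejects the environment as "easily snooped by root" and doubts the local socket on Windows, the doc should also say how the permissions are locked down on Windows. The last added line, "(This complexity not needed with the temp file approach..)", is ambiguous because the paragraph above says probing "avoids some complexity"; name which complexity is meant and drop the doubled period.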